fix(api): wrap audit log writes inside their parent transactions

Prevents mutations from committing without an audit trail if the
auditLog.create call fails after the main write already succeeded.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

packages/api/src/__tests__/assistant-tools-admin-crud-test-helpers.ts

@@ -19,7 +19,7 @@ export function createToolContext(
   },
 ): ToolContext {
   const userRole = options?.userRole ?? SystemRole.ADMIN;
-  const mergedDb = {
+  const mergedDb: Record<string, unknown> = {
     ...defaultDbDefaults,
     ...db,
     blueprint: {
@@ -27,6 +27,9 @@ export function createToolContext(
       ...(db.blueprint as Record<string, unknown> | undefined),
     },
   };
+  if (!mergedDb["$transaction"]) {
+    mergedDb["$transaction"] = vi.fn(async (fn: (tx: unknown) => unknown) => fn(mergedDb));
+  }
   return {
     db: mergedDb as ToolContext["db"],
     userId: "user_1",

packages/api/src/__tests__/assistant-tools-estimate-test-helpers.ts

@@ -21,8 +21,10 @@ export function createToolContext(
   },
 ): ToolContext {
   const userRole = options?.userRole ?? SystemRole.ADMIN;
+  const mergedDb: Record<string, unknown> = { ...db };
+  mergedDb["$transaction"] = vi.fn(async (fn: (tx: unknown) => unknown) => fn(mergedDb));
   return {
-    db: db as ToolContext["db"],
+    db: mergedDb as ToolContext["db"],
     userId: "user_1",
     userRole,
     permissions: new Set(options?.permissions ?? []),

packages/api/src/__tests__/assistant-tools-master-data-mutation-test-helpers.ts

@@ -1,4 +1,5 @@
 import { PermissionKey, SystemRole } from "@capakraken/shared";
+import { vi } from "vitest";
 
 import type { ToolContext } from "../router/assistant-tools.js";
 
@@ -10,8 +11,12 @@ export function createToolContext(
   },
 ): ToolContext {
   const userRole = options?.userRole ?? SystemRole.ADMIN;
+  const mergedDb: Record<string, unknown> = { ...db };
+  if (!mergedDb["$transaction"]) {
+    mergedDb["$transaction"] = vi.fn(async (fn: (tx: unknown) => unknown) => fn(mergedDb));
+  }
   return {
-    db: db as ToolContext["db"],
+    db: mergedDb as ToolContext["db"],
     userId: "user_1",
     userRole,
     permissions: new Set(options?.permissions ?? []),

packages/api/src/__tests__/effort-rule-procedure-support.test.ts

@@ -161,7 +161,7 @@ describe("effort rule procedure support", () => {
     const createMany = vi.fn().mockResolvedValue({ count: 1 });
     const auditCreate = vi.fn().mockResolvedValue({});
 
-    const result = await applyEffortRules(createManagerContext({
+    const db: Record<string, unknown> = {
       estimate: {
         findUnique: vi.fn().mockResolvedValue({
           id: "est_1",
@@ -195,7 +195,10 @@ describe("effort rule procedure support", () => {
       auditLog: {
         create: auditCreate,
       },
-    }), {
+      $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
+    };
+
+    const result = await applyEffortRules(createManagerContext(db), {
       estimateId: "est_1",
       ruleSetId: "ers_1",
       mode: "replace",

packages/api/src/__tests__/effort-rule-router.test.ts

@@ -416,7 +416,7 @@ describe("effortRule.applyRules", () => {
   it("replaces existing demand lines in replace mode", async () => {
     const estimate = makeEstimate("WORKING", [{ id: "dl_old" }]);
     const ruleSet = sampleRuleSet();
-    const db = {
+    const db: Record<string, unknown> = {
       estimate: { findUnique: vi.fn().mockResolvedValue(estimate) },
       effortRuleSet: { findUnique: vi.fn().mockResolvedValue(ruleSet) },
       estimateDemandLine: {
@@ -424,6 +424,7 @@ describe("effortRule.applyRules", () => {
         createMany: vi.fn().mockResolvedValue({ count: 1 }),
       },
       auditLog: { create: vi.fn().mockResolvedValue({}) },
+      $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
     };
 
     const caller = createManagerCaller(db);
@@ -444,7 +445,7 @@ describe("effortRule.applyRules", () => {
   it("does not delete existing lines in append mode", async () => {
     const estimate = makeEstimate("WORKING", [{ id: "dl_old" }]);
     const ruleSet = sampleRuleSet();
-    const db = {
+    const db: Record<string, unknown> = {
       estimate: { findUnique: vi.fn().mockResolvedValue(estimate) },
       effortRuleSet: { findUnique: vi.fn().mockResolvedValue(ruleSet) },
       estimateDemandLine: {
@@ -452,6 +453,7 @@ describe("effortRule.applyRules", () => {
         createMany: vi.fn().mockResolvedValue({ count: 1 }),
       },
       auditLog: { create: vi.fn().mockResolvedValue({}) },
+      $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
     };
 
     const caller = createManagerCaller(db);
@@ -513,7 +515,7 @@ describe("effortRule.applyRules", () => {
   it("creates demand lines with correct metadata shape", async () => {
     const estimate = makeEstimate("WORKING");
     const ruleSet = sampleRuleSet();
-    const db = {
+    const db: Record<string, unknown> = {
       estimate: { findUnique: vi.fn().mockResolvedValue(estimate) },
       effortRuleSet: { findUnique: vi.fn().mockResolvedValue(ruleSet) },
       estimateDemandLine: {
@@ -521,6 +523,7 @@ describe("effortRule.applyRules", () => {
         createMany: vi.fn().mockResolvedValue({ count: 1 }),
       },
       auditLog: { create: vi.fn().mockResolvedValue({}) },
+      $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
     };
 
     const caller = createManagerCaller(db);

packages/api/src/__tests__/estimate-router.test.ts

@@ -434,9 +434,10 @@ describe("estimate router", () => {
       const estimateCreate = vi.fn().mockResolvedValue(created);
       const auditLogCreate = vi.fn().mockResolvedValue({});
 
-      const db = {
+      const db: Record<string, unknown> = {
         estimate: { create: estimateCreate },
         auditLog: { create: auditLogCreate },
+        $transaction: vi.fn(async (callback: (tx: unknown) => unknown) => callback(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -474,10 +475,11 @@ describe("estimate router", () => {
       });
       const auditLogCreate = vi.fn().mockResolvedValue({});
 
-      const db = {
+      const db: Record<string, unknown> = {
         estimate: { create: estimateCreate },
         project: { findUnique: projectFindUnique },
         auditLog: { create: auditLogCreate },
+        $transaction: vi.fn(async (callback: (tx: unknown) => unknown) => callback(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -699,7 +701,7 @@ describe("estimate router", () => {
       const updateEstimate = vi.fn().mockResolvedValue({});
       const auditLogCreate = vi.fn().mockResolvedValue({});
 
-      const db = {
+      const db: Record<string, unknown> = {
         estimate: {
           findUnique,
           update: updateEstimate,
@@ -709,13 +711,8 @@ describe("estimate router", () => {
           update: updateVersion,
         },
         auditLog: { create: auditLogCreate },
-        $transaction: vi.fn(async (callback: (tx: unknown) => unknown) =>
-          callback({
-            estimateVersion: { updateMany, update: updateVersion },
-            estimate: { update: updateEstimate },
-          }),
-        ),
       };
+      db["$transaction"] = vi.fn(async (callback: (tx: unknown) => unknown) => callback(db));
 
       const caller = createManagerCaller(db);
       const result = await caller.submitVersion({ estimateId: "est_1" });
@@ -803,7 +800,7 @@ describe("estimate router", () => {
       const updateEstimate = vi.fn().mockResolvedValue({});
       const auditLogCreate = vi.fn().mockResolvedValue({});
 
-      const db = {
+      const db: Record<string, unknown> = {
         estimate: {
           findUnique,
           update: updateEstimate,
@@ -813,13 +810,8 @@ describe("estimate router", () => {
           update: updateVersion,
         },
         auditLog: { create: auditLogCreate },
-        $transaction: vi.fn(async (callback: (tx: unknown) => unknown) =>
-          callback({
-            estimateVersion: { updateMany, update: updateVersion },
-            estimate: { update: updateEstimate },
-          }),
-        ),
       };
+      db["$transaction"] = vi.fn(async (callback: (tx: unknown) => unknown) => callback(db));
 
       const caller = createManagerCaller(db);
       const result = await caller.approveVersion({ estimateId: "est_1" });
@@ -903,7 +895,7 @@ describe("estimate router", () => {
       const updateEstimate = vi.fn().mockResolvedValue({});
       const auditLogCreate = vi.fn().mockResolvedValue({});
 
-      const db = {
+      const db: Record<string, unknown> = {
         estimate: {
           findUnique,
           update: updateEstimate,
@@ -915,18 +907,8 @@ describe("estimate router", () => {
         resourceCostSnapshot: { createMany: createSnapshots },
         estimateMetric: { createMany: createMetrics },
         auditLog: { create: auditLogCreate },
-        $transaction: vi.fn(async (callback: (tx: unknown) => unknown) =>
-          callback({
-            estimateVersion: { create: createVersion },
-            estimateAssumption: { createMany: createAssumptions },
-            scopeItem: { create: createScopeItem },
-            estimateDemandLine: { createMany: createDemandLines },
-            resourceCostSnapshot: { createMany: createSnapshots },
-            estimateMetric: { createMany: createMetrics },
-            estimate: { update: updateEstimate },
-          }),
-        ),
       };
+      db["$transaction"] = vi.fn(async (callback: (tx: unknown) => unknown) => callback(db));
 
       const caller = createManagerCaller(db);
       const result = await caller.createRevision({ estimateId: "est_1" });
@@ -1008,12 +990,13 @@ describe("estimate router", () => {
       const estimateCreate = vi.fn().mockResolvedValue(cloned);
       const auditLogCreate = vi.fn().mockResolvedValue({});
 
-      const db = {
+      const db: Record<string, unknown> = {
         estimate: {
           findUnique: estimateFindUnique,
           create: estimateCreate,
         },
         auditLog: { create: auditLogCreate },
+        $transaction: vi.fn(async (callback: (tx: unknown) => unknown) => callback(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -1026,9 +1009,10 @@ describe("estimate router", () => {
     it("throws NOT_FOUND when source estimate does not exist", async () => {
       const findUnique = vi.fn().mockResolvedValue(null);
 
-      const db = {
+      const db: Record<string, unknown> = {
         estimate: { findUnique },
         auditLog: { create: vi.fn() },
+        $transaction: vi.fn(async (callback: (tx: unknown) => unknown) => callback(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -1130,10 +1114,11 @@ describe("estimate router", () => {
       const updateVersion = vi.fn().mockResolvedValue({});
       const auditLogCreate = vi.fn().mockResolvedValue({});
 
-      const db = {
+      const db: Record<string, unknown> = {
         estimate: { findUnique: estimateFindUnique },
         estimateVersion: { update: updateVersion },
         auditLog: { create: auditLogCreate },
+        $transaction: vi.fn(async (callback: (tx: unknown) => unknown) => callback(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -1279,10 +1264,11 @@ describe("estimate router", () => {
       const createExport = vi.fn().mockResolvedValue({ id: "exp_1" });
       const auditLogCreate = vi.fn().mockResolvedValue({});
 
-      const db = {
+      const db: Record<string, unknown> = {
         estimate: { findUnique: estimateFindUnique },
         estimateExport: { create: createExport },
         auditLog: { create: auditLogCreate },
+        $transaction: vi.fn(async (callback: (tx: unknown) => unknown) => callback(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -1300,10 +1286,11 @@ describe("estimate router", () => {
     it("throws NOT_FOUND when estimate does not exist", async () => {
       const findUnique = vi.fn().mockResolvedValue(null);
 
-      const db = {
+      const db: Record<string, unknown> = {
         estimate: { findUnique },
         estimateExport: { create: vi.fn() },
         auditLog: { create: vi.fn() },
+        $transaction: vi.fn(async (callback: (tx: unknown) => unknown) => callback(db)),
       };
 
       const caller = createManagerCaller(db);

packages/api/src/__tests__/experience-multiplier-procedure-support.test.ts

@@ -165,7 +165,7 @@ describe("experience multiplier procedure support", () => {
     const update = vi.fn().mockResolvedValue({});
     const auditCreate = vi.fn().mockResolvedValue({});
 
-    const result = await applyExperienceMultiplierRules(createManagerContext({
+    const db: Record<string, unknown> = {
       estimate: {
         findUnique: vi.fn().mockResolvedValue({
           id: "est_1",
@@ -199,7 +199,10 @@ describe("experience multiplier procedure support", () => {
       auditLog: {
         create: auditCreate,
       },
-    }), {
+      $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
+    };
+
+    const result = await applyExperienceMultiplierRules(createManagerContext(db), {
       estimateId: "est_1",
       multiplierSetId: "ems_1",
     });

packages/api/src/__tests__/experience-multiplier-router.test.ts

@@ -462,13 +462,14 @@ describe("experienceMultiplier.applyRules", () => {
   it("updates demand lines with adjusted rates and creates audit log", async () => {
     const estimate = makeEstimate("WORKING");
     const multiplierSet = sampleMultiplierSet();
-    const db = {
+    const db: Record<string, unknown> = {
       estimate: { findUnique: vi.fn().mockResolvedValue(estimate) },
       experienceMultiplierSet: { findUnique: vi.fn().mockResolvedValue(multiplierSet) },
       estimateDemandLine: {
         update: vi.fn().mockResolvedValue({}),
       },
       auditLog: { create: vi.fn().mockResolvedValue({}) },
+      $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
     };
 
     const caller = createManagerCaller(db);
@@ -528,13 +529,14 @@ describe("experienceMultiplier.applyRules", () => {
 
     const estimate = makeEstimate("WORKING");
     const multiplierSet = sampleMultiplierSet();
-    const db = {
+    const db: Record<string, unknown> = {
       estimate: { findUnique: vi.fn().mockResolvedValue(estimate) },
       experienceMultiplierSet: { findUnique: vi.fn().mockResolvedValue(multiplierSet) },
       estimateDemandLine: {
         update: vi.fn(),
       },
       auditLog: { create: vi.fn().mockResolvedValue({}) },
+      $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
     };
 
     const caller = createManagerCaller(db);
@@ -544,7 +546,7 @@ describe("experienceMultiplier.applyRules", () => {
     });
 
     expect(result.linesUpdated).toBe(0);
-    expect(db.estimateDemandLine.update).not.toHaveBeenCalled();
+    expect((db.estimateDemandLine as Record<string, ReturnType<typeof vi.fn>>).update).not.toHaveBeenCalled();
   });
 
   it("rejects applying to a non-WORKING version", async () => {
@@ -613,13 +615,14 @@ describe("experienceMultiplier.applyRules", () => {
     });
     const estimate = makeEstimate("WORKING", [lineWithMetadata]);
     const multiplierSet = sampleMultiplierSet();
-    const db = {
+    const db: Record<string, unknown> = {
       estimate: { findUnique: vi.fn().mockResolvedValue(estimate) },
       experienceMultiplierSet: { findUnique: vi.fn().mockResolvedValue(multiplierSet) },
       estimateDemandLine: {
         update: vi.fn().mockResolvedValue({}),
       },
       auditLog: { create: vi.fn().mockResolvedValue({}) },
+      $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
     };
 
     const caller = createManagerCaller(db);

packages/api/src/__tests__/import-export-procedure-support.test.ts

@@ -133,20 +133,19 @@ describe("import-export procedure support", () => {
       .mockResolvedValueOnce(null);
     const resourceUpdate = vi.fn().mockResolvedValue({ id: "res_1" });
     const auditCreate = vi.fn().mockResolvedValue({ id: "audit_1" });
+    const db: Record<string, unknown> = {
+      resource: {
+        findFirst: resourceFindFirst,
+        update: resourceUpdate,
+      },
+      auditLog: {
+        create: auditCreate,
+      },
+      $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
+    };
 
     const result = await importCsv(
-      createContext(
+      createContext(db, [PermissionKey.IMPORT_DATA]),
-        {
-          resource: {
-            findFirst: resourceFindFirst,
-            update: resourceUpdate,
-          },
-          auditLog: {
-            create: auditCreate,
-          },
-        },
-        [PermissionKey.IMPORT_DATA],
-      ),
       {
         entityType: "resources",
         rows: [

packages/api/src/__tests__/import-export-router.test.ts

@@ -73,17 +73,19 @@ describe("import-export router", () => {
     });
     const resourceUpdate = vi.fn().mockResolvedValue({ id: "res_1" });
     const auditCreate = vi.fn().mockResolvedValue({ id: "audit_1" });
+    const importDb: Record<string, unknown> = {
+      resource: {
+        findFirst: resourceFindFirst,
+        update: resourceUpdate,
+      },
+      auditLog: {
+        create: auditCreate,
+      },
+    };
+    importDb["$transaction"] = vi.fn(async (fn: (tx: unknown) => unknown) => fn(importDb));
 
     const caller = createProtectedCaller(
-      {
+      importDb,
-        resource: {
-          findFirst: resourceFindFirst,
-          update: resourceUpdate,
-        },
-        auditLog: {
-          create: auditCreate,
-        },
-      },
       {
         role: SystemRole.MANAGER,
         granted: [PermissionKey.IMPORT_DATA],

packages/api/src/__tests__/project-router.test.ts

@@ -221,13 +221,14 @@ describe("project router", () => {
   describe("create", () => {
     it("creates a project and returns its id", async () => {
       const created = { ...sampleProject, id: "project_new" };
-      const db = {
+      const db: Record<string, unknown> = {
         project: {
           findUnique: vi.fn().mockResolvedValue(null), // no shortCode conflict
           create: vi.fn().mockResolvedValue(created),
         },
         auditLog: { create: vi.fn().mockResolvedValue({}) },
         webhook: { findMany: vi.fn().mockResolvedValue([]) },
+        $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -253,13 +254,14 @@ describe("project router", () => {
       vi.mocked(dispatchWebhooks).mockRejectedValueOnce(new Error("webhook unavailable"));
 
       const created = { ...sampleProject, id: "project_safe_create" };
-      const db = {
+      const db: Record<string, unknown> = {
         project: {
           findUnique: vi.fn().mockResolvedValue(null),
           create: vi.fn().mockResolvedValue(created),
         },
         auditLog: { create: vi.fn().mockResolvedValue({}) },
         webhook: { findMany: vi.fn().mockResolvedValue([]) },
+        $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -451,12 +453,13 @@ describe("project router", () => {
   describe("update", () => {
     it("updates project fields", async () => {
       const updated = { ...sampleProject, name: "Updated Name" };
-      const db = {
+      const db: Record<string, unknown> = {
         project: {
           findUnique: vi.fn().mockResolvedValue(sampleProject),
           update: vi.fn().mockResolvedValue(updated),
         },
         auditLog: { create: vi.fn().mockResolvedValue({}) },
+        $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -558,14 +561,12 @@ describe("project router", () => {
 
   describe("batchUpdateStatus", () => {
     it("updates multiple projects and returns count", async () => {
-      const db = {
+      const db: Record<string, unknown> = {
         project: {
           update: vi.fn().mockResolvedValue(sampleProject),
         },
         auditLog: { create: vi.fn().mockResolvedValue({}) },
-        $transaction: vi.fn((calls: unknown[]) =>
+        $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
-          Promise.all((calls as Promise<unknown>[]).map(() => sampleProject)),
-        ),
       };
 
       const caller = createManagerCaller(db);
@@ -575,7 +576,7 @@ describe("project router", () => {
       });
 
       expect(result.count).toBe(3);
-      expect(db.auditLog.create).toHaveBeenCalled();
+      expect((db.auditLog as Record<string, ReturnType<typeof vi.fn>>).create).toHaveBeenCalled();
     });
   });
 

packages/api/src/__tests__/resource-router-crud.test.ts

@@ -328,12 +328,13 @@ describe("resource router CRUD", () => {
   describe("create", () => {
     it("creates a resource and returns it", async () => {
       const created = { ...sampleResource, id: "res_new", resourceRoles: [] };
-      const db = {
+      const db: Record<string, unknown> = {
         resource: {
           findFirst: vi.fn().mockResolvedValue(null),
           create: vi.fn().mockResolvedValue(created),
         },
         auditLog: { create: vi.fn().mockResolvedValue({}) },
+        $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -399,13 +400,14 @@ describe("resource router CRUD", () => {
   describe("update", () => {
     it("updates resource fields", async () => {
       const updated = { ...sampleResource, displayName: "Alice Updated" };
-      const db = {
+      const db: Record<string, unknown> = {
         resource: {
           findUnique: vi.fn().mockResolvedValue(sampleResource),
           update: vi.fn().mockResolvedValue(updated),
         },
         resourceRole: { deleteMany: vi.fn().mockResolvedValue({ count: 0 }) },
         auditLog: { create: vi.fn().mockResolvedValue({}) },
+        $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -443,11 +445,12 @@ describe("resource router CRUD", () => {
   describe("deactivate", () => {
     it("sets isActive to false", async () => {
       const deactivated = { ...sampleResource, isActive: false };
-      const db = {
+      const db: Record<string, unknown> = {
         resource: {
           update: vi.fn().mockResolvedValue(deactivated),
         },
         auditLog: { create: vi.fn().mockResolvedValue({}) },
+        $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -469,12 +472,13 @@ describe("resource router CRUD", () => {
         .fn()
         .mockResolvedValueOnce({ ...sampleResource, id: "res_1", isActive: false })
         .mockResolvedValueOnce({ ...sampleResource, id: "res_2", isActive: false });
-      const db = {
+      const auditCreate = vi.fn().mockResolvedValue({});
+      const db: Record<string, unknown> = {
         resource: {
           update,
         },
-        $transaction: vi.fn(async (operations: Promise<unknown>[]) => Promise.all(operations)),
+        auditLog: { create: auditCreate },
-        auditLog: { create: vi.fn().mockResolvedValue({}) },
+        $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
       };
 
       const caller = createManagerCaller(db);
@@ -482,7 +486,7 @@ describe("resource router CRUD", () => {
 
       expect(result).toEqual({ count: 2 });
       expect(db.$transaction).toHaveBeenCalledTimes(1);
-      expect(db.auditLog.create).toHaveBeenCalledWith(
+      expect(auditCreate).toHaveBeenCalledWith(
         expect.objectContaining({
           data: expect.objectContaining({
             entityType: "Resource",

packages/api/src/__tests__/role-procedure-support.test.ts

@@ -222,7 +222,7 @@ describe("role procedure support", () => {
       color: "#111111",
       _count: { resourceRoles: 2 },
     };
-    const db = {
+    const db: Record<string, unknown> = {
       role: {
         findUnique: vi.fn().mockResolvedValue(null),
         create: vi.fn().mockResolvedValue(role),
@@ -230,6 +230,7 @@ describe("role procedure support", () => {
       auditLog: {
         create: vi.fn().mockResolvedValue(undefined),
       },
+      $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
     };
 
     const result = await createRole(createContext(db), {
@@ -300,7 +301,7 @@ describe("role procedure support", () => {
       isActive: true,
       _count: { resourceRoles: 1 },
     };
-    const db = {
+    const db: Record<string, unknown> = {
       role: {
         findUnique: vi.fn()
           .mockResolvedValueOnce(existing)
@@ -312,6 +313,7 @@ describe("role procedure support", () => {
       auditLog: {
         create: vi.fn().mockResolvedValue(undefined),
       },
+      $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
     };
 
     const result = await updateRole(createContext(db), UpdateRoleProcedureInputSchema.parse({
@@ -371,7 +373,7 @@ describe("role procedure support", () => {
     countPlanningEntries.mockResolvedValue({
       countsByRoleId: new Map([["role_fx", 4]]),
     });
-    const db = {
+    const db: Record<string, unknown> = {
       role: {
         update: vi.fn().mockResolvedValue({
           id: "role_fx",
@@ -385,6 +387,7 @@ describe("role procedure support", () => {
       auditLog: {
         create: vi.fn().mockResolvedValue(undefined),
       },
+      $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
     };
 
     const result = await deactivateRole(createContext(db), RoleIdInputSchema.parse({ id: "role_fx" }));

packages/api/src/__tests__/role-router-auth.test.ts

@@ -143,15 +143,14 @@ describe("role router authorization", () => {
       // planningEntry count queries (attachZeroAllocationCount path)
       const planningEntryFindMany = vi.fn().mockResolvedValue([]);
 
+      const db: Record<string, unknown> = {
+        role: { create: roleCreate, findUnique: roleFindUnique },
+        auditLog: { create: auditLogCreate },
+        planningEntry: { findMany: planningEntryFindMany },
+        $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(db)),
+      };
       const caller = createCaller(
-        createContext(
+        createContext(db, { role: SystemRole.MANAGER }),
-          {
-            role: { create: roleCreate, findUnique: roleFindUnique },
-            auditLog: { create: auditLogCreate },
-            planningEntry: { findMany: planningEntryFindMany },
-          },
-          { role: SystemRole.MANAGER },
-        ),
       );
 
       // Should not throw UNAUTHORIZED or FORBIDDEN
@@ -180,19 +179,18 @@ describe("role router authorization", () => {
       const demandRequirementFindMany = vi.fn().mockResolvedValue([]);
       const assignmentFindMany = vi.fn().mockResolvedValue([]);
 
+      const adminDb: Record<string, unknown> = {
+        role: {
+          findUnique: roleFindUnique,
+          delete: roleDelete,
+        },
+        auditLog: { create: auditLogCreate },
+        demandRequirement: { findMany: demandRequirementFindMany },
+        assignment: { findMany: assignmentFindMany },
+        $transaction: vi.fn(async (fn: (tx: unknown) => unknown) => fn(adminDb)),
+      };
       const caller = createCaller(
-        createContext(
+        createContext(adminDb, { role: SystemRole.ADMIN }),
-          {
-            role: {
-              findUnique: roleFindUnique,
-              delete: roleDelete,
-            },
-            auditLog: { create: auditLogCreate },
-            demandRequirement: { findMany: demandRequirementFindMany },
-            assignment: { findMany: assignmentFindMany },
-          },
-          { role: SystemRole.ADMIN },
-        ),
       );
 
       const result = await caller.delete({ id: "role_1" });

packages/api/src/router/allocation/assignment-mutations.ts

@@ -302,16 +302,16 @@ export async function batchUpdateAllocationStatusWithAudit(
       ).allocation),
     );
 
-    return updatedAllocations;
+    await tx.auditLog.create({
-  });
+      data: {
+        entityType: "Allocation",
+        entityId: input.ids.join(","),
+        action: "UPDATE",
+        changes: { after: { status: input.status, ids: input.ids } },
+      },
+    });
 
-  await db.auditLog.create({
+    return updatedAllocations;
-    data: {
-      entityType: "Allocation",
-      entityId: input.ids.join(","),
-      action: "UPDATE",
-      changes: { after: { status: input.status, ids: input.ids } },
-    },
   });
 
   return updated;

packages/api/src/router/effort-rule-procedure-support.ts

@@ -238,41 +238,43 @@ export async function applyEffortRules(
   const rules = toEffortRuleEngineInputs(ruleSet.rules);
   const result = expandScopeToEffort(scopeItems, rules);
 
-  if (input.mode === "replace") {
+  await ctx.db.$transaction(async (tx) => {
-    await ctx.db.estimateDemandLine.deleteMany({
+    if (input.mode === "replace") {
-      where: { estimateVersionId: version.id },
+      await tx.estimateDemandLine.deleteMany({
-    });
+        where: { estimateVersionId: version.id },
-  }
+      });
+    }
 
-  if (result.lines.length > 0) {
+    if (result.lines.length > 0) {
-    await ctx.db.estimateDemandLine.createMany({
+      await tx.estimateDemandLine.createMany({
-      data: buildEstimateDemandLineRows({
+        data: buildEstimateDemandLineRows({
-        estimateVersionId: version.id,
+          estimateVersionId: version.id,
-        currency: estimate.baseCurrency,
+          currency: estimate.baseCurrency,
-        ruleSet: { id: ruleSet.id, name: ruleSet.name },
+          ruleSet: { id: ruleSet.id, name: ruleSet.name },
-        lines: result.lines,
+          lines: result.lines,
-      }),
+        }),
-    });
+      });
-  }
+    }
 
-  await ctx.db.auditLog.create({
+    await tx.auditLog.create({
-    data: {
+      data: {
-      entityType: "Estimate",
+        entityType: "Estimate",
-      entityId: estimate.id,
+        entityId: estimate.id,
-      action: "UPDATE",
+        action: "UPDATE",
-      ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
+        ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
-      changes: {
+        changes: {
-        after: {
+          after: {
-          effortRulesApplied: {
+            effortRulesApplied: {
-            ruleSetId: ruleSet.id,
+              ruleSetId: ruleSet.id,
-            ruleSetName: ruleSet.name,
+              ruleSetName: ruleSet.name,
-            mode: input.mode,
+              mode: input.mode,
-            linesGenerated: result.lines.length,
+              linesGenerated: result.lines.length,
-            warnings: result.warnings,
+              warnings: result.warnings,
+            },
           },
         },
       },
-    },
+    });
   });
 
   return {

packages/api/src/router/estimate-commercial.ts

@@ -65,22 +65,24 @@ export const estimateCommercialProcedures = {
 
       const validated = CommercialTermsSchema.parse(input.terms);
 
-      await ctx.db.estimateVersion.update({
+      await ctx.db.$transaction(async (tx) => {
-        where: { id: version.id },
+        await tx.estimateVersion.update({
-        data: { commercialTerms: validated as unknown as Prisma.InputJsonValue },
+          where: { id: version.id },
-      });
+          data: { commercialTerms: validated as unknown as Prisma.InputJsonValue },
+        });
 
-      await ctx.db.auditLog.create({
+        await tx.auditLog.create({
-        data: {
+          data: {
-          entityType: "Estimate",
+            entityType: "Estimate",
-          entityId: estimate.id,
+            entityId: estimate.id,
-          action: "UPDATE",
+            action: "UPDATE",
-          ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
+            ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
-          changes: {
+            changes: {
-            field: "commercialTerms",
+              field: "commercialTerms",
-            after: validated,
+              after: validated,
-          } as Prisma.InputJsonValue,
+            } as Prisma.InputJsonValue,
-        },
+          },
+        });
       });
 
       return { versionId: version.id, terms: validated };

packages/api/src/router/estimate-procedure-support.ts

@@ -100,28 +100,32 @@ export async function createEstimateRecord(
     await autoFillDemandLineRates(ctx.db, input.demandLines, input.projectId);
   const enrichedInput = { ...input, demandLines: enrichedLines };
 
-  const estimate = await createEstimate(
+  const estimate = await ctx.db.$transaction(async (tx) => {
-    ctx.db as unknown as Parameters<typeof createEstimate>[0],
+    const created = await createEstimate(
-    withComputedMetrics(enrichedInput, input.baseCurrency),
+      tx as unknown as Parameters<typeof createEstimate>[0],
-  );
+      withComputedMetrics(enrichedInput, input.baseCurrency),
+    );
 
-  await ctx.db.auditLog.create({
+    await tx.auditLog.create({
-    data: {
+      data: {
-      entityType: "Estimate",
+        entityType: "Estimate",
-      entityId: estimate.id,
+        entityId: created.id,
-      action: "CREATE",
+        action: "CREATE",
-      ...withAuditUser(ctx.dbUser?.id),
+        ...withAuditUser(ctx.dbUser?.id),
-      changes: {
+        changes: {
-        after: {
+          after: {
-          id: estimate.id,
+            id: created.id,
-          name: estimate.name,
+            name: created.name,
-          status: estimate.status,
+            status: created.status,
-          projectId: estimate.projectId,
+            projectId: created.projectId,
-          latestVersionNumber: estimate.latestVersionNumber,
+            latestVersionNumber: created.latestVersionNumber,
-          autoFilledRateCardLines: autoFilledIndices.length,
+            autoFilledRateCardLines: autoFilledIndices.length,
-        },
+          },
-      } as Prisma.InputJsonValue,
+        } as Prisma.InputJsonValue,
-    },
+      },
+    });
+
+    return created;
   });
 
   return estimate;
@@ -133,10 +137,30 @@ export async function cloneEstimateRecord(
 ) {
   let estimate;
   try {
-    estimate = await cloneEstimate(
+    estimate = await ctx.db.$transaction(async (tx) => {
-      ctx.db as unknown as Parameters<typeof cloneEstimate>[0],
+      const cloned = await cloneEstimate(
-      input,
+        tx as unknown as Parameters<typeof cloneEstimate>[0],
-    );
+        input,
+      );
+
+      await tx.auditLog.create({
+        data: {
+          entityType: "Estimate",
+          entityId: cloned.id,
+          action: "CREATE",
+          ...withAuditUser(ctx.dbUser?.id),
+          changes: {
+            after: {
+              id: cloned.id,
+              name: cloned.name,
+              clonedFrom: input.sourceEstimateId,
+            },
+          } as Prisma.InputJsonValue,
+        },
+      });
+
+      return cloned;
+    });
   } catch (error) {
     rethrowEstimateRouterError(error, [
       {
@@ -146,22 +170,6 @@ export async function cloneEstimateRecord(
     ]);
   }
 
-  await ctx.db.auditLog.create({
-    data: {
-      entityType: "Estimate",
-      entityId: estimate.id,
-      action: "CREATE",
-      ...withAuditUser(ctx.dbUser?.id),
-      changes: {
-        after: {
-          id: estimate.id,
-          name: estimate.name,
-          clonedFrom: input.sourceEstimateId,
-        },
-      } as Prisma.InputJsonValue,
-    },
-  });
-
   return estimate;
 }
 
@@ -194,10 +202,35 @@ export async function updateEstimateDraftRecord(
 
   let estimate;
   try {
-    estimate = await updateEstimateDraft(
+    estimate = await ctx.db.$transaction(async (tx) => {
-      ctx.db as unknown as Parameters<typeof updateEstimateDraft>[0],
+      const updated = await updateEstimateDraft(
-      withComputedMetrics(enrichedInput, input.baseCurrency ?? "EUR"),
+        tx as unknown as Parameters<typeof updateEstimateDraft>[0],
-    );
+        withComputedMetrics(enrichedInput, input.baseCurrency ?? "EUR"),
+      );
+
+      await tx.auditLog.create({
+        data: {
+          entityType: "Estimate",
+          entityId: updated.id,
+          action: "UPDATE",
+          ...withAuditUser(ctx.dbUser?.id),
+          changes: {
+            after: {
+              id: updated.id,
+              name: updated.name,
+              status: updated.status,
+              latestVersionNumber: updated.latestVersionNumber,
+              workingVersionId: updated.versions.find(
+                (version) => version.status === "WORKING",
+              )?.id,
+              autoFilledRateCardLines: autoFilledIndices.length,
+            },
+          } as Prisma.InputJsonValue,
+        },
+      });
+
+      return updated;
+    });
   } catch (error) {
     rethrowEstimateRouterError(error, [
       {
@@ -211,27 +244,6 @@ export async function updateEstimateDraftRecord(
     ]);
   }
 
-  await ctx.db.auditLog.create({
-    data: {
-      entityType: "Estimate",
-      entityId: estimate.id,
-      action: "UPDATE",
-      ...withAuditUser(ctx.dbUser?.id),
-      changes: {
-        after: {
-          id: estimate.id,
-          name: estimate.name,
-          status: estimate.status,
-          latestVersionNumber: estimate.latestVersionNumber,
-          workingVersionId: estimate.versions.find(
-            (version) => version.status === "WORKING",
-          )?.id,
-          autoFilledRateCardLines: autoFilledIndices.length,
-        },
-      } as Prisma.InputJsonValue,
-    },
-  });
-
   return estimate;
 }
 
@@ -241,10 +253,35 @@ export async function createEstimateExportRecord(
 ) {
   let estimate;
   try {
-    estimate = await createEstimateExport(
+    estimate = await ctx.db.$transaction(async (tx) => {
-      ctx.db as unknown as Parameters<typeof createEstimateExport>[0],
+      const exported = await createEstimateExport(
-      input,
+        tx as unknown as Parameters<typeof createEstimateExport>[0],
-    );
+        input,
+      );
+
+      const exportedVersion = input.versionId
+        ? exported.versions.find((version) => version.id === input.versionId)
+        : exported.versions[0];
+
+      await tx.auditLog.create({
+        data: {
+          entityType: "Estimate",
+          entityId: exported.id,
+          action: "UPDATE",
+          ...withAuditUser(ctx.dbUser?.id),
+          changes: {
+            after: {
+              id: exported.id,
+              exportFormat: input.format,
+              exportCount: exportedVersion?.exports.length ?? null,
+              versionId: exportedVersion?.id ?? null,
+            },
+          } as Prisma.InputJsonValue,
+        },
+      });
+
+      return exported;
+    });
   } catch (error) {
     rethrowEstimateRouterError(error, [
       {
@@ -258,27 +295,6 @@ export async function createEstimateExportRecord(
     ]);
   }
 
-  const exportedVersion = input.versionId
-    ? estimate.versions.find((version) => version.id === input.versionId)
-    : estimate.versions[0];
-
-  await ctx.db.auditLog.create({
-    data: {
-      entityType: "Estimate",
-      entityId: estimate.id,
-      action: "UPDATE",
-      ...withAuditUser(ctx.dbUser?.id),
-      changes: {
-        after: {
-          id: estimate.id,
-          exportFormat: input.format,
-          exportCount: exportedVersion?.exports.length ?? null,
-          versionId: exportedVersion?.id ?? null,
-        },
-      } as Prisma.InputJsonValue,
-    },
-  });
-
   return estimate;
 }
 
@@ -288,10 +304,36 @@ export async function createEstimatePlanningHandoffRecord(
 ) {
   let result;
   try {
-    result = await createEstimatePlanningHandoff(
+    result = await ctx.db.$transaction(async (tx) => {
-      ctx.db as unknown as Parameters<typeof createEstimatePlanningHandoff>[0],
+      const handoff = await createEstimatePlanningHandoff(
-      input,
+        tx as unknown as Parameters<typeof createEstimatePlanningHandoff>[0],
-    );
+        input,
+      );
+
+      await tx.auditLog.create({
+        data: {
+          entityType: "Estimate",
+          entityId: handoff.estimateId,
+          action: "UPDATE",
+          ...withAuditUser(ctx.dbUser?.id),
+          changes: {
+            after: {
+              planningHandoff: {
+                versionId: handoff.estimateVersionId,
+                versionNumber: handoff.estimateVersionNumber,
+                projectId: handoff.projectId,
+                createdCount: handoff.createdCount,
+                assignedCount: handoff.assignedCount,
+                placeholderCount: handoff.placeholderCount,
+                fallbackPlaceholderCount: handoff.fallbackPlaceholderCount,
+              },
+            },
+          } as Prisma.InputJsonValue,
+        },
+      });
+
+      return handoff;
+    });
   } catch (error) {
     rethrowEstimateRouterError(error, [
       {
@@ -319,28 +361,6 @@ export async function createEstimatePlanningHandoffRecord(
     ]);
   }
 
-  await ctx.db.auditLog.create({
-    data: {
-      entityType: "Estimate",
-      entityId: result.estimateId,
-      action: "UPDATE",
-      ...withAuditUser(ctx.dbUser?.id),
-      changes: {
-        after: {
-          planningHandoff: {
-            versionId: result.estimateVersionId,
-            versionNumber: result.estimateVersionNumber,
-            projectId: result.projectId,
-            createdCount: result.createdCount,
-            assignedCount: result.assignedCount,
-            placeholderCount: result.placeholderCount,
-            fallbackPlaceholderCount: result.fallbackPlaceholderCount,
-          },
-        },
-      } as Prisma.InputJsonValue,
-    },
-  });
-
   for (const allocation of result.allocations) {
     emitAllocationCreated({
       id: allocation.id,

packages/api/src/router/estimate-version-workflow.ts

@@ -21,10 +21,32 @@ export const estimateVersionWorkflowProcedures = {
 
       let estimate;
       try {
-        estimate = await submitEstimateVersion(
+        estimate = await ctx.db.$transaction(async (tx) => {
-          ctx.db as unknown as Parameters<typeof submitEstimateVersion>[0],
+          const submitted = await submitEstimateVersion(
-          input,
+            tx as unknown as Parameters<typeof submitEstimateVersion>[0],
-        );
+            input,
+          );
+
+          await tx.auditLog.create({
+            data: {
+              entityType: "Estimate",
+              entityId: submitted.id,
+              action: "UPDATE",
+              ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
+              changes: {
+                after: {
+                  id: submitted.id,
+                  status: submitted.status,
+                  submittedVersionId: submitted.versions.find(
+                    (version) => version.status === "SUBMITTED",
+                  )?.id,
+                },
+              } as Prisma.InputJsonValue,
+            },
+          });
+
+          return submitted;
+        });
       } catch (error) {
         rethrowEstimateRouterError(error, [
           {
@@ -41,24 +63,6 @@ export const estimateVersionWorkflowProcedures = {
         ]);
       }
 
-      await ctx.db.auditLog.create({
-        data: {
-          entityType: "Estimate",
-          entityId: estimate.id,
-          action: "UPDATE",
-          ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
-          changes: {
-            after: {
-              id: estimate.id,
-              status: estimate.status,
-              submittedVersionId: estimate.versions.find(
-                (version) => version.status === "SUBMITTED",
-              )?.id,
-            },
-          } as Prisma.InputJsonValue,
-        },
-      });
-
       return estimate;
     }),
 
@@ -69,10 +73,32 @@ export const estimateVersionWorkflowProcedures = {
 
       let estimate;
       try {
-        estimate = await approveEstimateVersion(
+        estimate = await ctx.db.$transaction(async (tx) => {
-          ctx.db as unknown as Parameters<typeof approveEstimateVersion>[0],
+          const approved = await approveEstimateVersion(
-          input,
+            tx as unknown as Parameters<typeof approveEstimateVersion>[0],
-        );
+            input,
+          );
+
+          await tx.auditLog.create({
+            data: {
+              entityType: "Estimate",
+              entityId: approved.id,
+              action: "UPDATE",
+              ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
+              changes: {
+                after: {
+                  id: approved.id,
+                  status: approved.status,
+                  approvedVersionId: approved.versions.find(
+                    (version) => version.status === "APPROVED",
+                  )?.id,
+                },
+              } as Prisma.InputJsonValue,
+            },
+          });
+
+          return approved;
+        });
       } catch (error) {
         rethrowEstimateRouterError(error, [
           {
@@ -89,24 +115,6 @@ export const estimateVersionWorkflowProcedures = {
         ]);
       }
 
-      await ctx.db.auditLog.create({
-        data: {
-          entityType: "Estimate",
-          entityId: estimate.id,
-          action: "UPDATE",
-          ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
-          changes: {
-            after: {
-              id: estimate.id,
-              status: estimate.status,
-              approvedVersionId: estimate.versions.find(
-                (version) => version.status === "APPROVED",
-              )?.id,
-            },
-          } as Prisma.InputJsonValue,
-        },
-      });
-
       return estimate;
     }),
 
@@ -117,10 +125,33 @@ export const estimateVersionWorkflowProcedures = {
 
       let estimate;
       try {
-        estimate = await createEstimateRevision(
+        estimate = await ctx.db.$transaction(async (tx) => {
-          ctx.db as unknown as Parameters<typeof createEstimateRevision>[0],
+          const revision = await createEstimateRevision(
-          input,
+            tx as unknown as Parameters<typeof createEstimateRevision>[0],
-        );
+            input,
+          );
+
+          await tx.auditLog.create({
+            data: {
+              entityType: "Estimate",
+              entityId: revision.id,
+              action: "UPDATE",
+              ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
+              changes: {
+                after: {
+                  id: revision.id,
+                  status: revision.status,
+                  latestVersionNumber: revision.latestVersionNumber,
+                  workingVersionId: revision.versions.find(
+                    (version) => version.status === "WORKING",
+                  )?.id,
+                },
+              } as Prisma.InputJsonValue,
+            },
+          });
+
+          return revision;
+        });
       } catch (error) {
         rethrowEstimateRouterError(error, [
           {
@@ -138,25 +169,6 @@ export const estimateVersionWorkflowProcedures = {
         ]);
       }
 
-      await ctx.db.auditLog.create({
-        data: {
-          entityType: "Estimate",
-          entityId: estimate.id,
-          action: "UPDATE",
-          ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
-          changes: {
-            after: {
-              id: estimate.id,
-              status: estimate.status,
-              latestVersionNumber: estimate.latestVersionNumber,
-              workingVersionId: estimate.versions.find(
-                (version) => version.status === "WORKING",
-              )?.id,
-            },
-          } as Prisma.InputJsonValue,
-        },
-      });
-
       return estimate;
     }),
 };

packages/api/src/router/experience-multiplier-procedure-support.ts

@@ -275,42 +275,46 @@ export async function applyExperienceMultiplierRules(
   const inputs = demandLines.map((line) => buildExperienceMultiplierInput(line));
   const batch = applyExperienceMultipliersBatch(inputs, engineRules);
 
-  let updatedCount = 0;
+  const updatedCount = await ctx.db.$transaction(async (tx) => {
-  for (let i = 0; i < demandLines.length; i++) {
+    let count = 0;
-    const line = demandLines[i]!;
+    for (let i = 0; i < demandLines.length; i++) {
-    const result = batch.results[i]!;
+      const line = demandLines[i]!;
+      const result = batch.results[i]!;
 
-    if (hasExperienceMultiplierChanges(line, result)) {
+      if (hasExperienceMultiplierChanges(line, result)) {
-      await ctx.db.estimateDemandLine.update({
+        await tx.estimateDemandLine.update({
-        where: { id: line.id },
+          where: { id: line.id },
-        data: buildExperienceMultiplierDemandLineUpdateData({
+          data: buildExperienceMultiplierDemandLineUpdateData({
-          line,
+            line,
-          result,
+            result,
-          multiplierSet,
+            multiplierSet,
-        }),
+          }),
-      });
+        });
-      updatedCount++;
+        count++;
+      }
     }
-  }
 
-  await ctx.db.auditLog.create({
+    await tx.auditLog.create({
-    data: {
+      data: {
-      entityType: "Estimate",
+        entityType: "Estimate",
-      entityId: estimate.id,
+        entityId: estimate.id,
-      action: "UPDATE",
+        action: "UPDATE",
-      ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
+        ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
-      changes: {
+        changes: {
-        after: {
+          after: {
-          experienceMultipliersApplied: {
+            experienceMultipliersApplied: {
-            setId: multiplierSet.id,
+              setId: multiplierSet.id,
-            setName: multiplierSet.name,
+              setName: multiplierSet.name,
-            linesUpdated: updatedCount,
+              linesUpdated: count,
-            totalOriginalHours: batch.totalOriginalHours,
+              totalOriginalHours: batch.totalOriginalHours,
-            totalAdjustedHours: batch.totalAdjustedHours,
+              totalAdjustedHours: batch.totalAdjustedHours,
+            },
           },
         },
       },
-    },
+    });
+
+    return count;
   });
 
   return {

packages/api/src/router/import-export-procedure-support.ts

@@ -159,36 +159,38 @@ export async function importCsv(ctx: ImportExportMutationContext, input: ImportC
     return { ...results, message: `Dry run: ${input.rows.length} rows validated` };
   }
 
-  for (let index = 0; index < input.rows.length; index += 1) {
+  await ctx.db.$transaction(async (tx) => {
-    const row = input.rows[index];
+    for (let index = 0; index < input.rows.length; index += 1) {
-    if (!row) {
+      const row = input.rows[index];
-      continue;
+      if (!row) {
-    }
+        continue;
-
-    try {
-      if (input.entityType === "resources") {
-        const outcome = await importResourceRow(ctx, row);
-        if (outcome.updated) {
-          results.updated += 1;
-        } else if (outcome.error) {
-          results.errors.push({ row: index + 1, message: outcome.error });
-        }
       }
-    } catch (error) {
-      results.errors.push({
-        row: index + 1,
-        message: error instanceof Error ? error.message : "Unknown error",
-      });
-    }
-  }
 
-  await ctx.db.auditLog.create({
+      try {
-    data: {
+        if (input.entityType === "resources") {
-      entityType: input.entityType,
+          const outcome = await importResourceRow({ ...ctx, db: tx as unknown as typeof ctx.db }, row);
-      entityId: "bulk-import",
+          if (outcome.updated) {
-      action: "IMPORT",
+            results.updated += 1;
-      changes: { summary: results },
+          } else if (outcome.error) {
-    },
+            results.errors.push({ row: index + 1, message: outcome.error });
+          }
+        }
+      } catch (error) {
+        results.errors.push({
+          row: index + 1,
+          message: error instanceof Error ? error.message : "Unknown error",
+        });
+      }
+    }
+
+    await tx.auditLog.create({
+      data: {
+        entityType: input.entityType,
+        entityId: "bulk-import",
+        action: "IMPORT",
+        changes: { summary: results },
+      },
+    });
   });
 
   return results;

packages/api/src/router/project-lifecycle.ts

@@ -123,19 +123,23 @@ export function createProjectLifecycleProcedures(
       )
       .mutation(async ({ ctx, input }) => {
         requirePermission(ctx, PermissionKey.MANAGE_PROJECTS);
-        const updated = await ctx.db.$transaction(
+        const updated = await ctx.db.$transaction(async (tx) => {
-          input.ids.map((id) =>
+          const results = await Promise.all(
-            ctx.db.project.update({ where: { id }, data: { status: input.status } }),
+            input.ids.map((id) =>
-          ),
+              tx.project.update({ where: { id }, data: { status: input.status } }),
-        );
+            ),
+          );
 
-        await ctx.db.auditLog.create({
+          await tx.auditLog.create({
-          data: {
+            data: {
-            entityType: "Project",
+              entityType: "Project",
-            entityId: input.ids.join(","),
+              entityId: input.ids.join(","),
-            action: "UPDATE",
+              action: "UPDATE",
-            changes: { after: { status: input.status, ids: input.ids } },
+              changes: { after: { status: input.status, ids: input.ids } },
-          },
+            },
+          });
+
+          return results;
         });
 
         dependencies.invalidateDashboardCacheInBackground();

packages/api/src/router/project-mutations.ts

@@ -80,17 +80,21 @@ export function createProjectMutationProcedures(
           target: BlueprintTarget.PROJECT,
         });
 
-        const project = await ctx.db.project.create({
+        const project = await ctx.db.$transaction(async (tx) => {
-          data: buildProjectCreateData(input),
+          const created = await tx.project.create({
-        });
+            data: buildProjectCreateData(input),
+          });
 
-        await ctx.db.auditLog.create({
+          await tx.auditLog.create({
-          data: {
+            data: {
-            entityType: "Project",
+              entityType: "Project",
-            entityId: project.id,
+              entityId: created.id,
-            action: "CREATE",
+              action: "CREATE",
-            changes: { after: project },
+              changes: { after: created },
-          },
+            },
+          });
+
+          return created;
         });
 
         backgroundEffects.invalidateDashboardCacheInBackground();
@@ -124,18 +128,22 @@ export function createProjectMutationProcedures(
           target: BlueprintTarget.PROJECT,
         });
 
-        const updated = await ctx.db.project.update({
+        const updated = await ctx.db.$transaction(async (tx) => {
-          where: { id: input.id },
+          const result = await tx.project.update({
-          data: buildProjectUpdateData(input.data),
+            where: { id: input.id },
-        });
+            data: buildProjectUpdateData(input.data),
+          });
 
-        await ctx.db.auditLog.create({
+          await tx.auditLog.create({
-          data: {
+            data: {
-            entityType: "Project",
+              entityType: "Project",
-            entityId: input.id,
+              entityId: input.id,
-            action: "UPDATE",
+              action: "UPDATE",
-            changes: { before: existing, after: updated },
+              changes: { before: existing, after: result },
-          },
+            },
+          });
+
+          return result;
         });
 
         backgroundEffects.invalidateDashboardCacheInBackground();

packages/api/src/router/resource-mutations.ts

@@ -34,62 +34,66 @@ export const resourceMutationProcedures = {
         throw new TRPCError({ code: "BAD_REQUEST", message: "A resource can have at most one primary role" });
       }
 
-      const resource = await ctx.db.resource.create({
+      const resource = await ctx.db.$transaction(async (tx) => {
-        data: {
+        const created = await tx.resource.create({
-          eid: input.eid,
+          data: {
-          displayName: input.displayName,
+            eid: input.eid,
-          email: input.email,
+            displayName: input.displayName,
-          chapter: input.chapter,
+            email: input.email,
-          lcrCents: input.lcrCents,
+            chapter: input.chapter,
-          ucrCents: input.ucrCents,
+            lcrCents: input.lcrCents,
-          currency: input.currency,
+            ucrCents: input.ucrCents,
-          chargeabilityTarget: input.chargeabilityTarget,
+            currency: input.currency,
-          availability: input.availability,
+            chargeabilityTarget: input.chargeabilityTarget,
-          skills: input.skills as unknown as import("@capakraken/db").Prisma.InputJsonValue,
+            availability: input.availability,
-          dynamicFields: input.dynamicFields as unknown as import("@capakraken/db").Prisma.InputJsonValue,
+            skills: input.skills as unknown as import("@capakraken/db").Prisma.InputJsonValue,
-          blueprintId: input.blueprintId,
+            dynamicFields: input.dynamicFields as unknown as import("@capakraken/db").Prisma.InputJsonValue,
-          portfolioUrl: input.portfolioUrl || undefined,
+            blueprintId: input.blueprintId,
-          roleId: input.roleId || undefined,
+            portfolioUrl: input.portfolioUrl || undefined,
-          ...(input.postalCode !== undefined ? { postalCode: input.postalCode } : {}),
+            roleId: input.roleId || undefined,
-          ...(input.postalCode && !input.federalState
+            ...(input.postalCode !== undefined ? { postalCode: input.postalCode } : {}),
-            ? { federalState: inferStateFromPostalCode(input.postalCode) }
+            ...(input.postalCode && !input.federalState
-            : input.federalState !== undefined
+              ? { federalState: inferStateFromPostalCode(input.postalCode) }
-              ? { federalState: input.federalState }
+              : input.federalState !== undefined
-              : {}),
+                ? { federalState: input.federalState }
-          ...(input.countryId !== undefined ? { countryId: input.countryId || null } : {}),
+                : {}),
-          ...(input.metroCityId !== undefined ? { metroCityId: input.metroCityId || null } : {}),
+            ...(input.countryId !== undefined ? { countryId: input.countryId || null } : {}),
-          ...(input.orgUnitId !== undefined ? { orgUnitId: input.orgUnitId || null } : {}),
+            ...(input.metroCityId !== undefined ? { metroCityId: input.metroCityId || null } : {}),
-          ...(input.managementLevelGroupId !== undefined ? { managementLevelGroupId: input.managementLevelGroupId || null } : {}),
+            ...(input.orgUnitId !== undefined ? { orgUnitId: input.orgUnitId || null } : {}),
-          ...(input.managementLevelId !== undefined ? { managementLevelId: input.managementLevelId || null } : {}),
+            ...(input.managementLevelGroupId !== undefined ? { managementLevelGroupId: input.managementLevelGroupId || null } : {}),
-          ...(input.resourceType !== undefined ? { resourceType: input.resourceType } : {}),
+            ...(input.managementLevelId !== undefined ? { managementLevelId: input.managementLevelId || null } : {}),
-          ...(input.chgResponsibility !== undefined ? { chgResponsibility: input.chgResponsibility } : {}),
+            ...(input.resourceType !== undefined ? { resourceType: input.resourceType } : {}),
-          ...(input.rolledOff !== undefined ? { rolledOff: input.rolledOff } : {}),
+            ...(input.chgResponsibility !== undefined ? { chgResponsibility: input.chgResponsibility } : {}),
-          ...(input.departed !== undefined ? { departed: input.departed } : {}),
+            ...(input.rolledOff !== undefined ? { rolledOff: input.rolledOff } : {}),
-          ...(input.enterpriseId !== undefined ? { enterpriseId: input.enterpriseId || null } : {}),
+            ...(input.departed !== undefined ? { departed: input.departed } : {}),
-          ...(input.clientUnitId !== undefined ? { clientUnitId: input.clientUnitId || null } : {}),
+            ...(input.enterpriseId !== undefined ? { enterpriseId: input.enterpriseId || null } : {}),
-          ...(input.fte !== undefined ? { fte: input.fte } : {}),
+            ...(input.clientUnitId !== undefined ? { clientUnitId: input.clientUnitId || null } : {}),
-          resourceRoles: input.roles?.length
+            ...(input.fte !== undefined ? { fte: input.fte } : {}),
-            ? {
+            resourceRoles: input.roles?.length
-                create: input.roles.map((role) => ({
+              ? {
-                  roleId: role.roleId,
+                  create: input.roles.map((role) => ({
-                  isPrimary: role.isPrimary,
+                    roleId: role.roleId,
-                })),
+                    isPrimary: role.isPrimary,
-              }
+                  })),
-            : undefined,
+                }
-        } as unknown as Parameters<typeof ctx.db.resource.create>[0]["data"],
+              : undefined,
-        include: {
+          } as unknown as Parameters<typeof tx.resource.create>[0]["data"],
-          resourceRoles: { include: { role: { select: ROLE_BRIEF_SELECT } } },
+          include: {
-        },
+            resourceRoles: { include: { role: { select: ROLE_BRIEF_SELECT } } },
-      });
+          },
+        });
 
-      await ctx.db.auditLog.create({
+        await tx.auditLog.create({
-        data: {
+          data: {
-          entityType: "Resource",
+            entityType: "Resource",
-          entityId: resource.id,
+            entityId: created.id,
-          action: "CREATE",
+            action: "CREATE",
-          userId: ctx.dbUser?.id,
+            userId: ctx.dbUser?.id,
-          changes: { after: resource },
+            changes: { after: created },
-        } as unknown as Parameters<typeof ctx.db.auditLog.create>[0]["data"],
+          } as unknown as Parameters<typeof tx.auditLog.create>[0]["data"],
+        });
+
+        return created;
       });
 
       return resource;
@@ -121,67 +125,71 @@ export const resourceMutationProcedures = {
         }
       }
 
-      const updated = await ctx.db.resource.update({
+      const updated = await ctx.db.$transaction(async (tx) => {
-        where: { id: input.id },
+        const result = await tx.resource.update({
-        data: {
+          where: { id: input.id },
-          ...(input.data.displayName !== undefined ? { displayName: input.data.displayName } : {}),
+          data: {
-          ...(input.data.email !== undefined ? { email: input.data.email } : {}),
+            ...(input.data.displayName !== undefined ? { displayName: input.data.displayName } : {}),
-          ...(input.data.chapter !== undefined ? { chapter: input.data.chapter } : {}),
+            ...(input.data.email !== undefined ? { email: input.data.email } : {}),
-          ...(input.data.lcrCents !== undefined ? { lcrCents: input.data.lcrCents } : {}),
+            ...(input.data.chapter !== undefined ? { chapter: input.data.chapter } : {}),
-          ...(input.data.ucrCents !== undefined ? { ucrCents: input.data.ucrCents } : {}),
+            ...(input.data.lcrCents !== undefined ? { lcrCents: input.data.lcrCents } : {}),
-          ...(input.data.currency !== undefined ? { currency: input.data.currency } : {}),
+            ...(input.data.ucrCents !== undefined ? { ucrCents: input.data.ucrCents } : {}),
-          ...(input.data.chargeabilityTarget !== undefined ? { chargeabilityTarget: input.data.chargeabilityTarget } : {}),
+            ...(input.data.currency !== undefined ? { currency: input.data.currency } : {}),
-          ...(input.data.availability !== undefined ? { availability: input.data.availability as unknown as import("@capakraken/db").Prisma.InputJsonValue } : {}),
+            ...(input.data.chargeabilityTarget !== undefined ? { chargeabilityTarget: input.data.chargeabilityTarget } : {}),
-          ...(input.data.skills !== undefined ? { skills: input.data.skills as unknown as import("@capakraken/db").Prisma.InputJsonValue } : {}),
+            ...(input.data.availability !== undefined ? { availability: input.data.availability as unknown as import("@capakraken/db").Prisma.InputJsonValue } : {}),
-          ...(input.data.dynamicFields !== undefined ? { dynamicFields: input.data.dynamicFields as unknown as import("@capakraken/db").Prisma.InputJsonValue } : {}),
+            ...(input.data.skills !== undefined ? { skills: input.data.skills as unknown as import("@capakraken/db").Prisma.InputJsonValue } : {}),
-          ...(input.data.blueprintId !== undefined ? { blueprintId: input.data.blueprintId } : {}),
+            ...(input.data.dynamicFields !== undefined ? { dynamicFields: input.data.dynamicFields as unknown as import("@capakraken/db").Prisma.InputJsonValue } : {}),
-          ...(input.data.isActive !== undefined ? { isActive: input.data.isActive } : {}),
+            ...(input.data.blueprintId !== undefined ? { blueprintId: input.data.blueprintId } : {}),
-          ...(input.data.portfolioUrl !== undefined ? { portfolioUrl: input.data.portfolioUrl || null } : {}),
+            ...(input.data.isActive !== undefined ? { isActive: input.data.isActive } : {}),
-          ...(input.data.roleId !== undefined ? { roleId: input.data.roleId || null } : {}),
+            ...(input.data.portfolioUrl !== undefined ? { portfolioUrl: input.data.portfolioUrl || null } : {}),
-          ...(input.data.postalCode !== undefined ? { postalCode: input.data.postalCode } : {}),
+            ...(input.data.roleId !== undefined ? { roleId: input.data.roleId || null } : {}),
-          ...(input.data.postalCode && !input.data.federalState
+            ...(input.data.postalCode !== undefined ? { postalCode: input.data.postalCode } : {}),
-            ? { federalState: inferStateFromPostalCode(input.data.postalCode) }
+            ...(input.data.postalCode && !input.data.federalState
-            : input.data.federalState !== undefined
+              ? { federalState: inferStateFromPostalCode(input.data.postalCode) }
-              ? { federalState: input.data.federalState }
+              : input.data.federalState !== undefined
-              : {}),
+                ? { federalState: input.data.federalState }
-          ...(input.data.countryId !== undefined ? { countryId: input.data.countryId || null } : {}),
+                : {}),
-          ...(input.data.metroCityId !== undefined ? { metroCityId: input.data.metroCityId || null } : {}),
+            ...(input.data.countryId !== undefined ? { countryId: input.data.countryId || null } : {}),
-          ...(input.data.orgUnitId !== undefined ? { orgUnitId: input.data.orgUnitId || null } : {}),
+            ...(input.data.metroCityId !== undefined ? { metroCityId: input.data.metroCityId || null } : {}),
-          ...(input.data.managementLevelGroupId !== undefined ? { managementLevelGroupId: input.data.managementLevelGroupId || null } : {}),
+            ...(input.data.orgUnitId !== undefined ? { orgUnitId: input.data.orgUnitId || null } : {}),
-          ...(input.data.managementLevelId !== undefined ? { managementLevelId: input.data.managementLevelId || null } : {}),
+            ...(input.data.managementLevelGroupId !== undefined ? { managementLevelGroupId: input.data.managementLevelGroupId || null } : {}),
-          ...(input.data.resourceType !== undefined ? { resourceType: input.data.resourceType } : {}),
+            ...(input.data.managementLevelId !== undefined ? { managementLevelId: input.data.managementLevelId || null } : {}),
-          ...(input.data.chgResponsibility !== undefined ? { chgResponsibility: input.data.chgResponsibility } : {}),
+            ...(input.data.resourceType !== undefined ? { resourceType: input.data.resourceType } : {}),
-          ...(input.data.rolledOff !== undefined ? { rolledOff: input.data.rolledOff } : {}),
+            ...(input.data.chgResponsibility !== undefined ? { chgResponsibility: input.data.chgResponsibility } : {}),
-          ...(input.data.departed !== undefined ? { departed: input.data.departed } : {}),
+            ...(input.data.rolledOff !== undefined ? { rolledOff: input.data.rolledOff } : {}),
-          ...(input.data.enterpriseId !== undefined ? { enterpriseId: input.data.enterpriseId || null } : {}),
+            ...(input.data.departed !== undefined ? { departed: input.data.departed } : {}),
-          ...(input.data.clientUnitId !== undefined ? { clientUnitId: input.data.clientUnitId || null } : {}),
+            ...(input.data.enterpriseId !== undefined ? { enterpriseId: input.data.enterpriseId || null } : {}),
-          ...(input.data.fte !== undefined ? { fte: input.data.fte } : {}),
+            ...(input.data.clientUnitId !== undefined ? { clientUnitId: input.data.clientUnitId || null } : {}),
-        } as unknown as Parameters<typeof ctx.db.resource.update>[0]["data"],
+            ...(input.data.fte !== undefined ? { fte: input.data.fte } : {}),
-        include: {
+          } as unknown as Parameters<typeof tx.resource.update>[0]["data"],
-          resourceRoles: { include: { role: { select: ROLE_BRIEF_SELECT } } },
+          include: {
-        },
+            resourceRoles: { include: { role: { select: ROLE_BRIEF_SELECT } } },
-      });
+          },
+        });
 
-      if (input.data.roles !== undefined) {
+        if (input.data.roles !== undefined) {
-        await ctx.db.resourceRole.deleteMany({ where: { resourceId: input.id } });
+          await tx.resourceRole.deleteMany({ where: { resourceId: input.id } });
-        if (input.data.roles.length > 0) {
+          if (input.data.roles.length > 0) {
-          await ctx.db.resourceRole.createMany({
+            await tx.resourceRole.createMany({
-            data: input.data.roles.map((role) => ({
+              data: input.data.roles.map((role) => ({
-              resourceId: input.id,
+                resourceId: input.id,
-              roleId: role.roleId,
+                roleId: role.roleId,
-              isPrimary: role.isPrimary,
+                isPrimary: role.isPrimary,
-            })),
+              })),
-          });
+            });
+          }
         }
-      }
 
-      await ctx.db.auditLog.create({
+        await tx.auditLog.create({
-        data: {
+          data: {
-          entityType: "Resource",
+            entityType: "Resource",
-          entityId: input.id,
+            entityId: input.id,
-          action: "UPDATE",
+            action: "UPDATE",
-          changes: { before: existing, after: updated },
+            changes: { before: existing, after: result },
-        },
+          },
+        });
+
+        return result;
       });
 
       return updated;
@@ -191,18 +199,22 @@ export const resourceMutationProcedures = {
     .input(z.object({ id: z.string() }))
     .mutation(async ({ ctx, input }) => {
       requirePermission(ctx, PermissionKey.MANAGE_RESOURCES);
-      const resource = await ctx.db.resource.update({
+      const resource = await ctx.db.$transaction(async (tx) => {
-        where: { id: input.id },
+        const result = await tx.resource.update({
-        data: { isActive: false },
+          where: { id: input.id },
-      });
+          data: { isActive: false },
+        });
 
-      await ctx.db.auditLog.create({
+        await tx.auditLog.create({
-        data: {
+          data: {
-          entityType: "Resource",
+            entityType: "Resource",
-          entityId: input.id,
+            entityId: input.id,
-          action: "UPDATE",
+            action: "UPDATE",
-          changes: { after: { isActive: false } },
+            changes: { after: { isActive: false } },
-        },
+          },
+        });
+
+        return result;
       });
 
       return resource;
@@ -212,19 +224,23 @@ export const resourceMutationProcedures = {
     .input(z.object({ ids: z.array(z.string()).min(1).max(100) }))
     .mutation(async ({ ctx, input }) => {
       requirePermission(ctx, PermissionKey.MANAGE_RESOURCES);
-      const updated = await ctx.db.$transaction(
+      const updated = await ctx.db.$transaction(async (tx) => {
-        input.ids.map((id) =>
+        const results = await Promise.all(
-          ctx.db.resource.update({ where: { id }, data: { isActive: false } }),
+          input.ids.map((id) =>
-        ),
+            tx.resource.update({ where: { id }, data: { isActive: false } }),
-      );
+          ),
+        );
 
-      await ctx.db.auditLog.create({
+        await tx.auditLog.create({
-        data: {
+          data: {
-          entityType: "Resource",
+            entityType: "Resource",
-          entityId: input.ids.join(","),
+            entityId: input.ids.join(","),
-          action: "UPDATE",
+            action: "UPDATE",
-          changes: { after: { isActive: false, ids: input.ids } },
+            changes: { after: { isActive: false, ids: input.ids } },
-        },
+          },
+        });
+
+        return results;
       });
 
       return { count: updated.length };
@@ -238,23 +254,25 @@ export const resourceMutationProcedures = {
     .mutation(async ({ ctx, input }) => {
       requirePermission(ctx, PermissionKey.MANAGE_RESOURCES);
 
-      await ctx.db.$transaction(
+      await ctx.db.$transaction(async (tx) => {
-        input.ids.map((id) =>
+        await Promise.all(
-          ctx.db.$executeRaw`
+          input.ids.map((id) =>
-            UPDATE "Resource"
+            tx.$executeRaw`
-            SET "dynamicFields" = "dynamicFields" || ${JSON.stringify(input.fields)}::jsonb
+              UPDATE "Resource"
-            WHERE id = ${id}
+              SET "dynamicFields" = "dynamicFields" || ${JSON.stringify(input.fields)}::jsonb
-          `,
+              WHERE id = ${id}
-        ),
+            `,
-      );
+          ),
+        );
 
-      await ctx.db.auditLog.create({
+        await tx.auditLog.create({
-        data: {
+          data: {
-          entityType: "Resource",
+            entityType: "Resource",
-          entityId: input.ids.join(","),
+            entityId: input.ids.join(","),
-          action: "UPDATE",
+            action: "UPDATE",
-          changes: { after: { dynamicFields: input.fields, ids: input.ids } } as unknown as import("@capakraken/db").Prisma.InputJsonValue,
+            changes: { after: { dynamicFields: input.fields, ids: input.ids } } as unknown as import("@capakraken/db").Prisma.InputJsonValue,
-        },
+          },
+        });
       });
 
       return { updated: input.ids.length };
@@ -271,20 +289,20 @@ export const resourceMutationProcedures = {
         throw new TRPCError({ code: "NOT_FOUND", message: "Resource not found" });
       }
 
-      await ctx.db.$transaction([
+      await ctx.db.$transaction(async (tx) => {
-        ctx.db.assignment.deleteMany({ where: { resourceId: input.id } }),
+        await tx.assignment.deleteMany({ where: { resourceId: input.id } });
-        ctx.db.vacation.deleteMany({ where: { resourceId: input.id } }),
+        await tx.vacation.deleteMany({ where: { resourceId: input.id } });
-        ctx.db.resource.delete({ where: { id: input.id } }),
+        await tx.resource.delete({ where: { id: input.id } });
-      ]);
 
-      await ctx.db.auditLog.create({
+        await tx.auditLog.create({
-        data: {
+          data: {
-          entityType: "Resource",
+            entityType: "Resource",
-          entityId: input.id,
+            entityId: input.id,
-          action: "DELETE",
+            action: "DELETE",
-          userId: ctx.dbUser?.id,
+            userId: ctx.dbUser?.id,
-          changes: { before: resource } as unknown as import("@capakraken/db").Prisma.InputJsonValue,
+            changes: { before: resource } as unknown as import("@capakraken/db").Prisma.InputJsonValue,
-        },
+          },
+        });
       });
 
       return { deleted: true };
@@ -298,20 +316,20 @@ export const resourceMutationProcedures = {
         select: { id: true, displayName: true, eid: true },
       });
 
-      await ctx.db.$transaction([
+      await ctx.db.$transaction(async (tx) => {
-        ctx.db.assignment.deleteMany({ where: { resourceId: { in: input.ids } } }),
+        await tx.assignment.deleteMany({ where: { resourceId: { in: input.ids } } });
-        ctx.db.vacation.deleteMany({ where: { resourceId: { in: input.ids } } }),
+        await tx.vacation.deleteMany({ where: { resourceId: { in: input.ids } } });
-        ctx.db.resource.deleteMany({ where: { id: { in: input.ids } } }),
+        await tx.resource.deleteMany({ where: { id: { in: input.ids } } });
-      ]);
 
-      await ctx.db.auditLog.createMany({
+        await tx.auditLog.createMany({
-        data: resources.map((r) => ({
+          data: resources.map((r) => ({
-          entityType: "Resource",
+            entityType: "Resource",
-          entityId: r.id,
+            entityId: r.id,
-          action: "DELETE",
+            action: "DELETE",
-          userId: ctx.dbUser?.id,
+            userId: ctx.dbUser?.id,
-          changes: { before: r } as unknown as import("@capakraken/db").Prisma.InputJsonValue,
+            changes: { before: r } as unknown as import("@capakraken/db").Prisma.InputJsonValue,
-        })),
+          })),
+        });
       });
 
       return { deleted: resources.length };

packages/api/src/router/role-procedure-support.ts

@@ -135,18 +135,22 @@ export async function createRole(
   requirePermission(ctx, PermissionKey.MANAGE_ROLES);
   await assertRoleNameAvailable(ctx.db, input.name);
 
-  const role = await ctx.db.role.create({
+  const role = await ctx.db.$transaction(async (tx) => {
-    data: buildRoleCreateData(input),
+    const created = await tx.role.create({
-    include: { _count: { select: { resourceRoles: true } } },
+      data: buildRoleCreateData(input),
-  });
+      include: { _count: { select: { resourceRoles: true } } },
+    });
 
-  await ctx.db.auditLog.create({
+    await tx.auditLog.create({
-    data: {
+      data: {
-      entityType: "Role",
+        entityType: "Role",
-      entityId: role.id,
+        entityId: created.id,
-      action: "CREATE",
+        action: "CREATE",
-      changes: { after: role },
+        changes: { after: created },
-    },
+      },
+    });
+
+    return created;
   });
 
   emitRoleCreated({ id: role.id, name: role.name });
@@ -168,19 +172,23 @@ export async function updateRole(
     await assertRoleNameAvailable(ctx.db, input.data.name, input.id);
   }
 
-  const updated = await ctx.db.role.update({
+  const updated = await ctx.db.$transaction(async (tx) => {
-    where: { id: input.id },
+    const result = await tx.role.update({
-    data: buildRoleUpdateData(input.data),
+      where: { id: input.id },
-    include: { _count: { select: { resourceRoles: true } } },
+      data: buildRoleUpdateData(input.data),
-  });
+      include: { _count: { select: { resourceRoles: true } } },
+    });
 
-  await ctx.db.auditLog.create({
+    await tx.auditLog.create({
-    data: {
+      data: {
-      entityType: "Role",
+        entityType: "Role",
-      entityId: input.id,
+        entityId: input.id,
-      action: "UPDATE",
+        action: "UPDATE",
-      changes: { before: existing, after: updated },
+        changes: { before: existing, after: result },
-    },
+      },
+    });
+
+    return result;
   });
 
   emitRoleUpdated({ id: updated.id, name: updated.name });
@@ -213,15 +221,17 @@ export async function deleteRole(
     });
   }
 
-  await ctx.db.role.delete({ where: { id: input.id } });
+  await ctx.db.$transaction(async (tx) => {
+    await tx.role.delete({ where: { id: input.id } });
 
-  await ctx.db.auditLog.create({
+    await tx.auditLog.create({
-    data: {
+      data: {
-      entityType: "Role",
+        entityType: "Role",
-      entityId: input.id,
+        entityId: input.id,
-      action: "DELETE",
+        action: "DELETE",
-      changes: { before: role },
+        changes: { before: role },
-    },
+      },
+    });
   });
 
   emitRoleDeleted(input.id);
@@ -234,19 +244,23 @@ export async function deactivateRole(
   input: z.infer<typeof RoleIdInputSchema>,
 ) {
   requirePermission(ctx, PermissionKey.MANAGE_ROLES);
-  const role = await ctx.db.role.update({
+  const role = await ctx.db.$transaction(async (tx) => {
-    where: { id: input.id },
+    const result = await tx.role.update({
-    data: { isActive: false },
+      where: { id: input.id },
-    include: { _count: { select: { resourceRoles: true } } },
+      data: { isActive: false },
-  });
+      include: { _count: { select: { resourceRoles: true } } },
+    });
 
-  await ctx.db.auditLog.create({
+    await tx.auditLog.create({
-    data: {
+      data: {
-      entityType: "Role",
+        entityType: "Role",
-      entityId: input.id,
+        entityId: input.id,
-      action: "UPDATE",
+        action: "UPDATE",
-      changes: { after: { isActive: false } },
+        changes: { after: { isActive: false } },
-    },
+      },
+    });
+
+    return result;
   });
 
   emitRoleUpdated({ id: role.id, isActive: false });