diff --git a/src/api/SIGCM2.Application/Usuarios/ChangeMyPassword/ChangeMyPasswordCommandHandler.cs b/src/api/SIGCM2.Application/Usuarios/ChangeMyPassword/ChangeMyPasswordCommandHandler.cs
index 60df389..60e6c3b 100644
--- a/src/api/SIGCM2.Application/Usuarios/ChangeMyPassword/ChangeMyPasswordCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/ChangeMyPassword/ChangeMyPasswordCommandHandler.cs
@@ -1,6 +1,8 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Domain.Exceptions;
 
@@ -10,13 +12,16 @@ public sealed class ChangeMyPasswordCommandHandler : ICommandHandler<ChangeMyPas
 {
     private readonly IUsuarioRepository _repository;
     private readonly IPasswordHasher _hasher;
+    private readonly IAuditLogger _audit;
 
     public ChangeMyPasswordCommandHandler(
         IUsuarioRepository repository,
-        IPasswordHasher hasher)
+        IPasswordHasher hasher,
+        IAuditLogger audit)
     {
         _repository = repository;
         _hasher = hasher;
+        _audit = audit;
     }
 
     public async Task<Unit> Handle(ChangeMyPasswordCommand cmd)
@@ -28,9 +33,21 @@ public sealed class ChangeMyPasswordCommandHandler : ICommandHandler<ChangeMyPas
             throw new InvalidOldPasswordException();
 
         var newHash = _hasher.Hash(cmd.NewPassword);
+
+        using var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled);
+
         await _repository.UpdatePasswordAsync(cmd.UsuarioId, newHash, mustChangePassword: false);
 
-        // TODO: audit — defer to ADM-004
+        await _audit.LogAsync(
+            action: "usuario.password_change",
+            targetType: "Usuario",
+            targetId: cmd.UsuarioId.ToString());
+
+        tx.Complete();
+
         // NOTE: intentionally does NOT revoke own refresh tokens (spec REQ-BCP-05)
         return Unit.Value;
     }
diff --git a/src/api/SIGCM2.Application/Usuarios/Create/CreateUsuarioCommandHandler.cs b/src/api/SIGCM2.Application/Usuarios/Create/CreateUsuarioCommandHandler.cs
index be519fe..602830e 100644
--- a/src/api/SIGCM2.Application/Usuarios/Create/CreateUsuarioCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/Create/CreateUsuarioCommandHandler.cs
@@ -1,6 +1,8 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
 
@@ -10,13 +12,16 @@ public sealed class CreateUsuarioCommandHandler : ICommandHandler<CreateUsuarioC
 {
     private readonly IUsuarioRepository _repository;
     private readonly IPasswordHasher _hasher;
+    private readonly IAuditLogger _audit;
 
     public CreateUsuarioCommandHandler(
         IUsuarioRepository repository,
-        IPasswordHasher hasher)
+        IPasswordHasher hasher,
+        IAuditLogger audit)
     {
         _repository = repository;
         _hasher = hasher;
+        _audit = audit;
     }
 
     public async Task<UsuarioCreatedDto> Handle(CreateUsuarioCommand command)
@@ -37,9 +42,32 @@ public sealed class CreateUsuarioCommandHandler : ICommandHandler<CreateUsuarioC
             email: command.Email,
             rol: command.Rol);
 
-        // TODO: audit — record which admin created this user (defer to UDT-Audit)
+        using var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled);
+
         var newId = await _repository.AddAsync(usuario);
 
+        // UDT-010 (closes follow-up #6): record admin who created this user.
+        await _audit.LogAsync(
+            action: "usuario.create",
+            targetType: "Usuario",
+            targetId: newId.ToString(),
+            metadata: new
+            {
+                after = new
+                {
+                    usuario.Username,
+                    usuario.Nombre,
+                    usuario.Apellido,
+                    usuario.Email,
+                    usuario.Rol,
+                },
+            });
+
+        tx.Complete();
+
         return new UsuarioCreatedDto(
             Id: newId,
             Username: usuario.Username,
diff --git a/src/api/SIGCM2.Application/Usuarios/Deactivate/DeactivateUsuarioCommandHandler.cs b/src/api/SIGCM2.Application/Usuarios/Deactivate/DeactivateUsuarioCommandHandler.cs
index 48b1449..0812211 100644
--- a/src/api/SIGCM2.Application/Usuarios/Deactivate/DeactivateUsuarioCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/Deactivate/DeactivateUsuarioCommandHandler.cs
@@ -1,5 +1,7 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.GetById;
 using SIGCM2.Domain.Exceptions;
@@ -10,13 +12,16 @@ public sealed class DeactivateUsuarioCommandHandler : ICommandHandler<Deactivate
 {
     private readonly IUsuarioRepository _repository;
     private readonly IRefreshTokenRepository _refreshTokenRepository;
+    private readonly IAuditLogger _audit;
 
     public DeactivateUsuarioCommandHandler(
         IUsuarioRepository repository,
-        IRefreshTokenRepository refreshTokenRepository)
+        IRefreshTokenRepository refreshTokenRepository,
+        IAuditLogger audit)
     {
         _repository = repository;
         _refreshTokenRepository = refreshTokenRepository;
+        _audit = audit;
     }
 
     public async Task<UsuarioDetailDto> Handle(DeactivateUsuarioCommand cmd)
@@ -39,10 +44,23 @@ public sealed class DeactivateUsuarioCommandHandler : ICommandHandler<Deactivate
 
         var fields = new UpdateUsuarioFields(target.Nombre, target.Apellido, target.Email, target.Rol, false);
         var now = DateTime.UtcNow;
-        await _repository.UpdateAsync(cmd.UsuarioId, fields, now);
-        await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.UsuarioId, now);
 
-        // TODO: audit — defer to ADM-004
+        using (var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled))
+        {
+            await _repository.UpdateAsync(cmd.UsuarioId, fields, now);
+            await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.UsuarioId, now);
+
+            await _audit.LogAsync(
+                action: "usuario.deactivate",
+                targetType: "Usuario",
+                targetId: cmd.UsuarioId.ToString());
+
+            tx.Complete();
+        }
+
         var updated = await _repository.GetDetailAsync(cmd.UsuarioId)
             ?? throw new UsuarioNotFoundException(cmd.UsuarioId);
 
diff --git a/src/api/SIGCM2.Application/Usuarios/Permisos/UpdateUsuarioPermisosOverridesCommandHandler.cs b/src/api/SIGCM2.Application/Usuarios/Permisos/UpdateUsuarioPermisosOverridesCommandHandler.cs
index 29a90e3..f114285 100644
--- a/src/api/SIGCM2.Application/Usuarios/Permisos/UpdateUsuarioPermisosOverridesCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/Permisos/UpdateUsuarioPermisosOverridesCommandHandler.cs
@@ -1,5 +1,7 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Domain.Exceptions;
 
@@ -15,15 +17,18 @@ public sealed class UpdateUsuarioPermisosOverridesCommandHandler
     private readonly IUsuarioRepository _usuarioRepo;
     private readonly IRolPermisoRepository _rolPermisoRepo;
     private readonly IPermisoRepository _permisoRepo;
+    private readonly IAuditLogger _audit;
 
     public UpdateUsuarioPermisosOverridesCommandHandler(
         IUsuarioRepository usuarioRepo,
         IRolPermisoRepository rolPermisoRepo,
-        IPermisoRepository permisoRepo)
+        IPermisoRepository permisoRepo,
+        IAuditLogger audit)
     {
         _usuarioRepo = usuarioRepo;
         _rolPermisoRepo = rolPermisoRepo;
         _permisoRepo = permisoRepo;
+        _audit = audit;
     }
 
     public async Task<UsuarioPermisosDto> Handle(UpdateUsuarioPermisosOverridesCommand command)
@@ -53,11 +58,31 @@ public sealed class UpdateUsuarioPermisosOverridesCommandHandler
 
         // 4. Persist — use WithPermisosJson to get updated FechaModificacion
         var newOverrides = new PermisosOverride(grant, deny);
+        var previousOverrides = PermisosOverride.FromJson(usuario.PermisosJson);
         var updated = usuario.WithPermisosJson(newOverrides.ToJson());
-        await _usuarioRepo.UpdatePermisosJsonAsync(
-            updated.Id,
-            updated.PermisosJson,
-            updated.FechaModificacion!.Value);
+
+        using (var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled))
+        {
+            await _usuarioRepo.UpdatePermisosJsonAsync(
+                updated.Id,
+                updated.PermisosJson,
+                updated.FechaModificacion!.Value);
+
+            await _audit.LogAsync(
+                action: "usuario.permisos_update",
+                targetType: "Usuario",
+                targetId: command.Id.ToString(),
+                metadata: new
+                {
+                    before = new { grant = previousOverrides.Grant, deny = previousOverrides.Deny },
+                    after = new { grant = grant, deny = deny },
+                });
+
+            tx.Complete();
+        }
 
         // 5. Return updated effective set
         var rolPermisoEntities = await _rolPermisoRepo.GetByRolCodigoAsync(updated.Rol);
diff --git a/src/api/SIGCM2.Application/Usuarios/Reactivate/ReactivateUsuarioCommandHandler.cs b/src/api/SIGCM2.Application/Usuarios/Reactivate/ReactivateUsuarioCommandHandler.cs
index 3c56919..c89a473 100644
--- a/src/api/SIGCM2.Application/Usuarios/Reactivate/ReactivateUsuarioCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/Reactivate/ReactivateUsuarioCommandHandler.cs
@@ -1,5 +1,7 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.GetById;
 using SIGCM2.Domain.Exceptions;
@@ -9,10 +11,12 @@ namespace SIGCM2.Application.Usuarios.Reactivate;
 public sealed class ReactivateUsuarioCommandHandler : ICommandHandler<ReactivateUsuarioCommand, UsuarioDetailDto>
 {
     private readonly IUsuarioRepository _repository;
+    private readonly IAuditLogger _audit;
 
-    public ReactivateUsuarioCommandHandler(IUsuarioRepository repository)
+    public ReactivateUsuarioCommandHandler(IUsuarioRepository repository, IAuditLogger audit)
     {
         _repository = repository;
+        _audit = audit;
     }
 
     public async Task<UsuarioDetailDto> Handle(ReactivateUsuarioCommand cmd)
@@ -31,9 +35,22 @@ public sealed class ReactivateUsuarioCommandHandler : ICommandHandler<Reactivate
 
         var fields = new UpdateUsuarioFields(target.Nombre, target.Apellido, target.Email, target.Rol, true);
         var now = DateTime.UtcNow;
-        await _repository.UpdateAsync(cmd.UsuarioId, fields, now);
 
-        // TODO: audit — defer to ADM-004
+        using (var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled))
+        {
+            await _repository.UpdateAsync(cmd.UsuarioId, fields, now);
+
+            await _audit.LogAsync(
+                action: "usuario.reactivate",
+                targetType: "Usuario",
+                targetId: cmd.UsuarioId.ToString());
+
+            tx.Complete();
+        }
+
         var updated = await _repository.GetDetailAsync(cmd.UsuarioId)
             ?? throw new UsuarioNotFoundException(cmd.UsuarioId);
 
diff --git a/src/api/SIGCM2.Application/Usuarios/ResetPassword/ResetUsuarioPasswordCommandHandler.cs b/src/api/SIGCM2.Application/Usuarios/ResetPassword/ResetUsuarioPasswordCommandHandler.cs
index 502ef98..9af9620 100644
--- a/src/api/SIGCM2.Application/Usuarios/ResetPassword/ResetUsuarioPasswordCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/ResetPassword/ResetUsuarioPasswordCommandHandler.cs
@@ -1,6 +1,8 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Domain.Exceptions;
 
@@ -11,15 +13,18 @@ public sealed class ResetUsuarioPasswordCommandHandler : ICommandHandler<ResetUs
     private readonly IUsuarioRepository _repository;
     private readonly IPasswordHasher _hasher;
     private readonly IRefreshTokenRepository _refreshTokenRepository;
+    private readonly IAuditLogger _audit;
 
     public ResetUsuarioPasswordCommandHandler(
         IUsuarioRepository repository,
         IPasswordHasher hasher,
-        IRefreshTokenRepository refreshTokenRepository)
+        IRefreshTokenRepository refreshTokenRepository,
+        IAuditLogger audit)
     {
         _repository = repository;
         _hasher = hasher;
         _refreshTokenRepository = refreshTokenRepository;
+        _audit = audit;
     }
 
     public async Task<ResetUsuarioPasswordResponse> Handle(ResetUsuarioPasswordCommand cmd)
@@ -32,13 +37,25 @@ public sealed class ResetUsuarioPasswordCommandHandler : ICommandHandler<ResetUs
             ?? throw new UsuarioNotFoundException(cmd.TargetId);
 
         var temp = TempPasswordGenerator.Generate(12);
-        // SECURITY: NEVER log tempPassword
+        // SECURITY: NEVER log tempPassword — it is returned to the caller, never persisted.
         var hash = _hasher.Hash(temp);
 
+        using var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled);
+
         await _repository.UpdatePasswordAsync(cmd.TargetId, hash, mustChangePassword: true);
         await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.TargetId, DateTime.UtcNow);
 
-        // TODO: audit — defer to ADM-004
+        await _audit.LogAsync(
+            action: "usuario.password_reset",
+            targetType: "Usuario",
+            targetId: cmd.TargetId.ToString(),
+            metadata: new { targetId = cmd.TargetId }); // NO tempPassword in metadata
+
+        tx.Complete();
+
         return new ResetUsuarioPasswordResponse(temp, MustChangeOnLogin: true);
     }
 }
diff --git a/src/api/SIGCM2.Application/Usuarios/Update/UpdateUsuarioCommandHandler.cs b/src/api/SIGCM2.Application/Usuarios/Update/UpdateUsuarioCommandHandler.cs
index 02c5370..f38203d 100644
--- a/src/api/SIGCM2.Application/Usuarios/Update/UpdateUsuarioCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/Update/UpdateUsuarioCommandHandler.cs
@@ -1,5 +1,7 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.GetById;
 using SIGCM2.Domain.Exceptions;
@@ -11,15 +13,18 @@ public sealed class UpdateUsuarioCommandHandler : ICommandHandler<UpdateUsuarioC
     private readonly IUsuarioRepository _repository;
     private readonly IRolRepository _rolRepository;
     private readonly IRefreshTokenRepository _refreshTokenRepository;
+    private readonly IAuditLogger _audit;
 
     public UpdateUsuarioCommandHandler(
         IUsuarioRepository repository,
         IRolRepository rolRepository,
-        IRefreshTokenRepository refreshTokenRepository)
+        IRefreshTokenRepository refreshTokenRepository,
+        IAuditLogger audit)
     {
         _repository = repository;
         _rolRepository = rolRepository;
         _refreshTokenRepository = refreshTokenRepository;
+        _audit = audit;
     }
 
     public async Task<UsuarioDetailDto> Handle(UpdateUsuarioCommand cmd)
@@ -48,17 +53,36 @@ public sealed class UpdateUsuarioCommandHandler : ICommandHandler<UpdateUsuarioC
 
         var fields = new UpdateUsuarioFields(cmd.Nombre, cmd.Apellido, cmd.Email, cmd.Rol, cmd.Activo);
         var now = DateTime.UtcNow;
-        await _repository.UpdateAsync(cmd.Id, fields, now);
 
-        // Revoke refresh tokens if rol changed or user deactivated
-        var rolChanged = !string.Equals(target.Rol, cmd.Rol, StringComparison.Ordinal);
-        var justDeactivated = target.Activo && !cmd.Activo;
-        if (rolChanged || justDeactivated)
+        using (var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled))
         {
-            await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.Id, now);
+            await _repository.UpdateAsync(cmd.Id, fields, now);
+
+            // Revoke refresh tokens if rol changed or user deactivated
+            var rolChanged = !string.Equals(target.Rol, cmd.Rol, StringComparison.Ordinal);
+            var justDeactivated = target.Activo && !cmd.Activo;
+            if (rolChanged || justDeactivated)
+            {
+                await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.Id, now);
+            }
+
+            await _audit.LogAsync(
+                action: "usuario.update",
+                targetType: "Usuario",
+                targetId: cmd.Id.ToString(),
+                metadata: new
+                {
+                    before = new { target.Nombre, target.Apellido, target.Email, target.Rol, target.Activo },
+                    after = new { cmd.Nombre, cmd.Apellido, cmd.Email, cmd.Rol, cmd.Activo },
+                });
+
+            tx.Complete();
         }
 
-        // TODO: audit — defer to ADM-004
+        // Post-commit read: outside the scope so SqlClient does not try to enlist a completed transaction.
         var updated = await _repository.GetDetailAsync(cmd.Id)
             ?? throw new UsuarioNotFoundException(cmd.Id);
 
diff --git a/tests/SIGCM2.Application.Tests/Usuarios/ChangeMyPasswordCommandHandlerTests.cs b/tests/SIGCM2.Application.Tests/Usuarios/ChangeMyPasswordCommandHandlerTests.cs
index 4c686cf..94bb8e4 100644
--- a/tests/SIGCM2.Application.Tests/Usuarios/ChangeMyPasswordCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/ChangeMyPasswordCommandHandlerTests.cs
@@ -1,6 +1,7 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Usuarios.ChangeMyPassword;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -12,11 +13,12 @@ public class ChangeMyPasswordCommandHandlerTests
     private readonly IUsuarioRepository _repo = Substitute.For<IUsuarioRepository>();
     private readonly IPasswordHasher _hasher = Substitute.For<IPasswordHasher>();
     private readonly IRefreshTokenRepository _refreshRepo = Substitute.For<IRefreshTokenRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
     private readonly ChangeMyPasswordCommandHandler _handler;
 
     public ChangeMyPasswordCommandHandlerTests()
     {
-        _handler = new ChangeMyPasswordCommandHandler(_repo, _hasher);
+        _handler = new ChangeMyPasswordCommandHandler(_repo, _hasher, _audit);
     }
 
     private static Usuario MakeUser(int id = 1, bool mustChangePassword = false)
diff --git a/tests/SIGCM2.Application.Tests/Usuarios/Create/CreateUsuarioCommandHandlerTests.cs b/tests/SIGCM2.Application.Tests/Usuarios/Create/CreateUsuarioCommandHandlerTests.cs
index 52a7c74..a386861 100644
--- a/tests/SIGCM2.Application.Tests/Usuarios/Create/CreateUsuarioCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/Create/CreateUsuarioCommandHandlerTests.cs
@@ -1,6 +1,7 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Usuarios.Create;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -11,6 +12,7 @@ public class CreateUsuarioCommandHandlerTests
 {
     private readonly IUsuarioRepository _repository = Substitute.For<IUsuarioRepository>();
     private readonly IPasswordHasher _hasher = Substitute.For<IPasswordHasher>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
     private readonly CreateUsuarioCommandHandler _handler;
 
     private static CreateUsuarioCommand ValidCommand() => new(
@@ -23,7 +25,7 @@ public class CreateUsuarioCommandHandlerTests
 
     public CreateUsuarioCommandHandlerTests()
     {
-        _handler = new CreateUsuarioCommandHandler(_repository, _hasher);
+        _handler = new CreateUsuarioCommandHandler(_repository, _hasher, _audit);
     }
 
     // ── exists → throws ──────────────────────────────────────────────────────
diff --git a/tests/SIGCM2.Application.Tests/Usuarios/DeactivateUsuarioCommandHandlerTests.cs b/tests/SIGCM2.Application.Tests/Usuarios/DeactivateUsuarioCommandHandlerTests.cs
index a9161a3..7d7a69c 100644
--- a/tests/SIGCM2.Application.Tests/Usuarios/DeactivateUsuarioCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/DeactivateUsuarioCommandHandlerTests.cs
@@ -1,5 +1,6 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.Deactivate;
 using SIGCM2.Domain.Entities;
@@ -11,11 +12,12 @@ public class DeactivateUsuarioCommandHandlerTests
 {
     private readonly IUsuarioRepository _repo = Substitute.For<IUsuarioRepository>();
     private readonly IRefreshTokenRepository _refreshRepo = Substitute.For<IRefreshTokenRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
     private readonly DeactivateUsuarioCommandHandler _handler;
 
     public DeactivateUsuarioCommandHandlerTests()
     {
-        _handler = new DeactivateUsuarioCommandHandler(_repo, _refreshRepo);
+        _handler = new DeactivateUsuarioCommandHandler(_repo, _refreshRepo, _audit);
         _repo.CountActiveAdminsAsync(Arg.Any<CancellationToken>()).Returns(2);
     }
 
diff --git a/tests/SIGCM2.Application.Tests/Usuarios/ReactivateUsuarioCommandHandlerTests.cs b/tests/SIGCM2.Application.Tests/Usuarios/ReactivateUsuarioCommandHandlerTests.cs
index 20cc2ca..bceb7cd 100644
--- a/tests/SIGCM2.Application.Tests/Usuarios/ReactivateUsuarioCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/ReactivateUsuarioCommandHandlerTests.cs
@@ -1,5 +1,6 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.Reactivate;
 using SIGCM2.Domain.Entities;
@@ -10,11 +11,12 @@ namespace SIGCM2.Application.Tests.Usuarios;
 public class ReactivateUsuarioCommandHandlerTests
 {
     private readonly IUsuarioRepository _repo = Substitute.For<IUsuarioRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
     private readonly ReactivateUsuarioCommandHandler _handler;
 
     public ReactivateUsuarioCommandHandlerTests()
     {
-        _handler = new ReactivateUsuarioCommandHandler(_repo);
+        _handler = new ReactivateUsuarioCommandHandler(_repo, _audit);
     }
 
     private static Usuario MakeUser(int id = 5, bool activo = false)
diff --git a/tests/SIGCM2.Application.Tests/Usuarios/ResetUsuarioPasswordCommandHandlerTests.cs b/tests/SIGCM2.Application.Tests/Usuarios/ResetUsuarioPasswordCommandHandlerTests.cs
index d7a92ab..d0b0ab2 100644
--- a/tests/SIGCM2.Application.Tests/Usuarios/ResetUsuarioPasswordCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/ResetUsuarioPasswordCommandHandlerTests.cs
@@ -1,6 +1,7 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Usuarios.ResetPassword;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -12,11 +13,12 @@ public class ResetUsuarioPasswordCommandHandlerTests
     private readonly IUsuarioRepository _repo = Substitute.For<IUsuarioRepository>();
     private readonly IPasswordHasher _hasher = Substitute.For<IPasswordHasher>();
     private readonly IRefreshTokenRepository _refreshRepo = Substitute.For<IRefreshTokenRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
     private readonly ResetUsuarioPasswordCommandHandler _handler;
 
     public ResetUsuarioPasswordCommandHandlerTests()
     {
-        _handler = new ResetUsuarioPasswordCommandHandler(_repo, _hasher, _refreshRepo);
+        _handler = new ResetUsuarioPasswordCommandHandler(_repo, _hasher, _refreshRepo, _audit);
         _hasher.Hash(Arg.Any<string>()).Returns(args => "$2a$12$hashof_" + args[0]);
     }
 
diff --git a/tests/SIGCM2.Application.Tests/Usuarios/UpdateUsuarioCommandHandlerTests.cs b/tests/SIGCM2.Application.Tests/Usuarios/UpdateUsuarioCommandHandlerTests.cs
index fab516d..b634c72 100644
--- a/tests/SIGCM2.Application.Tests/Usuarios/UpdateUsuarioCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/UpdateUsuarioCommandHandlerTests.cs
@@ -2,6 +2,7 @@ using FluentValidation;
 using NSubstitute;
 using NSubstitute.ExceptionExtensions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.Update;
 using SIGCM2.Domain.Entities;
@@ -14,11 +15,12 @@ public class UpdateUsuarioCommandHandlerTests
     private readonly IUsuarioRepository _repo = Substitute.For<IUsuarioRepository>();
     private readonly IRolRepository _rolRepo = Substitute.For<IRolRepository>();
     private readonly IRefreshTokenRepository _refreshRepo = Substitute.For<IRefreshTokenRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
     private readonly UpdateUsuarioCommandHandler _handler;
 
     public UpdateUsuarioCommandHandlerTests()
     {
-        _handler = new UpdateUsuarioCommandHandler(_repo, _rolRepo, _refreshRepo);
+        _handler = new UpdateUsuarioCommandHandler(_repo, _rolRepo, _refreshRepo, _audit);
 
         // Default: rol exists and is active
         _rolRepo.ExistsActiveByCodigoAsync(Arg.Any<string>(), Arg.Any<CancellationToken>()).Returns(true);