feat(audit): enchufar audit en handlers de Usuario — Closes #6

7 command handlers del módulo Usuarios ahora auditan via IAuditLogger: | Handler | Action | |-----------------------------------------|-------------------------| | CreateUsuarioCommandHandler | usuario.create | | UpdateUsuarioCommandHandler | usuario.update | | DeactivateUsuarioCommandHandler | usuario.deactivate | | ReactivateUsuarioCommandHandler | usuario.reactivate | | ChangeMyPasswordCommandHandler | usuario.password_change | | ResetUsuarioPasswordCommandHandler | usuario.password_reset | | UpdateUsuarioPermisosOverridesHandler | usuario.permisos_update | Patrón por handler (per design #D-1): using (var tx = new TransactionScope(Required, ReadCommitted, AsyncFlowEnabled)) { await repo.UpdateAsync(...); await audit.LogAsync(...); tx.Complete(); } // post-commit reads OUTSIDE the using block var updated = await repo.GetDetailAsync(...); Metadata captured: - usuario.create: after={username, nombre, apellido, email, rol} — NO password. - usuario.update: {before, after} diff of editable fields. - usuario.password_reset: {targetId} only — tempPassword is NEVER persisted to audit (returned to caller once, never stored). - usuario.permisos_update: {before, after} of grant/deny override lists. Key fix during implementation: initially used 'using var tx = ...' (bare declaration). This kept the TransactionScope active for the rest of the method, causing 'The current TransactionScope is already complete' when post-commit reads (GetDetailAsync) tried to enlist. Solution: explicit 'using (var tx = ...) { ... }' block that disposes the scope before post-commit reads. AuditContextMissingException surfaces from AuditLogger when IAuditContext lacks ActorUserId — fail-closed per #REQ-AUD-4. In integration tests, the middleware populates ActorUserId from the JWT sub of the authenticated admin. Test updates: 6 existing unit test classes now inject IAuditLogger mock: - CreateUsuarioCommandHandlerTests - UpdateUsuarioCommandHandlerTests - DeactivateUsuarioCommandHandlerTests - ReactivateUsuarioCommandHandlerTests - ChangeMyPasswordCommandHandlerTests - ResetUsuarioPasswordCommandHandlerTests Follow-up #6 ([Auditoría] Registrar admin creador en alta de usuarios) is closed: CreateUsuarioCommandHandler now records ActorUserId = admin JWT sub on every user creation. TODO comment removed. Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing. Closes #6 Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-UM-AUD, design, tasks#B7}
2026-04-16 13:49:44 -03:00
parent a3d6214d09
commit 26efb74c22
13 changed files with 191 additions and 33 deletions
--- a/src/api/SIGCM2.Application/Usuarios/ChangeMyPassword/ChangeMyPasswordCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/ChangeMyPassword/ChangeMyPasswordCommandHandler.cs
@@ -1,6 +1,8 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Domain.Exceptions;

@@ -10,13 +12,16 @@ public sealed class ChangeMyPasswordCommandHandler : ICommandHandler<ChangeMyPas
 {
    private readonly IUsuarioRepository _repository;
    private readonly IPasswordHasher _hasher;
+    private readonly IAuditLogger _audit;

    public ChangeMyPasswordCommandHandler(
        IUsuarioRepository repository,
-        IPasswordHasher hasher)
+        IPasswordHasher hasher,
+        IAuditLogger audit)
    {
        _repository = repository;
        _hasher = hasher;
+        _audit = audit;
    }

    public async Task<Unit> Handle(ChangeMyPasswordCommand cmd)
@@ -28,9 +33,21 @@ public sealed class ChangeMyPasswordCommandHandler : ICommandHandler<ChangeMyPas
            throw new InvalidOldPasswordException();

        var newHash = _hasher.Hash(cmd.NewPassword);
+
+        using var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled);
+
        await _repository.UpdatePasswordAsync(cmd.UsuarioId, newHash, mustChangePassword: false);

-        // TODO: audit — defer to ADM-004
+        await _audit.LogAsync(
+            action: "usuario.password_change",
+            targetType: "Usuario",
+            targetId: cmd.UsuarioId.ToString());
+
+        tx.Complete();
+
        // NOTE: intentionally does NOT revoke own refresh tokens (spec REQ-BCP-05)
        return Unit.Value;
    }
--- a/src/api/SIGCM2.Application/Usuarios/Create/CreateUsuarioCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/Create/CreateUsuarioCommandHandler.cs
@@ -1,6 +1,8 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;

@@ -10,13 +12,16 @@ public sealed class CreateUsuarioCommandHandler : ICommandHandler<CreateUsuarioC
 {
    private readonly IUsuarioRepository _repository;
    private readonly IPasswordHasher _hasher;
+    private readonly IAuditLogger _audit;

    public CreateUsuarioCommandHandler(
        IUsuarioRepository repository,
-        IPasswordHasher hasher)
+        IPasswordHasher hasher,
+        IAuditLogger audit)
    {
        _repository = repository;
        _hasher = hasher;
+        _audit = audit;
    }

    public async Task<UsuarioCreatedDto> Handle(CreateUsuarioCommand command)
@@ -37,9 +42,32 @@ public sealed class CreateUsuarioCommandHandler : ICommandHandler<CreateUsuarioC
            email: command.Email,
            rol: command.Rol);

-        // TODO: audit — record which admin created this user (defer to UDT-Audit)
+        using var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled);
+
        var newId = await _repository.AddAsync(usuario);

+        // UDT-010 (closes follow-up #6): record admin who created this user.
+        await _audit.LogAsync(
+            action: "usuario.create",
+            targetType: "Usuario",
+            targetId: newId.ToString(),
+            metadata: new
+            {
+                after = new
+                {
+                    usuario.Username,
+                    usuario.Nombre,
+                    usuario.Apellido,
+                    usuario.Email,
+                    usuario.Rol,
+                },
+            });
+
+        tx.Complete();
+
        return new UsuarioCreatedDto(
            Id: newId,
            Username: usuario.Username,
--- a/src/api/SIGCM2.Application/Usuarios/Deactivate/DeactivateUsuarioCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/Deactivate/DeactivateUsuarioCommandHandler.cs
@@ -1,5 +1,7 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.GetById;
 using SIGCM2.Domain.Exceptions;
@@ -10,13 +12,16 @@ public sealed class DeactivateUsuarioCommandHandler : ICommandHandler<Deactivate
 {
    private readonly IUsuarioRepository _repository;
    private readonly IRefreshTokenRepository _refreshTokenRepository;
+    private readonly IAuditLogger _audit;

    public DeactivateUsuarioCommandHandler(
        IUsuarioRepository repository,
-        IRefreshTokenRepository refreshTokenRepository)
+        IRefreshTokenRepository refreshTokenRepository,
+        IAuditLogger audit)
    {
        _repository = repository;
        _refreshTokenRepository = refreshTokenRepository;
+        _audit = audit;
    }

    public async Task<UsuarioDetailDto> Handle(DeactivateUsuarioCommand cmd)
@@ -39,10 +44,23 @@ public sealed class DeactivateUsuarioCommandHandler : ICommandHandler<Deactivate

        var fields = new UpdateUsuarioFields(target.Nombre, target.Apellido, target.Email, target.Rol, false);
        var now = DateTime.UtcNow;
-        await _repository.UpdateAsync(cmd.UsuarioId, fields, now);
-        await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.UsuarioId, now);

-        // TODO: audit — defer to ADM-004
+        using (var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled))
+        {
+            await _repository.UpdateAsync(cmd.UsuarioId, fields, now);
+            await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.UsuarioId, now);
+
+            await _audit.LogAsync(
+                action: "usuario.deactivate",
+                targetType: "Usuario",
+                targetId: cmd.UsuarioId.ToString());
+
+            tx.Complete();
+        }
+
        var updated = await _repository.GetDetailAsync(cmd.UsuarioId)
            ?? throw new UsuarioNotFoundException(cmd.UsuarioId);

--- a/src/api/SIGCM2.Application/Usuarios/Permisos/UpdateUsuarioPermisosOverridesCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/Permisos/UpdateUsuarioPermisosOverridesCommandHandler.cs
@@ -1,5 +1,7 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Domain.Exceptions;

@@ -15,15 +17,18 @@ public sealed class UpdateUsuarioPermisosOverridesCommandHandler
    private readonly IUsuarioRepository _usuarioRepo;
    private readonly IRolPermisoRepository _rolPermisoRepo;
    private readonly IPermisoRepository _permisoRepo;
+    private readonly IAuditLogger _audit;

    public UpdateUsuarioPermisosOverridesCommandHandler(
        IUsuarioRepository usuarioRepo,
        IRolPermisoRepository rolPermisoRepo,
-        IPermisoRepository permisoRepo)
+        IPermisoRepository permisoRepo,
+        IAuditLogger audit)
    {
        _usuarioRepo = usuarioRepo;
        _rolPermisoRepo = rolPermisoRepo;
        _permisoRepo = permisoRepo;
+        _audit = audit;
    }

    public async Task<UsuarioPermisosDto> Handle(UpdateUsuarioPermisosOverridesCommand command)
@@ -53,11 +58,31 @@ public sealed class UpdateUsuarioPermisosOverridesCommandHandler

        // 4. Persist — use WithPermisosJson to get updated FechaModificacion
        var newOverrides = new PermisosOverride(grant, deny);
+        var previousOverrides = PermisosOverride.FromJson(usuario.PermisosJson);
        var updated = usuario.WithPermisosJson(newOverrides.ToJson());
-        await _usuarioRepo.UpdatePermisosJsonAsync(
-            updated.Id,
-            updated.PermisosJson,
-            updated.FechaModificacion!.Value);
+
+        using (var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled))
+        {
+            await _usuarioRepo.UpdatePermisosJsonAsync(
+                updated.Id,
+                updated.PermisosJson,
+                updated.FechaModificacion!.Value);
+
+            await _audit.LogAsync(
+                action: "usuario.permisos_update",
+                targetType: "Usuario",
+                targetId: command.Id.ToString(),
+                metadata: new
+                {
+                    before = new { grant = previousOverrides.Grant, deny = previousOverrides.Deny },
+                    after = new { grant = grant, deny = deny },
+                });
+
+            tx.Complete();
+        }

        // 5. Return updated effective set
        var rolPermisoEntities = await _rolPermisoRepo.GetByRolCodigoAsync(updated.Rol);
--- a/src/api/SIGCM2.Application/Usuarios/Reactivate/ReactivateUsuarioCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/Reactivate/ReactivateUsuarioCommandHandler.cs
@@ -1,5 +1,7 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.GetById;
 using SIGCM2.Domain.Exceptions;
@@ -9,10 +11,12 @@ namespace SIGCM2.Application.Usuarios.Reactivate;
 public sealed class ReactivateUsuarioCommandHandler : ICommandHandler<ReactivateUsuarioCommand, UsuarioDetailDto>
 {
    private readonly IUsuarioRepository _repository;
+    private readonly IAuditLogger _audit;

-    public ReactivateUsuarioCommandHandler(IUsuarioRepository repository)
+    public ReactivateUsuarioCommandHandler(IUsuarioRepository repository, IAuditLogger audit)
    {
        _repository = repository;
+        _audit = audit;
    }

    public async Task<UsuarioDetailDto> Handle(ReactivateUsuarioCommand cmd)
@@ -31,9 +35,22 @@ public sealed class ReactivateUsuarioCommandHandler : ICommandHandler<Reactivate

        var fields = new UpdateUsuarioFields(target.Nombre, target.Apellido, target.Email, target.Rol, true);
        var now = DateTime.UtcNow;
-        await _repository.UpdateAsync(cmd.UsuarioId, fields, now);

-        // TODO: audit — defer to ADM-004
+        using (var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled))
+        {
+            await _repository.UpdateAsync(cmd.UsuarioId, fields, now);
+
+            await _audit.LogAsync(
+                action: "usuario.reactivate",
+                targetType: "Usuario",
+                targetId: cmd.UsuarioId.ToString());
+
+            tx.Complete();
+        }
+
        var updated = await _repository.GetDetailAsync(cmd.UsuarioId)
            ?? throw new UsuarioNotFoundException(cmd.UsuarioId);

--- a/src/api/SIGCM2.Application/Usuarios/ResetPassword/ResetUsuarioPasswordCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/ResetPassword/ResetUsuarioPasswordCommandHandler.cs
@@ -1,6 +1,8 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Domain.Exceptions;

@@ -11,15 +13,18 @@ public sealed class ResetUsuarioPasswordCommandHandler : ICommandHandler<ResetUs
    private readonly IUsuarioRepository _repository;
    private readonly IPasswordHasher _hasher;
    private readonly IRefreshTokenRepository _refreshTokenRepository;
+    private readonly IAuditLogger _audit;

    public ResetUsuarioPasswordCommandHandler(
        IUsuarioRepository repository,
        IPasswordHasher hasher,
-        IRefreshTokenRepository refreshTokenRepository)
+        IRefreshTokenRepository refreshTokenRepository,
+        IAuditLogger audit)
    {
        _repository = repository;
        _hasher = hasher;
        _refreshTokenRepository = refreshTokenRepository;
+        _audit = audit;
    }

    public async Task<ResetUsuarioPasswordResponse> Handle(ResetUsuarioPasswordCommand cmd)
@@ -32,13 +37,25 @@ public sealed class ResetUsuarioPasswordCommandHandler : ICommandHandler<ResetUs
            ?? throw new UsuarioNotFoundException(cmd.TargetId);

        var temp = TempPasswordGenerator.Generate(12);
-        // SECURITY: NEVER log tempPassword
+        // SECURITY: NEVER log tempPassword — it is returned to the caller, never persisted.
        var hash = _hasher.Hash(temp);

+        using var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled);
+
        await _repository.UpdatePasswordAsync(cmd.TargetId, hash, mustChangePassword: true);
        await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.TargetId, DateTime.UtcNow);

-        // TODO: audit — defer to ADM-004
+        await _audit.LogAsync(
+            action: "usuario.password_reset",
+            targetType: "Usuario",
+            targetId: cmd.TargetId.ToString(),
+            metadata: new { targetId = cmd.TargetId }); // NO tempPassword in metadata
+
+        tx.Complete();
+
        return new ResetUsuarioPasswordResponse(temp, MustChangeOnLogin: true);
    }
 }
--- a/src/api/SIGCM2.Application/Usuarios/Update/UpdateUsuarioCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Usuarios/Update/UpdateUsuarioCommandHandler.cs
@@ -1,5 +1,7 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.GetById;
 using SIGCM2.Domain.Exceptions;
@@ -11,15 +13,18 @@ public sealed class UpdateUsuarioCommandHandler : ICommandHandler<UpdateUsuarioC
    private readonly IUsuarioRepository _repository;
    private readonly IRolRepository _rolRepository;
    private readonly IRefreshTokenRepository _refreshTokenRepository;
+    private readonly IAuditLogger _audit;

    public UpdateUsuarioCommandHandler(
        IUsuarioRepository repository,
        IRolRepository rolRepository,
-        IRefreshTokenRepository refreshTokenRepository)
+        IRefreshTokenRepository refreshTokenRepository,
+        IAuditLogger audit)
    {
        _repository = repository;
        _rolRepository = rolRepository;
        _refreshTokenRepository = refreshTokenRepository;
+        _audit = audit;
    }

    public async Task<UsuarioDetailDto> Handle(UpdateUsuarioCommand cmd)
@@ -48,17 +53,36 @@ public sealed class UpdateUsuarioCommandHandler : ICommandHandler<UpdateUsuarioC

        var fields = new UpdateUsuarioFields(cmd.Nombre, cmd.Apellido, cmd.Email, cmd.Rol, cmd.Activo);
        var now = DateTime.UtcNow;
-        await _repository.UpdateAsync(cmd.Id, fields, now);

-        // Revoke refresh tokens if rol changed or user deactivated
-        var rolChanged = !string.Equals(target.Rol, cmd.Rol, StringComparison.Ordinal);
-        var justDeactivated = target.Activo && !cmd.Activo;
-        if (rolChanged || justDeactivated)
+        using (var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled))
        {
-            await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.Id, now);
+            await _repository.UpdateAsync(cmd.Id, fields, now);
+
+            // Revoke refresh tokens if rol changed or user deactivated
+            var rolChanged = !string.Equals(target.Rol, cmd.Rol, StringComparison.Ordinal);
+            var justDeactivated = target.Activo && !cmd.Activo;
+            if (rolChanged || justDeactivated)
+            {
+                await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.Id, now);
+            }
+
+            await _audit.LogAsync(
+                action: "usuario.update",
+                targetType: "Usuario",
+                targetId: cmd.Id.ToString(),
+                metadata: new
+                {
+                    before = new { target.Nombre, target.Apellido, target.Email, target.Rol, target.Activo },
+                    after = new { cmd.Nombre, cmd.Apellido, cmd.Email, cmd.Rol, cmd.Activo },
+                });
+
+            tx.Complete();
        }

-        // TODO: audit — defer to ADM-004
+        // Post-commit read: outside the scope so SqlClient does not try to enlist a completed transaction.
        var updated = await _repository.GetDetailAsync(cmd.Id)
            ?? throw new UsuarioNotFoundException(cmd.Id);

--- a/tests/SIGCM2.Application.Tests/Usuarios/ChangeMyPasswordCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/ChangeMyPasswordCommandHandlerTests.cs
@@ -1,6 +1,7 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Usuarios.ChangeMyPassword;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -12,11 +13,12 @@ public class ChangeMyPasswordCommandHandlerTests
    private readonly IUsuarioRepository _repo = Substitute.For<IUsuarioRepository>();
    private readonly IPasswordHasher _hasher = Substitute.For<IPasswordHasher>();
    private readonly IRefreshTokenRepository _refreshRepo = Substitute.For<IRefreshTokenRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
    private readonly ChangeMyPasswordCommandHandler _handler;

    public ChangeMyPasswordCommandHandlerTests()
    {
-        _handler = new ChangeMyPasswordCommandHandler(_repo, _hasher);
+        _handler = new ChangeMyPasswordCommandHandler(_repo, _hasher, _audit);
    }

    private static Usuario MakeUser(int id = 1, bool mustChangePassword = false)
--- a/tests/SIGCM2.Application.Tests/Usuarios/Create/CreateUsuarioCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/Create/CreateUsuarioCommandHandlerTests.cs
@@ -1,6 +1,7 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Usuarios.Create;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -11,6 +12,7 @@ public class CreateUsuarioCommandHandlerTests
 {
    private readonly IUsuarioRepository _repository = Substitute.For<IUsuarioRepository>();
    private readonly IPasswordHasher _hasher = Substitute.For<IPasswordHasher>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
    private readonly CreateUsuarioCommandHandler _handler;

    private static CreateUsuarioCommand ValidCommand() => new(
@@ -23,7 +25,7 @@ public class CreateUsuarioCommandHandlerTests

    public CreateUsuarioCommandHandlerTests()
    {
-        _handler = new CreateUsuarioCommandHandler(_repository, _hasher);
+        _handler = new CreateUsuarioCommandHandler(_repository, _hasher, _audit);
    }

    // ── exists → throws ──────────────────────────────────────────────────────
--- a/tests/SIGCM2.Application.Tests/Usuarios/DeactivateUsuarioCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/DeactivateUsuarioCommandHandlerTests.cs
@@ -1,5 +1,6 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.Deactivate;
 using SIGCM2.Domain.Entities;
@@ -11,11 +12,12 @@ public class DeactivateUsuarioCommandHandlerTests
 {
    private readonly IUsuarioRepository _repo = Substitute.For<IUsuarioRepository>();
    private readonly IRefreshTokenRepository _refreshRepo = Substitute.For<IRefreshTokenRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
    private readonly DeactivateUsuarioCommandHandler _handler;

    public DeactivateUsuarioCommandHandlerTests()
    {
-        _handler = new DeactivateUsuarioCommandHandler(_repo, _refreshRepo);
+        _handler = new DeactivateUsuarioCommandHandler(_repo, _refreshRepo, _audit);
        _repo.CountActiveAdminsAsync(Arg.Any<CancellationToken>()).Returns(2);
    }

--- a/tests/SIGCM2.Application.Tests/Usuarios/ReactivateUsuarioCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/ReactivateUsuarioCommandHandlerTests.cs
@@ -1,5 +1,6 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.Reactivate;
 using SIGCM2.Domain.Entities;
@@ -10,11 +11,12 @@ namespace SIGCM2.Application.Tests.Usuarios;
 public class ReactivateUsuarioCommandHandlerTests
 {
    private readonly IUsuarioRepository _repo = Substitute.For<IUsuarioRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
    private readonly ReactivateUsuarioCommandHandler _handler;

    public ReactivateUsuarioCommandHandlerTests()
    {
-        _handler = new ReactivateUsuarioCommandHandler(_repo);
+        _handler = new ReactivateUsuarioCommandHandler(_repo, _audit);
    }

    private static Usuario MakeUser(int id = 5, bool activo = false)
--- a/tests/SIGCM2.Application.Tests/Usuarios/ResetUsuarioPasswordCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/ResetUsuarioPasswordCommandHandlerTests.cs
@@ -1,6 +1,7 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Usuarios.ResetPassword;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -12,11 +13,12 @@ public class ResetUsuarioPasswordCommandHandlerTests
    private readonly IUsuarioRepository _repo = Substitute.For<IUsuarioRepository>();
    private readonly IPasswordHasher _hasher = Substitute.For<IPasswordHasher>();
    private readonly IRefreshTokenRepository _refreshRepo = Substitute.For<IRefreshTokenRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
    private readonly ResetUsuarioPasswordCommandHandler _handler;

    public ResetUsuarioPasswordCommandHandlerTests()
    {
-        _handler = new ResetUsuarioPasswordCommandHandler(_repo, _hasher, _refreshRepo);
+        _handler = new ResetUsuarioPasswordCommandHandler(_repo, _hasher, _refreshRepo, _audit);
        _hasher.Hash(Arg.Any<string>()).Returns(args => "$2a$12$hashof_" + args[0]);
    }

--- a/tests/SIGCM2.Application.Tests/Usuarios/UpdateUsuarioCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/UpdateUsuarioCommandHandlerTests.cs
@@ -2,6 +2,7 @@ using FluentValidation;
 using NSubstitute;
 using NSubstitute.ExceptionExtensions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.Update;
 using SIGCM2.Domain.Entities;
@@ -14,11 +15,12 @@ public class UpdateUsuarioCommandHandlerTests
    private readonly IUsuarioRepository _repo = Substitute.For<IUsuarioRepository>();
    private readonly IRolRepository _rolRepo = Substitute.For<IRolRepository>();
    private readonly IRefreshTokenRepository _refreshRepo = Substitute.For<IRefreshTokenRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
    private readonly UpdateUsuarioCommandHandler _handler;

    public UpdateUsuarioCommandHandlerTests()
    {
-        _handler = new UpdateUsuarioCommandHandler(_repo, _rolRepo, _refreshRepo);
+        _handler = new UpdateUsuarioCommandHandler(_repo, _rolRepo, _refreshRepo, _audit);

        // Default: rol exists and is active
        _rolRepo.ExistsActiveByCodigoAsync(Arg.Any<string>(), Arg.Any<CancellationToken>()).Returns(true);