src/api/SIGCM2.Application/Permisos/Assign/AssignPermisosToRolCommandHandler.cs

@@ -1,5 +1,7 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Permisos.Dtos;
 using SIGCM2.Domain.Exceptions;
 
@@ -10,15 +12,18 @@ public sealed class AssignPermisosToRolCommandHandler : ICommandHandler<AssignPe
     private readonly IRolRepository _rolRepository;
     private readonly IPermisoRepository _permisoRepository;
     private readonly IRolPermisoRepository _rolPermisoRepository;
+    private readonly IAuditLogger _audit;
 
     public AssignPermisosToRolCommandHandler(
         IRolRepository rolRepository,
         IPermisoRepository permisoRepository,
-        IRolPermisoRepository rolPermisoRepository)
+        IRolPermisoRepository rolPermisoRepository,
+        IAuditLogger audit)
     {
         _rolRepository = rolRepository;
         _permisoRepository = permisoRepository;
         _rolPermisoRepository = rolPermisoRepository;
+        _audit = audit;
     }
 
     public async Task<IReadOnlyList<PermisoDto>> Handle(AssignPermisosToRolCommand command)
@@ -40,9 +45,28 @@ public sealed class AssignPermisosToRolCommandHandler : ICommandHandler<AssignPe
             throw new PermisoNotFoundException(missing);
         }
 
-        // 3. Reemplazar el set (DELETE+INSERT en transacción dentro del repo)
+        // Capture "before" snapshot for audit diff
-        var permisoIds = permisos.Select(p => p.Id);
+        var previousPermisos = await _rolPermisoRepository.GetByRolCodigoAsync(rol.Codigo);
-        await _rolPermisoRepository.ReplaceForRolAsync(rol.Id, permisoIds);
+        var beforeCodigos = previousPermisos.Select(p => p.Codigo).OrderBy(c => c, StringComparer.Ordinal).ToArray();
+        var afterCodigos = permisos.Select(p => p.Codigo).OrderBy(c => c, StringComparer.Ordinal).ToArray();
+
+        using (var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled))
+        {
+            // 3. Reemplazar el set (DELETE+INSERT en transacción dentro del repo)
+            var permisoIds = permisos.Select(p => p.Id);
+            await _rolPermisoRepository.ReplaceForRolAsync(rol.Id, permisoIds);
+
+            await _audit.LogAsync(
+                action: "rol.permisos_update",
+                targetType: "Rol",
+                targetId: rol.Id.ToString(),
+                metadata: new { before = beforeCodigos, after = afterCodigos });
+
+            tx.Complete();
+        }
 
         // 4. Retornar el nuevo set asignado
         return permisos

src/api/SIGCM2.Application/Roles/Create/CreateRolCommandHandler.cs

@@ -1,5 +1,7 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Roles.Dtos;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -9,10 +11,12 @@ namespace SIGCM2.Application.Roles.Create;
 public sealed class CreateRolCommandHandler : ICommandHandler<CreateRolCommand, RolCreatedDto>
 {
     private readonly IRolRepository _repository;
+    private readonly IAuditLogger _audit;
 
-    public CreateRolCommandHandler(IRolRepository repository)
+    public CreateRolCommandHandler(IRolRepository repository, IAuditLogger audit)
     {
         _repository = repository;
+        _audit = audit;
     }
 
     public async Task<RolCreatedDto> Handle(CreateRolCommand command)
@@ -24,7 +28,23 @@ public sealed class CreateRolCommandHandler : ICommandHandler<CreateRolCommand,
             throw new RolAlreadyExistsException(command.Codigo);
 
         var rol = Rol.ForCreation(command.Codigo, command.Nombre, command.Descripcion);
-        var newId = await _repository.AddAsync(rol);
+
+        int newId;
+        using (var tx = new TransactionScope(
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled))
+        {
+            newId = await _repository.AddAsync(rol);
+
+            await _audit.LogAsync(
+                action: "rol.create",
+                targetType: "Rol",
+                targetId: newId.ToString(),
+                metadata: new { after = new { rol.Codigo, rol.Nombre, rol.Descripcion } });
+
+            tx.Complete();
+        }
 
         return new RolCreatedDto(
             Id: newId,

src/api/SIGCM2.Application/Roles/Deactivate/DeactivateRolCommandHandler.cs

@@ -1,5 +1,7 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Roles.Dtos;
 using SIGCM2.Domain.Exceptions;
 
@@ -8,10 +10,12 @@ namespace SIGCM2.Application.Roles.Deactivate;
 public sealed class DeactivateRolCommandHandler : ICommandHandler<DeactivateRolCommand, RolDto>
 {
     private readonly IRolRepository _repository;
+    private readonly IAuditLogger _audit;
 
-    public DeactivateRolCommandHandler(IRolRepository repository)
+    public DeactivateRolCommandHandler(IRolRepository repository, IAuditLogger audit)
     {
         _repository = repository;
+        _audit = audit;
     }
 
     public async Task<RolDto> Handle(DeactivateRolCommand command)
@@ -23,10 +27,23 @@ public sealed class DeactivateRolCommandHandler : ICommandHandler<DeactivateRolC
         if (await _repository.HasActiveUsuariosAsync(command.Codigo))
             throw new RolInUseException(command.Codigo);
 
-        var updated = await _repository.UpdateAsync(
+        using (var tx = new TransactionScope(
-            existing.Codigo, existing.Nombre, existing.Descripcion, activo: false);
+            TransactionScopeOption.Required,
-        if (!updated)
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
-            throw new RolNotFoundException(command.Codigo);
+            TransactionScopeAsyncFlowOption.Enabled))
+        {
+            var updated = await _repository.UpdateAsync(
+                existing.Codigo, existing.Nombre, existing.Descripcion, activo: false);
+            if (!updated)
+                throw new RolNotFoundException(command.Codigo);
+
+            await _audit.LogAsync(
+                action: "rol.deactivate",
+                targetType: "Rol",
+                targetId: existing.Id.ToString());
+
+            tx.Complete();
+        }
 
         var rol = await _repository.GetByCodigoAsync(command.Codigo)
             ?? throw new RolNotFoundException(command.Codigo);

src/api/SIGCM2.Application/Roles/Update/UpdateRolCommandHandler.cs

@@ -1,5 +1,7 @@
+using System.Transactions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Roles.Dtos;
 using SIGCM2.Domain.Exceptions;
 
@@ -8,19 +10,42 @@ namespace SIGCM2.Application.Roles.Update;
 public sealed class UpdateRolCommandHandler : ICommandHandler<UpdateRolCommand, RolDto>
 {
     private readonly IRolRepository _repository;
+    private readonly IAuditLogger _audit;
 
-    public UpdateRolCommandHandler(IRolRepository repository)
+    public UpdateRolCommandHandler(IRolRepository repository, IAuditLogger audit)
     {
         _repository = repository;
+        _audit = audit;
     }
 
     public async Task<RolDto> Handle(UpdateRolCommand command)
     {
-        var updated = await _repository.UpdateAsync(
+        var before = await _repository.GetByCodigoAsync(command.Codigo)
-            command.Codigo, command.Nombre, command.Descripcion, command.Activo);
+            ?? throw new RolNotFoundException(command.Codigo);
 
-        if (!updated)
+        using (var tx = new TransactionScope(
-            throw new RolNotFoundException(command.Codigo);
+            TransactionScopeOption.Required,
+            new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
+            TransactionScopeAsyncFlowOption.Enabled))
+        {
+            var updated = await _repository.UpdateAsync(
+                command.Codigo, command.Nombre, command.Descripcion, command.Activo);
+
+            if (!updated)
+                throw new RolNotFoundException(command.Codigo);
+
+            await _audit.LogAsync(
+                action: "rol.update",
+                targetType: "Rol",
+                targetId: before.Id.ToString(),
+                metadata: new
+                {
+                    before = new { before.Nombre, before.Descripcion, before.Activo },
+                    after = new { command.Nombre, command.Descripcion, command.Activo },
+                });
+
+            tx.Complete();
+        }
 
         var rol = await _repository.GetByCodigoAsync(command.Codigo)
             ?? throw new RolNotFoundException(command.Codigo);

tests/SIGCM2.Application.Tests/Permisos/Assign/AssignPermisosToRolCommandHandlerTests.cs

@@ -1,5 +1,6 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Permisos.Assign;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -11,11 +12,12 @@ public class AssignPermisosToRolCommandHandlerTests
     private readonly IRolRepository _rolRepository = Substitute.For<IRolRepository>();
     private readonly IPermisoRepository _permisoRepository = Substitute.For<IPermisoRepository>();
     private readonly IRolPermisoRepository _rolPermisoRepository = Substitute.For<IRolPermisoRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
     private readonly AssignPermisosToRolCommandHandler _handler;
 
     public AssignPermisosToRolCommandHandlerTests()
     {
-        _handler = new AssignPermisosToRolCommandHandler(_rolRepository, _permisoRepository, _rolPermisoRepository);
+        _handler = new AssignPermisosToRolCommandHandler(_rolRepository, _permisoRepository, _rolPermisoRepository, _audit);
     }
 
     private static Rol MakeRol(int id, string codigo) =>

tests/SIGCM2.Application.Tests/Roles/Create/CreateRolCommandHandlerTests.cs

@@ -1,5 +1,6 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Roles.Create;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -9,13 +10,14 @@ namespace SIGCM2.Application.Tests.Roles.Create;
 public class CreateRolCommandHandlerTests
 {
     private readonly IRolRepository _repository = Substitute.For<IRolRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
     private readonly CreateRolCommandHandler _handler;
 
     private static CreateRolCommand ValidCommand() => new("cajero_senior", "Cajero Senior", "Con más permisos");
 
     public CreateRolCommandHandlerTests()
     {
-        _handler = new CreateRolCommandHandler(_repository);
+        _handler = new CreateRolCommandHandler(_repository, _audit);
     }
 
     [Fact]

tests/SIGCM2.Application.Tests/Roles/Deactivate/DeactivateRolCommandHandlerTests.cs

@@ -1,5 +1,6 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Roles.Deactivate;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -9,6 +10,7 @@ namespace SIGCM2.Application.Tests.Roles.Deactivate;
 public class DeactivateRolCommandHandlerTests
 {
     private readonly IRolRepository _repository = Substitute.For<IRolRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
     private readonly DeactivateRolCommandHandler _handler;
 
     private static Rol RolActive(string codigo, int id = 10)
@@ -19,7 +21,7 @@ public class DeactivateRolCommandHandlerTests
 
     public DeactivateRolCommandHandlerTests()
     {
-        _handler = new DeactivateRolCommandHandler(_repository);
+        _handler = new DeactivateRolCommandHandler(_repository, _audit);
     }
 
     [Fact]

tests/SIGCM2.Application.Tests/Roles/Update/UpdateRolCommandHandlerTests.cs

@@ -1,5 +1,6 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Roles.Update;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -9,11 +10,12 @@ namespace SIGCM2.Application.Tests.Roles.Update;
 public class UpdateRolCommandHandlerTests
 {
     private readonly IRolRepository _repository = Substitute.For<IRolRepository>();
+    private readonly IAuditLogger _audit = Substitute.For<IAuditLogger>();
     private readonly UpdateRolCommandHandler _handler;
 
     public UpdateRolCommandHandlerTests()
     {
-        _handler = new UpdateRolCommandHandler(_repository);
+        _handler = new UpdateRolCommandHandler(_repository, _audit);
     }
 
     [Fact]