feat(audit-log): add audit events for templates, billing, credentials, env, deployments, passwords #3246

Merged
waleedlatif1 merged 7 commits into staging from improvement/al on Feb 18, 2026

Conversation

@waleedlatif1 (Collaborator)

Summary

  • Add new audit actions: CREDIT_PURCHASED, CREDENTIAL_SET_MEMBER_LEFT, CREDENTIAL_SET_INVITATION_ACCEPTED, PASSWORD_RESET, TEMPLATE_CREATED/UPDATED/DELETED, WORKFLOW_DEPLOYMENT_ACTIVATED
  • Add new resource types: BILLING, PASSWORD, TEMPLATE
  • Instrument 10 routes: credential set invitation accept/resend/self-revoke, password reset, deployment version activation, template CRUD, global env vars update, credit purchase
  • Update audit mock to stay in sync with source enums

Type of Change

  • New feature

Testing

Tested manually, type check passes, audit mock sync tests pass (17/17)

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)


@greptile-apps (Contributor)

greptile-apps bot commented Feb 18, 2026

Greptile Summary

This PR expands the audit logging system across 10 API routes by adding new audit events for templates (CRUD), billing (credit purchases), credentials (invitation accept/resend, member self-leave), password resets, global environment variable updates, and deployment version activation. It also enriches existing audit calls across 18+ routes with actorName/actorEmail by threading user identity through AuthResult, McpAuthContext, and session objects.

  • Adds 8 new AuditAction entries and 3 new AuditResourceType entries to the central audit enum, with matching updates to the test mock
  • Instruments credential set invitation accept, resend, and self-revoke routes with dedicated audit actions (addresses prior review feedback about reusing CREDENTIAL_SET_INVITATION_CREATED for resends)
  • Adds onPasswordReset callback in better-auth config to audit password resets with the actual user identity (addresses prior review feedback about using actorId: 'system')
  • Extends AuthResult and McpAuthContext interfaces with optional userName/userEmail fields, populated for session-based auth
  • All new recordAudit calls are correctly placed after successful operations (fire-and-forget pattern), and audit metadata avoids logging sensitive values

Confidence Score: 4/5

  • This PR is safe to merge — all changes are additive audit instrumentation with no behavioral changes to existing logic.
  • Score reflects that changes are purely additive (new audit events and actor info propagation) with no modifications to existing business logic. All recordAudit calls follow the established fire-and-forget pattern and are placed after successful operations. The audit mock is kept in sync. Minor observation: userName/userEmail are only populated for session auth (not API key or internal JWT), but this is a pre-existing limitation and not a regression.
  • No files require special attention. All changes follow established patterns consistently.

Important Files Changed

  • apps/sim/lib/audit/log.ts: Adds new audit actions (CREDIT_PURCHASED, CREDENTIAL_SET_MEMBER_LEFT, CREDENTIAL_SET_INVITATION_ACCEPTED, CREDENTIAL_SET_INVITATION_RESENT, PASSWORD_RESET, TEMPLATE_CREATED/UPDATED/DELETED, WORKFLOW_DEPLOYMENT_ACTIVATED) and resource types (BILLING, PASSWORD, TEMPLATE). Clean additions following existing conventions.
  • apps/sim/lib/auth/hybrid.ts: Adds userName/userEmail to AuthResult interface and populates them for session-based auth. Note: API key and internal JWT auth paths still return undefined for these fields, which means audit logs from those auth types won't capture actor name/email.
  • apps/sim/lib/auth/auth.ts: Adds onPasswordReset callback using better-auth's callback mechanism. Uses dynamic import for audit module. Correctly uses resetUser.id/name/email from the callback. No request object available in this context, so IP/user-agent won't be captured.
  • apps/sim/app/api/billing/credits/route.ts: Adds CREDIT_PURCHASED audit after successful purchase. Correctly placed after success check, includes amount and requestId in metadata.
  • apps/sim/app/api/credential-sets/[id]/invite/[invitationId]/route.ts: Adds CREDENTIAL_SET_INVITATION_RESENT audit event. Addresses previous review feedback by using a dedicated resent action instead of reusing CREDENTIAL_SET_INVITATION_CREATED.
  • apps/sim/app/api/credential-sets/invite/[token]/route.ts: Adds CREDENTIAL_SET_INVITATION_ACCEPTED audit after successful invitation acceptance transaction. Correctly placed after database transaction commits.
  • apps/sim/app/api/credential-sets/memberships/route.ts: Adds CREDENTIAL_SET_MEMBER_LEFT audit for self-revocation. Correctly placed after transaction completes.
  • apps/sim/app/api/environment/route.ts: Adds ENVIRONMENT_UPDATED audit after global env vars update. Includes variable count in metadata (not variable names/values, which is good for security).
  • apps/sim/app/api/templates/route.ts: Adds TEMPLATE_CREATED audit after successful template creation. Includes template ID, name, and actor details.
  • apps/sim/app/api/templates/[id]/route.ts: Adds TEMPLATE_UPDATED and TEMPLATE_DELETED audit events. Both correctly placed after successful DB operations.
  • apps/sim/app/api/workflows/[id]/deployments/[version]/route.ts: Adds WORKFLOW_DEPLOYMENT_ACTIVATED audit after successful version activation. Includes workspaceId, version metadata, and actor info from session.
  • apps/sim/lib/mcp/middleware.ts: Adds userName/userEmail to McpAuthContext and propagates from auth result in validateMcpAuth.
  • apps/sim/app/api/webhooks/route.ts: Refactors getSession call to retain full session, then adds actorName/actorEmail to existing WEBHOOK_CREATED audit call. Uses null-coalescing to undefined for compatibility.
  • packages/testing/src/mocks/audit.mock.ts: Adds all new audit actions and resource types to the mock, keeping it in sync with the source enums in log.ts.

Flowchart

flowchart TD
    subgraph Auth["Auth Layer"]
        Session["Session Auth"]
        APIKey["API Key Auth"]
        JWT["Internal JWT"]
    end

    subgraph AuthResult["AuthResult / McpAuthContext"]
        UID["userId"]
        UNAME["userName (new)"]
        UEMAIL["userEmail (new)"]
    end

    Session -->|populates| UID
    Session -->|populates| UNAME
    Session -->|populates| UEMAIL
    APIKey -->|populates| UID
    APIKey -.->|undefined| UNAME
    APIKey -.->|undefined| UEMAIL
    JWT -->|populates| UID
    JWT -.->|undefined| UNAME
    JWT -.->|undefined| UEMAIL

    subgraph NewAuditEvents["New Audit Events"]
        CP["CREDIT_PURCHASED"]
        CSL["CREDENTIAL_SET_MEMBER_LEFT"]
        CSIA["CREDENTIAL_SET_INVITATION_ACCEPTED"]
        CSIR["CREDENTIAL_SET_INVITATION_RESENT"]
        PR["PASSWORD_RESET"]
        TC["TEMPLATE_CREATED"]
        TU["TEMPLATE_UPDATED"]
        TD2["TEMPLATE_DELETED"]
        WDA["WORKFLOW_DEPLOYMENT_ACTIVATED"]
        EU["ENVIRONMENT_UPDATED"]
    end

    subgraph Routes["Instrumented Routes"]
        R1["/api/billing/credits"]
        R2["/api/credential-sets/memberships"]
        R3["/api/credential-sets/invite/token"]
        R4["/api/credential-sets/id/invite/invId"]
        R5["/auth (onPasswordReset)"]
        R6["/api/templates"]
        R7["/api/templates/id"]
        R8["/api/workflows/id/deployments/ver"]
        R9["/api/environment"]
    end

    R1 --> CP
    R2 --> CSL
    R3 --> CSIA
    R4 --> CSIR
    R5 --> PR
    R6 --> TC
    R7 --> TU
    R7 --> TD2
    R8 --> WDA
    R9 --> EU

    AuthResult --> NewAuditEvents
    NewAuditEvents -->|recordAudit| AuditDB[(Audit Log DB)]

Last reviewed commit: aeeead0

@greptile-apps greptile-apps bot left a comment

11 files reviewed, 2 comments

@waleedlatif1 (Collaborator, Author)

@cursor review

@waleedlatif1 (Collaborator, Author)

@greptile

@greptile-apps greptile-apps bot left a comment

27 files reviewed, no comments

…udit, remove cast

- Move password reset audit to onPasswordReset callback in auth config
  instead of coupling to better-auth's verification table internals
- Remove ugly double-cast on workflowData.workspaceId in deployment activation
@waleedlatif1 (Collaborator, Author)

@greptile

@waleedlatif1 (Collaborator, Author)

@cursor review

@cursor cursor bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

@greptile-apps greptile-apps bot left a comment

28 files reviewed, no comments

@waleedlatif1 waleedlatif1 merged commit 7c7c0fd into staging Feb 18, 2026
3 checks passed
@waleedlatif1 waleedlatif1 deleted the improvement/al branch February 18, 2026 19:53