v0.1.3 (#36)

## What's new

Compliance, audit, and account lifecycle improvements — admin actions are now fully auditable, user data is properly anonymized on deletion, and OAuth signup flow gives users control over their profile.

### Audit

- Added audit logging for all admin actions (user activate/deactivate, team BYOC toggle, team delete, template delete, build create/cancel)
- Added admin audit page with infinite scroll and hierarchical filters
- Fixed audit log team assignment — admin/host actions now correctly land under PlatformTeamID
- Anonymize audit logs on user hard-delete (actor name, IDs, emails stripped)
- Deduplicated audit logger internals (665 → 374 lines, no behavior change)

### Authentication

- Separated GitHub OAuth login/signup flows — login no longer auto-creates accounts
- Added name confirmation dialog for new GitHub signups

### Account Lifecycle

- Email notification sent when account is permanently deleted after grace period
- Audit log anonymization tied to user purge (per-user transactional)

### UX

- Removed accent gradient bars from admin host dialogs (border + shadow only)
- Frontend renders deleted users as styled badge in audit log view

### Others

- Version bump
- Bug fixes

Reviewed-on: wrenn/wrenn#36

internal/api/handlers_admin_capsules.go

@@ -55,6 +55,7 @@ func (h *adminCapsuleHandler) Create(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	ac.TeamID = id.PlatformTeamID
 	h.audit.LogSandboxCreate(r.Context(), ac, sb.ID, sb.Template)
 	writeJSON(w, http.StatusCreated, sandboxToResponse(sb))
 }

internal/api/handlers_audit.go

@@ -35,64 +35,38 @@ type auditLogResponse struct {
 	CreatedAt    string         `json:"created_at"`
 }
 
-// List handles GET /v1/audit-logs.
-// Query params:
-//   - before: RFC3339 timestamp cursor (exclusive); omit to start from latest
-//   - limit:  page size, default 50, max 200
-//   - resource_type: filter by resource type (sandbox, snapshot, team, api_key, member, host)
-//   - action: filter by action verb
-//
-// Members see only team-scoped events; admins/owners see all.
-func (h *auditHandler) List(w http.ResponseWriter, r *http.Request) {
-	ac := auth.MustFromContext(r.Context())
+// parseAuditParams extracts common query parameters for audit log listing.
+func parseAuditParams(r *http.Request) (before time.Time, beforeID pgtype.UUID, limit int, err error) {
+	limit = 50
 
-	// Parse ?before cursor.
-	var before time.Time
 	if s := r.URL.Query().Get("before"); s != "" {
-		var err error
 		before, err = time.Parse(time.RFC3339, s)
 		if err != nil {
-			writeError(w, http.StatusBadRequest, "invalid_request", "before must be an RFC3339 timestamp")
 			return
 		}
 	}
 
-	// Parse ?limit.
-	limit := 50
 	if s := r.URL.Query().Get("limit"); s != "" {
-		n, err := strconv.Atoi(s)
-		if err != nil || n < 1 {
-			writeError(w, http.StatusBadRequest, "invalid_request", "limit must be a positive integer")
+		n, parseErr := strconv.Atoi(s)
+		if parseErr != nil || n < 1 {
+			err = parseErr
 			return
 		}
 		limit = n
 	}
 
-	// Parse ?before_id cursor (UUID).
-	var beforeID pgtype.UUID
 	if s := r.URL.Query().Get("before_id"); s != "" {
-		parsed, err := id.ParseAuditLogID(s)
+		beforeID, err = id.ParseAuditLogID(s)
 		if err != nil {
-			writeError(w, http.StatusBadRequest, "invalid_request", "before_id must be a valid audit log ID")
 			return
 		}
-		beforeID = parsed
 	}
 
-	entries, err := h.svc.List(r.Context(), service.AuditListParams{
-		TeamID:        ac.TeamID,
-		AdminScoped:   ac.Role == "owner" || ac.Role == "admin",
-		ResourceTypes: parseMultiParam(r.URL.Query()["resource_type"]),
-		Actions:       parseMultiParam(r.URL.Query()["action"]),
-		Before:        before,
-		BeforeID:      beforeID,
-		Limit:         limit,
-	})
-	if err != nil {
-		writeError(w, http.StatusInternalServerError, "db_error", "failed to list audit logs")
-		return
-	}
+	return
+}
 
+// writeAuditResponse serializes audit entries into a paginated JSON response.
+func writeAuditResponse(w http.ResponseWriter, entries []service.AuditEntry) {
 	items := make([]auditLogResponse, len(entries))
 	for i, e := range entries {
 		items[i] = auditLogResponse{
@@ -120,6 +94,67 @@ func (h *auditHandler) List(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, resp)
 }
 
+// List handles GET /v1/audit-logs.
+// Query params:
+//   - before: RFC3339 timestamp cursor (exclusive); omit to start from latest
+//   - limit:  page size, default 50, max 200
+//   - resource_type: filter by resource type (sandbox, snapshot, team, api_key, member, host)
+//   - action: filter by action verb
+//
+// Members see only team-scoped events; admins/owners see all.
+func (h *auditHandler) List(w http.ResponseWriter, r *http.Request) {
+	ac := auth.MustFromContext(r.Context())
+
+	before, beforeID, limit, err := parseAuditParams(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid query parameters")
+		return
+	}
+
+	entries, err := h.svc.List(r.Context(), service.AuditListParams{
+		TeamID:        ac.TeamID,
+		AdminScoped:   ac.Role == "owner" || ac.Role == "admin",
+		ResourceTypes: parseMultiParam(r.URL.Query()["resource_type"]),
+		Actions:       parseMultiParam(r.URL.Query()["action"]),
+		Before:        before,
+		BeforeID:      beforeID,
+		Limit:         limit,
+	})
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to list audit logs")
+		return
+	}
+
+	writeAuditResponse(w, entries)
+}
+
+// AdminList handles GET /v1/admin/audit-logs.
+// Returns audit logs for the platform team (team 0) with both team and admin scopes.
+// Uses the same query params as List.
+func (h *auditHandler) AdminList(w http.ResponseWriter, r *http.Request) {
+	before, beforeID, limit, err := parseAuditParams(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid query parameters")
+		return
+	}
+
+	entries, err := h.svc.List(r.Context(), service.AuditListParams{
+		TeamID:        id.PlatformTeamID,
+		AdminScoped:   true,
+		ResourceTypes: parseMultiParam(r.URL.Query()["resource_type"]),
+		Actions:       parseMultiParam(r.URL.Query()["action"]),
+		Before:        before,
+		BeforeID:      beforeID,
+		Limit:         limit,
+	})
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to list audit logs")
+		return
+	}
+
+	writeAuditResponse(w, entries)
+}
+
 // parseMultiParam flattens repeated params and comma-separated values into a
 // single deduplicated slice. Empty strings are dropped. Returns nil (no filter)
 // when no values are present.

internal/api/handlers_builds.go

@@ -13,6 +13,8 @@ import (
 	"github.com/go-chi/chi/v5"
 
 	"git.omukk.dev/wrenn/wrenn/internal/layout"
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
 	"git.omukk.dev/wrenn/wrenn/pkg/db"
 	"git.omukk.dev/wrenn/wrenn/pkg/id"
 	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
@@ -22,13 +24,14 @@ import (
 )
 
 type buildHandler struct {
-	svc  *service.BuildService
-	db   *db.Queries
-	pool *lifecycle.HostClientPool
+	svc   *service.BuildService
+	db    *db.Queries
+	pool  *lifecycle.HostClientPool
+	audit *audit.AuditLogger
 }
 
-func newBuildHandler(svc *service.BuildService, db *db.Queries, pool *lifecycle.HostClientPool) *buildHandler {
-	return &buildHandler{svc: svc, db: db, pool: pool}
+func newBuildHandler(svc *service.BuildService, db *db.Queries, pool *lifecycle.HostClientPool, al *audit.AuditLogger) *buildHandler {
+	return &buildHandler{svc: svc, db: db, pool: pool, audit: al}
 }
 
 type createBuildRequest struct {
@@ -187,6 +190,8 @@ func (h *buildHandler) Create(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	ac := auth.MustFromContext(r.Context())
+	h.audit.LogBuildCreate(r.Context(), ac, build.ID, req.Name)
 	writeJSON(w, http.StatusCreated, buildToResponse(build))
 }
 
@@ -305,6 +310,8 @@ func (h *buildHandler) DeleteTemplate(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	ac := auth.MustFromContext(r.Context())
+	h.audit.LogTemplateDelete(r.Context(), ac, name)
 	w.WriteHeader(http.StatusNoContent)
 }
 
@@ -323,5 +330,7 @@ func (h *buildHandler) Cancel(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	ac := auth.MustFromContext(r.Context())
+	h.audit.LogBuildCancel(r.Context(), ac, buildID)
 	w.WriteHeader(http.StatusNoContent)
 }

internal/api/handlers_oauth.go

@@ -55,8 +55,14 @@ func (h *oauthHandler) Redirect(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	mac := computeHMAC(h.jwtSecret, state)
-	cookieVal := state + ":" + mac
+	// Persist intent (login|signup) in the state cookie so the callback can enforce it.
+	intent := r.URL.Query().Get("intent")
+	if intent != "signup" {
+		intent = "login"
+	}
+
+	mac := computeHMAC(h.jwtSecret, state+":"+intent)
+	cookieVal := state + ":" + mac + ":" + intent
 
 	http.SetCookie(w, &http.Cookie{
 		Name:     "oauth_state",
@@ -105,13 +111,17 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 		Secure:   isSecure(r),
 	})
 
-	parts := strings.SplitN(stateCookie.Value, ":", 2)
-	if len(parts) != 2 {
+	parts := strings.SplitN(stateCookie.Value, ":", 3)
+	if len(parts) < 2 {
 		redirectWithError(w, r, redirectBase, "invalid_state")
 		return
 	}
 	nonce, expectedMAC := parts[0], parts[1]
-	if !hmac.Equal([]byte(computeHMAC(h.jwtSecret, nonce)), []byte(expectedMAC)) {
+	intent := "login"
+	if len(parts) == 3 && parts[2] == "signup" {
+		intent = "signup"
+	}
+	if !hmac.Equal([]byte(computeHMAC(h.jwtSecret, nonce+":"+intent)), []byte(expectedMAC)) {
 		redirectWithError(w, r, redirectBase, "invalid_state")
 		return
 	}
@@ -249,6 +259,12 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Block auto-registration when intent is login-only.
+	if intent == "login" {
+		redirectWithError(w, r, redirectBase, "no_account")
+		return
+	}
+
 	// New OAuth identity — check for email collision.
 	existingUser, err := h.db.GetUserByEmail(ctx, email)
 	if err == nil {
@@ -365,6 +381,17 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Signal frontend that this is a new signup so it can show the name confirmation dialog.
+	http.SetCookie(w, &http.Cookie{
+		Name:     "wrenn_oauth_new_signup",
+		Value:    "1",
+		Path:     "/auth/",
+		MaxAge:   60,
+		HttpOnly: false,
+		SameSite: http.SameSiteLaxMode,
+		Secure:   isSecure(r),
+	})
+
 	redirectWithToken(w, r, redirectBase, token, id.FormatUserID(userID), id.FormatTeamID(teamID), email, profile.Name)
 }
 

internal/api/handlers_team.go

@@ -392,6 +392,7 @@ func (h *teamHandler) Leave(w http.ResponseWriter, r *http.Request) {
 // SetBYOC handles PUT /v1/admin/teams/{id}/byoc (admin only).
 // Enables or disables the BYOC feature flag for a team.
 func (h *teamHandler) SetBYOC(w http.ResponseWriter, r *http.Request) {
+	ac := auth.MustFromContext(r.Context())
 	teamIDStr := chi.URLParam(r, "id")
 
 	teamID, err := id.ParseTeamID(teamIDStr)
@@ -414,6 +415,7 @@ func (h *teamHandler) SetBYOC(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	h.audit.LogTeamSetBYOC(r.Context(), ac, teamID, req.Enabled)
 	w.WriteHeader(http.StatusNoContent)
 }
 
@@ -484,6 +486,7 @@ func (h *teamHandler) AdminListTeams(w http.ResponseWriter, r *http.Request) {
 // AdminDeleteTeam handles DELETE /v1/admin/teams/{id}
 // Soft-deletes a team and destroys all its active sandboxes.
 func (h *teamHandler) AdminDeleteTeam(w http.ResponseWriter, r *http.Request) {
+	ac := auth.MustFromContext(r.Context())
 	teamIDStr := chi.URLParam(r, "id")
 
 	teamID, err := id.ParseTeamID(teamIDStr)
@@ -498,5 +501,6 @@ func (h *teamHandler) AdminDeleteTeam(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	h.audit.LogTeamDelete(r.Context(), ac, teamID)
 	w.WriteHeader(http.StatusNoContent)
 }

internal/api/handlers_users.go

@@ -9,6 +9,7 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/jackc/pgx/v5/pgtype"
 
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
 	"git.omukk.dev/wrenn/wrenn/pkg/auth"
 	"git.omukk.dev/wrenn/wrenn/pkg/db"
 	"git.omukk.dev/wrenn/wrenn/pkg/id"
@@ -16,12 +17,13 @@ import (
 )
 
 type usersHandler struct {
-	db  *db.Queries
-	svc *service.UserService
+	db    *db.Queries
+	svc   *service.UserService
+	audit *audit.AuditLogger
 }
 
-func newUsersHandler(db *db.Queries, svc *service.UserService) *usersHandler {
-	return &usersHandler{db: db, svc: svc}
+func newUsersHandler(db *db.Queries, svc *service.UserService, al *audit.AuditLogger) *usersHandler {
+	return &usersHandler{db: db, svc: svc, audit: al}
 }
 
 // Search handles GET /v1/users/search?email=<prefix>
@@ -140,11 +142,23 @@ func (h *usersHandler) SetUserActive(w http.ResponseWriter, r *http.Request) {
 		newStatus = "disabled"
 	}
 
+	// Look up user email for audit log before changing status.
+	user, err := h.db.GetUserByID(r.Context(), userID)
+	if err != nil {
+		writeError(w, http.StatusNotFound, "not_found", "user not found")
+		return
+	}
+
 	if err := h.svc.SetUserStatus(r.Context(), userID, newStatus); err != nil {
 		httpStatus, code, msg := serviceErrToHTTP(err)
 		writeError(w, httpStatus, code, msg)
 		return
 	}
 
+	if req.Active {
+		h.audit.LogUserActivate(r.Context(), ac, userID, user.Email)
+	} else {
+		h.audit.LogUserDeactivate(r.Context(), ac, userID, user.Email)
+	}
 	w.WriteHeader(http.StatusNoContent)
 }

internal/api/openapi.yaml

@@ -2,7 +2,7 @@ openapi: "3.1.0"
 info:
   title: Wrenn API
   description: MicroVM-based code execution platform API.
-  version: "0.1.2"
+  version: "0.1.3"
 
 servers:
   - url: http://localhost:8080

internal/api/server.go

@@ -32,7 +32,7 @@ type Server struct {
 }
 
 // New constructs the chi router and registers all routes.
-// Extensions are called after core routes are registered, allowing enterprise
+// Extensions are called after core routes are registered, allowing cloud
 // or third-party code to add routes and middleware.
 func New(
 	queries *db.Queries,
@@ -85,12 +85,12 @@ func New(
 	apiKeys := newAPIKeyHandler(apiKeySvc, al)
 	hostH := newHostHandler(hostSvc, queries, al)
 	teamH := newTeamHandler(teamSvc, al, mailer)
-	usersH := newUsersHandler(queries, userSvc)
+	usersH := newUsersHandler(queries, userSvc, al)
 	auditH := newAuditHandler(auditSvc)
 	statsH := newStatsHandler(statsSvc)
 	usageH := newUsageHandler(usageSvc)
 	metricsH := newSandboxMetricsHandler(queries, pool)
-	buildH := newBuildHandler(buildSvc, queries, pool)
+	buildH := newBuildHandler(buildSvc, queries, pool, al)
 	channelH := newChannelHandler(channelSvc, al)
 	ptyH := newPtyHandler(queries, pool, jwtSecret)
 	processH := newProcessHandler(queries, pool, jwtSecret)
@@ -255,6 +255,7 @@ func New(
 		r.Delete("/teams/{id}", teamH.AdminDeleteTeam)
 		r.Get("/users", usersH.AdminListUsers)
 		r.Put("/users/{id}/active", usersH.SetUserActive)
+		r.Get("/audit-logs", auditH.AdminList)
 		r.Get("/templates", buildH.ListTemplates)
 		r.Delete("/templates/{name}", buildH.DeleteTemplate)
 		r.Post("/builds", buildH.Create)