forked from wrenn/wrenn
pptx704
1be30034bd
Introduces an append-only audit trail for all user and system actions: sandbox lifecycle (create/pause/resume/destroy/auto-pause), snapshots, team rename, API key create/revoke, member add/remove/leave/role_update, and BYOC host add/delete/marked_down/marked_up. - New audit_logs table (migration) with team_id, actor, resource, action, scope (team|admin), status (success|info|warning|error), metadata, and created_at - AuditLogger (internal/audit) with named fire-and-forget methods per event; system actor used for background events (HostMonitor, TTL reaper) - GET /v1/audit-logs: JWT-only, cursor pagination (max 200), multi-value filters for resource_type and action (comma-sep or repeated params); members see team-scoped events only, admins/owners see all - AuthContext extended with APIKeyID + APIKeyName so API key requests record meaningful actor identity - HostMonitor wired with AuditLogger for auto-pause and host marked_down
15 lines
591 B
SQL
15 lines
591 B
SQL
-- name: InsertAuditLog :exec
|
|
INSERT INTO audit_logs (id, team_id, actor_type, actor_id, actor_name, resource_type, resource_id, action, scope, status, metadata)
|
|
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11);
|
|
|
|
-- name: ListAuditLogs :many
|
|
SELECT * FROM audit_logs
|
|
WHERE team_id = $1
|
|
AND scope = ANY($2::text[])
|
|
AND (cardinality($3::text[]) = 0 OR resource_type = ANY($3::text[]))
|
|
AND (cardinality($4::text[]) = 0 OR action = ANY($4::text[]))
|
|
AND ($5::timestamptz IS NULL OR created_at < $5
|
|
OR (created_at = $5 AND id < $6))
|
|
ORDER BY created_at DESC, id DESC
|
|
LIMIT $7;
|