feat(audit): extend AuditAction enum + audit logging on alerts + expense dedup

- AuditAction gains password_change, portal_invite/activate/reset variants, send, view. AuditLogParams.ipAddress/userAgent now optional so background jobs and internal helpers can log without faking values. - alerts.service.dismissAlert/acknowledgeAlert now write action='update' rows with metadata.kind so the audit log differentiates the two state changes. - expense-dedup.service.clearDuplicate/mergeDuplicate accept userId and write action='update'/'merge' rows respectively. Routes pass ctx.userId. Audit gaps surfaced by audit-pass-#2: 6 services bypassed audit_logs entirely. This commit closes 2 of them; portal-auth lands in a later commit alongside the email-template-override work that already touches the same file. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 14:57:24 +02:00
parent 1fb3aa3aeb
commit 1b78eadd36
5 changed files with 62 additions and 10 deletions
--- a/src/lib/services/alerts.service.ts
+++ b/src/lib/services/alerts.service.ts
@@ -12,6 +12,7 @@ import { createHash } from 'crypto';
 import { db } from '@/lib/db';
 import { alerts, type Alert, type AlertSeverity, type AlertRuleId } from '@/lib/db/schema/insights';
 import { emitToRoom } from '@/lib/socket/server';
+import { createAuditLog } from '@/lib/audit';

 export interface AlertCandidate {
  ruleId: AlertRuleId;
@@ -108,6 +109,14 @@ export async function dismissAlert(alertId: string, portId: string, userId: stri
    .returning({ id: alerts.id, portId: alerts.portId });
  if (row) {
    emitToRoom(`port:${row.portId}`, 'alert:dismissed', { alertId: row.id, portId: row.portId });
+    void createAuditLog({
+      portId: row.portId,
+      userId,
+      action: 'update',
+      entityType: 'alert',
+      entityId: row.id,
+      metadata: { kind: 'dismiss' },
+    });
  }
 }

@@ -116,10 +125,21 @@ export async function acknowledgeAlert(
  portId: string,
  userId: string,
 ): Promise<void> {
-  await db
+  const [row] = await db
    .update(alerts)
    .set({ acknowledgedAt: sql`now()`, acknowledgedBy: userId })
-    .where(and(eq(alerts.id, alertId), eq(alerts.portId, portId)));
+    .where(and(eq(alerts.id, alertId), eq(alerts.portId, portId)))
+    .returning({ id: alerts.id, portId: alerts.portId });
+  if (row) {
+    void createAuditLog({
+      portId: row.portId,
+      userId,
+      action: 'update',
+      entityType: 'alert',
+      entityId: row.id,
+      metadata: { kind: 'acknowledge' },
+    });
+  }
 }

 export interface ListAlertsOptions {