letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
4b5f85cb7dd26933dd1a1beb686cdd2f27fcd2c3
pn-new-crm/docs/audit-findings-tmp/04-audit-log.md
Matt 4b5f85cb7d fix(audit): comprehensive 2026-05-15 audit fix wave + Documenso v2 polish 
Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing-
progress redesign + env-to-admin migration + dev-mode banner) with the
2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW).

CRITICAL (3):
 - C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths
   no longer silently drop interest links
 - C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed
 - C-03 generic PATCH /interests/[id] no longer accepts pipelineStage —
   callers must go through /stage with the override-guard chain

HIGH (14/15):
 - H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across
   interests/documents/reservations/reminders/invoices (migration 0070)
 - H-02 login page reads ?redirect= param with same-origin guard
 - H-03 CRM invite token moves to URL fragment so it never lands in
   nginx access logs / Referer headers
 - H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4)
 - H-05 toggleAccount writes an audit row
 - H-06 upsertSetting masks any value whose key ends with _encrypted
 - H-07 archiveClient cascade fires per-interest audit rows
 - H-08 createSalesTransporter applies SMTP_TIMEOUTS
 - H-09 AppShell stable children — viewport flip across breakpoint no
   longer destroys in-progress form drafts
 - H-10 portal documents page swaps Unicode glyph status icons for
   Lucide CheckCircle2/XCircle/Circle + aria-labels
 - H-12 list components swap alert(...) for toast.warning(...)
 - H-13 5 icon-only buttons gain aria-label
 - H-14 parseBody treats empty bodies as {}
 - H-15 admin layout renders a 403 panel instead of silent bounce
 - H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet

MEDIUM (28+):
 - M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE
   WHEREs across custom-fields, notes (all 6 entity types x update +
   delete), client-contacts, yacht ownerClient lookup, webhook reads
 - M-D01 documents-hub realtime event-name typo (file:created -> uploaded)
 - M-EM01 portal-auth emails thread through portId
 - M-EM02 sendEmail accepts cc/bcc params
 - M-EM04 notification_digest catalog key
 - M-IN01 portal presigned download URLs use 4h TTL
 - M-IN02 OpenAI client lazy-instantiated
 - M-IN04 stale pdfme refs updated to pdf-lib AcroForm
 - M-IN05 umami.testConnection returns tagged union
 - M-L01 reservations tenure_type unified with berths
 - M-L02 report-generators canonicalize stage values
 - M-AU01 audit log placeholder copy fixed
 - M-AU04 outcome_set / outcome_cleared distinct audit verbs
 - M-NEW-2 activity feed entity name+type separator
 - M-R01 portal allowlist narrowed + portal_session backstop in proxy
 - M-SC02 companies archived partial index
 - M-SC04 audit_logs.searchText documented as DB-managed
 - M-S01 storage_s3_access_key_encrypted admin field
 - M-U01 audit log empty state uses <EmptyState>
 - M-U09 invoice delete dialog -> <AlertDialog>
 - M-U10 toast.success on ClientForm + InterestForm create/edit
 - M-U11 settings-form-card logo preview alt text
 - M-U14 mobile topbar title on clients/yachts/interests/berths
 - M-U15 Invoices in mobile More-sheet

LOW (6/8):
 - L-AU01 severity defaults for security-relevant verbs
 - L-AU02 +13 missing actions in admin audit filter
 - L-AU03 +7 missing entity types in admin audit filter
 - L-AU04 dead listAuditLogs stubbed
 - L-D02 CLAUDE.md Owner-wins chain tightened

Bonus — Document detail polish (#67 partial, 3/6 deliverables):
 - state-aware action button per signer
 - watcher Add UI with display-name resolution
 - cleanSignerName cleanup

Prior session work bundled in:
 - Documenso v2 webhook + envelope-ID normalization + sequential signing
 - SigningProgress UI redesign (avatars, per-signer state, timestamps)
 - env->admin settings registry + RegistryDrivenForm + encrypted creds
 - Embedded-signing card + Test connection + setup help
 - Dev-mode EMAIL_REDIRECT_TO banner
 - Pipeline rules admin page
 - Sales email config card
 - Audit log details Sheet
 - EOI tab: Finalising badge, absolute timestamps, sequential indicator
 - Notes pipeline_stage_at_creation (migration 0069)
 - Documenso numeric ID dual-key webhook (migration 0068)
 - Dimensions criterion copy (migration 0067)

Tests: 1374/1374 vitest pass. tsc clean. lint clean.

See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and
the user-input items still pending.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 13:28:50 +02:00

7.6 KiB
Raw Blame History

Audit Log Audit (AU-01-14) — agent #4

Headline: Core write path solid; major mutations all audit; mask helper covers expected PII; FTS indexed; AU-11 fix complete. Two HIGH issues: encrypted credential ciphertext bypasses masking (key is "value") and toggleAccount mutation is silent.

Counts: 0 critical · 2 high · 4 medium · 4 low

🟠 HIGH AU-01a: toggleAccount writes no audit row

  • File: src/lib/services/email-accounts.service.ts:86-116
  • What: Sets isActive on email account with no createAuditLog call. connectAccount (line 70) and disconnectAccount (line 139) do, but enable/disable in between is silent.
  • Why it matters: Silently disabling an email account suppresses bounce-detection or reroutes replies — compliance gap on a security-relevant config change.
  • Suggested fix: Add void createAuditLog({ action: 'update', entityType: 'email_account', entityId: accountId, newValue: { isActive: data.isActive }, ... }) inside toggleAccount.

🟠 HIGH AU-02: Encrypted credential ciphertext stored in audit log without masking

  • File: src/lib/services/settings.service.ts:66-76 + src/lib/services/sales-email-config.service.ts:281-299
  • What: updateSalesEmailConfig calls upsertSetting('sales_smtp_pass_encrypted', <ciphertext>, portId, meta). upsertSetting records newValue: { value: '<ciphertext>' }. maskSensitiveFields checks JSON keys against SENSITIVE_KEY_FRAGMENTS; the wrapping key "value" isn't in the list. Ciphertext lands verbatim in audit_logs.new_value.
  • Why it matters: Audit log is readable by all admins with admin.view_audit_log. DB read access exfils ciphertext; if EMAIL_CREDENTIAL_KEY is ever compromised, the historical audit log becomes a credential store. Industry standard: store only credentialUpdated: true for credential changes.
  • Suggested fix: In upsertSetting, detect when key ends with _encrypted (or accept redactValue?: boolean flag) and record newValue: { value: '[redacted]' }.

🟡 MEDIUM AU-03: FTS search_text covers only 4 fields; placeholder text misleads

  • File: src/lib/db/migrations/0014_black_banshee.sql:47-55 + src/components/admin/audit/audit-log-list.tsx:360
  • What: search_text GENERATED ALWAYS = action || entity_type || entity_id || user_id. Search input placeholder reads "entity id, action, vendor…" — implies you can search inside metadata/new_value. Searching "vendor" returns zero rows silently.
  • Suggested fix: Change placeholder to "action name, entity id, user id…" OR add metadata to GENERATED expression with jsonb_to_tsvector (larger index).

🟡 MEDIUM AU-08: Admin audit log shows field names but no old→new diff

  • File: src/components/admin/audit/audit-log-list.tsx:290-305 + src/components/admin/audit/audit-log-card.tsx:84-91
  • What: "Changes" column renders Object.keys(newValue).slice(0,3).join(', ') — no old→new diff, no row-expand. Dashboard activity-feed.tsx has working buildDiffLine() with 3 diff shapes, unused here.
  • Why it matters: Compliance audits can't confirm before/after state from UI alone; admins must dig into raw JSON.
  • Suggested fix: Add row-expand or detail sheet using buildDiffLine from activity-feed.tsx.

🟠 AU-10: Cascade-archived interests produce no individual audit rows

  • File: src/lib/services/clients.service.ts:578-618
  • What: archiveClient batch-archives open interests, writes ONE entityType: 'client' row with newValue: { cascadedInterestIds: [...] }. No per-interest rows. search_text doesn't include new_value, so searching for an interest ID returns nothing.
  • Why it matters: Auditor querying for a specific archived interest sees no archive event; must know to look at parent client row.
  • Suggested fix: Loop over archivedInterestIds and emit per-interest createAuditLog({ action: 'archive', entityType: 'interest', entityId, metadata: { cascadeSource: 'client_archive', clientId } }) (fire-and-forget).

🟡 MEDIUM AU-12: No audit log CSV export endpoint

  • File: (absent — no src/app/api/v1/admin/audit/export/route.ts)
  • What: No download button, no API. Expenses domain has reference impl at src/app/api/v1/expenses/export/csv/route.ts.
  • Why it matters: GDPR / marina licensing audits often require exports.
  • Suggested fix: GET /api/v1/admin/audit/export/csv reusing searchAuditLogs + filter params.

🟡 MEDIUM AU-13: Outcome change uses action: 'update', not distinct verb

  • File: src/lib/services/interests.service.ts:1047-1058
  • What: setInterestOutcome/clearInterestOutcome log action: 'update' with metadata.type: 'outcome_set'/'outcome_cleared'. No outcome_change in AuditAction or filter dropdown. metadata.type not in search_text — FTS can't isolate.
  • Suggested fix: Add 'outcome_change' to AuditAction union; use in both functions; add to dropdown; add to DEFAULT_SEVERITY_BY_ACTION as 'warning'.

🟢 LOW AU-14: Tier map sparse; new actions default to 'info'

  • File: src/lib/audit.ts:220-222
  • What: Only 2 entries (permission_denied: 'warning', hard_delete: 'critical'). password_change, portal_activate, revoke_invite, branding.logo.uploaded, rule_evaluated all default to 'info'. Severity≥warning filter misses security-relevant events.
  • Suggested fix: Add password_change/portal_activate/revoke_invite: 'warning'. reconcile_manual is in metadata.type — add severity: 'warning' at the call site in berths.service.ts.

🟢 LOW AU-14b: Action filter dropdown missing 12 verbs

  • File: src/components/admin/audit/audit-log-list.tsx:393-415
  • What: Dropdown has 20 actions; missing branding.logo.*, rule_evaluated, revoke/resend_invite, request/send_gdpr_export, password_change, portal_invite/activate/password_reset_request/password_reset. Free-text partially compensates.
  • Suggested fix: Add missing action verbs.

🟢 LOW AU-14c: Entity-type filter missing several domains

  • File: src/components/admin/audit/audit-log-list.tsx:88-102
  • What: Missing document_folder, file, company, yacht, email_account, audit_log, backup_job. Free-text on entity_type (in tsvector) works; dropdown is convenience.
  • Suggested fix: Add missing entity types.

🟢 LOW AU-14d: Dead code — listAuditLogs (ILIKE) in audit.service.ts

  • File: src/lib/services/audit.service.ts
  • What: listAuditLogs exported but zero import sites. Admin route uses searchAuditLogs exclusively. ILIKE search is dead.
  • Why it matters: Future dev might wire it up bypassing GIN index → seq scans at scale.
  • Suggested fix: Delete audit.service.ts or mark @deprecated.

Passing

  • AU-01 (10 sampled mutating endpoints all audit: clients/interests/companies/berths/documents/folders/tags/roles/settings/files create + update + archive)
  • AU-02 password/token fragment masking covers password, passwordHash, token, secret, api_key, apikey, auth, cookie, credentials recursively up to depth 4. email-accounts.service.ts correctly logs only metadata: { emailAddress, provider }; credentialsEnc stripped before any JSON serialization.
  • AU-04 action filter wired (exact eq() filter)
  • AU-05 entity-type filter wired (same path)
  • AU-06 user filter wired (UUID exact match)
  • AU-07 date-range filter (ISO strings → Date → gte/lte; UI validates inversion)
  • AU-09 reconcile_manual tag in metadata at berths.service.ts:473
  • AU-11 permission_denied feed filter at src/components/dashboard/activity-feed.tsx:185-189 (i.action !== 'permission_denied'); admin page correctly displays them with 'bg-red-800' badge
Reference in New Issue View Git Blame Copy Permalink