Skip to content

fix(admin): add IP+UA to org-settings audit log; preserve disabled_at for forensic history#3476

Closed
bokelley wants to merge 1 commit into
mainfrom
claude/issue-3466-audit-log-ip-disabled-at
Closed

fix(admin): add IP+UA to org-settings audit log; preserve disabled_at for forensic history#3476
bokelley wants to merge 1 commit into
mainfrom
claude/issue-3466-audit-log-ip-disabled-at

Conversation

@bokelley

Copy link
Copy Markdown
Contributor

Closes #3466. Follow-up to PR #3430 security review.

Summary

  • Audit log IP + user-agent: The organization_settings_updated audit entry on PATCH /api/organizations/:orgId/settings now records ip and user_agent in the details JSONB blob alongside the settings changes. Stored forensic-only; an inline comment documents that registry_audit_log.details is exposed exclusively via /api/admin/audit-logs (requireAdmin) — widen that endpoint with caution.
  • auto_provision_hierarchy_disabled_at column (migration 452): Before this PR, flipping the auto-provision flag OFF cleared enabled_at to NULL, erasing the "when was this last on?" record. Migration 452 adds a nullable disabled_at column and updates the trigger so flip-off sets disabled_at = NOW() and leaves enabled_at intact. enabled_at remains authoritative for the cohort gate in autoLinkByVerifiedDomain; disabled_at is forensic-only.
  • Organization TypeScript interface updated with auto_provision_hierarchy_disabled_at: Date | null.
  • Tests updated to reflect the new trigger behavior; new enable→disable cycle test confirms both timestamps survive.

Non-breaking justification

Adds optional fields to an existing JSONB blob and a nullable column to organizations with no default — existing rows are NULL, all read paths that don't select the column are unaffected. No interface renames, no required fields added, no enum changes.

Pre-PR review

  • code-reviewer: approved — both blockers (missing Organization interface field; no access-model comment) fixed in-pass; req.ip ?? null and spread order corrected after second pass
  • internal-tools-strategist: approved — migration sequencing clean (452 independent of 451); trigger DROP/CREATE pair added for idempotency; --empty changeset correct for server/infra change

Triage-managed PR. This bot does not currently iterate on
review comments or PR conversation threads (only on the source
issue). To unblock:

  • Push fixup commits directly: gh pr checkout <num>
    fix → push.
  • Or re-trigger: comment /triage execute on the source
    issue.

See #3121
for context.

Session: https://claude.ai/code/session_01LvoWBWSVtcMSrYBqmEYu8m


Generated by Claude Code

@bokelley bokelley added the claude-triaged Issue has been triaged by the Claude Code triage routine. Remove to re-triage. label Apr 28, 2026
@bokelley bokelley marked this pull request as ready for review April 28, 2026 19:46
@bokelley

Copy link
Copy Markdown
Contributor Author

Closing — duplicate of #3477 (capture IP + user-agent in org-settings audit) which just merged

@bokelley bokelley closed this Apr 28, 2026
@bokelley bokelley deleted the claude/issue-3466-audit-log-ip-disabled-at branch April 28, 2026 19:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

claude-triaged Issue has been triaged by the Claude Code triage routine. Remove to re-triage.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

audit: capture IP + user-agent on org-settings audit logs; add disabled_at for forensic preservation

2 participants