fix(admin): add IP+UA to org-settings audit log; preserve disabled_at for forensic history#3476
Closed
bokelley wants to merge 1 commit into
Closed
fix(admin): add IP+UA to org-settings audit log; preserve disabled_at for forensic history#3476bokelley wants to merge 1 commit into
bokelley wants to merge 1 commit into
Conversation
… for forensic history Closes #3466. Follow-up to PR #3430 security review. https://claude.ai/code/session_01LvoWBWSVtcMSrYBqmEYu8m
4 tasks
Contributor
Author
|
Closing — duplicate of #3477 (capture IP + user-agent in org-settings audit) which just merged |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #3466. Follow-up to PR #3430 security review.
Summary
organization_settings_updatedaudit entry onPATCH /api/organizations/:orgId/settingsnow recordsipanduser_agentin thedetailsJSONB blob alongside the settings changes. Stored forensic-only; an inline comment documents thatregistry_audit_log.detailsis exposed exclusively via/api/admin/audit-logs(requireAdmin) — widen that endpoint with caution.auto_provision_hierarchy_disabled_atcolumn (migration 452): Before this PR, flipping the auto-provision flag OFF clearedenabled_atto NULL, erasing the "when was this last on?" record. Migration 452 adds a nullabledisabled_atcolumn and updates the trigger so flip-off setsdisabled_at = NOW()and leavesenabled_atintact.enabled_atremains authoritative for the cohort gate inautoLinkByVerifiedDomain;disabled_atis forensic-only.OrganizationTypeScript interface updated withauto_provision_hierarchy_disabled_at: Date | null.enable→disable cycletest confirms both timestamps survive.Non-breaking justification
Adds optional fields to an existing JSONB blob and a nullable column to
organizationswith no default — existing rows are NULL, all read paths that don't select the column are unaffected. No interface renames, no required fields added, no enum changes.Pre-PR review
Organizationinterface field; no access-model comment) fixed in-pass;req.ip ?? nulland spread order corrected after second passDROP/CREATEpair added for idempotency;--emptychangeset correct for server/infra changeSession: https://claude.ai/code/session_01LvoWBWSVtcMSrYBqmEYu8m
Generated by Claude Code