feat(observability): extend audit log, PostHog, and storage metering coverage#5269
feat(observability): extend audit log, PostHog, and storage metering coverage#5269waleedlatif1 wants to merge 30 commits into
Conversation
…coverage Instruments previously-uncaptured resources and actions across the three observability layers (audit log, PostHog product analytics, usage metering): - Exfiltration audit: file downloads (workspace/public-share/v1), table, workflow, and workspace exports. - Credential access audited at the token-issuance boundary (success-only). - Full revenue trail: invoice paid/failed, overage billed, disputes, credit fulfillment, subscription lifecycle, plan/seat changes. - Session/login lifecycle audit via Better Auth hooks (login, blocked sign-in, logout, session revoke, account delete). - v1/admin programmatic surface and copilot tool handlers instrumented. - Dead audit/PostHog constants wired (lock/unlock, table, custom tool, etc.). - Storage metering extended to KB documents and copilot files. - PostHog person identify + workspace/organization group hygiene. Audit package hardened to null the actor FK for system actors (admin-api) and adds an awaitable recordAuditNow for pre-delete hooks. All instrumentation is fire-and-forget and never blocks or breaks the primary operation.
PR SummaryMedium Risk Overview Billing and revenue get explicit audit + analytics on threshold overage settlement (including credit-only paths), invoice pay/fail, credit purchases, charge disputes (with Stripe webhook idempotency), enterprise provisioning, subscription create/cancel, plan conversion, and subscription transfer. Seat reconcile now accepts an optional Realtime workflow variables track the latest writer on debounced updates and audit Storage metering for knowledge-base documents: quota check inside ingest transactions, Client analytics: Table lifecycle threads Reviewed by Cursor Bugbot for commit 2b7ae68. Configure here. |
Greptile SummaryThis PR extends three observability layers — audit log, PostHog analytics, and storage metering — to cover a large number of previously uninstrumented paths. All six previously raised review issues (actor FK nulling, catch-branch actor leakage, fire-and-forget blocking, TOCTOU in delete, copilot file delete order, and the payment-failed unguarded await) have been resolved in the developer's follow-up commits.
Confidence Score: 5/5All six issues raised in the prior review round have been addressed; the remaining code is a well-structured observability expansion with no net behavioral changes to core paths. Every critical concern from the previous review cycle — actor FK nulling in the catch branch, audit order in the GET credential handler, payment-failed unguarded await, copilot file delete ordering, and public-share actor misattribution — is resolved in the follow-up commits incorporated here. The new instrumentation is uniformly fire-and-forget (or wrapped in try/catch where awaited), the storage decrement is made atomic with the hard-delete transaction via RETURNING, and idempotency guards prevent double-emit on Stripe redelivery. No new bugs were identified. No files require special attention. The most complex changes — invoices.ts, knowledge/documents/service.ts, and log.ts — were re-verified and are correct. Important Files Changed
Sequence Diagram%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
participant Client
participant Route as API Route
participant Primary as Primary Operation (DB/Stripe)
participant Audit as recordAudit (fire-and-forget)
participant PH as PostHog captureServerEvent
Note over Route,PH: OAuth Token GET/POST — credential access
Client->>Route: GET /api/auth/oauth/token
Route->>Primary: refreshTokenIfNeeded()
Primary-->>Route: accessToken ✓
Route->>Audit: CREDENTIAL_ACCESSED (after success)
Route->>PH: credential_used (after success)
Route-->>Client: 200 accessToken
Note over Route,PH: KB Document hard-delete — atomic decrement
Client->>Route: DELETE /api/knowledge/documents
Route->>Primary: getHighestPrioritySubscription (pre-tx)
Route->>Primary: db.transaction DELETE + RETURNING
Primary->>Primary: decrementStorageUsageInTx (same tx)
Primary-->>Route: deletedDocs ✓
Route->>Primary: deleteDocumentStorageFiles (S3)
Note over Route,PH: Billing webhook — payment failed
Client->>Route: POST /billing/webhook (invoice.payment_failed)
Route->>Primary: isSubscriptionOrgScoped (guarded try/catch)
Route->>Primary: resolveBillingActorId (guarded try/catch)
Route->>Audit: INVOICE_PAYMENT_FAILED
Route->>PH: payment_failed
Route->>Primary: block users (independent of audit)
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
participant Client
participant Route as API Route
participant Primary as Primary Operation (DB/Stripe)
participant Audit as recordAudit (fire-and-forget)
participant PH as PostHog captureServerEvent
Note over Route,PH: OAuth Token GET/POST — credential access
Client->>Route: GET /api/auth/oauth/token
Route->>Primary: refreshTokenIfNeeded()
Primary-->>Route: accessToken ✓
Route->>Audit: CREDENTIAL_ACCESSED (after success)
Route->>PH: credential_used (after success)
Route-->>Client: 200 accessToken
Note over Route,PH: KB Document hard-delete — atomic decrement
Client->>Route: DELETE /api/knowledge/documents
Route->>Primary: getHighestPrioritySubscription (pre-tx)
Route->>Primary: db.transaction DELETE + RETURNING
Primary->>Primary: decrementStorageUsageInTx (same tx)
Primary-->>Route: deletedDocs ✓
Route->>Primary: deleteDocumentStorageFiles (S3)
Note over Route,PH: Billing webhook — payment failed
Client->>Route: POST /billing/webhook (invoice.payment_failed)
Route->>Primary: isSubscriptionOrgScoped (guarded try/catch)
Route->>Primary: resolveBillingActorId (guarded try/catch)
Route->>Audit: INVOICE_PAYMENT_FAILED
Route->>PH: payment_failed
Route->>Primary: block users (independent of audit)
Reviews (29): Last reviewed commit: "fix(billing): wrap new dispute/enterpris..." | Re-trigger Greptile |
Address Cursor Bugbot review: - GET OAuth token: emit CREDENTIAL_ACCESSED/credential_used after refreshTokenIfNeeded succeeds (matches POST), not before. - File export: audit on each actual success exit via a shared helper — including the non-markdown serve redirect (previously unaudited) and after the zip is generated (previously before asset fetch).
Address Greptile P1: setting actorId to the file owner made every anonymous external download read as a self-download, undermining the exfiltration trail. recordAudit now accepts a null actor; the public content/inline routes record actorId=null with the owner in metadata.sharedByUserId and rely on ip/user-agent for the forensic trail. The misleading owner-attributed file_downloaded PostHog event is dropped on these anonymous paths.
|
@cursor review |
- Admin workflow/workspace ZIP exports now audit only after the archive is built (via a local helper), so a zip/build failure no longer logs an export. - Remove redundant 'success-only placement' inline comments and tighten the remaining design-rationale notes (export helper now TSDoc).
|
@cursor review |
Address Cursor review: - handleDisputeClosed now records CHARGE_DISPUTE_CLOSED for every closed dispute (won/lost/warning_closed), unblocking only on favorable outcomes. dispute.status in the metadata distinguishes the outcome, so lost chargebacks are no longer missing from the trail. - Threshold overage now emits OVERAGE_BILLED + overage_billed even when credits fully cover the overage (settledVia: 'credits' vs 'stripe'), so credit-settled overages are audited instead of silently returning null.
Address Greptile P1: deleting the metadata row before the decrement meant a decrement failure left the quota permanently inflated with no record to retry from. Decrement first; only remove the metadata row once it succeeds.
|
@cursor review |
…tion - Copilot file delete now releases storage via a single transaction (releaseDeletedFileStorage): the soft-delete is the idempotency claim and the decrement shares the transaction, so neither a partial failure (inflated counter) nor a retry (double-decrement) can desync the quota. Resolves the conflicting Greptile/Cursor ordering findings. - Policy-blocked sign-ups now record USER_SIGNUP_BLOCKED instead of USER_SIGNIN_BLOCKED, so account-lifecycle events aren't mislabeled.
|
@cursor review |
Per design decision: copilot files are working/conversational artifacts, so gating their materialization on storage quota would fail an agent operation mid-flow when a user is over limit, and metering them would inflate usage enough to block KB/workspace uploads indirectly. Remove copilot quota gates + copilot ingest metering entirely (revert copilot-file-manager, metadata, and the upload route's copilot branch to baseline) and drop the now-unused releaseDeletedFileStorage. KB document metering + quota enforcement (the deliberate, persistent storage path) is unchanged.
|
@cursor review |
Address Cursor review: gate the group-sync effect on workspace metadata being loaded (activeWorkspace present) so the workspace and organization groups always update atomically. Acting during the load window paired the new workspace group with the previous workspace's org group; until metadata loads, events stay consistently attributed to the previous workspace.
|
@cursor review |
Address Cursor review: async exports only emitted TABLE_EXPORTED when the background job reached 'ready', so an authorized export whose job later failed or was abandoned left no audit trail — inconsistent with the sync export route, which audits before streaming. Move the audit + analytics to the async route's authorization point (after the job is claimed/dispatched) and remove it from the runner. Drop the now-unused userId from TableExportPayload.
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit f5f8a00. Configure here.
…king Address Greptile P1: the payment_failed audit hoisted an unguarded isSubscriptionOrgScoped DB read (for entity_type) directly before the attempt-count user-blocking block. A transient failure of that read would throw out of the handler and skip blocking. Wrap the whole audit/analytics block in try/catch (best-effort), and let the blocking compute its own isSubscriptionOrgScoped as it did originally — instrumentation can no longer abort payment processing.
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 2afd114. Configure here.
…n in Stripe webhook idempotency recordAudit/captureServerEvent calls added for charge disputes, enterprise subscription provisioning, and free->paid subscription creation ran unconditionally with no idempotency guard, unlike their sibling handlers in the same files. Stripe redelivers webhooks at-least-once, so a retry would double-record the audit row and PostHog event even though the underlying DB writes were already idempotent.
|
@greptileai review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 2b7ae68. Configure here.

Summary
Extends the three observability layers — audit log, PostHog product analytics, and usage metering — to cover resources and actions that were previously uninstrumented. Found via a codebase-wide coverage audit; every gap below was a real blind spot.
Audit log
CREDENTIAL_ACCESSED), success-only.v1/adminprogrammatic surface (member/role/export ops) and copilot tool handlers (skills, custom tools, tables) — both previously bypassed audit entirely.AuditActionconstants (lock/unlock, table update/delete, etc.).PostHog
Metering
Hardening
admin-api) with a readable label instead of silently FK-failing; adds an awaitablerecordAuditNowfor pre-delete hooks.Type of Change
Testing
check:api-validationpass.Checklist