riyadhafraa 8c64a6463f Audit-log app permission requirement changes
Task #113 asked for audit trail entries whenever an admin tightens
or loosens which permission an app requires. The two endpoints
(POST /apps/:id/permissions and DELETE /apps/:id/permissions/:permissionId)
already existed but were silent, so security investigations had no
record of who changed an app's gating.

Changes
- artifacts/api-server/src/routes/apps.ts:
  - POST /apps/:id/permissions now also fetches the app's slug + nameEn
    and the permission's name. After the existing onConflictDoNothing
    insert it inspects .returning() so the audit row only fires on a
    real insert (not on idempotent retries). On a true insert it writes
    an `app.permission.add` audit entry containing slug, nameEn,
    permissionId, and permissionName so the entry stays meaningful even
    if the app or permission is later deleted.
  - DELETE /apps/:id/permissions/:permissionId now reads the app's
    slug/nameEn and the permission name BEFORE deleting, then uses
    .returning() on the delete to detect a real removal and writes an
    `app.permission.remove` audit entry with the same identifying
    metadata.

The audit log filter dropdown is populated by a selectDistinct over
existing audit rows, so the two new actions appear automatically once
they've been used at least once. No filter or schema changes needed.

Verification
- Hit both endpoints via the existing app-permissions tests; new
  audit rows appear in the audit_logs table with the expected
  metadata (slug, nameEn, permissionId, permissionName).
- Pre-existing test failures (composite PK on app_permissions,
  PDF/exec-meeting tests) are unchanged and tracked by the
  already-listed tasks ("Fix the broken app-permissions tests…",
  "Stop drizzle push from failing on the existing app_permissions
  duplicate"). They are not caused by this change.

Deviations
- Deliberately did not add display-string cases for the new actions
  in the admin audit UI; the task scope ends at recording the trail
  and the new actions still surface in the filter dropdown. A
  follow-up (#174) was filed to add friendly summaries for them.
- Did not add automated tests; "Add automated tests for the expanded
  audit log coverage" already exists as a separate task.

Replit-Task-Id: 2c60418a-2352-4699-ae70-1f9124c4126a
2026-04-29 18:38:41 +00:00
2026-04-21 12:16:59 +00:00
2026-04-18 02:00:09 +00:00
2026-04-28 20:58:08 +00:00
2026-04-18 02:00:09 +00:00
2026-04-18 02:00:09 +00:00
S
Description
No description provided
139 MiB
Languages
TypeScript 69.4%
JavaScript 29%
CSS 0.6%
Shell 0.6%
Dockerfile 0.2%
Other 0.2%