feat(4-5/4-6): audit logging + zero-data-retention headers
Some checks failed
CI / Lint, Unit Tests & Build (push) Successful in 5m39s
CI / Deploy production (on server) (push) Failing after 18s

Audit Logging (story 4-6):
- Nouveau modèle AuditLog (userId, action, resource, metadata, ip, createdAt)
- Migration 20260529143000_add_audit_log appliquée
- lib/audit-log.ts : logAuditEvent (fire-and-forget) + logAuditEventAsync + getClientIp
- auth.ts : LOG LOGIN / LOGOUT / USER_CREATED sur chaque event NextAuth
- /api/chat : log AI_REQUEST avec tokens + byok flag dans onFinish
- /api/agents/run-for-note : log AI_REQUEST avec featureKey + noteId

Zero-data-retention (story 4-5):
- OpenAI provider : header OpenAI-No-Training: 1
- Anthropic provider : header Anthropic-No-Train: 1
- DeepSeek provider : header X-No-Train: 1

sprint-status: 4-5 et 4-6 → done

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Antigravity
2026-05-29 14:36:06 +00:00
parent cd54a983c3
commit 5703d5bd49
10 changed files with 141 additions and 3 deletions

View File

@@ -3,6 +3,7 @@ import { PrismaAdapter } from '@auth/prisma-adapter';
import { authConfig } from './auth.config';
import prisma from '@/lib/prisma';
import { buildAuthProviders } from '@/lib/auth-providers';
import { logAuditEvent } from '@/lib/audit-log';
export const { auth, signIn, signOut, handlers } = NextAuth({
...authConfig,
@@ -12,12 +13,14 @@ export const { auth, signIn, signOut, handlers } = NextAuth({
async createUser({ user }) {
const adminEmail = process.env.ADMIN_EMAIL?.toLowerCase();
if (!adminEmail || !user.id || user.email?.toLowerCase() !== adminEmail) {
logAuditEvent({ userId: user.id, action: 'USER_CREATED', metadata: { email: user.email } });
return;
}
await prisma.user.update({
where: { id: user.id },
data: { role: 'ADMIN', emailVerified: new Date() },
});
logAuditEvent({ userId: user.id, action: 'USER_CREATED', metadata: { email: user.email, role: 'ADMIN' } });
},
async signOut(message) {
const userId =
@@ -29,6 +32,8 @@ export const { auth, signIn, signOut, handlers } = NextAuth({
if (!userId) return;
logAuditEvent({ userId, action: 'LOGOUT' });
await prisma.$transaction([
prisma.user.update({
where: { id: userId },
@@ -52,6 +57,11 @@ export const { auth, signIn, signOut, handlers } = NextAuth({
});
}
}
logAuditEvent({
userId: user.id,
action: 'LOGIN',
metadata: { provider: account?.provider ?? 'credentials', email: user.email },
});
return true;
},
async jwt({ token, user, trigger, session }) {