Skip to content

feat(security-agent): add audit report backend#4081

Open
jeanduplessis wants to merge 3 commits into
mainfrom
jdp/security-agent-audit-backend
Open

feat(security-agent): add audit report backend#4081
jeanduplessis wants to merge 3 commits into
mainfrom
jdp/security-agent-audit-backend

Conversation

@jeanduplessis

@jeanduplessis jeanduplessis commented Jun 17, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

Security Agent now has the backend/API foundation for durable Security Finding Activity Events and owner-scoped Audit Reports, split out so it can land before the web UI.

Why this change is needed

Security owners need period-bounded evidence of material Security Finding actions and outcomes for investigation and compliance work without implying complete legacy reconstruction or aggregate historical SLA compliance. The schema, writers, and API need to land first because deployed services will write audit evidence before the UI consumes it.

How this is addressed

  • Extends the canonical audit ledger with owner-scoped, idempotent, deletion-safe Security Finding Activity Event fields and a regenerated migration.
  • Adds shared audit-event helpers used by Security Sync and Security Auto Analysis flows.
  • Emits reportable evidence across sync, analysis, dismissal, remediation, and deletion paths.
  • Adds server-side report assembly with UTC date ranges, deterministic finding timelines, privacy controls, fail-closed query budgets, and personal/organization tRPC endpoints.
  • Updates the Security Agent spec and context contract for Audit Report evidence, access, deletion, privacy, and availability guarantees.

Verification

  • Reviewed the backend split against the original feat(security-agent): add audit reports and refresh management UX #4069 scope and confirmed it excludes web route pages, React components, shared UI primitive changes, and the UI-only package dependency.
  • No browser or manual runtime verification was performed; this PR contains backend/API/database changes only.

Visual Changes

N/A

Reviewer Notes

Human Reviewer Flags

  • Deploy this PR before feat(security-agent): add audit report UI #4082. The migration must be applied before deployed writers emit the new Security Finding Activity Event fields and actions.
  • Schema-first deployment is required because authoritative finding transitions now write audit evidence in the same transaction.
  • Synchronous report assembly intentionally returns no partial data when its event-count, serialized-size, or timeout budgets are exceeded.
  • Organization report access is broader than ordinary member access and intentionally remains available after Security Agent, subscription, or integration disablement for authorized viewers.

Code Reviewer Agent

Code Reviewer Notes
  • Audit events use owner-partitioned idempotency, compact deletion-safe snapshots, strict payload validation, and event-time actor attribution.
  • Report assembly uses owner-scoped keyset pagination, deterministic grouping, safe link projection, and explicit legacy-evidence handling.
  • Focus review on route authorization, real-database multi-page report behavior, deleted-finding end-to-end evidence, and migration behavior on populated audit data.
  • The UI is intentionally excluded and stacked in feat(security-agent): add audit report UI #4082.

@jeanduplessis jeanduplessis mentioned this pull request Jun 17, 2026
Open
kilo-code-bot[bot]
kilo-code-bot Bot reviewed Jun 17, 2026
View reviewed changes
Comment thread packages/db/src/migrations/0166_curved_praxagora.sql
Comment thread apps/web/src/lib/security-agent/services/auto-dismiss-service.ts Outdated
Comment thread apps/web/src/lib/security-agent/services/auto-dismiss-service.ts
@kilo-code-bot

kilo-code-bot Bot commented Jun 17, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Executive Summary

Incremental changes address review feedback: actor_email removed from audit report rows, snapshot sanitization functions added (email redaction, URL validation, CVSS validation), and typed error class applied. Previous CREATE INDEX warning on the migration file carries forward unchanged.

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 0
Issue Details (click to expand)

WARNING

File Line Issue
packages/db/src/migrations/0166_curved_praxagora.sql 10-13 CREATE INDEX / CREATE UNIQUE INDEX without CONCURRENTLY may block writes if the security_audit_log table has production data
Files Reviewed (8 changed, 73 total)
  • .env.local.example
  • ENVIRONMENT.md
  • apps/web/.env.development.local.example
  • apps/web/.env.test
  • apps/web/src/lib/security-agent/db/security-audit-report.test.ts
  • apps/web/src/lib/security-agent/db/security-audit-report.ts
  • packages/worker-utils/src/security-finding-audit.ts
  • services/security-sync/src/sync.test.ts

(plus 65 unchanged files from previous review)

Fix these issues in Kilo Cloud

Previous Review Summaries (2 snapshots, latest commit ab27592)

Current summary above is authoritative. Previous snapshots are kept for context only.

Previous review (commit ab27592)

Status: 1 Issue Found | Recommendation: Address before merge

Executive Summary

Migration creates indexes without CONCURRENTLY on the security_audit_log table, which could block writes if the table already has production data. Previous issues in auto-dismiss-service.ts have been resolved in this revision.

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 0
Issue Details (click to expand)

WARNING

File Line Issue
packages/db/src/migrations/0166_curved_praxagora.sql 10-13 CREATE INDEX without CONCURRENTLY may block writes
Files Reviewed (73 files)
  • .specs/security-agent.md - spec updates for audit report
  • CONTEXT.md - domain context additions
  • apps/web/src/lib/security-agent/core/schemas.ts - new UI interaction enum and schema
  • apps/web/src/lib/security-agent/db/dashboard-stats.test.ts - new tests
  • apps/web/src/lib/security-agent/db/dashboard-stats.ts - SLA-aware dashboard stats
  • apps/web/src/lib/security-agent/db/security-analysis.ts - analysis query enhancements
  • apps/web/src/lib/security-agent/db/security-audit-report.test.ts - new audit report tests
  • apps/web/src/lib/security-agent/db/security-audit-report.ts - new audit report assembly
  • apps/web/src/lib/security-agent/db/security-findings.test.ts - package field tests
  • apps/web/src/lib/security-agent/db/security-findings.ts - per-finding audit events
  • apps/web/src/lib/security-agent/posthog-tracking.test.ts - new tracking tests
  • apps/web/src/lib/security-agent/posthog-tracking.ts - UI + remediation tracking
  • apps/web/src/lib/security-agent/router/shared-handlers.test.ts - expanded handler tests
  • apps/web/src/lib/security-agent/router/shared-handlers.ts - new handlers + audit events
  • apps/web/src/lib/security-agent/services/analysis-service.test.ts
  • apps/web/src/lib/security-agent/services/analysis-service.ts
  • apps/web/src/lib/security-agent/services/audit-log-service.ts
  • apps/web/src/lib/security-agent/services/auto-dismiss-service.test.ts
  • apps/web/src/lib/security-agent/services/auto-dismiss-service.ts - audit event integration (fixed)
  • apps/web/src/lib/security-agent/services/extraction-service.ts - JSON fallback extraction
  • apps/web/src/lib/security-agent/services/manual-analysis-client.test.ts
  • apps/web/src/lib/security-agent/services/manual-analysis-client.ts
  • apps/web/src/lib/security-agent/services/manual-dismiss-client.test.ts
  • apps/web/src/lib/security-agent/services/manual-dismiss-client.ts
  • apps/web/src/lib/security-agent/services/manual-remediation-client.test.ts
  • apps/web/src/lib/security-agent/services/manual-remediation-client.ts - typed rejection responses
  • apps/web/src/lib/security-agent/services/triage-service.ts - JSON fallback extraction
  • apps/web/src/lib/user/index.test.ts
  • apps/web/src/routers/organizations/organization-security-agent-router.ts
  • apps/web/src/routers/security-agent-router.ts
  • packages/db/src/migrations/0166_curved_praxagora.sql - migration (1 issue)
  • packages/db/src/migrations/meta/0166_snapshot.json
  • packages/db/src/migrations/meta/_journal.json
  • packages/db/src/schema-types.ts
  • packages/db/src/schema.test.ts
  • packages/db/src/schema.ts - audit log schema extensions
  • packages/worker-utils/package.json
  • packages/worker-utils/src/index.ts
  • packages/worker-utils/src/security-finding-audit.test.ts
  • packages/worker-utils/src/security-finding-audit.ts
  • packages/worker-utils/src/security-remediation-policy.test.ts
  • packages/worker-utils/src/security-remediation-policy.ts
  • services/security-auto-analysis/src/analysis-start-lifecycle.integration.test.ts
  • services/security-auto-analysis/src/analysis-start-lifecycle.ts
  • services/security-auto-analysis/src/auto-dismiss.test.ts
  • services/security-auto-analysis/src/auto-dismiss.ts
  • services/security-auto-analysis/src/callbacks.test.ts
  • services/security-auto-analysis/src/callbacks.ts
  • services/security-auto-analysis/src/db/queries.integration.test.ts
  • services/security-auto-analysis/src/db/queries.ts
  • services/security-auto-analysis/src/extraction.test.ts
  • services/security-auto-analysis/src/extraction.ts
  • services/security-auto-analysis/src/index.test.ts
  • services/security-auto-analysis/src/index.ts
  • services/security-auto-analysis/src/launch.test.ts
  • services/security-auto-analysis/src/launch.ts
  • services/security-auto-analysis/src/manual-analysis.test.ts
  • services/security-auto-analysis/src/manual-analysis.ts
  • services/security-auto-analysis/src/remediation-admission.integration.test.ts
  • services/security-auto-analysis/src/remediation.test.ts
  • services/security-auto-analysis/src/remediation.ts
  • services/security-auto-analysis/src/triage.test.ts
  • services/security-auto-analysis/src/triage.ts
  • services/security-auto-analysis/src/types.ts
  • services/security-sync/src/dismiss.test.ts
  • services/security-sync/src/dismiss.ts
  • services/security-sync/src/index.test.ts
  • services/security-sync/src/index.ts
  • services/security-sync/src/notifications/sweep.test.ts
  • services/security-sync/src/notifications/sweep.ts
  • services/security-sync/src/sync.test.ts
  • services/security-sync/src/sync.ts
  • services/security-sync/src/types.ts

Fix these issues in Kilo Cloud

Previous review (commit 2497209)

Status: 3 Issues Found | Recommendation: Address before merge

Executive Summary

Migration creates indexes without CONCURRENTLY on the security_audit_log table, which could block writes if the table already has production data. An identity function (toAuditFinding) and a removed confidence guard in countEligibleForAutoDismiss are minor code quality issues.

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 2
Issue Details (click to expand)

WARNING

File Line Issue
packages/db/src/migrations/0166_curved_praxagora.sql 10-13 CREATE INDEX without CONCURRENTLY may block writes

SUGGESTION

File Line Issue
apps/web/src/lib/security-agent/services/auto-dismiss-service.ts 84 toAuditFinding is a no-op identity function
apps/web/src/lib/security-agent/services/auto-dismiss-service.ts 558 Removed confidence guard could produce NaN counts
Files Reviewed (71 files)
  • .specs/security-agent.md - spec updates for audit report
  • CONTEXT.md - domain context additions
  • apps/web/src/lib/security-agent/core/schemas.ts - new UI interaction enum and schema
  • apps/web/src/lib/security-agent/db/dashboard-stats.test.ts - new tests
  • apps/web/src/lib/security-agent/db/dashboard-stats.ts - SLA-aware dashboard stats
  • apps/web/src/lib/security-agent/db/security-analysis.ts - analysis query enhancements
  • apps/web/src/lib/security-agent/db/security-audit-report.test.ts - new audit report tests
  • apps/web/src/lib/security-agent/db/security-audit-report.ts - new audit report assembly (1 issue)
  • apps/web/src/lib/security-agent/db/security-findings.test.ts - package field tests
  • apps/web/src/lib/security-agent/db/security-findings.ts - per-finding audit events
  • apps/web/src/lib/security-agent/posthog-tracking.test.ts - new tracking tests
  • apps/web/src/lib/security-agent/posthog-tracking.ts - UI + remediation tracking
  • apps/web/src/lib/security-agent/router/shared-handlers.test.ts - expanded handler tests
  • apps/web/src/lib/security-agent/router/shared-handlers.ts - new handlers + audit events
  • apps/web/src/lib/security-agent/services/analysis-service.test.ts
  • apps/web/src/lib/security-agent/services/analysis-service.ts
  • apps/web/src/lib/security-agent/services/audit-log-service.ts
  • apps/web/src/lib/security-agent/services/auto-dismiss-service.test.ts
  • apps/web/src/lib/security-agent/services/auto-dismiss-service.ts - audit event integration (2 issues)
  • apps/web/src/lib/security-agent/services/extraction-service.ts - JSON fallback extraction
  • apps/web/src/lib/security-agent/services/manual-analysis-client.test.ts
  • apps/web/src/lib/security-agent/services/manual-analysis-client.ts
  • apps/web/src/lib/security-agent/services/manual-dismiss-client.test.ts
  • apps/web/src/lib/security-agent/services/manual-dismiss-client.ts
  • apps/web/src/lib/security-agent/services/manual-remediation-client.test.ts
  • apps/web/src/lib/security-agent/services/manual-remediation-client.ts - typed rejection responses
  • apps/web/src/lib/security-agent/services/triage-service.ts - JSON fallback extraction
  • apps/web/src/lib/user/index.test.ts
  • apps/web/src/routers/organizations/organization-security-agent-router.ts
  • apps/web/src/routers/security-agent-router.ts
  • packages/db/src/migrations/0166_curved_praxagora.sql - migration (1 issue)
  • packages/db/src/migrations/meta/0166_snapshot.json
  • packages/db/src/migrations/meta/_journal.json
  • packages/db/src/schema-types.ts
  • packages/db/src/schema.test.ts
  • packages/db/src/schema.ts - audit log schema extensions
  • packages/worker-utils/package.json
  • packages/worker-utils/src/index.ts
  • packages/worker-utils/src/security-finding-audit.test.ts
  • packages/worker-utils/src/security-finding-audit.ts
  • packages/worker-utils/src/security-remediation-policy.test.ts
  • packages/worker-utils/src/security-remediation-policy.ts
  • services/security-auto-analysis/src/analysis-start-lifecycle.integration.test.ts
  • services/security-auto-analysis/src/analysis-start-lifecycle.ts
  • services/security-auto-analysis/src/auto-dismiss.test.ts
  • services/security-auto-analysis/src/auto-dismiss.ts
  • services/security-auto-analysis/src/callbacks.test.ts
  • services/security-auto-analysis/src/callbacks.ts
  • services/security-auto-analysis/src/db/queries.integration.test.ts
  • services/security-auto-analysis/src/db/queries.ts
  • services/security-auto-analysis/src/extraction.test.ts
  • services/security-auto-analysis/src/extraction.ts
  • services/security-auto-analysis/src/index.test.ts
  • services/security-auto-analysis/src/index.ts
  • services/security-auto-analysis/src/launch.test.ts
  • services/security-auto-analysis/src/launch.ts
  • services/security-auto-analysis/src/manual-analysis.test.ts
  • services/security-auto-analysis/src/manual-analysis.ts
  • services/security-auto-analysis/src/remediation-admission.integration.test.ts
  • services/security-auto-analysis/src/remediation.test.ts
  • services/security-auto-analysis/src/remediation.ts
  • services/security-auto-analysis/src/triage.test.ts
  • services/security-auto-analysis/src/triage.ts
  • services/security-auto-analysis/src/types.ts
  • services/security-sync/src/dismiss.test.ts
  • services/security-sync/src/dismiss.ts
  • services/security-sync/src/index.test.ts
  • services/security-sync/src/index.ts
  • services/security-sync/src/notifications/sweep.test.ts
  • services/security-sync/src/notifications/sweep.ts
  • services/security-sync/src/sync.test.ts
  • services/security-sync/src/sync.ts

Fix these issues in Kilo Cloud

Reviewed by deepseek-v4-pro-20260423 · 529,301 tokens

Review guidance: REVIEW.md from base branch main

St0rmz1
St0rmz1 reviewed Jun 17, 2026
View reviewed changes
Comment thread services/security-sync/src/sync.ts
St0rmz1
St0rmz1 reviewed Jun 17, 2026
View reviewed changes
Comment thread apps/web/src/lib/security-agent/db/security-audit-report.ts
St0rmz1
St0rmz1 reviewed Jun 17, 2026
View reviewed changes
Comment thread apps/web/src/lib/security-agent/db/security-audit-report.ts Outdated
pandemicsyn
pandemicsyn requested changes Jun 18, 2026
View reviewed changes

@pandemicsyn pandemicsyn left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found a few audit report SLA correctness issues that should be fixed before merge.

Comment thread apps/web/src/lib/security-agent/db/security-audit-report.ts
return { status: 'unknown', deadline, reason: 'invalid_terminal_timestamp' };
}
return {
status: fixedAtMs <= deadlineMs ? 'terminal_met' : 'terminal_missed',

@pandemicsyn pandemicsyn Jun 18, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Must-fix: This treats fixed_at === sla_due_at as terminal_met. The spec defines SLA report evidence as before vs at/after the recorded deadline, and SLA breach semantics make equality breached/missed. Use fixedAtMs < deadlineMs for met, otherwise terminal_missed, and add an equality regression test.

Comment thread apps/web/src/lib/security-agent/db/security-audit-report.ts
}

return {
status: cutoffMs <= deadlineMs ? 'open_within_deadline' : 'open_past_deadline',

@pandemicsyn pandemicsyn Jun 18, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Must-fix: This reports dataThrough === sla_due_at as open_within_deadline. At the exact deadline an open finding is already at/after the deadline, so the report should show it as past deadline. Use cutoffMs < deadlineMs for within-deadline and cover the equality case in tests.

Comment thread apps/web/src/lib/security-agent/db/security-audit-report.ts
firstDetectedAt: stringFromSnapshot(evidenceSnapshot, 'first_detected_at'),
canonicalFindingId: stringFromSnapshot(latestSnapshot, 'canonical_finding_id'),
deleted,
sla: buildSlaEvidence(evidenceSnapshot, reportParams.dataThrough),

@pandemicsyn pandemicsyn Jun 18, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Must-fix: Deleted findings still derive SLA evidence from the latest snapshot. If the final deletion evidence still has status: "open", the report can show deleted: true and sla.status: "open_past_deadline", which is contradictory and not trustworthy evidence. Pass deletion evidence into SLA derivation and return unknown unless a terminal timestamp is recorded.

Comment thread apps/web/src/lib/security-agent/db/security-audit-report.ts
(left, right) =>
left.effective_at.localeCompare(right.effective_at) || left.id.localeCompare(right.id)
);
const latestSnapshot = latestFindingSnapshot(rows);

@pandemicsyn pandemicsyn Jun 18, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Must-fix: SLA state is derived only from in-period snapshots, but open/terminal status is evaluated against dataThrough. A report can include an in-period open snapshot, miss a later out-of-period fixed event, and incorrectly report the finding as open/past deadline. Load latest state through dataThrough for included findings, or return unknown when the period rows do not prove cutoff state.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kilo-code-bot kilo-code-bot[bot] kilo-code-bot[bot] left review comments

@pandemicsyn pandemicsyn pandemicsyn approved these changes

@St0rmz1 St0rmz1 St0rmz1 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jeanduplessis @pandemicsyn @St0rmz1