feat(bookings): add booking audit logging to instant bookings (calcom#28176)

* feat(bookings): add booking audit logging to instant bookings

wire up BookingEventHandlerService.onBookingCreated in
InstantBookingCreateService to emit audit events, matching the
pattern already used in RegularBookingService and
RecurringBookingService.

* refactor: extract fireBookingEvents and reuse existing orgId

* refactor: derive orgId once and pass to both webhook trigger and audit event

* fix: add missing return in webhook map callback

* refactor: make creationSource required for instant bookings

Both callers (WEBAPP and API_V2) always set creationSource, so validate
it upfront and use CreationSource enum type instead of string | null.

* fix: use ErrorWithCode instead of Error, pass userUuid to audit events

* fix: pass null for hostUserUuid in instant booking audit data

Instant bookings have status AWAITING_HOST with no assigned host,
so the booker's UUID should not be recorded as hostUserUuid.

* fix: address devin review - hostUserUuid and creationSource validation

* fix: address review - bookingMeta, getOrgIdFromMemberOrTeamId, required creationSource

- pass userUuid via bookingMeta instead of separate param (matches RegularBookingService pattern)
- restore getOrgIdFromMemberOrTeamId for proper org resolution instead of eventType.team.parentId
- make creationSource required with runtime validation instead of defaulting to WEBAPP

* fix: enforce creationSource at compile time instead of runtime

use Required<Pick<>> to make creationSource required in the type
signature. removes the runtime check since TypeScript catches
missing creationSource at build time.

* fix: simplify type signature and derive hostUserUuid from booking relation

- Replace Required<Pick<CreateInstantBookingData, 'creationSource'>> with inline { creationSource: CreationSource }
- Include user relation in booking create query to derive hostUserUuid
- Pass newBooking.user?.uuid instead of hardcoding null for userUuid in audit data

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* chore: trigger CI

* fix: add missing impersonatedByUserUuid to instant booking meta

The CreateBookingMeta type requires impersonatedByUserUuid. Set it to
null for non-impersonated instant bookings.

* fix: show 'awaiting host' in audit log for instant bookings

Use booking status AWAITING_HOST to display "Booked (awaiting host)"
instead of "Booked with Unknown" when no host has accepted yet.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: add booking audit for instant meeting accept via connect-and-join

Extract fireInstantBookingAcceptedAuditEvent to InstantBookingCreateService
and fire it right after the DB update, before side-effect notifications.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: add audit logging tests for instant booking creation

* fix: simulate audit failure in resilience test (identified by cubic)

The test 'should not throw when booking audit event fails' was not
actually simulating an audit failure. Added vi.spyOn on
BookingEventHandlerService.prototype.onBookingCreated to reject with
an error, and assert the spy was called, proving the try/catch in
fireBookingEvents properly catches the error without breaking the
booking flow.

Co-Authored-By: bot_apk <apk@cognition.ai>

* test: add audit event tests for connectAndJoin and fix InstantBooking audit test

* test

---------

Co-authored-by: Hariom Balhara <1780212+hariombalhara@users.noreply.github.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: hariom@cal.com <hariombalhara@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: bot_apk <apk@cognition.ai>

Author: 5 people

apps/web/pages/api/book/instant-event.ts

@@ -25,6 +25,10 @@ async function handler(req: NextApiRequest & { userId?: number }) {
   // TODO: We should do the run-time schema validation here and pass a typed bookingData instead and then run-time schema could be removed from createBooking. Then we can remove the any type from req.body.
   const booking = await instantBookingService.createBooking({
     bookingData: req.body,
+    bookingMeta: {
+      userUuid: session?.user?.uuid,
+      impersonatedByUserUuid: null,
+    },
   });
 
   return booking;

packages/features/booking-audit/lib/actions/CreatedAuditActionService.ts

@@ -80,8 +80,11 @@ export class CreatedAuditActionService implements IAuditActionService {
 
   async getDisplayTitle({ storedData, dbStore }: GetDisplayTitleParams): Promise<TranslationWithParams> {
     const { fields } = this.parseStored(storedData);
+    if (fields.status === BookingStatus.AWAITING_HOST) {
+      return { key: "booking_audit_action.created_awaiting_host", params: {} };
+    }
     const hostUser = fields.hostUserUuid ? dbStore.getUserByUuid(fields.hostUserUuid) : null;
-    const hostName = hostUser?.name || "Unknown";
+    const hostName = hostUser?.name ?? "Unknown";
     if (fields.seatReferenceUid) {
       return { key: "booking_audit_action.created_with_seat", params: { host: hostName } };
     }

packages/features/bookings/di/InstantBookingCreateService.module.ts

@@ -1,5 +1,7 @@
 import { InstantBookingCreateService } from "@calcom/features/bookings/lib/service/InstantBookingCreateService";
+import { moduleLoader as bookingEventHandlerModuleLoader } from "@calcom/features/bookings/di/BookingEventHandlerService.module";
 import { createModule, bindModuleToClassOnToken } from "@calcom/features/di/di";
+import { moduleLoader as featuresRepositoryModuleLoader } from "@calcom/features/di/modules/FeaturesRepository";
 import { DI_TOKENS } from "@calcom/features/di/tokens";
 import { moduleLoader as prismaModuleLoader } from "@calcom/features/di/modules/Prisma";
 
@@ -14,6 +16,8 @@ const loadModule = bindModuleToClassOnToken({
   depsMap: {
     // TODO: In a followup PR, we aim to remove prisma dependency and instead inject the repositories as dependencies.
     prismaClient: prismaModuleLoader,
+    bookingEventHandler: bookingEventHandlerModuleLoader,
+    featuresRepository: featuresRepositoryModuleLoader,
   },
 });
 

packages/features/bookings/lib/service/InstantBookingCreateService.test.ts

@@ -178,6 +178,168 @@ describe("handleInstantMeeting", () => {
         })
       ).rejects.toThrow("Only Team Event Types are supported for Instant Meeting");
     });
+
+    it("should fire booking audit event with correct data when org has booking-audit feature", async () => {
+      const { BookingEventHandlerService } = await import("../onBookingEvents/BookingEventHandlerService");
+      const onBookingCreatedSpy = vi
+        .spyOn(BookingEventHandlerService.prototype, "onBookingCreated")
+        .mockResolvedValue(undefined);
+
+      const instantBookingCreateService = getInstantBookingCreateService();
+      const organizer = getOrganizer({
+        name: "Organizer",
+        email: "organizer@example.com",
+        id: 101,
+        schedules: [TestData.schedules.IstWorkHours],
+        credentials: [getGoogleCalendarCredential()],
+        selectedCalendars: [TestData.selectedCalendars.google],
+      });
+
+      const { dateString: plus1DateString } = getDate({ dateIncrement: 1 });
+
+      await createBookingScenario(
+        getScenarioData({
+          eventTypes: [
+            {
+              id: 1,
+              slotInterval: 45,
+              length: 45,
+              users: [{ id: 101 }],
+              team: { id: 1 },
+              instantMeetingExpiryTimeOffsetInSeconds: 90,
+            },
+          ],
+          organizer,
+          apps: [TestData.apps["daily-video"], TestData.apps["google-calendar"]],
+        })
+      );
+
+      mockSuccessfulVideoMeetingCreation({
+        metadataLookupKey: "dailyvideo",
+        videoMeetingData: {
+          id: "MOCK_ID",
+          password: "MOCK_PASS",
+          url: `http://mock-dailyvideo.example.com/meeting-1`,
+        },
+      });
+      mockCalendarToHaveNoBusySlots("googlecalendar", {
+        create: { uid: "MOCKED_GOOGLE_CALENDAR_EVENT_ID" },
+      });
+
+      const mockBookingData: CreateInstantBookingData = {
+        eventTypeId: 1,
+        timeZone: "UTC",
+        language: "en",
+        start: `${plus1DateString}T04:00:00.000Z`,
+        end: `${plus1DateString}T04:45:00.000Z`,
+        responses: {
+          name: "Test User",
+          email: "test@example.com",
+          attendeePhoneNumber: "+918888888888",
+        },
+        metadata: {},
+        instant: true,
+      };
+
+      const result = await instantBookingCreateService.createBooking({
+        bookingData: mockBookingData,
+      });
+
+      expect(result.message).toBe("Success");
+      expect(result.bookingId).toBeDefined();
+
+      expect(onBookingCreatedSpy).toHaveBeenCalledTimes(1);
+
+      const callArgs = onBookingCreatedSpy.mock.calls[0][0];
+      expect(callArgs.payload.booking.uid).toBe(result.bookingUid);
+      expect(callArgs.payload.config.isDryRun).toBe(false);
+      expect(callArgs.actor).toEqual(
+        expect.objectContaining({ identifiedBy: expect.any(String) })
+      );
+      expect(callArgs.auditData).toEqual(
+        expect.objectContaining({
+          startTime: expect.any(Number),
+          endTime: expect.any(Number),
+          status: expect.any(String),
+        })
+      );
+      expect(callArgs.source).toEqual(expect.any(String));
+
+      onBookingCreatedSpy.mockRestore();
+    });
+
+    it("should not throw when booking audit event fails", async () => {
+      const { BookingEventHandlerService } = await import("../onBookingEvents/BookingEventHandlerService");
+      const onBookingCreatedSpy = vi
+        .spyOn(BookingEventHandlerService.prototype, "onBookingCreated")
+        .mockRejectedValue(new Error("Audit event handler failure"));
+
+      const instantBookingCreateService = getInstantBookingCreateService();
+      const organizer = getOrganizer({
+        name: "Organizer",
+        email: "organizer@example.com",
+        id: 101,
+        schedules: [TestData.schedules.IstWorkHours],
+        credentials: [getGoogleCalendarCredential()],
+        selectedCalendars: [TestData.selectedCalendars.google],
+      });
+
+      const { dateString: plus1DateString } = getDate({ dateIncrement: 1 });
+
+      await createBookingScenario(
+        getScenarioData({
+          eventTypes: [
+            {
+              id: 1,
+              slotInterval: 45,
+              length: 45,
+              users: [{ id: 101 }],
+              team: { id: 1 },
+              instantMeetingExpiryTimeOffsetInSeconds: 90,
+            },
+          ],
+          organizer,
+          apps: [TestData.apps["daily-video"], TestData.apps["google-calendar"]],
+        })
+      );
+
+      mockSuccessfulVideoMeetingCreation({
+        metadataLookupKey: "dailyvideo",
+        videoMeetingData: {
+          id: "MOCK_ID",
+          password: "MOCK_PASS",
+          url: `http://mock-dailyvideo.example.com/meeting-1`,
+        },
+      });
+      mockCalendarToHaveNoBusySlots("googlecalendar", {
+        create: { uid: "MOCKED_GOOGLE_CALENDAR_EVENT_ID" },
+      });
+
+      const mockBookingData: CreateInstantBookingData = {
+        eventTypeId: 1,
+        timeZone: "UTC",
+        language: "en",
+        start: `${plus1DateString}T04:00:00.000Z`,
+        end: `${plus1DateString}T04:45:00.000Z`,
+        responses: {
+          name: "Test User",
+          email: "test@example.com",
+          attendeePhoneNumber: "+918888888888",
+        },
+        metadata: {},
+        instant: true,
+      };
+
+      const result = await instantBookingCreateService.createBooking({
+        bookingData: mockBookingData,
+      });
+
+      expect(result.message).toBe("Success");
+      expect(result.bookingId).toBeDefined();
+      expect(onBookingCreatedSpy).toHaveBeenCalled();
+
+      onBookingCreatedSpy.mockRestore();
+    });
   });
 });