feat(audit): drop misleading client_ip from audit log

jumpbetweenrows · jumpbetweenrows · commit c782a04eab75 · 2026-04-29T19:46:43.000-04:00
The pgwire socket address is the Fly edge proxy, not the real client, so
the recorded value was misleading. Stop writing it (always None on both
the deny path and the query-completed path), remove the field from the
admin API response and React audit page, and add a DEPRECATED comment to
the entity field. The DB column is kept for backward compatibility.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -208,7 +208,7 @@ policy_assignment  (id UUID v7, policy_id, data_source_id, user_id?, role_id?,
 admin_audit_log    (id UUID v7, resource_type, resource_id, action, actor_id, changes JSON, created_at)
 query_audit_log    (id UUID v7, user_id, username, data_source_id, datasource_name,
                     original_query, rewritten_query, policies_applied JSON,
-                    execution_time_ms, client_ip, client_info, created_at)
+                    execution_time_ms, client_info, created_at)
 ```
 
 Catalog entity IDs (schemas, tables, columns) are deterministic UUID v5 fingerprints derived from their natural keys. Re-discovering the same upstream object always produces the same ID, so re-syncs are safe upserts.
diff --git a/admin-ui/src/api/audit.ts b/admin-ui/src/api/audit.ts
@@ -22,7 +22,6 @@ export interface AuditLogEntry {
     }
   }>
   execution_time_ms: number | null
-  client_ip: string | null
   client_info: string | null
   created_at: string
   status: 'success' | 'error' | 'denied'
diff --git a/admin-ui/src/pages/QueryAuditPage.tsx b/admin-ui/src/pages/QueryAuditPage.tsx
@@ -300,7 +300,6 @@ export function QueryAuditPage() {
                             </div>
                           )}
                           <div className="flex gap-6 text-xs text-gray-500">
-                            {entry.client_ip && <span>IP: {entry.client_ip}</span>}
                             {entry.client_info && <span>App: {entry.client_info}</span>}
                           </div>
                         </div>
diff --git a/proxy/CLAUDE.md b/proxy/CLAUDE.md
@@ -97,7 +97,7 @@ A single shared WASM runtime created once at startup in `main.rs` and passed to
 
 **Column-level policies must be enforced at scan level**: All column-level policies (deny, mask, and any future types) MUST be enforced at the `TableScan` level (visibility-level for deny, `transform_up` Projection for mask) to prevent CTE/subquery alias bypass. `SubqueryAlias` and CTE nodes change the DFSchema qualifier from the real table name to the alias, causing top-level-only matching to miss. Top-level `apply_projection_qualified` is defense-in-depth only.
 
-**Audit logging**: after each query, `PolicyHook` spawns a `tokio::spawn` task to insert a `query_audit_log` row asynchronously. The row captures `original_query`, `rewritten_query`, `policies_applied` (JSON with name+version snapshot including decision function results), `client_ip`, and `client_info` (application_name from pgwire startup params).
+**Audit logging**: after each query, `PolicyHook` spawns a `tokio::spawn` task to insert a `query_audit_log` row asynchronously. The row captures `original_query`, `rewritten_query`, `policies_applied` (JSON with name+version snapshot including decision function results), and `client_info` (application_name from pgwire startup params).
 
 ### Decision Functions in PolicyHook
 
diff --git a/proxy/src/admin/audit_handlers.rs b/proxy/src/admin/audit_handlers.rs
@@ -79,7 +79,6 @@ pub async fn list_audit_logs(
                 rewritten_query: m.rewritten_query,
                 policies_applied,
                 execution_time_ms: m.execution_time_ms,
-                client_ip: m.client_ip,
                 client_info: m.client_info,
                 created_at: m.created_at,
                 status: m.status,
diff --git a/proxy/src/admin/dto.rs b/proxy/src/admin/dto.rs
@@ -892,7 +892,6 @@ pub struct AuditLogResponse {
     pub rewritten_query: Option<String>,
     pub policies_applied: serde_json::Value,
     pub execution_time_ms: Option<i64>,
-    pub client_ip: Option<String>,
     pub client_info: Option<String>,
     pub created_at: chrono::NaiveDateTime,
     pub status: String,
diff --git a/proxy/src/entity/query_audit_log.rs b/proxy/src/entity/query_audit_log.rs
@@ -16,6 +16,11 @@ pub struct Model {
     /// JSON array of {policy_id, version, name}
     pub policies_applied: String,
     pub execution_time_ms: Option<i64>,
+    /// DEPRECATED — logically dropped 2026-04-26. Always written as `None`.
+    /// The TCP peer address pgwire exposes is the Fly edge proxy, not the real
+    /// client, so the value was misleading. Column kept for backward DB compat.
+    /// Do NOT start writing it again without first parsing PROXY protocol v2 in
+    /// the accept loop and gating it behind `BR_TRUST_PROXY_PROTOCOL`.
     pub client_ip: Option<String>,
     pub client_info: Option<String>,
     pub created_at: DateTime,
diff --git a/proxy/src/hooks/policy.rs b/proxy/src/hooks/policy.rs
@@ -793,7 +793,6 @@ impl PolicyHook {
         };
         let username = metadata.get("user").cloned().unwrap_or_default();
         let datasource = metadata.get("datasource").cloned().unwrap_or_default();
-        let client_ip = Some(client.socket_addr().ip().to_string());
         let client_info = metadata.get("application_name").cloned();
 
         let session = match self.get_session(user_id, &datasource).await {
@@ -816,7 +815,7 @@ impl PolicyHook {
                 rewritten_query: sea_orm::Set(None),
                 policies_applied: sea_orm::Set("[]".to_string()),
                 execution_time_ms: sea_orm::Set(None),
-                client_ip: sea_orm::Set(client_ip),
+                client_ip: sea_orm::Set(None),
                 client_info: sea_orm::Set(client_info),
                 created_at: sea_orm::Set(now),
                 status: sea_orm::Set("denied".to_string()),
@@ -2439,7 +2438,6 @@ impl QueryHook for PolicyHook {
         };
         let username = metadata.get("user").cloned().unwrap_or_default();
         let datasource = metadata.get("datasource").cloned().unwrap_or_default();
-        let client_ip = Some(client.socket_addr().ip().to_string());
         let client_info = metadata.get("application_name").cloned();
 
         // Load session data
@@ -2668,7 +2666,6 @@ impl QueryHook for PolicyHook {
         let audit_ds_name = session.datasource_name.clone();
         let audit_orig_q = original_query;
         let audit_policies = serde_json::to_string(&policies_applied).unwrap_or_default();
-        let audit_ip = client_ip;
         let audit_info = client_info;
         let audit_status_owned = audit_status.to_string();
 
@@ -2684,7 +2681,7 @@ impl QueryHook for PolicyHook {
                 rewritten_query: sea_orm::Set(audit_rewritten),
                 policies_applied: sea_orm::Set(audit_policies),
                 execution_time_ms: sea_orm::Set(Some(elapsed_ms)),
-                client_ip: sea_orm::Set(audit_ip),
+                client_ip: sea_orm::Set(None),
                 client_info: sea_orm::Set(audit_info),
                 created_at: sea_orm::Set(now),
                 status: sea_orm::Set(audit_status_owned),

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,6 @@ export interface AuditLogEntry {`
`22`	`22`	`}`
`23`	`23`	`}>`
`24`	`24`	`execution_time_ms: number \| null`
`25`		`- client_ip: string \| null`
`26`	`25`	`client_info: string \| null`
`27`	`26`	`created_at: string`
`28`	`27`	`status: 'success' \| 'error' \| 'denied'`