feat(console): SOC2 audit log + account activity alerts (#1288)

* feat(console): SOC2 audit log + account activity alerts

- Add Audit Log settings page (owner-only) with filter + cursor pagination
- Log auth events (NextAuth login/logout, Firebase login/logout, OIDC login/logout)
- Log membership events (invite, accept, role-change, remove)
- New "account" event type in notification channels
- Immediate email dispatcher for security-severity events (no cron)
- Extend AuditLog with severity column + (workspaceId, timestamp) index

* fix(console): redact audit log + UX polish

Security:
- Stop persisting raw config object versions (prevVersion/newVersion) to
  AuditLog.changes — these can contain API keys, passwords and OAuth tokens.
  Only objectType + objectName are stored now.
- API allow-lists safe fields in the response, so any pre-existing rows with
  raw config payloads are also redacted on read.

UX:
- Audit log table is full-width
- Time column shows relative time (with absolute UTC tooltip)
- Drop the auth-method chip from the actor cell
- Drop the expandable raw-changes JSON row
- Render config-object events as 'Updated <type> <name>' with a link to the
  entity edit page (no link for delete)

* fix(console): mask secrets via outputFilter, keep full diff in audit log

Reuse the per-type outputFilter (the same one used by the config editor) to
mask sensitive fields, so prevVersion / newVersion can stay in the audit log:

- destinations: secrets at credentialsUi paths replaced with MASKED_SECRET
- services: airbyte_secret-marked fields masked
- streams: privateKey/publicKey plaintext + hash stripped
- types without a registered outputFilter (link, profilebuilder, function code):
  fall back to a generic name-based scrubber that masks fields whose key matches
  password / secret / token / apiKey / etc.

Rows written through this helper are tagged `_redacted: true`. The read API only
exposes prevVersion / newVersion when that flag is present, so any rows already
in the DB from before this fix continue to be redacted on read (objectType +
objectName only).

UI: expandable row shows the masked Before / After diff side-by-side.

* fix(console): break import cycle in audit-log helper

audit-log.ts imported config-objects.ts at module load, which transitively
pulls pages/api/[workspaceId]/domain-check.ts -> lib/api.ts -> nextauth.config
-> back to audit-log.ts. The cycle surfaced as 'Cannot access httpMethods
before initialization' on the first /api request.

Lazy-require config-objects on first call, and inline the MASKED_SECRET
constant so we don't need to pull lib/schema/destinations at load time.

* feat(console): audit log diff view + better link/time rendering

- API computes a flat diff [{ field, description }] from the masked
  prevVersion/newVersion server-side and returns it as `diff`. The raw
  prev/next blobs are no longer sent to the client. Masked secrets are
  surfaced as 'changed (secret value)' so the sentinel doesn't leak.
- API enriches connection (link) entries with a synthesized
  'from.name → to.name' display name (links have no name field of their own).
- UI Time column shows absolute UTC + relative ('ago') stacked.
- Entity name is the visible label; the underlying ID lives in a tooltip.
- Expandable row renders the diff as a small Field / Change table.

* fix(console): show entity names for old audit rows + +/- expand icon

- API derives objectName from prevVersion/newVersion server-side when the
  stored 'objectName' is empty. Pre-fix rows still showed entity IDs because
  they don't have the dedicated field — this fallback fixes that without
  exposing the raw versions to the client.
- Expand toggle uses an explicit +/- icon (lucide Plus/Minus) so the
  expandable rows are obvious. Rows without a diff render a fixed-width
  spacer so columns stay aligned.

* fix(console): default expand icon + diff for old rows too

- Drop the custom +/- expand icon. Use Antd's default chevron — it's the
  same widget shown elsewhere in the app and avoids a fragile manual layout.
- Compute the diff for non-redacted rows too. Re-run a name-based scrubber
  on the way out so credentials in legacy rows never reach the client.
  Without this, only post-fix rows showed an expand handle.

* fix(console): drop id/workspaceId noise + flatten diff UI

- API strips id, workspaceId, type, cloneId from prev/new before diffing.
  These are identity / metadata fields that the write path strips before
  saving (legacy audit-log payloads sometimes captured them inline, which
  surfaced as confusing 'id removed' rows).
- Replace the nested Antd Table in the expandable row with a plain
  two-column grid — same field/change information, no header bar, no row
  borders or stripes. Field name in monospace, description plain text.

* feat(console): extract AuditLogDiff component, polish layout

- New components/AuditLogDiff/AuditLogDiff.tsx — self-contained, full-width,
  responsive (stacks field/change on narrow widths). Card with header
  ('Changes' + N fields summary), thin row separators, no per-cell borders.
- Expanded row indents the card to align with the Time column (past Antd's
  expand-chevron gutter), with a subtle neutral-50 backdrop.

* feat(console): flatten create/delete diffs leaf-by-leaf

Recurse into plain objects even when one side is undefined, so creating an
entity produces:

  data.mode          added: "batch"
  data.batchSize     added: 10000
  data.dataLayout    added: "segment-single-table"
  …

instead of one '(root) → added: {…}' blob. Same for deletes — every leaf is
listed as 'removed (was …)'. Arrays stay atomic, so 'foo.bar → added: []'.

* feat(console): mask ssh_key, middle-truncate diff values + tooltip

- Add ssh_key, ssl_key, signing_key, encryption_key to the redaction patterns
  on both the write side (lib/server/audit-log.ts) and the read-side scrubber
  (pages/api/[workspaceId]/audit-log.ts). credentials.tunnel_method.ssh_key
  on Airbyte connectors is now masked even on legacy rows that didn't go
  through outputFilter at write time.
- Server: relax the per-value cap from 80 to 2000 chars so the client gets
  the full string to display.
- AuditLogDiff: middle-truncate long descriptions to ~100 chars and show the
  full text in an Antd Tooltip on hover. Truncated values get a 'help'
  cursor as a hover affordance.

* feat(console): icon-based diff + outputFilter on read

- Revert the regex extension (ssh_key etc). Use the per-type outputFilter on
  the read side instead — same masking the editor UI does. Pulls
  config-objects via lazy require so the leaf API route doesn't reintroduce
  the api.ts cycle. credentials.tunnel_method.ssh_key on Airbyte sources is
  now masked via airbyte_secret on legacy rows.
- API returns structured diff entries: { field, kind, prev?, next? } where
  kind is added | removed | changed | secret-changed | noop.
- AuditLogDiff renders each kind with an icon (+, −, →, key, no-change).
  changed rows show prev → next, both middle-truncated with full-text tooltip.
- For 'config-object-update' rows whose prev and next end up byte-identical
  (the user clicked Save without editing — produces a real audit row but
  empty diff), show a single 'no field-level changes' noop entry so the row
  is still expandable and the situation is explicit.

* fix(console): denylist for changes, mask sentinel parity, load-more loading

- Replace ALWAYS_SAFE_FIELDS allow-list with a small deny-list:
  prevVersion, newVersion (rendered server-side via 'diff' instead) and the
  internal _redacted marker. Everything else our audit-log helpers write is
  safe summary metadata; we shouldn't have to enumerate it here.
- Add isMasked() that recognizes both the local display sentinel
  ('*********') and the canonical sentinel ('__MASKED_BY_JITSU__') emitted
  by lib/schema/secrets#maskSecrets via outputFilter. Without this the
  secret-changed kind never fires for legacy rows masked through the
  per-type filter.
- UI: while a Load-more fetch is in flight, show a disabled loading
  button. The previous logic briefly fell through to 'End of log' because
  query.data is undefined during the in-flight request.

* refactor(console): pick summary fields explicitly, drop deny-list

The audit-log API never sent prev/new on the wire, but the previous code
expressed that as 'pass r.changes through, strip prev/new on the way out',
which inverted the intent. Switch to an explicit allow-list of summary
fields (objectType, objectName, actorEmail, …) — the raw config blobs
simply aren't enumerated, so they can't accidentally leak. The diff is the
only place the per-field changes show up.

* feat(console): admin-level audit log + reusable component

- Move /api/[workspaceId]/audit-log -> /api/audit-log with workspaceId as
  an optional query param. With workspaceId: workspace-scoped, requires
  manageUsers in that workspace. Without: cross-workspace, requires admin
  (verifyAdmin). API also bulk-fetches workspace name+slug per row and
  returns it as 'workspace' so the admin view can render a workspace
  column.
- Extract the table into components/AuditLog/AuditLog.tsx. When workspaceId
  is undefined the component runs in admin mode: adds a Workspace column
  with name + link to /<slug-or-id>, and uses each row's per-workspace
  slug to build entity edit links.
- /admin/audit-log: new page that renders <AuditLog /> in admin mode.
- /[workspaceId]/settings/audit-log: now a thin wrapper around <AuditLog
  workspaceId={...} workspaceSlug={...} />.
- Add 'Admin Audit Log' entry next to 'Admin Workspaces' in the workspace
  selector menu (admin users only).

* fix(console): throttle auth-login audit rows per (user, authType)

/api/fb-auth/create-session is called every time Firebase mints or
refreshes a session cookie — every short-lived ID-token rotation, every
reload after a long idle — not just on actual sign-in. That flooded the
audit log with dozens of 'Logged in' rows per user per day.

Suppress duplicate auth-login rows for the same (userId, authType)
inside a 30-minute window. Logouts still fire on every signout — they
are explicit user actions, not implicit refreshes.

* fix(console): replicas-safe auth-login dedup via Firebase auth_time

The previous in-memory throttle didn't work across replicas. Switch to a
DB-backed check keyed on the auth event's actual timestamp:

- authAuditLog gains an opts.authTime parameter. When provided, it queries
  for any auth-login row for this user with timestamp >= authTime; if
  found, it skips the write. Firebase rotates ID tokens on a schedule but
  auth_time only changes on actual re-authentication, so refresh calls
  collapse onto the original row instead of creating duplicates.
- create-session decodes the ID token (already does, for the user
  identity), pulls auth_time, and passes it through.
- NextAuth and OIDC don't need this — their callbacks only fire on actual
  auth flows, not on token refreshes.
- Drop the in-memory map and the per-(userId, authType) 30-min throttle.

* fix(console): hook firebase audit-login at the actual sign-in moment

Drop the dedup logic entirely. Replace it with explicit instrumentation
on the two client entry points users actually hit:

- New endpoint /api/fb-auth/audit-login that takes an idToken in the body,
  verifies it via Firebase Admin, and writes the auth-login row.
- firebase-client signIn (email/password) and signInWith (popup OAuth)
  both call audit-login right after Firebase reports success.
- create-session no longer logs — it's the cookie-mint endpoint and runs
  on every ID-token rotation, which is what was flooding the audit log.
- authAuditLog reverts to the simple (user, op, authType, workspaceId?)
  signature; no opts, no auth_time, no DB lookup. The signOut path was
  already correct (revoke-session is only hit at sign-out), so logout
  needs no changes.

Net: one audit row per actual user-driven sign-in, zero per token
refresh / session re-establish.

* fix(console): address audit-log + account-alerts review (#1288)

- show auth events in workspace-scoped audit-log via member-id OR clause
- gate member-removed audit on confirmed deletion + reject empty target
- skip role-changed audit when role is unchanged
- wire workspace-deleted (DELETE) and workspace-updated (PUT) audit rows
- account-alerts: also fan out to workspace members with notifications.account on
- detect secret rotations at write time (_rotatedSecrets) and surface them as secret-changed on read
- prettier reformat across the 9 files CI flagged

* fix(console): include members of deleted workspace in workspace-deleted alert

The recipient query had `w.deleted = false`, which silently dropped all
member recipients exactly for workspace-deleted events (the workspace
is flagged deleted before the alert dispatches).

* review fixes

* review fixes

---------

Co-authored-by: Ildar Nurislamov <absorbb@gmail.com>

Author: vklimontovich

libs/juava/src/objects.ts

@@ -11,6 +11,24 @@ export function deepMerge(target: any, source: any) {
   }, target);
 }
 
+export function deepCopy<T>(o: T): T {
+  if (typeof o !== "object") return o;
+  if (!o) return o;
+  if (Array.isArray(o)) {
+    const newO: any[] = [];
+    for (let i = 0; i < o.length; i++) {
+      const v = o[i];
+      newO[i] = !v || typeof v !== "object" ? v : deepCopy(v);
+    }
+    return newO as T;
+  }
+  const newO: Record<string, any> = {};
+  for (const [k, v] of Object.entries(o)) {
+    newO[k] = !v || typeof v !== "object" ? v : deepCopy(v);
+  }
+  return newO as T;
+}
+
 export function isEqual(x: any, y: any) {
   const ok = Object.keys,
     tx = typeof x,

webapps/console/components/AuditLog/AuditLog.tsx

@@ -0,0 +1,359 @@
+import React, { useMemo, useState } from "react";
+import { Alert, Button, DatePicker, Select, Table, Tag, Tooltip } from "antd";
+import dayjs, { Dayjs } from "dayjs";
+import utc from "dayjs/plugin/utc";
+import relativeTime from "dayjs/plugin/relativeTime";
+import { rpc } from "juava";
+import { useQuery } from "@tanstack/react-query";
+import Link from "next/link";
+import { AuditLogDiff } from "../AuditLogDiff/AuditLogDiff";
+
+dayjs.extend(utc);
+dayjs.extend(relativeTime);
+
+const { RangePicker } = DatePicker;
+
+type DiffEntry = {
+  field: string;
+  kind: "added" | "removed" | "changed" | "secret-changed" | "noop";
+  prev?: string;
+  next?: string;
+};
+
+export type AuditLogItem = {
+  id: string;
+  timestamp: string;
+  type: string;
+  severity?: string | null;
+  workspaceId?: string | null;
+  workspace?: { id: string; name?: string | null; slug?: string | null } | null;
+  userId?: string | null;
+  objectId?: string | null;
+  authType?: string | null;
+  changes?: any;
+  diff?: DiffEntry[];
+  actor?: { id: string; email?: string | null; name?: string | null } | null;
+};
+
+export type AuditLogPage = { items: AuditLogItem[]; nextCursor?: string };
+
+const eventTypeOptions = [
+  { value: "auth-login", label: "Login" },
+  { value: "auth-logout", label: "Logout" },
+  { value: "member-invited", label: "Member invited" },
+  { value: "member-joined", label: "Member joined" },
+  { value: "member-removed", label: "Member removed" },
+  { value: "member-role-changed", label: "Member role changed" },
+  { value: "workspace-deleted", label: "Workspace deleted" },
+  { value: "workspace-updated", label: "Workspace updated" },
+  { value: "config-object-create", label: "Config object created" },
+  { value: "config-object-update", label: "Config object updated" },
+  { value: "config-object-delete", label: "Config object deleted" },
+];
+
+const severityOptions = [
+  { value: "info", label: "Info" },
+  { value: "warning", label: "Warning" },
+  { value: "security", label: "Security" },
+];
+
+function severityTag(s?: string | null) {
+  if (!s) return null;
+  const color = s === "security" ? "red" : s === "warning" ? "orange" : "default";
+  return <Tag color={color}>{s}</Tag>;
+}
+
+function entityHref(objectType: string | undefined, objectId?: string | null): string | null {
+  if (!objectType || !objectId) return null;
+  switch (objectType) {
+    case "stream":
+      return `/streams?id=${encodeURIComponent(objectId)}`;
+    case "destination":
+      return `/destinations?id=${encodeURIComponent(objectId)}`;
+    case "service":
+      return `/services?id=${encodeURIComponent(objectId)}`;
+    case "function":
+      return `/functions?id=${encodeURIComponent(objectId)}`;
+    case "link":
+      return `/connections/edit?id=${encodeURIComponent(objectId)}`;
+    case "profilebuilder":
+    case "profile-builder":
+      return `/profile-builder`;
+    default:
+      return null;
+  }
+}
+
+const verbForOp: Record<string, string> = {
+  "config-object-create": "Created",
+  "config-object-update": "Updated",
+  "config-object-delete": "Deleted",
+};
+
+const objectTypeLabel: Record<string, string> = {
+  stream: "site",
+  destination: "destination",
+  service: "service",
+  function: "function",
+  link: "connection",
+  profilebuilder: "profile builder",
+  "profile-builder": "profile builder",
+};
+
+const EventCell: React.FC<{ item: AuditLogItem; workspaceSlug: string | undefined }> = ({ item, workspaceSlug }) => {
+  const c = item.changes || {};
+  if (item.type.startsWith("config-object-")) {
+    const verb = verbForOp[item.type] || item.type;
+    const objType = c.objectType as string | undefined;
+    const typeLabel = objType ? objectTypeLabel[objType] || objType : "object";
+    const name = (c.objectName as string | undefined) || item.objectId || "";
+    const isDelete = item.type === "config-object-delete";
+    const href = !isDelete && workspaceSlug ? entityHref(objType, item.objectId) : null;
+    const nameNode = (
+      <Tooltip title={item.objectId || undefined}>
+        {href ? (
+          <Link href={`/${workspaceSlug}${href}`} className="text-primary hover:underline">
+            {name}
+          </Link>
+        ) : (
+          <span className="font-medium">{name}</span>
+        )}
+      </Tooltip>
+    );
+    return (
+      <span>
+        {verb} {typeLabel} {nameNode}
+      </span>
+    );
+  }
+  switch (item.type) {
+    case "auth-login":
+      return <span>Logged in via {item.authType || "unknown"}</span>;
+    case "auth-logout":
+      return <span>Logged out via {item.authType || "unknown"}</span>;
+    case "member-invited":
+      return (
+        <span>
+          Invited <span className="font-medium">{c.targetEmail || "user"}</span>
+          {c.newRole ? <> as {c.newRole}</> : null}
+        </span>
+      );
+    case "member-joined":
+      return <span>Joined as {c.newRole || "member"}</span>;
+    case "member-removed":
+      return (
+        <span>
+          Removed <span className="font-medium">{c.targetEmail || c.targetUserId || "user"}</span>
+        </span>
+      );
+    case "member-role-changed":
+      return (
+        <span>
+          Changed <span className="font-medium">{c.targetEmail || c.targetUserId || "user"}</span> role:{" "}
+          {c.prevRole || "?"} → {c.newRole || "?"}
+        </span>
+      );
+    case "workspace-deleted":
+      return <span>Deleted workspace</span>;
+    case "workspace-updated":
+      return <span>Updated workspace</span>;
+    default:
+      return <span>{item.type}</span>;
+  }
+};
+
+export type AuditLogProps = {
+  /**
+   * When set, scopes the table to a single workspace and uses that workspace
+   * slug for entity edit links. When omitted, the table runs in admin mode:
+   * shows a Workspace column with name + link, and queries across all
+   * workspaces (server enforces admin-only access).
+   */
+  workspaceId?: string;
+  /**
+   * Slug used to build entity edit links inside config-object events. If the
+   * caller already has the workspace slug it can pass it; otherwise per-row
+   * `workspace.slug` (admin view) is used.
+   */
+  workspaceSlug?: string;
+  /** Heading text. Defaults to "Audit Log". */
+  title?: string;
+  description?: React.ReactNode;
+};
+
+export const AuditLog: React.FC<AuditLogProps> = ({ workspaceId, workspaceSlug, title = "Audit Log", description }) => {
+  const adminView = !workspaceId;
+  const [types, setTypes] = useState<string[]>([]);
+  const [severities, setSeverities] = useState<string[]>([]);
+  const [range, setRange] = useState<[Dayjs | null, Dayjs | null] | null>(null);
+  const [cursor, setCursor] = useState<string | undefined>(undefined);
+  const [pages, setPages] = useState<AuditLogItem[][]>([]);
+
+  const filterKey = useMemo(
+    () => JSON.stringify({ types, severities, from: range?.[0]?.toISOString(), to: range?.[1]?.toISOString() }),
+    [types, severities, range]
+  );
+
+  const query = useQuery<AuditLogPage, Error>(
+    ["audit-log", workspaceId || "$all", filterKey, cursor],
+    async () => {
+      const params: Record<string, string> = {};
+      if (workspaceId) params.workspaceId = workspaceId;
+      if (types.length) params.type = types.join(",");
+      if (severities.length) params.severity = severities.join(",");
+      if (range?.[0]) params.from = range[0].toISOString();
+      if (range?.[1]) params.to = range[1].toISOString();
+      if (cursor) params.cursor = cursor;
+      params.limit = "50";
+      return (await rpc(`/api/audit-log`, { query: params })) as AuditLogPage;
+    },
+    {
+      retry: false,
+      cacheTime: 0,
+      staleTime: 0,
+      refetchOnWindowFocus: false,
+      onSuccess: data => {
+        setPages(prev => (cursor ? [...prev, data.items] : [data.items]));
+      },
+    }
+  );
+
+  const items = useMemo(() => pages.flat(), [pages]);
+
+  const columns = useMemo(() => {
+    const base: any[] = [
+      {
+        title: "Time",
+        dataIndex: "timestamp",
+        key: "timestamp",
+        render: (ts: string) => (
+          <div className="flex flex-col">
+            <span className="font-mono text-xs">{dayjs(ts).utc().format("YYYY-MM-DD HH:mm:ss [UTC]")}</span>
+            <span className="text-text-light text-xs">{dayjs(ts).fromNow()}</span>
+          </div>
+        ),
+      },
+      {
+        title: "Severity",
+        dataIndex: "severity",
+        key: "severity",
+        render: severityTag,
+      },
+    ];
+    if (adminView) {
+      base.push({
+        title: "Workspace",
+        key: "workspace",
+        render: (_: any, item: AuditLogItem) => {
+          const w = item.workspace;
+          if (!w) return <span className="text-text-light">—</span>;
+          const target = w.slug || w.id;
+          return (
+            <Link href={`/${target}`} className="text-primary hover:underline">
+              {w.name || w.slug || w.id}
+            </Link>
+          );
+        },
+      });
+    }
+    base.push(
+      {
+        title: "Actor",
+        key: "actor",
+        render: (_: any, item: AuditLogItem) => item.actor?.email || item.actor?.name || "—",
+      },
+      {
+        title: "Event",
+        key: "event",
+        render: (_: any, item: AuditLogItem) => (
+          <EventCell item={item} workspaceSlug={workspaceSlug || item.workspace?.slug || item.workspace?.id} />
+        ),
+      }
+    );
+    return base;
+  }, [adminView, workspaceSlug]);
+
+  const reset = () => {
+    setCursor(undefined);
+    setPages([]);
+  };
+
+  return (
+    <div className="w-full flex flex-col gap-4">
+      <h1 className="text-2xl font-bold">{title}</h1>
+      {description ? (
+        <p className="text-text-light">{description}</p>
+      ) : (
+        <p className="text-text-light">
+          {adminView
+            ? "Cross-workspace record of authentication, membership, and configuration changes."
+            : "A workspace-scoped record of authentication, membership, and configuration changes."}
+        </p>
+      )}
+      <div className="flex flex-row gap-3 flex-wrap">
+        <Select
+          mode="multiple"
+          allowClear
+          placeholder="Event type"
+          style={{ minWidth: 240 }}
+          value={types}
+          options={eventTypeOptions}
+          onChange={v => {
+            setTypes(v);
+            reset();
+          }}
+        />
+        <Select
+          mode="multiple"
+          allowClear
+          placeholder="Severity"
+          style={{ minWidth: 160 }}
+          value={severities}
+          options={severityOptions}
+          onChange={v => {
+            setSeverities(v);
+            reset();
+          }}
+        />
+        <RangePicker
+          showTime
+          value={range as any}
+          onChange={v => {
+            setRange((v as any) || null);
+            reset();
+          }}
+        />
+      </div>
+      {query.isError ? <Alert type="error" message={`Failed to load audit log: ${query.error?.message}`} /> : null}
+      <Table
+        rowKey="id"
+        className="w-full"
+        columns={columns}
+        dataSource={items}
+        loading={query.isLoading}
+        pagination={false}
+        expandable={{
+          rowExpandable: (item: AuditLogItem) => Array.isArray(item.diff) && item.diff.length > 0,
+          expandedRowRender: (item: AuditLogItem) => (
+            <div className="pl-12 pr-4 py-2 bg-neutral-50">
+              <AuditLogDiff diff={item.diff || []} />
+            </div>
+          ),
+        }}
+      />
+      <div className="flex justify-center">
+        {query.isFetching ? (
+          <Button loading disabled>
+            Loading
+          </Button>
+        ) : query.data?.nextCursor ? (
+          <Button onClick={() => setCursor(query.data?.nextCursor)}>Load more</Button>
+        ) : items.length > 0 ? (
+          <span className="text-text-light text-sm">End of log</span>
+        ) : null}
+      </div>
+    </div>
+  );
+};
+
+export default AuditLog;