feat(web): add audit log entries for org membership changes

brendan-kellam · brendan-kellam · commit 6cca4b9b6eca · 2026-04-30T18:56:09.000-07:00
Adds three new audit actions covering the full membership lifecycle:

- org.member_added — fires from all five UserToOrg-creation paths
  (initial owner, auto-add on signup, magic invite-link join, email
  invite redemption, join-request approval). Two of those paths were
  previously silent.
- org.member_removed — fires when an admin removes a member via the
  Settings UI.
- org.member_left — fires when a user leaves the org themselves.

Each event uses a consistent (actor=user, target=user) shape so the
membership history can be reconstructed with a single query per state
transition. Existing audits (user.invite_accepted,
user.join_request_approved, user.owner_created) are preserved as
semantic detail.
diff --git a/docs/docs/configuration/audit-logs.mdx b/docs/docs/configuration/audit-logs.mdx
@@ -145,6 +145,9 @@ curl --request GET '$SOURCEBOT_URL/api/ee/audit' \
 | `user.signed_out`                     | `user` | `user` |
 | `org.member_promoted_to_owner`        | `user` | `user` |
 | `org.owner_demoted_to_member`         | `user` | `user` |
+| `org.member_added`                    | `user` | `user` |
+| `org.member_removed`                  | `user` | `user` |
+| `org.member_left`                     | `user` | `user` |
 
 
 ## Response schema
diff --git a/packages/web/src/actions.ts b/packages/web/src/actions.ts
@@ -1047,6 +1047,16 @@ export const approveAccountRequest = async (requestId: string) => sew(async () =
                     type: "account_join_request"
                 }
             });
+
+            await auditService.createAudit({
+                action: "org.member_added",
+                actor: { id: user.id, type: "user" },
+                target: { id: request.requestedById, type: "user" },
+                orgId: org.id,
+                metadata: {
+                    message: `${user.id} approved join request ${requestId} for ${request.requestedById}`,
+                },
+            });
             return {
                 success: true,
             }
diff --git a/packages/web/src/app/invite/actions.ts b/packages/web/src/app/invite/actions.ts
@@ -56,6 +56,16 @@ export const joinOrganization = async (inviteLinkId?: string) => sew(async () =>
         return addUserToOrgRes;
     }
 
+    await auditService.createAudit({
+        action: "org.member_added",
+        actor: { id: user.id, type: "user" },
+        target: { id: user.id, type: "user" },
+        orgId: org.id,
+        metadata: {
+            message: `${user.id} joined the organization via invite link`,
+        },
+    });
+
     return {
         success: true,
     }
@@ -135,6 +145,16 @@ export const redeemInvite = async (inviteId: string): Promise<{ success: boolean
         }
     });
 
+    await auditService.createAudit({
+        action: "org.member_added",
+        actor: { id: user.id, type: "user" },
+        target: { id: user.id, type: "user" },
+        orgId: invite.org.id,
+        metadata: {
+            message: `${user.id} joined the organization by accepting invite ${inviteId}`,
+        },
+    });
+
     return {
         success: true,
     };
diff --git a/packages/web/src/features/userManagement/actions.ts b/packages/web/src/features/userManagement/actions.ts
@@ -5,11 +5,14 @@ import { ErrorCode } from "@/lib/errorCodes";
 import { notFound, ServiceError } from "@/lib/serviceError";
 import { withAuth } from "@/middleware/withAuth";
 import { withMinimumOrgRole } from "@/middleware/withMinimumOrgRole";
+import { getAuditService } from "@/ee/features/audit/factory";
 import { OrgRole, Prisma } from "@sourcebot/db";
 import { StatusCodes } from "http-status-codes";
 
+const auditService = getAuditService();
+
 export const removeMemberFromOrg = async (memberId: string): Promise<{ success: boolean } | ServiceError> => sew(() =>
-    withAuth(async ({ org, role, prisma }) =>
+    withAuth(async ({ user, org, role, prisma }) =>
         withMinimumOrgRole(role, OrgRole.OWNER, async () => {
             const guardError = await prisma.$transaction(async (tx) => {
                 const targetMember = await tx.userToOrg.findUnique({
@@ -58,6 +61,16 @@ export const removeMemberFromOrg = async (memberId: string): Promise<{ success:
                 return guardError;
             }
 
+            await auditService.createAudit({
+                action: "org.member_removed",
+                actor: { id: user.id, type: "user" },
+                target: { id: memberId, type: "user" },
+                orgId: org.id,
+                metadata: {
+                    message: `${user.id} removed ${memberId} from the organization`,
+                },
+            });
+
             return { success: true };
         }))
 );
@@ -98,6 +111,16 @@ export const leaveOrg = async (): Promise<{ success: boolean } | ServiceError> =
             return guardError;
         }
 
+        await auditService.createAudit({
+            action: "org.member_left",
+            actor: { id: user.id, type: "user" },
+            target: { id: user.id, type: "user" },
+            orgId: org.id,
+            metadata: {
+                message: `${user.id} left the organization`,
+            },
+        });
+
         return {
             success: true,
         }
diff --git a/packages/web/src/lib/authUtils.ts b/packages/web/src/lib/authUtils.ts
@@ -104,6 +104,16 @@ export const onCreateUser = async ({ user }: { user: AuthJsUser }) => {
                 type: "org"
             }
         });
+
+        await auditService.createAudit({
+            action: "org.member_added",
+            actor: { id: user.id, type: "user" },
+            target: { id: user.id, type: "user" },
+            orgId: SINGLE_TENANT_ORG_ID,
+            metadata: {
+                message: `${user.id} joined the organization as the initial owner`,
+            },
+        });
     } else if (!defaultOrg.memberApprovalRequired) {
         const hasAvailability = await orgHasAvailability();
         if (!hasAvailability) {
@@ -118,6 +128,16 @@ export const onCreateUser = async ({ user }: { user: AuthJsUser }) => {
                 role: OrgRole.MEMBER,
             }
         });
+
+        await auditService.createAudit({
+            action: "org.member_added",
+            actor: { id: user.id, type: "user" },
+            target: { id: user.id, type: "user" },
+            orgId: SINGLE_TENANT_ORG_ID,
+            metadata: {
+                message: `${user.id} joined the organization (member approval not required)`,
+            },
+        });
     }
 
     // Dynamic import to avoid circular dependency:
