
fix: audit hash-chain GDPR, serialization, and alerting (#541-544) #738

Merged: 2witstudios merged 7 commits into master from ppg/audit-hardening on Apr 9, 2026

Conversation

@2witstudios (Owner) commented Feb 28, 2026

Summary

  • GDPR-safe hash chain ([Audit] Hash-chain GDPR fix #541): Hash computation excludes PII fields (userId, sessionId, ipAddress, userAgent, geoLocation) so the chain stays verifiable after right-to-erasure anonymization
  • Advisory lock serialization ([Audit] Hash-chain concurrent write race — activity_logs can fork #542): Replaced FOR UPDATE row locking with pg_advisory_xact_lock to prevent concurrent chain forks — works even on empty tables (genesis case)
  • Verification alerting ([Audit] Verification alerting #544): Added setChainAlertHandler callback and startPeriodicVerification cron scheduler that fires alerts on chain integrity failures
  • Code review hardening: Structured logging, info disclosure fixes, dead code removal, failure logging

Changes since initial review

  • Cron route uses loggers.security/loggers.api instead of console.log/error (F1)
  • breakPoint removed from API response — logged server-side only (F2)
  • Error responses return generic message, not error.message (F3)
  • 9 new contract tests for cron route (F4)
  • Removed vestigial lastHash write and unused getLastHash() (F5)
  • Adapter .catch() now logs warnings instead of silently dropping failures (F6)
  • Cron route switched from verifySecurityAuditChain to verifyAndAlert('periodic', ...)
  • Endgame prototype panes updated: advisory locks, ChainAlertHandler, [Audit] Hash-chain GDPR fix #541 fix status

Test plan

  • Chain verifiable after PII anonymization (4 GDPR-specific tests)
  • Advisory lock acquired before hash read (3 serialization tests)
  • Alert fires on broken chain, not on valid chain (14 alerting tests)
  • All 72 audit lib tests pass across 5 test files
  • 9 cron route contract tests pass (auth, valid/invalid chain, info disclosure, error handling)
  • No breakPoint in API response (info disclosure prevention)
  • Generic error messages in 500 responses
  • Adapter logs warnings on audit write failures
  • Manual: verify advisory lock behavior under concurrent load
  • Manual: confirm periodic verification fires at configured interval

🤖 Generated with Claude Code
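The following TypeScript is an added example, not code from the PR or the project, written to show the three properties the Summary describes: a hash chain whose digest covers only the non-PII fields named in the commit message, so right-to-erasure anonymization of userId, sessionId, ipAddress, userAgent and geoLocation leaves the chain verifiable; verification that reports the first broken link; and an alert handler that fires only on a broken chain, with the break position kept out of the value returned to the caller (F2). The names setChainAlertHandler and verifyAndAlert come from the PR, but their signatures, GENESIS_HASH, the canonical serialization and the sample events are assumptions. The advisory-lock serialization of concurrent writers is not modelled; this runs in memory with no database.

```typescript
import { createHash } from "node:crypto";

// Added example (not the project's code). Field names follow the PR text:
// the PII set from #541 and the chained fields from the commit message.
// setChainAlertHandler / verifyAndAlert mirror names in the PR, but their
// signatures here are assumptions.

interface Pii {
  userId: string | null;
  sessionId: string | null;
  ipAddress: string | null;
  userAgent: string | null;
  geoLocation: string | null;
}

interface Chained {
  eventType: string;
  serviceId: string;
  resourceType: string;
  resourceId: string;
  details: Record<string, unknown>;
  riskScore: number;
  anomalyFlags: string[];
  timestamp: string;
  previousHash: string;
}

export type AuditEntry = Chained & Pii & { hash: string };

export const GENESIS_HASH = "0".repeat(64); // assumed genesis sentinel

// Canonical JSON (sorted keys) so every writer serializes an entry identically.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return `[${value.map(canonical).join(",")}]`;
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const body = Object.keys(obj)
      .sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(obj[k])}`)
      .join(",");
    return `{${body}}`;
  }
  return JSON.stringify(value);
}

// Only the Chained fields enter the digest; PII is never hashed.
export function computeHash(e: Chained): string {
  const picked: Chained = {
    eventType: e.eventType, serviceId: e.serviceId, resourceType: e.resourceType,
    resourceId: e.resourceId, details: e.details, riskScore: e.riskScore,
    anomalyFlags: e.anomalyFlags, timestamp: e.timestamp, previousHash: e.previousHash,
  };
  return createHash("sha256").update(canonical(picked)).digest("hex");
}

export function appendEntry(chain: AuditEntry[], input: Omit<Chained, "previousHash"> & Pii): AuditEntry[] {
  const previousHash = chain.length === 0 ? GENESIS_HASH : chain[chain.length - 1].hash;
  const entry: AuditEntry = { ...input, previousHash, hash: "" };
  entry.hash = computeHash(entry);
  return [...chain, entry];
}

// Right-to-erasure: blank the PII of one user. No hash is recomputed, and none
// needs to be, because the PII was never part of the digest.
export function anonymizeUser(chain: AuditEntry[], userId: string): AuditEntry[] {
  return chain.map((e) =>
    e.userId === userId
      ? { ...e, userId: null, sessionId: null, ipAddress: null, userAgent: null, geoLocation: null }
      : e,
  );
}

export interface VerifyResult { valid: boolean; checked: number; breakPoint?: number }

// Walks the chain from genesis; stops at the first entry whose link or digest is wrong.
export function verifyChain(chain: AuditEntry[]): VerifyResult {
  let expectedPrev = GENESIS_HASH;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    if (e.previousHash !== expectedPrev || computeHash(e) !== e.hash) {
      return { valid: false, checked: i + 1, breakPoint: i };
    }
    expectedPrev = e.hash;
  }
  return { valid: true, checked: chain.length };
}

export type ChainAlertHandler = (alert: { source: string; breakPoint: number; checked: number }) => void;
let alertHandler: ChainAlertHandler | null = null;
export function setChainAlertHandler(handler: ChainAlertHandler | null): void { alertHandler = handler; }

// Runs verification and calls the handler on failure. The value returned to the
// caller (e.g. a cron route) deliberately omits breakPoint, matching F2 in the PR:
// where the chain broke is for server-side logs and alerts, not for API clients.
export function verifyAndAlert(source: string, chain: AuditEntry[]): { valid: boolean; checked: number } {
  const r = verifyChain(chain);
  if (!r.valid && alertHandler) alertHandler({ source, breakPoint: r.breakPoint ?? -1, checked: r.checked });
  return { valid: r.valid, checked: r.checked };
}

// Constructed sample events (not real data); IPs are from the documentation range 203.0.113.0/24.
export function sampleChain(): AuditEntry[] {
  const common = { serviceId: "auth", resourceType: "account", details: { mfa: true }, riskScore: 1, anomalyFlags: [] as string[] };
  let chain: AuditEntry[] = [];
  chain = appendEntry(chain, { ...common, eventType: "login.success", resourceId: "acct-1", timestamp: "2026-02-27T22:50:00Z", userId: "u-1", sessionId: "s-1", ipAddress: "203.0.113.5", userAgent: "curl/8.0", geoLocation: "NL" });
  chain = appendEntry(chain, { ...common, eventType: "password.change", resourceId: "acct-1", timestamp: "2026-02-27T22:51:00Z", userId: "u-1", sessionId: "s-1", ipAddress: "203.0.113.5", userAgent: "curl/8.0", geoLocation: "NL" });
  chain = appendEntry(chain, { ...common, eventType: "login.failure", resourceId: "acct-2", timestamp: "2026-02-27T22:52:00Z", riskScore: 7, anomalyFlags: ["bruteforce"], userId: "u-2", sessionId: null, ipAddress: "203.0.113.9", userAgent: "curl/8.0", geoLocation: "DE" });
  return chain;
}
```

Build a chain with sampleChain(), call anonymizeUser(chain, "u-1") and verifyChain on the result to see that erasure leaves every hash and link intact, then change riskScore on one entry or rewrite its previousHash to see verifyAndAlert("periodic", ...) invoke the handler with the index of the first bad link while returning only valid and checked. The sorted-key serialization matters in practice: if two writers serialize the same entry with different key order, the second verifier recomputes a different digest and reports a false break.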

2witstudios and others added 3 commits February 27, 2026 22:50

Hash chain now only includes non-PII fields (eventType, serviceId, resourceType,
resourceId, details, riskScore, anomalyFlags, timestamp, previousHash) so the
chain remains verifiable after GDPR anonymization erases user data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace FOR UPDATE row locking with pg_advisory_xact_lock to prevent
concurrent chain forks. Advisory locks work even on an empty table
(genesis case) where no row exists to lock.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add alert handler callback and periodic cron verification scheduler.
Fires alerts when chain verification detects tampering or breaks.
Includes setChainAlertHandler, verifyAndAlert, startPeriodicVerification.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai bot (Contributor) commented Feb 28, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between b7671e8 and 1090687.

📒 Files selected for processing (14)
  • apps/web/src/app/api/cron/verify-audit-chain/__tests__/route.test.ts
  • apps/web/src/app/api/cron/verify-audit-chain/route.ts
  • packages/lib/src/audit/__tests__/audit-test-helpers.ts
  • packages/lib/src/audit/__tests__/mask-email.test.ts
  • packages/lib/src/audit/__tests__/security-audit-adapter.test.ts
  • packages/lib/src/audit/__tests__/security-audit-alerting.test.ts
  • packages/lib/src/audit/__tests__/security-audit-chain-verifier.test.ts
  • packages/lib/src/audit/__tests__/security-audit.test.ts
  • packages/lib/src/audit/index.ts
  • packages/lib/src/audit/security-audit-adapter.ts
  • packages/lib/src/audit/security-audit-alerting.ts
  • packages/lib/src/audit/security-audit-chain-verifier.ts
  • packages/lib/src/audit/security-audit.ts
  • packages/lib/src/index.ts

2witstudios and others added 4 commits February 28, 2026 08:12

Use explicit `any` for transaction callback parameter in mock to avoid
Drizzle ORM complex generic type mismatch in test mocks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…rd, shared test helpers

- Replace console.error with loggers.security for structured logging consistency
- Add overlap guard to prevent concurrent periodic verification runs
- Simplify unref() call (always available on Node.js Timeout)
- Extract shared MockSecurityAuditEntry type and createValidSecurityChain helper
- Add logger mocks to test files that import the alerting/verifier modules

…re, dead code

- F1: Replace console.log/error with loggers.security/api in cron route
- F2: Remove breakPoint from API response (info disclosure); log server-side only
- F3: Return generic 'Internal server error' instead of error.message
- F4: Add 9 contract tests for verify-audit-chain cron route
- F5: Remove vestigial lastHash write and unused getLastHash() method
- F6: Log dropped audit events in adapter instead of silent .catch()
- Switch cron route from verifySecurityAuditChain to verifyAndAlert
- Export verifyAndAlert from packages/lib barrel

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

# Conflicts:
#	apps/web/src/app/api/cron/verify-audit-chain/__tests__/route.test.ts
#	apps/web/src/app/api/cron/verify-audit-chain/route.ts
@vercel bot commented Apr 9, 2026

The latest updates on your projects.

Project: pagespace-master-plan | Deployment: Ready | Updated (UTC): Apr 9, 2026 3:56am

@2witstudios 2witstudios merged commit 9a2856e into master Apr 9, 2026
5 checks passed
2witstudios added a commit that referenced this pull request Apr 9, 2026
- CompliancePane: webhook URL -> ChainAlertHandler, #541 GDPR fix status
- ObservabilityPane: FOR UPDATE -> pg_advisory_xact_lock, verifyAndAlert
- GdprPane: mark security audit chain #541 fix as complete

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@2witstudios 2witstudios deleted the ppg/audit-hardening branch April 16, 2026 03:23