fix(audit-logs): include system events (null actor) in default org audit scope

SQL IN never matches NULL, so system/automated events inside org
workspaces were hidden unless includeDeparted=true. The default scope now
matches current members OR null-actor rows, still inside the org boundary.

Author: waleedlatif1

apps/sim/app/api/v1/audit-logs/query.test.ts

@@ -75,9 +75,11 @@ describe('buildOrgScopeCondition', () => {
     expectOrgLevelCondition(orgLevel, ORG_ID)
 
     expect(actorFilter).toMatchObject({
-      type: 'inArray',
-      column: 'actorId',
-      values: MEMBER_IDS,
+      type: 'or',
+      conditions: [
+        expect.objectContaining({ type: 'inArray', column: 'actorId', values: MEMBER_IDS }),
+        expect.objectContaining({ type: 'isNull', column: 'actorId' }),
+      ],
     })
   })
 
@@ -130,13 +132,15 @@ describe('buildOrgScopeCondition', () => {
     const [orgLevel, actorFilter] = condition.conditions!
     expectOrgLevelCondition(orgLevel, ORG_ID)
     expect(actorFilter).toMatchObject({
-      type: 'inArray',
-      column: 'actorId',
-      values: MEMBER_IDS,
+      type: 'or',
+      conditions: [
+        expect.objectContaining({ type: 'inArray', column: 'actorId', values: MEMBER_IDS }),
+        expect.objectContaining({ type: 'isNull', column: 'actorId' }),
+      ],
     })
   })
 
-  it('matches nothing when the org has no current members and includeDeparted is false', () => {
+  it('only matches system events when the org has no current members', () => {
     const condition = asCondition(
       buildOrgScopeCondition({
         organizationId: ORG_ID,
@@ -146,7 +150,9 @@ describe('buildOrgScopeCondition', () => {
       })
     )
 
-    expect(condition.strings?.join('')).toBe('1 = 0')
+    expect(condition.type).toBe('and')
+    const [, actorFilter] = condition.conditions!
+    expect(actorFilter).toMatchObject({ type: 'isNull', column: 'actorId' })
   })
 })
 

apps/sim/app/api/v1/audit-logs/query.ts

@@ -92,7 +92,8 @@ export interface OrgScopeParams {
  * rows in org-attached workspaces, plus org-level rows (`workspace_id IS
  * NULL`) tied to the org via `metadata.organizationId` or the organization
  * resource itself. Actor membership is never a standalone boundary — when
- * `includeDeparted` is false it only narrows the org scope.
+ * `includeDeparted` is false it only narrows the org scope to current members
+ * and system events (null actor).
  */
 export function buildOrgScopeCondition(params: OrgScopeParams): SQL<unknown> {
   const { organizationId, orgWorkspaceIds, orgMemberIds, includeDeparted } = params
@@ -117,11 +118,12 @@ export function buildOrgScopeCondition(params: OrgScopeParams): SQL<unknown> {
     return orgScope
   }
 
-  if (orgMemberIds.length === 0) {
-    return sql`1 = 0`
-  }
+  const currentActorCondition =
+    orgMemberIds.length > 0
+      ? or(inArray(auditLog.actorId, orgMemberIds), isNull(auditLog.actorId))!
+      : isNull(auditLog.actorId)
 
-  return and(orgScope, inArray(auditLog.actorId, orgMemberIds))!
+  return and(orgScope, currentActorCondition)!
 }
 
 function buildCursorCondition(cursor: string): SQL<unknown> | null {