Audit log: organisation and project activity trail
Append-only audit log for security, compliance, and admin trust. Capture who did what, when, and from where: org/project settings changes, member invites/removals, role changes, billing changes, API key creation/revocation, integration connects/disconnects, sensitive support-ticket actions, feature flag changes, post status changes, and destructive deletes.
Schema: audit_events(id, org_id, project_id nullable, actor_id nullable, action text, target_type text, target_id text, ip_hash, user_agent_hash, metadata jsonb, created_at). ip_hash and user_agent_hash should be keyed hashes (HMAC with a server-side secret), not plain digests: the IPv4 space is small enough to enumerate, so an unkeyed hash hides nothing. metadata must never carry secrets (record an API key's id or prefix, not the key). RLS: owners/admins can read within their org; the app role gets no UPDATE or DELETE (revoke the grants and define no RLS policy for either command, so append-only holds even if a grant is later widened). UI: /app/{org}/settings/audit with filters by actor/action/date/target and CSV export; the export must neutralise cells beginning with =, +, -, or @, since target_id and metadata are attacker-influenced strings and spreadsheet clients will evaluate them as formulas. This becomes the trust spine for later GDPR, billing, support, and AI actions.
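One way to realise the schema and RLS rules above as a PostgreSQL migration, given here as an added example rather than the project's own migration. The org_members table, the app_user and audit_writer roles, and the app.actor_id session setting are assumptions made for the example; the keyed IP and user-agent hashes are computed in the application tier before insert, so the HMAC secret never reaches the database.

```sql
-- Added example, not the project's migration. Hypothetical roles:
--   app_user      the application's database role; each session sets app.actor_id
--   audit_writer  the trusted server-side role that appends events
create role app_user nologin;
create role audit_writer nologin;

-- Assumed membership table that the read policy joins against.
create table org_members (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('owner', 'admin', 'member')),
  primary key (org_id, user_id)
);

create table audit_events (
  id              uuid        primary key default gen_random_uuid(), -- core in PG13+
  org_id          uuid        not null,
  project_id      uuid,                      -- null for org-level events
  actor_id        uuid,                      -- null for system/cron actions
  action          text        not null,      -- e.g. 'member.role_changed'
  target_type     text        not null,      -- e.g. 'member', 'api_key', 'post'
  target_id       text        not null,
  ip_hash         bytea,                     -- HMAC-SHA256 of client IP, computed app-side
  user_agent_hash bytea,                     -- same, over the User-Agent string
  metadata        jsonb       not null default '{}'::jsonb, -- key ids/prefixes, never secrets
  created_at      timestamptz not null default now()
);

create index audit_events_org_time on audit_events (org_id, created_at desc);

-- 1. Grants: readers may only SELECT; the writer may only INSERT.
--    Neither role ever receives UPDATE or DELETE.
revoke all on audit_events from public;
grant select on audit_events to app_user;
grant select on org_members  to app_user;
grant insert on audit_events to audit_writer;

-- 2. Row-level security. With RLS enabled every command needs a policy, so the
--    absence of any UPDATE/DELETE policy denies those commands to app_user and
--    audit_writer even if someone later widens the grants.
alter table audit_events enable row level security;
alter table audit_events force row level security;  -- applies to the table owner too

-- Owners/admins read only events belonging to orgs they administer.
create policy audit_events_admin_read on audit_events
  for select to app_user
  using (
    exists (
      select 1 from org_members m
      where m.org_id  = audit_events.org_id
        and m.user_id = current_setting('app.actor_id', true)::uuid
        and m.role in ('owner', 'admin')
    )
  );

-- The writer may append any row; it has no policy (and no grant) to rewrite one.
create policy audit_events_append on audit_events
  for insert to audit_writer
  with check (true);

-- 3. Belt and braces: reject rewrites even from roles that bypass RLS.
create function audit_events_reject_rewrite() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_events is append-only: % rejected', tg_op;
end
$$;

create trigger audit_events_immutable
  before update or delete on audit_events
  for each row execute function audit_events_reject_rewrite();

-- 4. Reader query behind the /settings/audit filters (each filter optional),
--    newest first, served by the (org_id, created_at desc) index.
--    $1 org_id, $2 actor_id, $3 action, $4 target_id, $5 from, $6 to
prepare audit_page (uuid, uuid, text, text, timestamptz, timestamptz) as
  select id, actor_id, action, target_type, target_id, metadata, created_at
  from audit_events
  where org_id = $1
    and ($2 is null or actor_id  = $2)
    and ($3 is null or action    = $3)
    and ($4 is null or target_id = $4)
    and created_at >= coalesce($5, '-infinity'::timestamptz)
    and created_at <  coalesce($6, 'infinity'::timestamptz)
  order by created_at desc
  limit 100;
```

The three layers are deliberately redundant: grants stop the obvious path, the missing UPDATE/DELETE policies stop a widened grant, and the trigger stops the table owner or a migration run under a privileged role from quietly editing history. Only a superuser (who bypasses RLS and can disable triggers) can still rewrite rows, which is the boundary a database-level audit log can offer; beyond that the trail has to be shipped elsewhere.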
Comments (1)
- laama.fusion · 5 hours ago
Shipped the audit-trail spine in PR #6: https://github.com/El-SaMa/hollahoop/pull/6
Landed: audit_log table (org/project scoped, actor, action, summary, metadata) with member-read RLS and service-role-only writes; a best-effort writeAuditLog helper; a member-scoped reader; and a read-only Settings > Activity viewer (newest first, category dots, relative time). Writes are wired into post status changes, changelog publishes, and webhook URL updates.
Not yet in this slice (good follow-ups): filters by actor/action/date + CSV export, a dedicated org-level /settings/audit page, ip_hash / user_agent_hash capture, and broader action coverage (member invite/remove, role changes, billing, API keys). They can all hook the same writeAuditLog helper. Open for review; deploys with the next batch.