feat(ee): add enterprise audit logs settings page (#4111)

* feat(ee): add enterprise audit logs settings page with server-side search

Add a new audit logs page under enterprise settings that displays all
actions captured via recordAudit. Includes server-side search, resource
type filtering, date range selection, and cursor-based pagination.

- Add internal API route (app/api/audit-logs) with session auth
- Extract shared query logic (buildFilterConditions, buildOrgScopeCondition,
  queryAuditLogs) into app/api/v1/audit-logs/query.ts
- Refactor v1 and admin audit log routes to use shared query module
- Add React Query hook with useInfiniteQuery and cursor pagination
- Add audit logs UI with debounced search, combobox filters, expandable rows
- Gate behind requiresHosted + requiresEnterprise navigation flags
- Place all enterprise audit log code in ee/audit-logs/

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* lint

* fix(ee): fix build error and address PR review comments

- Fix import path: @/lib/utils → @/lib/core/utils/cn
- Guard against empty orgMemberIds array in buildOrgScopeCondition
- Skip debounce effect on mount when search is already synced

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* lint

* fix(ee): fix type error with unknown metadata in JSX expression

Use ternary instead of && chain to prevent unknown type from being
returned as ReactNode.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(ee): align skeleton filter width with actual component layout

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* lint

* feat(audit): add audit logging for passwords, credentials, and schedules

- Add PASSWORD_RESET_REQUESTED audit on forget-password with user lookup
- Add CREDENTIAL_CREATED/UPDATED/DELETED audit on credential CRUD routes
  with metadata (credentialType, providerId, updatedFields, envKey)
- Add SCHEDULE_CREATED audit on schedule creation with cron/timezone metadata
- Fix SCHEDULE_DELETED (was incorrectly using SCHEDULE_UPDATED for deletes)
- Enhance existing schedule update/disable/reactivate audit with structured
  metadata (operation, updatedFields, sourceType, previousStatus)
- Add CREDENTIAL resource type and Credential filter option to audit logs UI
- Enhance password reset completed description with user email

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(audit): align metadata with established recordAudit patterns

- Add actorName/actorEmail to all new credential and schedule audit calls
  to match the established pattern (e.g., api-keys, byok-keys, knowledge)
- Add resourceId and resourceName to forget-password audit call
- Enhance forget-password description with user email

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(testing): sync audit mock with new AuditAction and AuditResourceType entries

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor(audit-logs): derive resource type filter from AuditResourceType

Instead of maintaining a separate hardcoded list, the filter dropdown
now derives its options directly from the AuditResourceType const object.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(audit): enrich all recordAudit calls with structured metadata

- Move resource type filter options to ee/audit-logs/constants.ts
  (derived from AuditResourceType, no separate list to maintain)
- Remove export from internal cursor helpers in query.ts
- Add 5 new AuditAction entries: BYOK_KEY_UPDATED, ENVIRONMENT_DELETED,
  INVITATION_RESENT, WORKSPACE_UPDATED, ORG_INVITATION_RESENT
- Enrich ~80 recordAudit calls across the codebase with structured
  metadata (knowledge bases, connectors, documents, workspaces, members,
  invitations, workflows, deployments, templates, MCP servers, credential
  sets, organizations, permission groups, files, tables, notifications,
  copilot operations)
- Sync audit mock with all new entries

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(audit): remove redundant metadata fields duplicating top-level audit fields

Remove metadata entries that duplicate resourceName, workspaceId, or
other top-level recordAudit fields. Also remove noisy fileNames arrays
from bulk document upload audits (kept fileCount).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(audit): split audit types from server-only log module

Extract AuditAction, AuditResourceType, and their types into
lib/audit/types.ts (client-safe, no @sim/db dependency). The
server-only recordAudit stays in log.ts and re-exports the types
for backwards compatibility. constants.ts now imports from types.ts
directly, breaking the postgres -> tls client bundle chain.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(audit): escape LIKE wildcards in audit log search query

Escape %, _, and \ characters in the search parameter before embedding
in the LIKE pattern to prevent unintended broad matches.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(audit): use actual deletedCount in bulk API key revoke description

The description was using keys.length (requested count) instead of
deletedCount (actual count), which could differ if some keys didn't
exist.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(audit-logs): fix OAuth label displaying as "Oauth" in filter dropdown

ACRONYMS set stored 'OAuth' but lookup used toUpperCase() producing
'OAUTH' which never matched. Now store all acronyms uppercase and use
a display override map for special casing like OAuth.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/audit-logs/route.ts

@@ -0,0 +1,71 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+import { validateEnterpriseAuditAccess } from '@/app/api/v1/audit-logs/auth'
+import { formatAuditLogEntry } from '@/app/api/v1/audit-logs/format'
+import {
+  buildFilterConditions,
+  buildOrgScopeCondition,
+  queryAuditLogs,
+} from '@/app/api/v1/audit-logs/query'
+
+const logger = createLogger('AuditLogsAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function GET(request: Request) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const authResult = await validateEnterpriseAuditAccess(session.user.id)
+    if (!authResult.success) {
+      return authResult.response
+    }
+
+    const { orgMemberIds } = authResult.context
+
+    const { searchParams } = new URL(request.url)
+    const search = searchParams.get('search')?.trim() || undefined
+    const startDate = searchParams.get('startDate') || undefined
+    const endDate = searchParams.get('endDate') || undefined
+    const includeDeparted = searchParams.get('includeDeparted') === 'true'
+    const limit = Math.min(Math.max(Number(searchParams.get('limit')) || 50, 1), 100)
+    const cursor = searchParams.get('cursor') || undefined
+
+    if (startDate && Number.isNaN(Date.parse(startDate))) {
+      return NextResponse.json({ error: 'Invalid startDate format' }, { status: 400 })
+    }
+    if (endDate && Number.isNaN(Date.parse(endDate))) {
+      return NextResponse.json({ error: 'Invalid endDate format' }, { status: 400 })
+    }
+
+    const scopeCondition = await buildOrgScopeCondition(orgMemberIds, includeDeparted)
+    const filterConditions = buildFilterConditions({
+      action: searchParams.get('action') || undefined,
+      resourceType: searchParams.get('resourceType') || undefined,
+      actorId: searchParams.get('actorId') || undefined,
+      search,
+      startDate,
+      endDate,
+    })
+
+    const { data, nextCursor } = await queryAuditLogs(
+      [scopeCondition, ...filterConditions],
+      limit,
+      cursor
+    )
+
+    return NextResponse.json({
+      success: true,
+      data: data.map(formatAuditLogEntry),
+      nextCursor,
+    })
+  } catch (error: unknown) {
+    const message = error instanceof Error ? error.message : 'Unknown error'
+    logger.error('Audit logs fetch error', { error: message })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}

apps/sim/app/api/auth/forget-password/route.ts

@@ -1,6 +1,10 @@
+import { db } from '@sim/db'
+import { user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
+import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { auth } from '@/lib/auth'
 import { isSameOrigin } from '@/lib/core/utils/validation'
 
@@ -51,6 +55,26 @@ export async function POST(request: NextRequest) {
       method: 'POST',
     })
 
+    const [existingUser] = await db
+      .select({ id: user.id, name: user.name, email: user.email })
+      .from(user)
+      .where(eq(user.email, email))
+      .limit(1)
+
+    if (existingUser) {
+      recordAudit({
+        actorId: existingUser.id,
+        actorName: existingUser.name,
+        actorEmail: existingUser.email,
+        action: AuditAction.PASSWORD_RESET_REQUESTED,
+        resourceType: AuditResourceType.PASSWORD,
+        resourceId: existingUser.id,
+        resourceName: existingUser.email ?? undefined,
+        description: `Password reset requested for ${existingUser.email}`,
+        request,
+      })
+    }
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error requesting password reset:', { error })

apps/sim/app/api/billing/credits/route.ts

@@ -64,8 +64,12 @@ export async function POST(request: NextRequest) {
       actorEmail: session.user.email,
       action: AuditAction.CREDIT_PURCHASED,
       resourceType: AuditResourceType.BILLING,
+      resourceId: validation.data.requestId,
       description: `Purchased $${validation.data.amount} in credits`,
-      metadata: { amount: validation.data.amount, requestId: validation.data.requestId },
+      metadata: {
+        amountDollars: validation.data.amount,
+        requestId: validation.data.requestId,
+      },
       request,
     })
 

apps/sim/app/api/chat/manage/[id]/route.ts

@@ -233,6 +233,12 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
         resourceId: chatId,
         resourceName: title || existingChatRecord.title,
         description: `Updated chat deployment "${title || existingChatRecord.title}"`,
+        metadata: {
+          identifier: updatedIdentifier,
+          authType: updateData.authType || existingChatRecord.authType,
+          workflowId: workflowId || existingChatRecord.workflowId,
+          chatUrl,
+        },
         request,
       })
 

apps/sim/app/api/credential-sets/[id]/invite/[invitationId]/route.ts

@@ -159,7 +159,12 @@ export async function POST(
       resourceId: id,
       resourceName: result.set.name,
       description: `Resent credential set invitation to ${invitation.email}`,
-      metadata: { invitationId, targetEmail: invitation.email },
+      metadata: {
+        invitationId,
+        targetEmail: invitation.email,
+        providerId: result.set.providerId,
+        credentialSetName: result.set.name,
+      },
       request: req,
     })
 

apps/sim/app/api/credential-sets/[id]/invite/route.ts

@@ -187,7 +187,12 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       actorEmail: session.user.email ?? undefined,
       resourceName: result.set.name,
       description: `Created invitation for credential set "${result.set.name}"${email ? ` to ${email}` : ''}`,
-      metadata: { targetEmail: email || undefined },
+      metadata: {
+        invitationId: invitation.id,
+        targetEmail: email || undefined,
+        providerId: result.set.providerId,
+        credentialSetName: result.set.name,
+      },
       request: req,
     })
 

apps/sim/app/api/credential-sets/[id]/members/route.ts

@@ -197,7 +197,12 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
       actorEmail: session.user.email ?? undefined,
       resourceName: result.set.name,
       description: `Removed member from credential set "${result.set.name}"`,
-      metadata: { targetEmail: memberToRemove.email ?? undefined },
+      metadata: {
+        memberId,
+        memberUserId: memberToRemove.userId,
+        targetEmail: memberToRemove.email ?? undefined,
+        providerId: result.set.providerId,
+      },
       request: req,
     })
 

apps/sim/app/api/credential-sets/[id]/route.ts

@@ -142,6 +142,13 @@ export async function PUT(req: NextRequest, { params }: { params: Promise<{ id:
       actorEmail: session.user.email ?? undefined,
       resourceName: updated?.name ?? result.set.name,
       description: `Updated credential set "${updated?.name ?? result.set.name}"`,
+      metadata: {
+        organizationId: result.set.organizationId,
+        providerId: result.set.providerId,
+        updatedFields: Object.keys(updates).filter(
+          (k) => updates[k as keyof typeof updates] !== undefined
+        ),
+      },
       request: req,
     })
 
@@ -199,6 +206,7 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
       actorEmail: session.user.email ?? undefined,
       resourceName: result.set.name,
       description: `Deleted credential set "${result.set.name}"`,
+      metadata: { organizationId: result.set.organizationId, providerId: result.set.providerId },
       request: req,
     })
 

apps/sim/app/api/credential-sets/invite/[token]/route.ts

@@ -192,7 +192,12 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ tok
       resourceId: invitation.credentialSetId,
       resourceName: invitation.credentialSetName,
       description: `Accepted credential set invitation`,
-      metadata: { invitationId: invitation.id },
+      metadata: {
+        invitationId: invitation.id,
+        credentialSetId: invitation.credentialSetId,
+        providerId: invitation.providerId,
+        credentialSetName: invitation.credentialSetName,
+      },
       request: req,
     })
 

apps/sim/app/api/credential-sets/memberships/route.ts

@@ -116,6 +116,7 @@ export async function DELETE(req: NextRequest) {
       resourceType: AuditResourceType.CREDENTIAL_SET,
       resourceId: credentialSetId,
       description: `Left credential set`,
+      metadata: { credentialSetId },
       request: req,
     })