feat: complete audit coverage — comment, webhook, system-role, dispo, scenario

- comment.ts: create (body preview), resolve, delete - webhook.ts: create, update, delete, test (result in summary) - system-role-config.ts: update with before/after - dispo.ts: commitImportBatch (IMPORT with counts), cancelImportBatch - scenario.ts: applyScenario (CREATE with allocation count) Audit coverage now: 29/36 routers (81%). Remaining 7 are read-only (dashboard, staffing, chargeability-report, computation-graph, report, insights.detectAnomalies, notification read/dismiss). Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-22 22:46:34 +01:00
parent 66878f18f4
commit 7a7430851c
5 changed files with 157 additions and 8 deletions
@@ -3,6 +3,7 @@ import { TRPCError } from "@trpc/server";
 import { SystemRole } from "@planarchy/shared";
 import { createTRPCRouter, protectedProcedure } from "../trpc.js";
 import { createNotification } from "../lib/create-notification.js";
+import { createAuditEntry } from "../lib/audit.js";

 // ─── Helpers ──────────────────────────────────────────────────────────────────

@@ -155,6 +156,17 @@ export const commentRouter = createTRPCRouter({
        );
      }

+      void createAuditEntry({
+        db: ctx.db,
+        entityType: "Comment",
+        entityId: comment.id,
+        entityName: input.body.slice(0, 50),
+        action: "CREATE",
+        userId: ctx.dbUser?.id,
+        after: comment as unknown as Record<string, unknown>,
+        source: "ui",
+      });
+
      return comment;
    }),

@@ -188,13 +200,26 @@ export const commentRouter = createTRPCRouter({
        });
      }

-      return ctx.db.comment.update({
+      const updated = await ctx.db.comment.update({
        where: { id: input.id },
        data: { resolved: input.resolved },
        include: {
          author: { select: { id: true, name: true, email: true, image: true } },
        },
      });
+
+      void createAuditEntry({
+        db: ctx.db,
+        entityType: "Comment",
+        entityId: input.id,
+        action: "UPDATE",
+        userId: ctx.dbUser?.id,
+        summary: input.resolved ? "Resolved comment" : "Unresolved comment",
+        after: updated as unknown as Record<string, unknown>,
+        source: "ui",
+      });
+
+      return updated;
    }),

  /** Delete a comment (author or admin only). Hard-deletes, including all replies. */
@@ -227,5 +252,15 @@ export const commentRouter = createTRPCRouter({
      });

      await ctx.db.comment.delete({ where: { id: input.id } });
+
+      void createAuditEntry({
+        db: ctx.db,
+        entityType: "Comment",
+        entityId: input.id,
+        action: "DELETE",
+        userId: ctx.dbUser?.id,
+        before: existing as unknown as Record<string, unknown>,
+        source: "ui",
+      });
    }),
 });