feat(worker): 补齐敏感管理操作审计落库 + 修 redeliver 审计潜伏丢失(#137 可观测性)#330
Merged
Conversation
#137 深评指出:除消息编辑历史(message_audit)外,token 签发/撤销、ACL/成员/ webhook 等敏感管理操作大多无审计落库,跨公司出安全事件或线上故障时既无法追责也 无法定位。management_audit 表 + bestEffortRecordManagementAudit 早已存在,但许多 mutating 管理端点从未调用它。本次把以下敏感操作全部纳入审计(helper/shape 与既有 落库点一致,best-effort,绝不因审计失败而使已提交的管理操作失败,且不落任何密钥/token): 新增落库的管理操作: - channel.create POST /api/channels(频道创建,含 kind/mode/visibility) - membership.set POST /api/admin/membership(付费会员开通/降级,含 tier) - channel.role.assign PUT /api/channels/:slug/roles/:name(协作角色分配,含 role) - channel.role.remove DELETE /api/channels/:slug/roles/:name(仅实际删除时) - channel.join_link.create POST /api/channels/:slug/join-links - channel.join_link.revoke DELETE /api/channels/:slug/join-links/:code(仅实际撤销时) - channel.member.add POST /api/join/:code(人类凭 join-link 入群,actor=入群者) - channel.project_agent.invite POST /api/channels/:slug/project-agents(仅新建邀请时) - channel.project_agent.remove DELETE /api/channels/:slug/project-agents(邀请撤销本身) - channel.guard.update PUT completion-gate / decision-mode / loop-guard / workflow-guard - channel.guard.reset POST reset-guard / workflows/:id/reset-guard 已覆盖、未改动:token.issue(/tokens、/agents、/spawn、/rotate、runtime-token、 share-links)、token.revoke(/tokens、kick、project-agents 子 token、share-links)、 channel.permissions.update、channel.visibility.update、channel.member.add/remove(房主侧)、 channel.webhook.add/remove/redeliver、channel.archive。 migration 0030:拓宽 management_audit.action 的 CHECK 枚举以容纳上述新动作; 顺带修复 0025 遗漏——代码早已记录的 channel.webhook.redeliver 本不在枚举内, 越界值被 CHECK 拒绝后 best-effort 静默吞行,审计悄悄丢失,现一并补入。 (SQLite 无法 ALTER CHECK,按建新表/搬数据/换名重建。) wrangler:prod 与 xdream 两个部署目标各加 observability 块(enabled + head_sampling_rate:1), 开启 Cloudflare Workers 内建 Logs,无需外部服务/密钥,线上可查 console.error 与请求日志。 审计元数据仍走 safeMetadata 白名单,只落 kind/mode/visibility/tier/role/guard 等枚举字段, 不落 URL/secret/body。lark-notify 与 desktop 会话签发因当前测试装置难以覆盖,留作后续。 新增 test/management-audit-coverage.spec.ts 覆盖每个新落库操作;更新 management-audit.spec.ts 以纳入 channel.create(精确列表 + 分页计数)。
82a20fb to
610b538
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
补什么(#137 可观测性/运维审计,dimension 1)
management_audit+bestEffortRecordManagementAudit早已存在,但许多改状态的敏感管理端点从不落审计——出安全事件/线上故障时既无法追责也无法定位。做了(同 helper、同形状、不记密钥/token)
补审计到 11 个未覆盖端点:
channel.create、membership.set、channel.role.assign/remove、channel.join_link.create/revoke、channel.member.add(link 自助入)、channel.project_agent.invite/remove、channel.guard.update(completion-gate/decision-mode/loop/workflow)、channel.guard.reset。(token 签发/撤销、权限/可见性变更、成员增删、webhook 增删/重投、archive 本已覆盖。)management_audit.actionCHECK enum 收纳新 action。并修一个潜伏 bug:0025 的 CHECK 从没列channel.webhook.redeliver(代码却已记录)→ 越界 insert 被 CHECK 拒、又被 best-effort helper 静默吞 → redeliver 审计一直在丢。现纳入。(SQLite 不能 ALTER CHECK,重建表→拷行→改名。)management-audit.ts:扩 action union +safeMetadata白名单分支(kind/mode/visibility、tier、role、guard)——只有枚举字段进 metadata,绝不落 URL/密钥/正文。observability块(enabled、head_sampling_rate:1)——内置 Workers Logs,无外部服务/密钥。门禁(对 origin HEAD rebase 后亲验,与已合的 #137b/#137d 无冲突)
scope
lark-notify / 桌面配对 token 签发(需 Lark 配置/真配对,测不了)标 follow-up;squads/charter/昵称是内容非权限边界、刻意不记。
🤖 opus agent 实现(含修 redeliver 审计潜伏 bug)、收尾截断我接管(审+提交+复验)。