@CryogenicPlanetchecks…cryo/audit-tier2 → cryo/audit-tx-runner-m18 files · +800 −25review: @rohanprabhureview: @sarthakreview: @acsrujanreview: @anshugarg15updated 5h agomaster (merge bottom → top)AuditAction enum → master (reland of #10514, reverted in #10584)auditedTransaction (branded AuditedTx) → #10603Supersedes the production-based stack (#10355 / #10457 / #10510 / #10511 / #10513).
You are here: #10516
Part 3 (on master, stacks on #10515). The async Tier-2 path: non-critical control-plane events go through a durable queue into ClickHouse, plus blanket coverage via a global after-middleware.
queue/ (AuditQueue port + Vercel send), sink/ (ClickHouse async_insert), record_audit.ts (resolve actor → publish), consumer route app/api/queues/audit/route.ts (handleCallback → sink), vercel.json trigger.audit_logs DDL appended to clickhouse/schema.sql (prod SharedReplacingMergeTree) + docker-init (local), with MATERIALIZED is_internal/credential_id/actor_* + 3yr TTL.server/middleware/audit_after.ts) wired into getAuthRouter: map-gated, best-effort, never alters the response. The route→action map (actions.ts) reuses the AuditAction enum from Tier-1's schema.ts (duplicate enum removed).@vercel/queue.⚠️ Static-only (worktree has no deps). Two follow-ups for CI/review:
pnpm install must regenerate pnpm-lock.yaml for the new @vercel/queue dep — I couldn't run it here, so frozen-lockfile CI will fail until it's regenerated.deriveTargetId picks the last path param, so auth_configs/{nanoid}/{status} records {status} as the target — needs a per-route override (carried over from the earlier middleware PR).🤖 Generated with Claude Code
audit_logs is now defined in chorm (packages/db/src/clickhouse/audit_logs.ts, exported via @composio/db/clickhouse) as the source of truth; createTableSql(audit_logs) matches clickhouse/schema.sql exactly and doubles as the provisioning path.ORDER BY (org_id, project_id, createdAt, id) — the previous (project_id, …) key left org-wide reads unindexed. Changed while the table exists nowhere.insert() (InferInsert excludes MATERIALIZED columns by construction); async_insert settings injected at the service layer over the existing singleton client. Hand-rolled AuditClickHouseRowSchema removed.@clickhouse/client bumped ^1.11 → ^1.19 in apollo to dedupe with chorm; lockfile regenerated for @vercel/queue (the known CI follow-up).[!WARNING] This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite. Learn more
masterThis stack of pull requests is managed by Graphite. Learn more about stacking.
Review the following changes in direct dependencies. Learn more about Socket for GitHub.