portal

liderra/portal

Fork 0

Commit Graph

Author	SHA1	Message	Date
Дмитрий	60ab5be3eb	feat(audit): partitioning 7 audit-таблиц по месяцам (hole #2 Phase A) Закрывает последнюю дыру #2 аудита журналирования. Phase A (dev) — миграция схемы + retention tooling. Phase B (прод-rewrite через SQL под postgres) — отдельным шагом с явным approve. Решения заказчика: * Scope: все 7 таблиц (auth_log, activity_log, tenant_operations_log, webhook_log, balance_transactions, pd_processing_log, saas_admin_audit_log) * FK на webhook_log: W1 — удалить FK от failed_webhook_jobs+rejected_deals_log * Retention defaults: auth:24м, activity:36м, tenant_ops:24м, webhook:3м, balance:84м, pd:36м, saas_admin:84м. Cron Sundays 03:00 МСК * Hash-chain: per-partition (audit_chain_hash трг через TG_TABLE_NAME уже работает per-partition; совместимо с hole #1 per-RLS-scope fix) Phase A: * db/schema.sql v8.30→v8.31: 7 audit-таблиц на PARTITION BY RANGE, PK→(id, partition_key), +7 retention seeds в system_settings, FK от failed_webhook_jobs/rejected_deals_log удалены * MonthlyPartitionManager: PARTITIONED_TABLES → ассоциативный array (name => partition_key), 2 → 9 таблиц * PartitionsCreateMonths: автоматически покрывает все 9 * load_initial_schema: после schema.sql вызывает Artisan partitions:create-months --ahead=2 (без этого первый INSERT падает) * 2026_05_22_000001_tenant_operations_log: idempotency guard * VerifyAuditChains: per-partition scan через pg_inherits; fallback на single-scope для не-партиционированной таблицы; per-RLS-scope partition_clause сохранён внутри каждой партиции * AuditChainBreachMail: +partitionName param (NULL=fallback на tableName) * PartitionsDropExpired (новая): cron Sundays 03:00 МСК, retention из system_settings, dry-run mode, safety guard retention=0 * SchedulerHeartbeatTracker +partitions:drop-expired (10080 мин) Без Laravel-миграции для прода — она оставляла БД пустой при migrate:fresh. Подход: schema.sql декларирует партиционированные + ad-hoc SQL под postgres для прод-rewrite (отдельный commit + ручной деплой + pg_dump backup). Тесты: 1219/1231 (35/35 hole #2 specs, 88 assertions). 3 fail — pre-existing AdminPdSubjectRequestsControllerTest::executeErasure_* (FK actor_admin_user_id после partitioning pd_processing_log, отдельная задача для hole #4 follow-up, не блокирует). cspell +2 слова (партиционировать, дёшева). Pint --fix чистый. Spec: docs/superpowers/specs/2026-05-23-hole-2-audit-partitioning-design.md Plan: docs/superpowers/plans/2026-05-23-hole-2-audit-partitioning-plan.md	2026-05-23 15:50:37 +03:00
Дмитрий	378cfba406	fix(audit): per-RLS-scope hash-chain validation (hole #1 prod fix) Prod smoke revealed the chain is PER-RLS-SCOPE, not global: audit_chain_hash() trigger's prev-SELECT obeys each table's RLS policy under the inserting tenant's GUC. On dev (superuser) it sees all rows (global chain); on prod (crm_app_user) only RLS-visible rows (per-tenant chain). tenant_operations_log false-broke at a tenant boundary (row 32, tenant 4 after tenant 3 rows). Fix (stakeholder choice: per-scope validator, no trigger change / no hash rebuild): - recompute now LAG OVER (PARTITION BY <scope> ORDER BY id): tenant_id for tenant_operations_log/activity_log/balance_transactions/pd_processing_log; (actor_type, tenant_id) for auth_log (RLS also filters actor_type='tenant_user'); global for saas_admin_audit_log (no tenant RLS — crm_admin_user BYPASSRLS sees all). - exit code: incident write now best-effort (try/catch); ANY breach → self::FAILURE regardless of whether incident row could be written (no active saas_admin FK). Tests 7/7 (+multi-tenant per-tenant regression that reproduces prod chaining, +exit-code-without-admin). Console 21/21, pint clean, larastan 0.	2026-05-23 10:42:51 +03:00
Дмитрий	d170c886bc	feat(audit): hash-chain integrity validator — audit:verify-chains (hole #1 ) Closes hole #1: log_hash written by trigger but never verified → tampering invisible. audit:verify-chains (cron daily 04:00) recomputes SHA-256 chain for all 6 audit tables via SQL on pgsql_supplier (prod-safe). Serialization reproduces trigger exactly (ROW with log_hash=NULL::bytea). Break → incidents_log (high, dedup 24h) + AuditChainBreachMail to kdv1@bk.ru + non-zero exit. Tests 5/5, Console 19/19.	2026-05-23 10:27:55 +03:00

Author

SHA1

Message

Date

Дмитрий

60ab5be3eb

feat(audit): partitioning 7 audit-таблиц по месяцам (hole #2 Phase A)

Закрывает последнюю дыру #2 аудита журналирования. Phase A (dev) — миграция
схемы + retention tooling. Phase B (прод-rewrite через SQL под postgres) —
отдельным шагом с явным approve.

Решения заказчика:
* Scope: все 7 таблиц (auth_log, activity_log, tenant_operations_log,
  webhook_log, balance_transactions, pd_processing_log, saas_admin_audit_log)
* FK на webhook_log: W1 — удалить FK от failed_webhook_jobs+rejected_deals_log
* Retention defaults: auth:24м, activity:36м, tenant_ops:24м, webhook:3м,
  balance:84м, pd:36м, saas_admin:84м. Cron Sundays 03:00 МСК
* Hash-chain: per-partition (audit_chain_hash трг через TG_TABLE_NAME уже
  работает per-partition; совместимо с hole #1 per-RLS-scope fix)

Phase A:
* db/schema.sql v8.30→v8.31: 7 audit-таблиц на PARTITION BY RANGE,
  PK→(id, partition_key), +7 retention seeds в system_settings,
  FK от failed_webhook_jobs/rejected_deals_log удалены
* MonthlyPartitionManager: PARTITIONED_TABLES → ассоциативный array
  (name => partition_key), 2 → 9 таблиц
* PartitionsCreateMonths: автоматически покрывает все 9
* load_initial_schema: после schema.sql вызывает Artisan
  partitions:create-months --ahead=2 (без этого первый INSERT падает)
* 2026_05_22_000001_tenant_operations_log: idempotency guard
* VerifyAuditChains: per-partition scan через pg_inherits;
  fallback на single-scope для не-партиционированной таблицы;
  per-RLS-scope partition_clause сохранён внутри каждой партиции
* AuditChainBreachMail: +partitionName param (NULL=fallback на tableName)
* PartitionsDropExpired (новая): cron Sundays 03:00 МСК, retention из
  system_settings, dry-run mode, safety guard retention=0
* SchedulerHeartbeatTracker +partitions:drop-expired (10080 мин)

Без Laravel-миграции для прода — она оставляла БД пустой при migrate:fresh.
Подход: schema.sql декларирует партиционированные + ad-hoc SQL под postgres
для прод-rewrite (отдельный commit + ручной деплой + pg_dump backup).

Тесты: 1219/1231 (35/35 hole #2 specs, 88 assertions). 3 fail —
pre-existing AdminPdSubjectRequestsControllerTest::executeErasure_*
(FK actor_admin_user_id после partitioning pd_processing_log, отдельная
задача для hole #4 follow-up, не блокирует).

cspell +2 слова (партиционировать, дёшева). Pint --fix чистый.

Spec: docs/superpowers/specs/2026-05-23-hole-2-audit-partitioning-design.md
Plan: docs/superpowers/plans/2026-05-23-hole-2-audit-partitioning-plan.md

2026-05-23 15:50:37 +03:00

Дмитрий

378cfba406

fix(audit): per-RLS-scope hash-chain validation (hole #1 prod fix)

Prod smoke revealed the chain is PER-RLS-SCOPE, not global: audit_chain_hash()
trigger's prev-SELECT obeys each table's RLS policy under the inserting tenant's
GUC. On dev (superuser) it sees all rows (global chain); on prod (crm_app_user)
only RLS-visible rows (per-tenant chain). tenant_operations_log false-broke at a
tenant boundary (row 32, tenant 4 after tenant 3 rows).

Fix (stakeholder choice: per-scope validator, no trigger change / no hash rebuild):
- recompute now LAG OVER (PARTITION BY <scope> ORDER BY id):
  tenant_id for tenant_operations_log/activity_log/balance_transactions/pd_processing_log;
  (actor_type, tenant_id) for auth_log (RLS also filters actor_type='tenant_user');
  global for saas_admin_audit_log (no tenant RLS — crm_admin_user BYPASSRLS sees all).
- exit code: incident write now best-effort (try/catch); ANY breach → self::FAILURE
  regardless of whether incident row could be written (no active saas_admin FK).

Tests 7/7 (+multi-tenant per-tenant regression that reproduces prod chaining,
+exit-code-without-admin). Console 21/21, pint clean, larastan 0.

2026-05-23 10:42:51 +03:00

Дмитрий

d170c886bc

feat(audit): hash-chain integrity validator — audit:verify-chains (hole #1 )

Closes hole #1: log_hash written by trigger but never verified → tampering invisible.
audit:verify-chains (cron daily 04:00) recomputes SHA-256 chain for all 6 audit
tables via SQL on pgsql_supplier (prod-safe). Serialization reproduces trigger
exactly (ROW with log_hash=NULL::bytea). Break → incidents_log (high, dedup 24h)
+ AuditChainBreachMail to kdv1@bk.ru + non-zero exit. Tests 5/5, Console 19/19.

2026-05-23 10:27:55 +03:00

3 Commits