[CLEAN] Synthetic Benchmark PR #26523 - chore: Integrate confirmation booking audit

[tomerqodo]

Benchmark PR calcom#26523

Type: Clean (correct implementation)

Original PR Title: chore: Integrate confirmation booking audit
Original PR Description: ## What does this PR do?

Integrates booking audit logging for booking confirmation (acceptance) and rejection events. This is part of the booking audit integration plan (PR-2).

Note: This PR is stacked on calcom#26567 which refactors the link and verify-booking-token routes to use confirmHandler directly instead of the tRPC caller pattern.

Core Changes:

• handleConfirmation.ts: Added audit logging for single booking acceptance (onBookingAccepted) and bulk/recurring booking acceptance (onBulkBookingsAccepted). Refactored to use SimplifiedActorIdentifier union type for flexible actor specification.
• confirm.handler.ts: Added audit logging for booking rejection (onBookingRejected) via fireRejectionEvent helper. Passes actionSource/userUuid to handleConfirmation. Input type now requires actionSource and actor.
• zod-utils.ts: Added required actionSource field to the booking confirm input schema (values: WEBAPP, API_V1, API_V2, WEBHOOK, MAGIC_LINK)
• _router.tsx: Explicitly adds actionSource: "WEBAPP" and actor when calling confirmHandler from tRPC
• API v2 bookings.service.ts: Passes actionSource: "API_V2" and actor for confirm and decline operations
• link/route.ts & verify-booking-token/route.ts: Pass actionSource: "MAGIC_LINK" and actor for magic link confirmations

Payment Webhook Integration:

• handlePaymentSuccess.ts: Refactored to accept object params including appSlug for actor identification. Creates app actor from credentialId or falls back to appSlug.
• Payment webhooks (alby, btcpayserver, hitpay, paypal, stripe): Updated to pass their respective appSlug for audit actor identification
• Stripe webhook.ts: Added actor creation for payment setup success flow

Schema Changes:

• schema.prisma: Added MAGIC_LINK to BookingAuditSource enum
• Migration: Added 20260107093019_add_magic_link_source migration
• RejectedAuditActionService.ts: Changed rejectionReason from StringChangeSchema (old/new) to z.string().nullable() (single value). Changed status to use BookingStatusChangeSchema.
• dto/types.ts: Added ActorIdentification type export

Test Infrastructure:

• Refactored integration test utilities into reusable integration-utils.ts
• Updated route tests to mock confirmHandler directly and include makeUserActor mock

Updates since last revision

• PR is now stacked on refactor: Use confirmHandler directly in link and verify-booking-token routes[booking-audit-prerequisite] calcom/cal.com#26567 (refactor: Use confirmHandler directly in link and verify-booking-token routes)
• Added MAGIC_LINK as a new BookingAuditSource enum value with corresponding migration
• Magic link routes (/api/link and /api/verify-booking-token) now pass actionSource: "MAGIC_LINK" and actor to confirmHandler
• Updated tests to verify actor is passed correctly from makeUserActor

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A - internal audit logging only.
• I confirm automated tests are in place that prove my fix is effective or that my feature works. N/A - audit logging is non-blocking and wrapped in try-catch.

How should this be tested?

1. Accept a single booking → verify audit log is created with onBookingAccepted
2. Accept recurring bookings → verify audit logs are created with onBulkBookingsAccepted and share the same operationId
3. Reject a booking → verify audit log is created with onBookingRejected
4. Confirm/decline via API v2 → verify actionSource is "API_V2"
5. Complete a payment via Stripe/PayPal/etc → verify audit log has correct app actor
6. New: Confirm via magic link → verify actionSource is "MAGIC_LINK"

Human Review Checklist

• Verify PR refactor: Use confirmHandler directly in link and verify-booking-token routes[booking-audit-prerequisite] calcom/cal.com#26567 is merged before this PR (stacked dependency)
• Verify the MAGIC_LINK migration runs correctly
• Verify all callers of handleConfirmation pass required actionSource and either userUuid or actor
• Verify the SimplifiedActorIdentifier union type correctly enforces mutual exclusivity of userUuid and actor
• Verify payment webhook handlers correctly identify their app via appSlug
• Verify the RejectedAuditData schema change (rejectionReason no longer has old/new) is acceptable
• Verify the guard clause behavior (skipping audit when actor is undefined) is acceptable
• Note: Bulk rejection (recurring events) currently only logs the primary booking, not all related bookings - confirm if this is acceptable

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have checked if my changes generate no new warnings

---

Link to Devin run: https://app.devin.ai/sessions/5914b63665314f9480f0cf5fd2d6fd13
Requested by: @hariombalhara
Original PR URL: calcom#26523

[github-actions]

Hey there and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No release type found in pull request title "[CLEAN] Synthetic Benchmark PR #26523 - chore: Integrate confirmation booking audit". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

[github-actions]

This PR has been marked as stale due to inactivity. If you're still working on it or need any help, please let us know or update the PR to keep it active.