feat: add audit log controller and integrate with existing modules

Author: Marfuen

apps/api/src/app.module.ts

@@ -37,7 +37,10 @@ import { OrgChartModule } from './org-chart/org-chart.module';
 import { TrainingModule } from './training/training.module';
 import { EvidenceFormsModule } from './evidence-forms/evidence-forms.module';
 import { FrameworksModule } from './frameworks/frameworks.module';
+import { AuditModule } from './audit/audit.module';
+import { ControlsModule } from './controls/controls.module';
 import { RolesModule } from './roles/roles.module';
+import { SecretsModule } from './secrets/secrets.module';
 
 @Module({
   imports: [
@@ -88,6 +91,9 @@ import { RolesModule } from './roles/roles.module';
     EvidenceFormsModule,
     FrameworksModule,
     RolesModule,
+    AuditModule,
+    ControlsModule,
+    SecretsModule,
   ],
   controllers: [AppController],
   providers: [

apps/api/src/audit/audit-log.controller.ts

@@ -0,0 +1,61 @@
+import { Controller, Get, Query, UseGuards } from '@nestjs/common';
+import { ApiOperation, ApiQuery, ApiSecurity, ApiTags } from '@nestjs/swagger';
+import { db } from '@trycompai/db';
+import { AuthContext, OrganizationId } from '../auth/auth-context.decorator';
+import { HybridAuthGuard } from '../auth/hybrid-auth.guard';
+import { PermissionGuard } from '../auth/permission.guard';
+import { RequirePermission } from '../auth/require-permission.decorator';
+import type { AuthContext as AuthContextType } from '../auth/types';
+
+@ApiTags('Audit Logs')
+@Controller({ path: 'audit-logs', version: '1' })
+@UseGuards(HybridAuthGuard, PermissionGuard)
+@ApiSecurity('apikey')
+export class AuditLogController {
+  @Get()
+  @RequirePermission('app', 'read')
+  @ApiOperation({ summary: 'Get audit logs filtered by entity type and ID' })
+  @ApiQuery({ name: 'entityType', required: false, description: 'Filter by entity type (e.g. policy, task, control)' })
+  @ApiQuery({ name: 'entityId', required: false, description: 'Filter by entity ID' })
+  @ApiQuery({ name: 'take', required: false, description: 'Number of logs to return (max 100, default 50)' })
+  async getAuditLogs(
+    @OrganizationId() organizationId: string,
+    @AuthContext() authContext: AuthContextType,
+    @Query('entityType') entityType?: string,
+    @Query('entityId') entityId?: string,
+    @Query('take') take?: string,
+  ) {
+    // organizationId comes from auth context (not user input) — ensures tenant isolation
+    const where: Record<string, unknown> = { organizationId };
+    if (entityType) where.entityType = entityType;
+    if (entityId) where.entityId = entityId;
+
+    const parsedTake = take
+      ? Math.min(100, Math.max(1, parseInt(take, 10) || 50))
+      : 50;
+
+    const logs = await db.auditLog.findMany({
+      where,
+      include: {
+        user: {
+          select: { id: true, name: true, email: true, image: true },
+        },
+        member: true,
+        organization: true,
+      },
+      orderBy: { timestamp: 'desc' },
+      take: parsedTake,
+    });
+
+    return {
+      data: logs,
+      authType: authContext.authType,
+      ...(authContext.userId && {
+        authenticatedUser: {
+          id: authContext.userId,
+          email: authContext.userEmail,
+        },
+      }),
+    };
+  }
+}

apps/api/src/audit/audit-log.interceptor.ts

@@ -113,6 +113,7 @@ export class AuditLogInterceptor implements NestInterceptor {
                 request.url,
                 method,
                 responseBody,
+                requestBody,
               );
               const downloadDesc = extractDownloadDescription(
                 request.url,
@@ -128,7 +129,11 @@ export class AuditLogInterceptor implements NestInterceptor {
 
               if (commentCtx || versionDesc || policyActionDesc) {
                 // Comments and version operations don't produce meaningful diffs
-                changes = null;
+                // But preserve the comment/reason if provided in the request body
+                const comment = requestBody?.comment;
+                changes = comment && typeof comment === 'string'
+                  ? { reason: { previous: null, current: comment } }
+                  : null;
               } else if (relationMappingResult) {
                 changes = relationMappingResult.changes;
                 descriptionOverride ??= relationMappingResult.description;

apps/api/src/audit/audit-log.utils.ts

@@ -89,6 +89,7 @@ export function extractVersionDescription(
   path: string,
   method: string,
   responseBody: unknown,
+  requestBody?: Record<string, unknown>,
 ): string | null {
   const isVersionPath = /\/versions(?:\/|$)/.test(path);
   const isApprovalPath = /\/(accept|deny)-changes\/?$/.test(path);
@@ -177,6 +178,18 @@ export function extractPolicyActionDescription(
     return 'Regenerated policy';
   }
 
+  const pathWithoutQuery = path.split('?')[0];
+
+  // POST /v1/policies/:id/pdf (upload)
+  if (/\/pdf\/?$/.test(pathWithoutQuery) && method === 'POST') {
+    return 'Uploaded policy PDF';
+  }
+
+  // DELETE /v1/policies/:id/pdf (delete)
+  if (/\/pdf\/?$/.test(pathWithoutQuery) && method === 'DELETE') {
+    return 'Deleted policy PDF';
+  }
+
   // PATCH /v1/policies/:id with isArchived field
   if (method === 'PATCH' && requestBody && 'isArchived' in requestBody) {
     return requestBody.isArchived ? 'Archived policy' : 'Restored policy';

apps/api/src/audit/audit.module.ts

@@ -1,8 +1,12 @@
 import { Module } from '@nestjs/common';
 import { APP_INTERCEPTOR } from '@nestjs/core';
+import { AuthModule } from '../auth/auth.module';
+import { AuditLogController } from './audit-log.controller';
 import { AuditLogInterceptor } from './audit-log.interceptor';
 
 @Module({
+  imports: [AuthModule],
+  controllers: [AuditLogController],
   providers: [
     {
       provide: APP_INTERCEPTOR,

apps/api/src/frameworks/frameworks-scores.helper.ts

@@ -1,4 +1,5 @@
 import { db } from '@trycompai/db';
+import { filterComplianceMembers } from '../utils/compliance-filters';
 
 const TRAINING_VIDEO_IDS = ['sat-1', 'sat-2', 'sat-3', 'sat-4', 'sat-5'];
 
@@ -34,11 +35,8 @@ export async function getOverviewScores(organizationId: string) {
     (t) => t.status === 'todo' || t.status === 'in_progress',
   );
 
-  // People score
-  const activeEmployees = employees.filter((m) => {
-    const roles = m.role.includes(',') ? m.role.split(',') : [m.role];
-    return roles.includes('employee') || roles.includes('contractor');
-  });
+  // People score — filter to members with compliance:required permission
+  const activeEmployees = await filterComplianceMembers(employees, organizationId);
 
   let completedMembers = 0;