You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Record audit-log entries for custom-block lifecycle events (previously nothing was logged when a block was published/edited/unpublished)
New custom_block audit resource type + custom_block.published / .updated / .deleted actions
Emitted from the API routes after the DB write (fire-and-forget), scoped by the source workspace with organizationId in metadata so the org audit-log page surfaces them; the .deleted verb renders as a red badge and the "Custom Block" resource filter appears automatically
Type of Change
New feature
Testing
Tested manually (publish/edit/unpublish → entries appear in the org audit log). @sim/audit registry-sync tests updated + passing; bun run lint, tsc, and check:api-validation clean.
Low Risk
Observability-only additions after existing auth and DB writes; no change to permission rules or block behavior.
Overview
Adds audit logging for deploy-as-block lifecycle actions that previously had no org audit trail.
After successful publish (POST /custom-blocks), update (PATCH), and unpublish (DELETE), routes call recordAudit with workspace scoping and organizationId / block metadata so entries show on the org audit log. New registry entries are custom_block plus custom_block.published, .updated, and .deleted (delete is described as unpublish in the message).
authorizeManage now returns the manage context from getCustomBlockManageContext, which also loads name and type for audit payloads without an extra query. Test audit mocks mirror the new actions and resource type.
Reviewed by Cursor Bugbot for commit 03e0e23. Bugbot is set up for automated code reviews on this repo. Configure here.
This PR adds audit log entries for custom-block lifecycle events (publish, update, unpublish/delete), which were previously untracked. It introduces three new action constants (custom_block.published, .updated, .deleted) and a CUSTOM_BLOCK resource type to the shared @sim/audit package, extends getCustomBlockManageContext to return type and name from the DB, and emits fire-and-forget recordAudit calls in the POST/PATCH/DELETE routes after each successful DB write.
New audit constants: AuditAction.CUSTOM_BLOCK_PUBLISHED/UPDATED/DELETED and AuditResourceType.CUSTOM_BLOCK added to packages/audit/src/types.ts and kept in sync in the test mock.
Route changes: All three route handlers (POST, PATCH, DELETE) now call recordAudit after a successful DB write, scoping the event to the source workspace and embedding organizationId in metadata so the org audit-log page can surface it.
authorizeManage refactor: Returns the full ManageContext (including name and type) on success, eliminating the need for an extra DB round-trip to populate the audit payload.
Confidence Score: 5/5
Safe to merge — changes are additive, fire-and-forget audit calls cannot affect the existing request/response path, and the auth guard in authorizeManage already guarantees the context fields needed for the audit payload are non-null before any audit call is reached.
The implementation is straightforward: three new string constants, a small DB select extension, and three fire-and-forget audit calls placed after successful DB writes. The recordAudit function is documented as never-throwing, so none of the new call sites can introduce a regression in the happy path or error path. The authorizeManage refactor is a clean narrowing — it returns the same union type but also carries the context needed downstream, and the existing auth logic is unchanged.
No files require special attention.
Important Files Changed
Filename
Overview
packages/audit/src/types.ts
Adds CUSTOM_BLOCK_PUBLISHED / UPDATED / DELETED action constants and CUSTOM_BLOCK resource type, alphabetically ordered and consistent with the existing pattern.
packages/testing/src/mocks/audit.mock.ts
Mirrors the new audit constants in the test mock, keeping string values in sync with the types file and alphabetically ordered.
Extends getCustomBlockManageContext to return type and name fields from the DB so route handlers can populate audit metadata without an extra query.
apps/sim/app/api/custom-blocks/route.ts
Adds fire-and-forget recordAudit call after publishCustomBlock succeeds; passes workspaceId, actorId, and organizationId in metadata correctly.
apps/sim/app/api/custom-blocks/[id]/route.ts
Refactors authorizeManage to return a typed ManageContext on success, then emits audit events after update and delete DB writes; auth guard ensures sourceWorkspaceId is non-null before either call is reached.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
custom_blockaudit resource type +custom_block.published/.updated/.deletedactionsorganizationIdin metadata so the org audit-log page surfaces them; the.deletedverb renders as a red badge and the "Custom Block" resource filter appears automaticallyType of Change
Testing
Tested manually (publish/edit/unpublish → entries appear in the org audit log).
@sim/auditregistry-sync tests updated + passing;bun run lint, tsc, andcheck:api-validationclean.Checklist