feat(audit): harden API audit log redaction and schema

- Change query_json column from TEXT to JSON, ip/user_agent to CHAR(64)
  for PII redaction compliance
- Update repository, service, and views for hardened schema
- Add architecture contract test for security logging redaction
- Add search resource provider test coverage
- Include DB migration script for existing installs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-05 23:20:55 +02:00
parent c2a7d6b789
commit c6c5d06936
14 changed files with 255 additions and 77 deletions

View File

@@ -511,7 +511,7 @@ CREATE TABLE IF NOT EXISTS `api_audit_log` (
`request_id` CHAR(36) NOT NULL,
`method` VARCHAR(8) NOT NULL,
`path` VARCHAR(255) NOT NULL,
`query_json` TEXT NULL,
`query_json` JSON NULL,
`status_code` SMALLINT UNSIGNED NOT NULL,
`duration_ms` INT UNSIGNED NULL,
`error_code` VARCHAR(100) NULL,
@@ -519,8 +519,8 @@ CREATE TABLE IF NOT EXISTS `api_audit_log` (
`tenant_id` INT UNSIGNED NULL,
`api_token_id` INT UNSIGNED NULL,
`token_tenant_id` INT UNSIGNED NULL,
`ip` VARCHAR(45) NULL,
`user_agent` VARCHAR(255) NULL,
`ip` CHAR(64) NULL,
`user_agent` CHAR(64) NULL,
`created_at` DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`id`),
UNIQUE KEY `uniq_api_audit_request_id_created` (`request_id`, `created_at`),