feat(audit-log): add audit events for templates, billing, credentials, env, deployments, passwords

Author: waleedlatif1

apps/sim/app/api/auth/reset-password/route.ts

@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { auth } from '@/lib/auth'
 
 export const dynamic = 'force-dynamic'
@@ -45,6 +46,14 @@ export async function POST(request: NextRequest) {
       method: 'POST',
     })
 
+    recordAudit({
+      actorId: 'system',
+      action: AuditAction.PASSWORD_RESET,
+      resourceType: AuditResourceType.PASSWORD,
+      description: 'Password reset completed',
+      request,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error during password reset:', { error })

apps/sim/app/api/billing/credits/route.ts

@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { getCreditBalance } from '@/lib/billing/credits/balance'
 import { purchaseCredits } from '@/lib/billing/credits/purchase'
@@ -57,6 +58,17 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: result.error }, { status: 400 })
     }
 
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.CREDIT_PURCHASED,
+      resourceType: AuditResourceType.BILLING,
+      description: `Purchased $${validation.data.amount} in credits`,
+      metadata: { amount: validation.data.amount, requestId: validation.data.requestId },
+      request,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Failed to purchase credits', { error, userId: session.user.id })

apps/sim/app/api/credential-sets/[id]/invite/[invitationId]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getEmailSubject, renderPollingGroupInvitationEmail } from '@/components/emails'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { hasCredentialSetsAccess } from '@/lib/billing'
 import { getBaseUrl } from '@/lib/core/utils/urls'
@@ -148,6 +149,19 @@ export async function POST(
       userId: session.user.id,
     })
 
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.CREDENTIAL_SET_INVITATION_CREATED,
+      resourceType: AuditResourceType.CREDENTIAL_SET,
+      resourceId: id,
+      resourceName: result.set.name,
+      description: `Resent credential set invitation to ${invitation.email}`,
+      metadata: { invitationId, email: invitation.email, resend: true },
+      request: req,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error resending invitation', error)

apps/sim/app/api/credential-sets/invite/[token]/route.ts

@@ -8,6 +8,7 @@ import {
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
 
@@ -184,6 +185,18 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ tok
       userId: session.user.id,
     })
 
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.CREDENTIAL_SET_INVITATION_ACCEPTED,
+      resourceType: AuditResourceType.CREDENTIAL_SET,
+      resourceId: invitation.credentialSetId,
+      description: `Accepted credential set invitation`,
+      metadata: { invitationId: invitation.id },
+      request: req,
+    })
+
     return NextResponse.json({
       success: true,
       credentialSetId: invitation.credentialSetId,

apps/sim/app/api/credential-sets/memberships/route.ts

@@ -3,6 +3,7 @@ import { credentialSet, credentialSetMember, organization } from '@sim/db/schema
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
 
@@ -106,6 +107,17 @@ export async function DELETE(req: NextRequest) {
       userId: session.user.id,
     })
 
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.CREDENTIAL_SET_MEMBER_LEFT,
+      resourceType: AuditResourceType.CREDENTIAL_SET,
+      resourceId: credentialSetId,
+      description: `Left credential set`,
+      request: req,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     const message = error instanceof Error ? error.message : 'Failed to leave credential set'

apps/sim/app/api/environment/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -53,6 +54,17 @@ export async function POST(req: NextRequest) {
           },
         })
 
+      recordAudit({
+        actorId: session.user.id,
+        actorName: session.user.name,
+        actorEmail: session.user.email,
+        action: AuditAction.ENVIRONMENT_UPDATED,
+        resourceType: AuditResourceType.ENVIRONMENT,
+        description: 'Updated global environment variables',
+        metadata: { variableCount: Object.keys(variables).length },
+        request: req,
+      })
+
       return NextResponse.json({ success: true })
     } catch (validationError) {
       if (validationError instanceof z.ZodError) {

apps/sim/app/api/templates/[id]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { eq, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
@@ -247,6 +248,18 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
 
     logger.info(`[${requestId}] Successfully updated template: ${id}`)
 
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.TEMPLATE_UPDATED,
+      resourceType: AuditResourceType.TEMPLATE,
+      resourceId: id,
+      resourceName: name ?? template.name,
+      description: `Updated template "${name ?? template.name}"`,
+      request,
+    })
+
     return NextResponse.json({
       data: updatedTemplate[0],
       message: 'Template updated successfully',
@@ -300,6 +313,19 @@ export async function DELETE(
     await db.delete(templates).where(eq(templates.id, id))
 
     logger.info(`[${requestId}] Deleted template: ${id}`)
+
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.TEMPLATE_DELETED,
+      resourceType: AuditResourceType.TEMPLATE,
+      resourceId: id,
+      resourceName: template.name,
+      description: `Deleted template "${template.name}"`,
+      request,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error: any) {
     logger.error(`[${requestId}] Error deleting template: ${id}`, error)

apps/sim/app/api/templates/route.ts

@@ -11,6 +11,7 @@ import { and, desc, eq, ilike, or, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { verifyEffectiveSuperUser } from '@/lib/templates/permissions'
@@ -285,6 +286,18 @@ export async function POST(request: NextRequest) {
 
     logger.info(`[${requestId}] Successfully created template: ${templateId}`)
 
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.TEMPLATE_CREATED,
+      resourceType: AuditResourceType.TEMPLATE,
+      resourceId: templateId,
+      resourceName: data.name,
+      description: `Created template "${data.name}"`,
+      request,
+    })
+
     return NextResponse.json(
       {
         id: templateId,

apps/sim/app/api/workflows/[id]/deployments/[version]/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
 import { restorePreviousVersionWebhooks, saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
@@ -297,6 +298,18 @@ export async function PATCH(
         }
       }
 
+      recordAudit({
+        actorId: actorUserId,
+        actorName: session?.user?.name,
+        actorEmail: session?.user?.email,
+        action: AuditAction.WORKFLOW_DEPLOYMENT_ACTIVATED,
+        resourceType: AuditResourceType.WORKFLOW,
+        resourceId: id,
+        description: `Activated deployment version ${versionNum}`,
+        metadata: { version: versionNum },
+        request,
+      })
+
       return createSuccessResponse({
         success: true,
         deployedAt: result.deployedAt,

apps/sim/lib/audit/log.ts

@@ -24,12 +24,17 @@ export const AuditAction = {
   CHAT_UPDATED: 'chat.updated',
   CHAT_DELETED: 'chat.deleted',
 
+  // Billing
+  CREDIT_PURCHASED: 'credit.purchased',
+
   // Credential Sets
   CREDENTIAL_SET_CREATED: 'credential_set.created',
   CREDENTIAL_SET_UPDATED: 'credential_set.updated',
   CREDENTIAL_SET_DELETED: 'credential_set.deleted',
   CREDENTIAL_SET_MEMBER_REMOVED: 'credential_set_member.removed',
+  CREDENTIAL_SET_MEMBER_LEFT: 'credential_set_member.left',
   CREDENTIAL_SET_INVITATION_CREATED: 'credential_set_invitation.created',
+  CREDENTIAL_SET_INVITATION_ACCEPTED: 'credential_set_invitation.accepted',
   CREDENTIAL_SET_INVITATION_REVOKED: 'credential_set_invitation.revoked',
 
   // Documents
@@ -81,6 +86,9 @@ export const AuditAction = {
   // OAuth
   OAUTH_DISCONNECTED: 'oauth.disconnected',
 
+  // Password
+  PASSWORD_RESET: 'password.reset',
+
   // Organizations
   ORGANIZATION_CREATED: 'organization.created',
   ORGANIZATION_UPDATED: 'organization.updated',
@@ -103,6 +111,11 @@ export const AuditAction = {
   // Schedules
   SCHEDULE_UPDATED: 'schedule.updated',
 
+  // Templates
+  TEMPLATE_CREATED: 'template.created',
+  TEMPLATE_UPDATED: 'template.updated',
+  TEMPLATE_DELETED: 'template.deleted',
+
   // Webhooks
   WEBHOOK_CREATED: 'webhook.created',
   WEBHOOK_DELETED: 'webhook.deleted',
@@ -113,6 +126,7 @@ export const AuditAction = {
   WORKFLOW_DEPLOYED: 'workflow.deployed',
   WORKFLOW_UNDEPLOYED: 'workflow.undeployed',
   WORKFLOW_DUPLICATED: 'workflow.duplicated',
+  WORKFLOW_DEPLOYMENT_ACTIVATED: 'workflow.deployment_activated',
   WORKFLOW_DEPLOYMENT_REVERTED: 'workflow.deployment_reverted',
   WORKFLOW_VARIABLES_UPDATED: 'workflow.variables_updated',
 
@@ -129,6 +143,7 @@ export type AuditActionType = (typeof AuditAction)[keyof typeof AuditAction]
  */
 export const AuditResourceType = {
   API_KEY: 'api_key',
+  BILLING: 'billing',
   BYOK_KEY: 'byok_key',
   CHAT: 'chat',
   CREDENTIAL_SET: 'credential_set',
@@ -142,8 +157,10 @@ export const AuditResourceType = {
   NOTIFICATION: 'notification',
   OAUTH: 'oauth',
   ORGANIZATION: 'organization',
+  PASSWORD: 'password',
   PERMISSION_GROUP: 'permission_group',
   SCHEDULE: 'schedule',
+  TEMPLATE: 'template',
   WEBHOOK: 'webhook',
   WORKFLOW: 'workflow',
   WORKSPACE: 'workspace',