{ "ursId": "URS-003", "title": "Audit Log Tracking of All User Actions", "timestamp": "2026-04-23T03:33:42.355Z", "durationMs": 51874, "config": { "inboxUrl": "http://localhost:61673", "dbHost": "localhost", "dbPort": 61674, "dbName": "cc_repinbox_dev" }, "setup": { "status": "pass" }, "scenarios": [ { "name": "Step 1: Rep login", "status": "pass", "description": "Step 1: Rep login", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/screenshots/step-01-rep-logged-in.png" ], "explanation": "The sales representative (Bob Kauffman) authenticates using valid credentials. On successful login the client-side logEvent() helper writes a user_log row with action=user:login to the audit_events table. This is verified in the DB validation phase to confirm that every login event is captured regardless of user role.", "expectedAuditActions": [ "user_log:user:login" ], "startedAt": "2026-04-23T03:33:50.168Z", "finishedAt": "2026-04-23T03:33:50.168Z", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/videos/step-01-rep-login.webm" }, { "name": "Step 2: Create order", "status": "pass", "description": "Step 2: Create order", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/screenshots/step-02-order-step2-account-selected.png", "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/screenshots/step-02-order-step3-products.png", "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/screenshots/step-02-order-step4-review.png", "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/screenshots/step-02-order-submitted.png" ], "explanation": "The rep navigates through the four-step order request wizard and submits a consignment order. The createOrderRequest service function calls logDecision with action=order_request_created and performed=true immediately after the INSERT, writing a synchronous audit row that proves the creation event. A separate decision:auto_approve_order row is written later by a delayed Restate handler once the ORDER_REQUEST_SUBMISSION_DELAY_MS grace window expires, and is therefore out of scope for this test's observation window.", "expectedAuditActions": [ "decision:order_request_created" ], "startedAt": "2026-04-23T03:34:00.791Z", "finishedAt": "2026-04-23T03:34:09.793Z", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/videos/step-02-create-order.webm" }, { "name": "Step 3: Edit order item", "status": "pass", "description": "Step 3: Edit order item", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/screenshots/step-03-order-detail.png", "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/screenshots/step-03-edit-dialog-open.png", "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/screenshots/step-03-after-edit.png" ], "explanation": "The rep opens the newly created order and edits a line item quantity during the submission grace period. The editOrderRequestItem service function calls logDecision with action=update_order_request_item and performed=true, writing a synchronous audit row immediately. This confirms that data-modification events within an order are captured inline at the point of change.", "expectedAuditActions": [ "decision:update_order_request_item" ], "startedAt": "2026-04-23T03:34:18.783Z", "finishedAt": "2026-04-23T03:34:27.866Z", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/videos/step-03-edit-order.webm" }, { "name": "Step 4: Admin login", "status": "pass", "description": "Step 4: Admin login", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/screenshots/step-04-admin-logged-in.png" ], "explanation": "The administrator (Dan Distributor) authenticates using valid credentials. The login event writes a user_log row with action=user:login to audit_events, identically to the rep's login in Step 1. This confirms that audit logging of authentication events is role-agnostic and applies uniformly to every authenticated user in the system.", "expectedAuditActions": [ "user_log:user:login" ], "startedAt": "2026-04-23T03:34:34.015Z", "finishedAt": "2026-04-23T03:34:34.015Z", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z/videos/step-04-admin-login.webm" } ], "dbValidations": [ { "name": "audit_events table has the expected schema", "query": "SELECT column_name\n FROM information_schema.columns\n WHERE table_schema = 'public' AND table_name = 'audit_events'", "status": "pass", "rows": [ { "column_name": "id" }, { "column_name": "organization_id" }, { "column_name": "user_id" }, { "column_name": "contact_id" }, { "column_name": "event_type" }, { "column_name": "action" }, { "column_name": "object_id" }, { "column_name": "secondary_object_id" }, { "column_name": "payload" }, { "column_name": "route" }, { "column_name": "trace_id" }, { "column_name": "created_at" }, { "column_name": "url" } ], "assertion": "Table public.audit_events should expose at least: id, organization_id, user_id, event_type, action, object_id, payload, created_at" }, { "name": "rep login was audited (Bob)", "query": "SELECT id, action, event_type, user_id, organization_id, payload, created_at\n FROM audit_events\n WHERE created_at >= $1\n AND user_id = $2\n AND event_type = 'user_log'\n AND action = 'user:login'\n ORDER BY created_at ASC", "status": "pass", "rows": [ { "id": "019db866-a1e2-73ee-bf1e-5bfc0b686ebb", "action": "user:login", "event_type": "user_log", "user_id": "17b8c9d0-e1f2-3456-1234-567890123456", "organization_id": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "payload": { "email": "bob.kauffman@stellartech.com" }, "created_at": "2026-04-23T03:33:47.125Z" }, { "id": "019db866-b84a-7f91-812b-12bc026210a4", "action": "user:login", "event_type": "user_log", "user_id": "17b8c9d0-e1f2-3456-1234-567890123456", "organization_id": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "payload": { "email": "bob.kauffman@stellartech.com" }, "created_at": "2026-04-23T03:33:52.868Z" }, { "id": "019db867-063a-74c5-bcd5-b130710b67df", "action": "user:login", "event_type": "user_log", "user_id": "17b8c9d0-e1f2-3456-1234-567890123456", "organization_id": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "payload": { "email": "bob.kauffman@stellartech.com" }, "created_at": "2026-04-23T03:34:12.860Z" } ], "assertion": "Bob logging in should produce at least one user_log row with action=user:login." }, { "name": "admin login was audited (Dan)", "query": "SELECT id, action, event_type, user_id, organization_id, payload, created_at\n FROM audit_events\n WHERE created_at >= $1\n AND user_id = $2\n AND event_type = 'user_log'\n AND action = 'user:login'\n ORDER BY created_at ASC", "status": "pass", "rows": [ { "id": "019db867-4bb5-7c84-90d3-9b92568a3a0c", "action": "user:login", "event_type": "user_log", "user_id": "c3d4e5f6-a7b8-9012-cdef-123456789012", "organization_id": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "payload": { "email": "dan.distributor@stellartech.com" }, "created_at": "2026-04-23T03:34:30.584Z" } ], "assertion": "Dan logging in should produce at least one user_log row with action=user:login." }, { "name": "order_request_created decision was audited for Bob", "query": "SELECT id, action, event_type, user_id, object_id, payload, created_at\n FROM audit_events\n WHERE created_at >= $1\n AND user_id = $2\n AND event_type = 'decision'\n AND action = 'order_request_created'\n ORDER BY created_at DESC", "status": "pass", "rows": [ { "id": "019db866-ec10-70ce-9fbb-9d8adb4fd3c8", "action": "order_request_created", "event_type": "decision", "user_id": "17b8c9d0-e1f2-3456-1234-567890123456", "object_id": "019db866-ec0e-7dfd-a59c-a8ac170acf9a", "payload": { "reason": "Order request OR-1 created (importSource=manual)", "priority": "normal", "itemCount": 1, "orderType": "consignment", "performed": true, "entityType": "order_request", "importSource": "manual", "requestNumber": "OR-1", "resolvedLocationId": "6ea3b4c5-d6e7-8901-6789-012345678901", "resolvedSalesAccountId": "fea7b8c9-d0e1-2345-0123-456789012345", "fulfillingOrganizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "requestingOrganizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901" }, "created_at": "2026-04-23T03:34:06.055Z" } ], "assertion": "Creating an order request should produce a decision audit_events row with action=order_request_created for the acting user." }, { "name": "update_order_request_item decision was audited for Bob", "query": "SELECT id, action, event_type, user_id, object_id, payload, created_at\n FROM audit_events\n WHERE created_at >= $1\n AND user_id = $2\n AND event_type = 'decision'\n AND action = 'update_order_request_item'\n ORDER BY created_at DESC", "status": "pass", "rows": [ { "id": "019db867-2a9e-76ae-b9d4-6cda90b3cdb1", "action": "update_order_request_item", "event_type": "decision", "user_id": "17b8c9d0-e1f2-3456-1234-567890123456", "object_id": "019db866-ec0e-7dfd-a59c-a8ac170acf9a", "payload": { "reason": "Item quantity or notes updated during the submission grace period", "performed": true, "entityType": "order_request" }, "created_at": "2026-04-23T03:34:22.008Z" } ], "assertion": "Editing an order item should produce a decision audit_events row with action=update_order_request_item for the acting user." }, { "name": "audit rows for Bob have required fields populated", "query": "SELECT id,\n (event_type IS NULL) AS missing_event_type,\n (organization_id IS NULL) AS missing_org\n FROM audit_events\n WHERE created_at >= $1\n AND user_id = $2\n AND (\n event_type IS NULL OR\n organization_id IS NULL\n )", "status": "pass", "rows": [], "assertion": "Every audit_events row for Bob during the run should have non-null event_type and organization_id. (`created_at` is NOT NULL by schema constraint.)" }, { "name": "no audit rows leaked to other organizations (test actors only)", "query": "SELECT id, organization_id, user_id, event_type, action, created_at\n FROM audit_events\n WHERE created_at >= $1\n AND user_id = ANY($2::uuid[])\n AND organization_id <> ALL($3::uuid[])", "status": "pass", "rows": [], "assertion": "Audit rows written during the run by the test actors (Bob, Dan, Ryan) must belong to one of the demo organizations (ZuriMED or StellarTech)." } ], "overallStatus": "pass", "outputDir": "/Users/jason/projects/casecohort/code/validation_test_results/urs-003-audit-log-tracking/2026-04-23T03-33-42-353Z", "auditStartTime": "2026-04-23T03:33:40.539Z", "auditEventEvidence": [ { "createdAt": "2026-04-23T03:33:47.125Z", "eventType": "user_log", "action": "user:login", "userEmail": "bob.kauffman@stellartech.com", "userId": "17b8c9d0-e1f2-3456-1234-567890123456", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "bob.kauffman@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:33:52.868Z", "eventType": "user_log", "action": "user:login", "userEmail": "bob.kauffman@stellartech.com", "userId": "17b8c9d0-e1f2-3456-1234-567890123456", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "bob.kauffman@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:34:06.055Z", "eventType": "decision", "action": "order_request_created", "userEmail": "bob.kauffman@stellartech.com", "userId": "17b8c9d0-e1f2-3456-1234-567890123456", "organizationName": "ZuriMED", "organizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "objectId": "019db866-ec0e-7dfd-a59c-a8ac170acf9a", "secondaryObjectId": null, "payload": { "reason": "Order request OR-1 created (importSource=manual)", "priority": "normal", "itemCount": 1, "orderType": "consignment", "performed": true, "entityType": "order_request", "importSource": "manual", "requestNumber": "OR-1", "resolvedLocationId": "6ea3b4c5-d6e7-8901-6789-012345678901", "resolvedSalesAccountId": "fea7b8c9-d0e1-2345-0123-456789012345", "fulfillingOrganizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "requestingOrganizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901" }, "route": null, "traceId": null }, { "createdAt": "2026-04-23T03:34:12.860Z", "eventType": "user_log", "action": "user:login", "userEmail": "bob.kauffman@stellartech.com", "userId": "17b8c9d0-e1f2-3456-1234-567890123456", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "bob.kauffman@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:34:22.008Z", "eventType": "decision", "action": "reevaluate_order_request_issues", "userEmail": "bob.kauffman@stellartech.com", "userId": "17b8c9d0-e1f2-3456-1234-567890123456", "organizationName": "ZuriMED", "organizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "objectId": "019db866-ec0e-7dfd-a59c-a8ac170acf9a", "secondaryObjectId": null, "payload": { "reason": "Order request issues were unchanged after an edit", "performed": false, "entityType": "order_request" }, "route": null, "traceId": null }, { "createdAt": "2026-04-23T03:34:22.008Z", "eventType": "decision", "action": "update_order_request_item", "userEmail": "bob.kauffman@stellartech.com", "userId": "17b8c9d0-e1f2-3456-1234-567890123456", "organizationName": "ZuriMED", "organizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "objectId": "019db866-ec0e-7dfd-a59c-a8ac170acf9a", "secondaryObjectId": null, "payload": { "reason": "Item quantity or notes updated during the submission grace period", "performed": true, "entityType": "order_request" }, "route": null, "traceId": null }, { "createdAt": "2026-04-23T03:34:30.584Z", "eventType": "user_log", "action": "user:login", "userEmail": "dan.distributor@stellartech.com", "userId": "c3d4e5f6-a7b8-9012-cdef-123456789012", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "dan.distributor@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" } ], "auditQuery": "SELECT\n ae.created_at,\n ae.event_type,\n ae.action,\n ae.user_id,\n u.email AS user_email,\n ae.organization_id,\n o.name AS organization_name,\n ae.object_id,\n ae.secondary_object_id,\n ae.payload,\n ae.route,\n ae.trace_id\n FROM audit_events ae\n LEFT JOIN users u ON u.id = ae.user_id\n LEFT JOIN organizations o ON o.id = ae.organization_id\n WHERE ae.created_at >= $1\n AND ae.organization_id = ANY($2::uuid[])\n ORDER BY ae.created_at ASC", "auditAssertions": [ { "stepName": "Step 1: Rep login", "expectedAction": "user_log:user:login", "found": true }, { "stepName": "Step 2: Create order", "expectedAction": "decision:order_request_created", "found": true }, { "stepName": "Step 3: Edit order item", "expectedAction": "decision:update_order_request_item", "found": true }, { "stepName": "Step 4: Admin login", "expectedAction": "user_log:user:login", "found": true } ], "emailAssertions": [] }