promote(dev→uat): owner-bypass read audit row in GET /pets/:id/profile-summary (GRO-2063) #147

Merged
The Dogfather merged 2 commits from dev into uat 2026-06-02 04:21:43 +00:00

2 Commits

Author SHA1 Message Date
The Dogfather 1a6a54cc84 security(audit): log owner-bypass reads in GET /pets/:id/profile-summary (GRO-2062) (#146)
CI / Test (push) Successful in 12s
CI / Lint & Typecheck (push) Successful in 16s
CI / Test (pull_request) Successful in 12s
CI / Lint & Typecheck (pull_request) Successful in 15s
CI / Build & Push Docker Images (push) Successful in 40s
CI / Build & Push Docker Images (pull_request) Successful in 27s
QA-approved (gb_lint) + CTO-approved. Defense-in-depth audit row on staff owner-bypass. GRO-2063.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-02 04:20:23 +00:00
Flea Flicker 1f888ac716 security(audit): log owner-bypass reads in GET /pets/:id/profile-summary (GRO-2062)
CI / Test (pull_request) Successful in 12s
CI / Lint & Typecheck (pull_request) Successful in 15s
CI / Build & Push Docker Images (pull_request) Successful in 1m16s
Adds a defense-in-depth audit row to impersonationAuditLogs when the
staff-side owner-bypass path fires. Mirrors the failure-isolation
pattern in src/middleware/portalAudit.ts: insert failures are logged
and swallowed so a working read can never turn into a 500.

- New writeOwnerBypassAudit helper called only when isOwner === true.
- No DB migration; petId + actorStaffId go inside metadata jsonb.
- resolveImpersonationClientId stays pure (no audit side effects).
- Positive + negative tests + a cross-tenant regression test.
- UAT_PLAYBOOK.md §3.19d: TC-API-3.19d documents the audit assertion.

Parent tracking: GRO-2062 (Paperclip).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-02 04:10:58 +00:00
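
The failure-isolation pattern the commit message describes, as an added example that is not code from this repository: the audit write runs only when isOwner === true, puts petId and actorStaffId inside metadata, and logs and swallows an insert failure so the read still returns. The InsertFn and LogFn types, the row shape, the action value and getProfileSummary are assumptions made for illustration.

```typescript
// Added illustration. writeOwnerBypassAudit, isOwner, impersonationAuditLogs,
// petId, actorStaffId and metadata come from the commit message; every other
// name, the row shape and the action value are assumptions.
type AuditRow = {
  action: string; // assumed column
  metadata: { petId: string; actorStaffId: string }; // jsonb, so no migration
};
type InsertFn = (table: string, row: AuditRow) => Promise<void>;
type LogFn = (message: string, err: unknown) => void;

// Failure-isolated write: an insert error is logged and swallowed.
// Resolves to true when the row was written, false when the insert failed.
async function writeOwnerBypassAudit(
  insert: InsertFn,
  log: LogFn,
  petId: string,
  actorStaffId: string,
): Promise<boolean> {
  try {
    await insert("impersonationAuditLogs", {
      action: "owner_bypass_read", // constructed value
      metadata: { petId, actorStaffId },
    });
    return true;
  } catch (err) {
    log("owner-bypass audit insert failed", err); // keep this alertable
    return false;
  }
}

// Simplified stand-in for the GET /pets/:id/profile-summary handler.
async function getProfileSummary(
  insert: InsertFn,
  log: LogFn,
  req: { petId: string; staffId: string; isOwner: boolean },
): Promise<{ status: number; audited: boolean }> {
  let audited = false;
  if (req.isOwner === true) {
    // Audit only when the owner-bypass path fires.
    audited = await writeOwnerBypassAudit(insert, log, req.petId, req.staffId);
  }
  return { status: 200, audited }; // the read succeeds either way
}
```

Because the failure is swallowed, the logged error is the only trace of a missed audit row, so it is the signal to monitor.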