feat: add security agent audit log backend for SOC2 compliance

[jeanduplessis]

Summary

• Add an append-only security_audit_log table with XOR ownership (org or user), SecurityAuditLogAction enum enforced at the DB level via enumCheck, and a fire-and-forget logSecurityAudit service
• Integrate audit log calls into all security agent mutations (saveConfig, setEnabled, triggerSync, dismissFinding, startAnalysis, deleteFindingsByRepository, autoDismissEligible) in both personal and org routers, plus backend services (auto-dismiss, cron sync, analysis callback)
• Add tRPC query routers for both personal and org contexts with list (cursor-based pagination, filtering by action/actor/resource/date range/fuzzy search on metadata), getSummary, getActionTypes, and export (CSV/JSON, capped at 10k rows)
• Update softDeleteUser to anonymize actor PII on org-owned audit rows (user-owned rows cascade-delete via FK), with corresponding test
• UI component is not included in this PR (backend only)

Actions Logged

Action	Resource Type	Trigger
security.finding.dismissed	security_finding	Manual finding dismissal
security.finding.auto_dismissed	security_finding	Auto-dismiss by triage/sandbox
security.finding.analysis_started	security_finding	AI analysis triggered
security.finding.analysis_completed	security_finding	AI analysis finished
security.finding.deleted	security_finding	Findings deleted by repository
security.config.enabled	agent_config	Security agent enabled
security.config.disabled	agent_config	Security agent disabled
security.config.updated	agent_config	Settings changed (with before/after state)
security.sync.triggered	agent_config	Manual sync triggered
security.sync.completed	agent_config	Sync completed (cron)
security.audit_log.exported	audit_log	Audit log exported

Test Plan

• Schema enum snapshot test updated for SecurityAuditLogAction
• GDPR test: verifies softDeleteUser anonymizes actor_email/actor_name on org-owned security audit log rows while preserving actor_id and action
• pnpm typecheck passes clean

[kiloconnect]

Code Review Summary

Status: No New Issues Found | Recommendation: Address existing comments before merge

All significant issues have already been identified by prior reviewers. The existing inline comments cover:

Severity	Count
WARNING	4
SUGGESTION	4

Existing Issues (already commented)

WARNING

File	Line	Issue
src/routers/organizations/organization-security-audit-log-router.ts	204	Kilo admin actor masking missing from export audit log entry
src/routers/security-audit-log-router.ts	N/A	Personal audit log router missing Kilo admin masking
src/routers/organizations/organization-security-audit-log-router.ts	120	Pagination bug when using after cursor
src/routers/security-audit-log-router.ts	113	Same pagination bug as the org router

SUGGESTION

File	Line	Issue
src/routers/organizations/organization-security-agent-router.ts	231	before_state/after_state omit SLA fields
src/routers/security-agent-router.ts	211	Same — before_state/after_state omit SLA fields
src/routers/organizations/organization-security-audit-log-router.ts	N/A	export uses .select() (all columns)
src/routers/security-audit-log-router.ts	N/A	Same — export uses .select() (all columns)

Review Notes

What looks good

• GDPR compliance: security_audit_log is already handled in softDeleteUser (src/lib/user.ts) with actor PII anonymization, and tested in src/lib/user.test.ts
• Fire-and-forget pattern: logSecurityAudit correctly catches errors and reports to Sentry without blocking the main operation
• Schema design: XOR ownership constraint, enum check constraint, and proper indexing on the security_audit_log table
• Input validation: Zod schemas properly validate all inputs including datetime strings, enum values, and string length limits
• LIKE injection prevention: fuzzySearch correctly escapes %, _, and \ for LIKE pattern semantics
• Admin masking: maskKiloAdminActors properly hides internal admin details from non-admin users in both list and export endpoints
• rethrowAsPaymentRequired refactor: The try/catch restructuring in startAnalysis is correct — rethrowAsPaymentRequired returns never so TypeScript flow analysis works properly

Minor observations (not blocking)

• The fuzzySearch ILIKE on metadata::text will perform a sequential scan since JSONB-to-text casts can't use btree indexes. Consider a GIN index with gin_trgm_ops if this becomes a performance concern at scale.
• CSV export double-quotes all fields which provides basic protection against formula injection in spreadsheets, though a defense-in-depth approach could prefix formula-triggering characters (=, +, -, @) with a tab character.

Files Reviewed (10 files)

• src/app/api/internal/security-analysis-callback/[findingId]/route.ts - 0 new issues
• src/db/migrations/0027_unknown_shiva.sql - 0 new issues (migration)
• src/db/migrations/meta/0027_snapshot.json - 0 new issues (generated)
• src/db/schema.ts - 0 new issues
• src/lib/security-agent/core/enums.ts - 0 new issues
• src/lib/security-agent/services/audit-log-service.ts - 0 new issues
• src/routers/organizations/organization-security-agent-router.ts - 0 new issues
• src/routers/organizations/organization-security-audit-log-router.ts - 0 new issues
• src/routers/security-agent-router.ts - 0 new issues
• src/routers/security-audit-log-router.ts - 0 new issues

Fix these issues in Kilo Cloud