// Add a new audit log event in `front`. Use when instrumenting a new user or system action for WorkOS audit logging, including schema creation, `AuditAction` updates, and the correct emit call after the mutation path.
Step-by-step guide for adding support for a new LLM in Dust. Use when adding a new model, or updating a previous one.
Implement a new built-in webhook source provider in `front`. Use when adding a webhook provider such as Linear, GitHub, or Fathom, including provider research, OAuth prerequisites, provider-specific types and client code, preset registration, UI components, and end-to-end testing.
Write and refactor React forms using react-hook-form with Zod validation. Use when creating new form components, converting existing forms to react-hook-form, or implementing form validation patterns.
Writes React components without unnecessary useEffect. Use when creating/reviewing React components, refactoring effects, or when code uses useEffect to transform data or handle events.
Step-by-step guide for creating new internal MCP server integrations in Dust that connect to remote platforms (Jira, HubSpot, Salesforce, etc.). Use when adding a new MCP server, implementing a platform integration, or connecting Dust to a new external service.
Create, migrate, or query Elasticsearch indices in `front`. Use when adding a new front Elasticsearch index, changing mappings or settings, wiring indexing logic, or exposing Elasticsearch-backed analytics/search endpoints.
| name | dust-audit-log-event |
| description | Add a new audit log event in `front`. Use when instrumenting a new user or system action for WorkOS audit logging, including schema creation, `AuditAction` updates, and the correct emit call after the mutation path. |
Add audit events in front by creating the schema, registering the action string, and emitting the
event from the correct success or failure path. The goal is to produce a valid WorkOS event without
blocking the request path.
Before editing code, determine:
<resource>.<verb>Create front/admin/audit_log_schemas/<action>.json.
Rules:
targets should start with { "type": "workspace" } unless the event truly has no workspace
contextuser, space, trigger, tool,
agent, or api_keymetadata is optional, but every metadata value must be declared as "string"[AUDIT9])Example shape:
{
"action": "resource.verb",
"targets": [
{ "type": "workspace" },
{ "type": "resource" }
],
"metadata": {
"field_name": "string"
}
}
Update front/lib/api/audit/workos_audit.ts:
AuditAction unionEmit after the mutation succeeds unless the event explicitly represents failure.
For request-driven actions with an Authenticator, use:
emitAuditLogEventbuildWorkspaceTargetgetAuditLogContextPattern:
void emitAuditLogEvent({
auth,
action: "resource.verb",
targets: [
buildWorkspaceTarget(auth.getNonNullableWorkspace()),
{ type: "resource", id: resource.sId, name: resource.name },
],
context: getAuditLogContext(auth, req),
metadata: {
field_name: String(value),
},
});
For system-driven actions such as Temporal or inbound webhooks, use emitAuditLogEventDirect
with an explicit system actor:
void emitAuditLogEventDirect({
workspace,
action: "resource.verb",
actor: { type: "system", id: "temporal", name: "Directory Sync" },
targets: [buildWorkspaceTarget(workspace)],
context: { location: "internal" },
});
For non-HTTP code paths where you know the user but do not already have an Authenticator, create
one with Authenticator.fromUserIdAndWorkspaceId(...) and then use emitAuditLogEvent(...).
Use void, not await, for audit emission. Audit logging should not block the main write path.
WorkOS drops events whose schemas were never registered. After the PR is merged and before deploy, run one of:
npx tsx front/admin/register_audit_log_schemas.ts --changed
npx tsx front/admin/register_audit_log_schemas.ts --execute --changed
npx tsx front/admin/register_audit_log_schemas.ts --execute user.login api_key.created
Check all of the following:
front/admin/audit_log_schemas/<action>.jsonAuditActiontargets start with the workspace target when a workspace existsString(...) when neededgetAuditLogContext(auth, req) when req is availablevoidregister_audit_log_schemas.ts --execute --changed must be run after merge and before deployfront/lib/api/audit/workos_audit.tsfront/admin/audit_log_schemas/front/CODING_RULES.md entries [AUDIT1] through [AUDIT10]