菜单
Add a new audit log event in `front`. Use when instrumenting a new user or system action for WorkOS audit logging, including schema creation, `AuditAction` updates, and the correct emit call after the mutation path.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Implement a new LLM endpoint class (provider/api/region/model) in the `model_constructors` router with the integration test harness, test-first. Use when adding a stream (or batch) endpoint class for a model on a specific provider API + region during the LLM router refactoring.
Step-by-step guide for creating new internal MCP server integrations in Dust that connect to remote platforms (Jira, HubSpot, Salesforce, etc.). Use when adding a new MCP server, implementing a platform integration, or connecting Dust to a new external service.
Step-by-step guide for adding support for a new LLM in Dust. Use when adding a new model, or updating a previous one.
Step-by-step guide for creating and running SQL schema migrations in `front` or `connectors` using the `npm run migration:*` tooling (pg-schema-diff + Umzug). Use when adding or removing columns, tables, or indexes that require a coordinated deploy.
Implement a new built-in webhook source provider in `front`. Use when adding a webhook provider such as Linear, GitHub, or Fathom, including provider research, OAuth prerequisites, provider-specific types and client code, preset registration, UI components, and end-to-end testing.
Write and refactor React forms using react-hook-form with Zod validation. Use when creating new form components, converting existing forms to react-hook-form, or implementing form validation patterns.
| name | dust-audit-log-event |
| description | Add a new audit log event in `front`. Use when instrumenting a new user or system action for WorkOS audit logging, including schema creation, `AuditAction` updates, and the correct emit call after the mutation path. |
Add audit events in front by creating the schema, registering the action string, and emitting the
event from the correct success or failure path. The goal is to produce a valid WorkOS event without
blocking the request path.
Before editing code, determine:
<resource>.<verb>Create front/admin/audit_log_schemas/<action>.json.
Rules:
targets should start with { "type": "workspace" } unless the event truly has no workspace
contextuser, space, trigger, tool,
agent, or api_keymetadata is optional, but every metadata value must be declared as "string"[AUDIT9])Example shape:
{
"action": "resource.verb",
"targets": [
{ "type": "workspace" },
{ "type": "resource" }
],
"metadata": {
"field_name": "string"
}
}
Update front/lib/api/audit/workos_audit.ts:
AuditAction unionEmit after the mutation succeeds unless the event explicitly represents failure.
For request-driven actions with an Authenticator, use:
emitAuditLogEventbuildWorkspaceTargetgetAuditLogContextPattern:
void emitAuditLogEvent({
auth,
action: "resource.verb",
targets: [
buildWorkspaceTarget(auth.getNonNullableWorkspace()),
{ type: "resource", id: resource.sId, name: resource.name },
],
context: getAuditLogContext(auth, req),
metadata: {
field_name: String(value),
},
});
For system-driven actions such as Temporal or inbound webhooks, use emitAuditLogEventDirect
with an explicit system actor:
void emitAuditLogEventDirect({
workspace,
action: "resource.verb",
actor: { type: "system", id: "temporal", name: "Directory Sync" },
targets: [buildWorkspaceTarget(workspace)],
context: { location: "internal" },
});
For non-HTTP code paths where you know the user but do not already have an Authenticator, create
one with Authenticator.fromUserIdAndWorkspaceId(...) and then use emitAuditLogEvent(...).
Use void, not await, for audit emission. Audit logging should not block the main write path.
WorkOS drops events whose schemas were never registered, and validates each emitted event against the schema version we send. Register from your branch before merging, then commit the generated version map in the same PR — the same way a DB migration file ships with the code that needs it.
# Preview (dry-run) — does not touch WorkOS or the version map.
npx tsx front/admin/register_audit_log_schemas.ts --changed
# Register the new/changed schemas and write the version map.
npx tsx front/admin/register_audit_log_schemas.ts --execute --changed
# Or register specific actions.
npx tsx front/admin/register_audit_log_schemas.ts --execute user.login api_key.created
The --execute runs register the schemas with WorkOS and merge the latest version for each
registered action into front/lib/api/audit/schema_versions.json. Commit
schema_versions.json in the same PR. createAuditLogEvent reads it to send the right version
with every event; a stale or missing version causes WorkOS validation failures.
A CI test (audit_log_schemas.test.ts) fails if any AuditAction has no entry in the version map,
so a forgotten registration is caught before merge — just like a missing migration.
DangerJS also fails the PR if a schema file under front/admin/audit_log_schemas/ changed but its
version in schema_versions.json was not bumped relative to main (i.e. the registration step was
skipped). In the rare case the edit is a no-op WorkOS treats as identical (so no new version is
created), add the audit-log-ack label to override.
Check all of the following:
front/admin/audit_log_schemas/<action>.jsonAuditActiontargets start with the workspace target when a workspace existsString(...) when neededgetAuditLogContext(auth, req) when req is availablevoidregister_audit_log_schemas.ts --execute --changed must be run pre-merge and the regenerated front/lib/api/audit/schema_versions.json committed in the same PR (the audit_log_schemas.test.ts version check enforces this)front/lib/api/audit/workos_audit.tsfront/admin/audit_log_schemas/front/CODING_RULES.md entries [AUDIT1] through [AUDIT10]