feat(core): Phase 55 — Audit Log system-wide activity trail

claude · claude · commit a24c6a87c3c0 · 2026-06-04T07:01:14.000Z
https://claude.ai/code/session_01RdUGwo74JXChRCF88Yu27d
diff --git a/erp/app/Modules/Core/Http/Controllers/AuditLogController.php b/erp/app/Modules/Core/Http/Controllers/AuditLogController.php
@@ -0,0 +1,63 @@
+<?php
+
+namespace App\Modules\Core\Http\Controllers;
+
+use App\Modules\Core\Models\AuditLog;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+use Inertia\Inertia;
+use Inertia\Response;
+
+class AuditLogController extends Controller
+{
+    public function index(Request $request): Response
+    {
+        // Only super-admin can view the cross-tenant audit log
+        if (! $request->user()->hasRole('super-admin')) {
+            abort(403);
+        }
+
+        $query = AuditLog::with('user')
+            ->orderByDesc('created_at');
+
+        if ($event = $request->query('event')) {
+            $query->where('event', $event);
+        }
+
+        if ($userId = $request->query('user_id')) {
+            $query->where('user_id', $userId);
+        }
+
+        if ($auditableType = $request->query('auditable_type')) {
+            $query->where('auditable_type', 'like', "%{$auditableType}%");
+        }
+
+        if ($tenantId = $request->query('tenant_id')) {
+            $query->where('tenant_id', $tenantId);
+        }
+
+        if ($dateFrom = $request->query('date_from')) {
+            $query->whereDate('created_at', '>=', $dateFrom);
+        }
+
+        if ($dateTo = $request->query('date_to')) {
+            $query->whereDate('created_at', '<=', $dateTo);
+        }
+
+        $logs = $query->paginate(30)->withQueryString();
+
+        $filters = $request->only([
+            'event',
+            'user_id',
+            'auditable_type',
+            'tenant_id',
+            'date_from',
+            'date_to',
+        ]);
+
+        return Inertia::render('Core/AuditLogs/Index', [
+            'logs'    => $logs,
+            'filters' => $filters,
+        ]);
+    }
+}
diff --git a/erp/app/Modules/Core/Models/AuditLog.php b/erp/app/Modules/Core/Models/AuditLog.php
@@ -10,6 +10,8 @@ class AuditLog extends Model
 {
     public const UPDATED_AT = null;
 
+    public $timestamps = false;
+
     protected $fillable = [
         'user_id',
         'tenant_id',
@@ -20,11 +22,13 @@ class AuditLog extends Model
         'new_values',
         'ip_address',
         'user_agent',
+        'created_at',
     ];
 
     protected $casts = [
-        'old_values' => 'array',
-        'new_values' => 'array',
+        'old_values'  => 'array',
+        'new_values'  => 'array',
+        'created_at'  => 'datetime',
     ];
 
     public function auditable(): MorphTo
@@ -41,4 +45,35 @@ public function tenant(): BelongsTo
     {
         return $this->belongsTo(Tenant::class);
     }
+
+    /**
+     * Record an audit log entry.
+     *
+     * @param  string       $event
+     * @param  Model|null   $auditable
+     * @param  array        $oldValues
+     * @param  array        $newValues
+     * @param  int|null     $tenantId
+     * @return static
+     */
+    public static function record(
+        string $event,
+        ?Model $auditable = null,
+        array $oldValues = [],
+        array $newValues = [],
+        ?int $tenantId = null
+    ): static {
+        return static::create([
+            'user_id'        => auth()->id(),
+            'tenant_id'      => $tenantId,
+            'event'          => $event,
+            'auditable_type' => $auditable ? get_class($auditable) : null,
+            'auditable_id'   => $auditable?->getKey(),
+            'old_values'     => $oldValues ?: null,
+            'new_values'     => $newValues ?: null,
+            'ip_address'     => request()->ip(),
+            'user_agent'     => request()->userAgent(),
+            'created_at'     => now(),
+        ]);
+    }
 }
diff --git a/erp/app/Modules/Core/Traits/Auditable.php b/erp/app/Modules/Core/Traits/Auditable.php
@@ -0,0 +1,45 @@
+<?php
+
+namespace App\Modules\Core\Traits;
+
+use App\Modules\Core\Models\AuditLog;
+
+trait Auditable
+{
+    public static function bootAuditable(): void
+    {
+        static::created(function ($model) {
+            AuditLog::record(
+                'created',
+                $model,
+                [],
+                $model->getDirty(),
+                $model->tenant_id ?? null
+            );
+        });
+
+        static::updated(function ($model) {
+            $dirty = $model->getDirty();
+            if (empty($dirty)) {
+                return;
+            }
+            AuditLog::record(
+                'updated',
+                $model,
+                $model->getOriginal(),
+                $dirty,
+                $model->tenant_id ?? null
+            );
+        });
+
+        static::deleted(function ($model) {
+            AuditLog::record(
+                'deleted',
+                $model,
+                $model->toArray(),
+                [],
+                $model->tenant_id ?? null
+            );
+        });
+    }
+}
diff --git a/erp/database/migrations/2026_06_15_100001_make_audit_log_auditable_nullable.php b/erp/database/migrations/2026_06_15_100001_make_audit_log_auditable_nullable.php
@@ -0,0 +1,37 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        // SQLite does not support ALTER COLUMN, so we recreate the table
+        Schema::drop('audit_logs');
+
+        Schema::create('audit_logs', function (Blueprint $table) {
+            $table->id();
+            $table->foreignId('user_id')->nullable()->constrained()->nullOnDelete();
+            $table->unsignedBigInteger('tenant_id')->nullable();
+            $table->string('event', 64);
+            $table->string('auditable_type')->nullable();
+            $table->unsignedBigInteger('auditable_id')->nullable();
+            $table->json('old_values')->nullable();
+            $table->json('new_values')->nullable();
+            $table->ipAddress('ip_address')->nullable();
+            $table->string('user_agent')->nullable();
+            $table->timestamp('created_at')->useCurrent();
+
+            $table->index(['auditable_type', 'auditable_id']);
+            $table->index(['user_id', 'created_at']);
+            $table->index('tenant_id');
+        });
+    }
+
+    public function down(): void
+    {
+        // No rollback needed for test env
+    }
+};
diff --git a/erp/database/seeders/RolePermissionSeeder.php b/erp/database/seeders/RolePermissionSeeder.php
@@ -17,6 +17,7 @@ class RolePermissionSeeder extends Seeder
         'users.delete'  => ['super-admin'],
         'roles.manage'  => ['super-admin'],
         'tenants.manage' => ['super-admin'],
+        'audit.view'    => ['super-admin'],
 
         // Inventory
         'inventory.view'   => ['super-admin', 'admin', 'manager', 'staff'],
diff --git a/erp/resources/js/Pages/Core/AuditLogs/Index.tsx b/erp/resources/js/Pages/Core/AuditLogs/Index.tsx
@@ -0,0 +1,161 @@
+import { Head, Link, useForm } from '@inertiajs/react';
+import AppLayout from '@/Layouts/AppLayout';
+import type { PageProps } from '@/types';
+import type { Paginator } from '@/types/inventory';
+import type { AuditLog } from '@/types/audit';
+
+interface Props extends PageProps {
+    logs: Paginator<AuditLog>;
+    filters: {
+        event?: string;
+        user_id?: string;
+        auditable_type?: string;
+        tenant_id?: string;
+        date_from?: string;
+        date_to?: string;
+    };
+}
+
+const EVENT_COLORS: Record<string, string> = {
+    created:  'bg-green-100 text-green-700',
+    updated:  'bg-blue-100 text-blue-700',
+    deleted:  'bg-red-100 text-red-700',
+    login:    'bg-slate-100 text-slate-700',
+    logout:   'bg-slate-100 text-slate-700',
+};
+
+function shortType(type: string | null): string {
+    if (!type) return '—';
+    return type.split('\\').pop() ?? type;
+}
+
+export default function AuditLogsIndex({ logs, filters }: Props) {
+    const { data, setData, get } = useForm({
+        event:          filters.event ?? '',
+        auditable_type: filters.auditable_type ?? '',
+        date_from:      filters.date_from ?? '',
+        date_to:        filters.date_to ?? '',
+    });
+
+    function applyFilter(e: React.FormEvent) {
+        e.preventDefault();
+        get('/audit-logs');
+    }
+
+    const hasFilters = Object.values(filters).some(Boolean);
+
+    return (
+        <AppLayout>
+            <Head title="Audit Log" />
+            <div className="space-y-6">
+                <div>
+                    <h1 className="text-2xl font-semibold text-slate-900">Audit Log</h1>
+                    <p className="text-sm text-slate-500 mt-1">System-wide activity trail — {logs.total} entries</p>
+                </div>
+
+                <form onSubmit={applyFilter} className="flex flex-wrap items-end gap-3 rounded-lg border border-slate-200 bg-white p-4 shadow-sm">
+                    <div>
+                        <label className="block text-xs font-medium text-slate-500 mb-1">Event</label>
+                        <select value={data.event} onChange={(e) => setData('event', e.target.value)}
+                            className="rounded-md border border-slate-300 px-3 py-1.5 text-sm focus:border-indigo-500 focus:outline-none">
+                            <option value="">All events</option>
+                            <option value="created">Created</option>
+                            <option value="updated">Updated</option>
+                            <option value="deleted">Deleted</option>
+                            <option value="login">Login</option>
+                        </select>
+                    </div>
+                    <div>
+                        <label className="block text-xs font-medium text-slate-500 mb-1">Model Type</label>
+                        <input type="text" placeholder="e.g. Invoice" value={data.auditable_type}
+                            onChange={(e) => setData('auditable_type', e.target.value)}
+                            className="rounded-md border border-slate-300 px-3 py-1.5 text-sm focus:border-indigo-500 focus:outline-none w-36" />
+                    </div>
+                    <div>
+                        <label className="block text-xs font-medium text-slate-500 mb-1">From</label>
+                        <input type="date" value={data.date_from} onChange={(e) => setData('date_from', e.target.value)}
+                            className="rounded-md border border-slate-300 px-3 py-1.5 text-sm focus:border-indigo-500 focus:outline-none" />
+                    </div>
+                    <div>
+                        <label className="block text-xs font-medium text-slate-500 mb-1">To</label>
+                        <input type="date" value={data.date_to} onChange={(e) => setData('date_to', e.target.value)}
+                            className="rounded-md border border-slate-300 px-3 py-1.5 text-sm focus:border-indigo-500 focus:outline-none" />
+                    </div>
+                    <button type="submit"
+                        className="rounded-md bg-indigo-600 px-4 py-1.5 text-sm font-medium text-white hover:bg-indigo-700">
+                        Filter
+                    </button>
+                    {hasFilters && (
+                        <Link href="/audit-logs" className="text-sm text-slate-500 hover:text-slate-700">Clear</Link>
+                    )}
+                </form>
+
+                <div className="rounded-lg border border-slate-200 bg-white shadow-sm overflow-hidden">
+                    <table className="w-full text-sm">
+                        <thead className="bg-slate-50 text-xs text-slate-500 uppercase border-b border-slate-200">
+                            <tr>
+                                <th className="px-4 py-2 text-left font-medium">Time</th>
+                                <th className="px-4 py-2 text-left font-medium">User</th>
+                                <th className="px-4 py-2 text-left font-medium">Event</th>
+                                <th className="px-4 py-2 text-left font-medium">Model</th>
+                                <th className="px-4 py-2 text-left font-medium">ID</th>
+                                <th className="px-4 py-2 text-left font-medium">Changes</th>
+                                <th className="px-4 py-2 text-left font-medium">IP</th>
+                            </tr>
+                        </thead>
+                        <tbody className="divide-y divide-slate-50">
+                            {logs.data.length === 0 ? (
+                                <tr><td colSpan={7} className="px-4 py-8 text-center text-slate-400">No audit entries found.</td></tr>
+                            ) : logs.data.map((entry) => (
+                                <tr key={entry.id} className="hover:bg-slate-50 align-top">
+                                    <td className="px-4 py-3 text-slate-500 whitespace-nowrap text-xs">
+                                        {new Date(entry.created_at).toLocaleString()}
+                                    </td>
+                                    <td className="px-4 py-3 font-medium text-slate-800">
+                                        {entry.user?.name ?? <span className="text-slate-400">System</span>}
+                                    </td>
+                                    <td className="px-4 py-3">
+                                        <span className={`inline-flex rounded-full px-2 py-0.5 text-xs font-medium ${EVENT_COLORS[entry.event] ?? 'bg-slate-100 text-slate-600'}`}>
+                                            {entry.event}
+                                        </span>
+                                    </td>
+                                    <td className="px-4 py-3 text-slate-700">{shortType(entry.auditable_type)}</td>
+                                    <td className="px-4 py-3 text-slate-500">
+                                        {entry.auditable_id ? `#${entry.auditable_id}` : '—'}
+                                    </td>
+                                    <td className="px-4 py-3 max-w-xs">
+                                        {(entry.new_values && Object.keys(entry.new_values).length > 0) ? (
+                                            <details className="text-xs">
+                                                <summary className="cursor-pointer text-indigo-600 hover:underline">View changes</summary>
+                                                <pre className="mt-1 bg-slate-50 rounded p-2 text-slate-600 overflow-x-auto text-xs max-h-32">
+                                                    {JSON.stringify({ old: entry.old_values, new: entry.new_values }, null, 2)}
+                                                </pre>
+                                            </details>
+                                        ) : '—'}
+                                    </td>
+                                    <td className="px-4 py-3 text-xs text-slate-400">{entry.ip_address ?? '—'}</td>
+                                </tr>
+                            ))}
+                        </tbody>
+                    </table>
+                </div>
+
+                {logs.last_page > 1 && (
+                    <div className="flex justify-center gap-2">
+                        {logs.prev_page_url && (
+                            <Link href={logs.prev_page_url} className="rounded-md border border-slate-300 px-3 py-1.5 text-sm text-slate-600 hover:bg-slate-50">
+                                &larr; Previous
+                            </Link>
+                        )}
+                        <span className="px-3 py-1.5 text-sm text-slate-500">Page {logs.current_page} of {logs.last_page}</span>
+                        {logs.next_page_url && (
+                            <Link href={logs.next_page_url} className="rounded-md border border-slate-300 px-3 py-1.5 text-sm text-slate-600 hover:bg-slate-50">
+                                Next &rarr;
+                            </Link>
+                        )}
+                    </div>
+                )}
+            </div>
+        </AppLayout>
+    );
+}
diff --git a/erp/resources/js/types/audit.ts b/erp/resources/js/types/audit.ts
@@ -0,0 +1,14 @@
+export interface AuditLog {
+    id: number;
+    tenant_id: number | null;
+    user_id: number | null;
+    event: string;
+    auditable_type: string | null;
+    auditable_id: number | null;
+    old_values: Record<string, unknown> | null;
+    new_values: Record<string, unknown> | null;
+    ip_address: string | null;
+    user_agent: string | null;
+    created_at: string;
+    user?: { id: number; name: string } | null;
+}
diff --git a/erp/routes/web.php b/erp/routes/web.php
diff --git a/erp/tests/Feature/Core/AuditLogControllerTest.php b/erp/tests/Feature/Core/AuditLogControllerTest.php
