From 17dd2e02bab4d00a93479eb6af1a8c6ddc0c7224 Mon Sep 17 00:00:00 2001 From: "alexei.dolgolyov" Date: Tue, 9 Jun 2026 16:35:08 +0300 Subject: [PATCH 01/13] fix: resolve comprehensive review findings (security, concurrency, perf, Android, UI) Multi-dimension review of v0.8.2. Excludes the deliberately deferred default_config.yaml weak-default-key item (C1). Backend: - calibration: create_default_calibration no longer exceeds led_count for small odd counts (bounded trim + regression test) - game-integration: generic webhook now requires auth_token; constant-time compare_digest in all adapters; per-IP failed-auth rate limit on the ingest route; auth_token encrypted at rest via secret_box (migration-safe) - playlist engine: serialize _state/_task under the lifecycle lock to close a delete-mid-play race (+ concurrency tests) - main: stop the calibration session on shutdown (restore prior target) - home_assistant: validate HA host via the LAN classifier on create/update - perf: drop slow preview-WS clients instead of blocking the send loop; cache composite full-strip resize linspaces; effect_stream lava reuses scratch Frontend: - setup/auto-calibration wizard: guard _state after awaits (cancel-safe), await session teardown before output start, busy-gate skip-calibration, manual display input keeps focus, move focus on step change - calibration: destroy EntitySelect on modal close - color-strips test: dirty-flag-gated render + cached ctx/ImageData - a11y/TV: focus-visible for new wizard/auto-cal/corner controls, aria-labels on the spatial corner/edge picker; theme-aware syntax tokens; dead/undefined CSS tokens removed; .modal-error styled; i18n titles (en/ru/zh) Android: - ApiKeyManager: EncryptedSharedPreferences with verified, data-safe legacy migration that never rotates an existing key - CaptureService: validate MediaProjection token before promoting; satisfy the startForeground 5s contract on the bail path - NotificationListener: connection-scoped executor with lazy fallback - BLE: request BLUETOOTH_SCAN/CONNECT at runtime + guard handler-thread SecurityExceptions - Root: cancellation-aware su grant probe Adds 14 tests. Gate: ruff + tsc 5.9.3 + esbuild + pytest (2185 passed) + compileDebugKotlin all green. --- android/app/build.gradle.kts | 4 + android/app/src/main/AndroidManifest.xml | 3 +- .../java/com/ledgrab/android/ApiKeyManager.kt | 122 ++++++++++++- .../java/com/ledgrab/android/BleBridge.kt | 37 +++- .../com/ledgrab/android/CaptureService.kt | 77 +++++--- .../android/LedGrabNotificationListener.kt | 99 ++++++++-- .../java/com/ledgrab/android/MainActivity.kt | 36 +++- .../src/main/java/com/ledgrab/android/Root.kt | 46 ++++- .../com/ledgrab/android/RootScreenrecord.kt | 19 +- .../java/com/ledgrab/android/ScreenCapture.kt | 8 + .../ledgrab/api/routes/game_integration.py | 78 ++++++++ .../src/ledgrab/api/routes/home_assistant.py | 21 +++ .../src/ledgrab/core/capture/calibration.py | 24 +++ server/src/ledgrab/core/devices/ddp_client.py | 9 + .../game_integration/adapters/cs2_adapter.py | 5 +- .../adapters/dota2_adapter.py | 5 +- .../adapters/generic_webhook_adapter.py | 33 +++- .../core/game_integration/mapping_adapter.py | 6 +- .../core/processing/composite_stream.py | 13 +- .../core/processing/device_test_mode.py | 22 ++- .../ledgrab/core/processing/effect_stream.py | 11 +- .../core/processing/wled_target_processor.py | 13 +- .../ledgrab/core/scenes/playlist_engine.py | 60 ++++-- server/src/ledgrab/main.py | 7 + server/src/ledgrab/static/css/calibration.css | 25 +++ server/src/ledgrab/static/css/components.css | 64 ++++--- server/src/ledgrab/static/css/modal.css | 6 +- .../static/js/features/auto-calibration.ts | 30 +++ .../ledgrab/static/js/features/calibration.ts | 8 + .../static/js/features/color-strips/test.ts | 73 ++++++-- .../static/js/features/setup-wizard.ts | 46 ++++- server/src/ledgrab/static/locales/en.json | 10 + server/src/ledgrab/static/locales/ru.json | 10 + server/src/ledgrab/static/locales/zh.json | 10 + .../src/ledgrab/storage/game_integration.py | 48 ++++- .../ledgrab/templates/modals/calibration.html | 26 +-- .../routes/test_game_integration_routes.py | 58 ++++++ .../core/test_generic_webhook_adapter.py | 17 +- server/tests/core/test_playlist_engine.py | 172 ++++++++++++++++++ .../storage/test_game_integration_store.py | 81 +++++++++ server/tests/test_calibration.py | 16 ++ .../test_home_assistant_host_validation.py | 52 ++++++ 42 files changed, 1358 insertions(+), 152 deletions(-) create mode 100644 server/tests/test_home_assistant_host_validation.py diff --git a/android/app/build.gradle.kts b/android/app/build.gradle.kts index 6f920a5..4327d64 100644 --- a/android/app/build.gradle.kts +++ b/android/app/build.gradle.kts @@ -210,6 +210,10 @@ dependencies { implementation("androidx.core:core-splashscreen:1.0.1") // QR code generation for displaying server URL on TV implementation("com.google.zxing:core:3.5.3") + // EncryptedSharedPreferences (Android Keystore-backed) for the per-install + // server API key (see ApiKeyManager). Falls back to plain SharedPreferences + // when the keystore is unavailable. + implementation("androidx.security:security-crypto:1.1.0-alpha06") // USB-serial drivers (CH340, CP2102, FTDI, Prolific, CDC-ACM) for // driving Adalight/AmbiLED controllers plugged into Android TV boxes. implementation("com.github.mik3y:usb-serial-for-android:3.8.1") diff --git a/android/app/src/main/AndroidManifest.xml b/android/app/src/main/AndroidManifest.xml index 0417e90..249c233 100644 --- a/android/app/src/main/AndroidManifest.xml +++ b/android/app/src/main/AndroidManifest.xml @@ -14,7 +14,8 @@ - + + // Best-effort persist into the encrypted store; cache regardless + // so we still return the recovered key if the write keeps failing. + runCatching { prefs.edit().putString(KEY_API_KEY, recovered).commit() } + cached = recovered + Log.i(TAG, "Recovered existing API key from legacy storage") + return recovered + } val generated = generateKey() // commit() (synchronous disk write) on the FIRST write so // the key is durable before MainActivity encodes it into a @@ -74,6 +106,88 @@ class ApiKeyManager(context: Context) { } } + /** + * Build the backing store, preferring EncryptedSharedPreferences. Returns + * (store, isEncrypted). Any keystore failure falls back to the plain prefs + * file so the local API key is never lost on a broken-keystore device. + */ + private fun buildPrefs(context: Context): Pair { + return try { + val masterKey = MasterKey.Builder(context) + .setKeyScheme(MasterKey.KeyScheme.AES256_GCM) + .build() + val store = EncryptedSharedPreferences.create( + context, + ENCRYPTED_PREFS_NAME, + masterKey, + EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV, + EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM, + ) + store to true + } catch (e: Exception) { + // Keystore unavailable/corrupt — degrade to plain prefs rather + // than crashing. Worst case the key is stored unencrypted on a + // single-user TV box, which is the pre-existing behaviour. + Log.w(TAG, "EncryptedSharedPreferences unavailable, using plain prefs: ${e.message}") + context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE) to false + } + } + + /** + * One-time migration: if a key exists in the legacy plain-text prefs file + * (from before encrypted storage), copy it into the encrypted store and + * remove the plain copy. Preserves the existing key so already-scanned QR + * clients keep working — generating a fresh key here would silently 401 + * every LAN client (see the Data Migration Policy in CLAUDE.md). + */ + private fun migrateLegacyKeyIfPresent() { + // Don't migrate if the encrypted store already holds a key. + if (!prefs.getString(KEY_API_KEY, null).isNullOrEmpty()) return + runCatching { + val legacy = appContext.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE) + val legacyKey = legacy.getString(KEY_API_KEY, null) + if (legacyKey != null && legacyKey.length >= MIN_KEY_LENGTH) { + // commit() returns false on write failure WITHOUT throwing, so the + // runCatching wrapper alone does NOT protect this path. Verify the + // encrypted store both committed AND reads back the identical value + // before touching the legacy copy — otherwise a silent write + // failure could delete the only surviving copy of the key and + // rotate it on next launch (401s every paired client — the exact + // silent-data-loss the Data Migration Policy forbids). + val ok = prefs.edit().putString(KEY_API_KEY, legacyKey).commit() + if (ok && prefs.getString(KEY_API_KEY, null) == legacyKey) { + // Keep the value as a .migrated backup (don't hard-delete) per + // the migration policy; remove only the live legacy key so the + // plaintext copy no longer answers reads. + legacy.edit() + .putString(KEY_API_KEY_MIGRATED, legacyKey) + .remove(KEY_API_KEY) + .apply() + Log.i(TAG, "Migrated API key from plain to encrypted storage") + } else { + // Leave the legacy key untouched; getOrCreateKey() will recover + // it via recoverLegacyKey() rather than minting a fresh one. + Log.w(TAG, "Encrypted key write unverified — keeping legacy key, not migrating") + } + } + }.onFailure { Log.w(TAG, "Legacy API key migration failed: ${it.message}") } + } + + /** + * Recover a still-present key from the legacy plain store — either the live + * key (failed/never-run migration) or the `.migrated` backup. Returns null + * when on the plain-prefs path (no legacy/encrypted split) or no valid key + * survives. Guarantees [getOrCreateKey] never rotates an existing key as long + * as the legacy file survives. + */ + private fun recoverLegacyKey(): String? { + if (!encrypted) return null + val legacy = appContext.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE) + val candidate = legacy.getString(KEY_API_KEY, null) + ?: legacy.getString(KEY_API_KEY_MIGRATED, null) + return candidate?.takeIf { it.length >= MIN_KEY_LENGTH } + } + private fun generateKey(): String { val bytes = ByteArray(KEY_BYTES) SecureRandom().nextBytes(bytes) @@ -88,7 +202,11 @@ class ApiKeyManager(context: Context) { companion object { private const val TAG = "ApiKeyManager" private const val PREFS_NAME = "ledgrab_auth" + private const val ENCRYPTED_PREFS_NAME = "ledgrab_auth_enc" private const val KEY_API_KEY = "api_key" + // Backup of a migrated legacy key, kept in the plain store per the + // Data Migration Policy (never hard-delete user data on rename/move). + private const val KEY_API_KEY_MIGRATED = "api_key_migrated" private const val KEY_BYTES = 32 private const val MIN_KEY_LENGTH = 32 diff --git a/android/app/src/main/java/com/ledgrab/android/BleBridge.kt b/android/app/src/main/java/com/ledgrab/android/BleBridge.kt index 71aa5de..06f81cb 100644 --- a/android/app/src/main/java/com/ledgrab/android/BleBridge.kt +++ b/android/app/src/main/java/com/ledgrab/android/BleBridge.kt @@ -103,12 +103,32 @@ object BleBridge { } try { - bleHandler.post { scanner.startScan(callback) } + // startScan runs on the BLE handler thread; a denied + // BLUETOOTH_SCAN throws SecurityException there, which would + // crash the whole process (an uncaught exception on a handler + // thread is fatal). Catch it inside the posted body and report. + bleHandler.post { + try { + scanner.startScan(callback) + } catch (e: SecurityException) { + Log.w(TAG, "BLUETOOTH_SCAN permission denied — scan skipped", e) + } catch (e: Exception) { + Log.w(TAG, "BLE startScan failed: ${e.message}") + } + } Thread.sleep(timeoutMs) } catch (_: InterruptedException) { Thread.currentThread().interrupt() } finally { - try { bleHandler.post { scanner.stopScan(callback) } } catch (_: SecurityException) {} + bleHandler.post { + try { + scanner.stopScan(callback) + } catch (e: SecurityException) { + Log.w(TAG, "BLUETOOTH_SCAN permission denied — stopScan skipped", e) + } catch (e: Exception) { + Log.w(TAG, "BLE stopScan failed: ${e.message}") + } + } } return seen.values.toList() } @@ -136,7 +156,18 @@ object BleBridge { newState == BluetoothProfile.STATE_CONNECTED && status == BluetoothGatt.GATT_SUCCESS -> { Log.d(TAG, "GATT connected to $address, discovering services") - gatt.discoverServices() + // Runs on the BLE handler thread; a denied + // BLUETOOTH_CONNECT throws SecurityException here, which + // would crash the process. Catch and fail the connect. + try { + gatt.discoverServices() + } catch (e: SecurityException) { + Log.e(TAG, "BLUETOOTH_CONNECT denied during discoverServices", e) + readyDeferred.complete(false) + } catch (e: Exception) { + Log.w(TAG, "discoverServices failed: ${e.message}") + readyDeferred.complete(false) + } } newState == BluetoothProfile.STATE_DISCONNECTED -> { Log.w(TAG, "GATT disconnected from $address (status=$status)") diff --git a/android/app/src/main/java/com/ledgrab/android/CaptureService.kt b/android/app/src/main/java/com/ledgrab/android/CaptureService.kt index a6e0c07..0252f32 100644 --- a/android/app/src/main/java/com/ledgrab/android/CaptureService.kt +++ b/android/app/src/main/java/com/ledgrab/android/CaptureService.kt @@ -105,12 +105,48 @@ class CaptureService : Service() { override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int { val useRoot = intent?.getBooleanExtra(EXTRA_USE_ROOT, false) ?: false - // CRITICAL: startForeground must be called IMMEDIATELY — before - // any other work, especially before getMediaProjection(). The - // service type must match the work; pass it explicitly via - // ServiceCompat so we stay compatible back to API 24. + // CRITICAL (Android 14+): for the MediaProjection path, validate the + // projection token BEFORE promoting to a foreground service with the + // mediaProjection FGS type. On service recreation (system redelivery + // or a stale relaunch) the consent token is gone — promoting first and + // then discovering the dead token causes a spurious foreground-service + // start + immediate stop, which on strict OEMs flickers the + // notification or trips a stopSelf loop. Bail out cleanly here, before + // startForeground, when the MediaProjection consent data is missing. val localIp = NetworkUtils.getLocalIpAddress(this) ?: "—" val url = "http://$localIp:$SERVER_PORT" + + val mediaProjectionResultData: Intent? = + if (!useRoot) extractProjectionResultData(intent) else null + if (!useRoot && (intent == null || mediaProjectionResultData == null)) { + // MediaProjection mode can't recover from a redelivery — + // the consent token in the original intent is single-use. + // + // We were launched via startForegroundService(), so the OS REQUIRES + // a startForeground() within ~5s even on this immediate-stop path, + // or it raises the fatal ForegroundServiceDidNotStartInTimeException. + // Promote with a benign SPECIAL_USE type (NOT mediaProjection — we + // have no valid consent token, and requesting that type without an + // active projection is exactly what we're avoiding) just long enough + // to satisfy the contract, then stop. + Log.w(TAG, "MediaProjection start without a valid consent token — stopping") + runCatching { + val bailType = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) { + ServiceInfo.FOREGROUND_SERVICE_TYPE_SPECIAL_USE + } else { + 0 + } + ServiceCompat.startForeground(this, NOTIFICATION_ID, buildNotification(url), bailType) + }.onFailure { Log.w(TAG, "Bail-path startForeground failed: ${it.message}") } + stopSelf() + return START_NOT_STICKY + } + + // startForeground must be called IMMEDIATELY after the token check — + // before any heavier work like getMediaProjection(). The service type + // must match the work; pass it explicitly via ServiceCompat so we stay + // compatible back to API 24. The MEDIA_PROJECTION type is only used + // here once resultData is confirmed non-null (checked above). try { val type = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) { var t = if (useRoot) { @@ -152,20 +188,13 @@ class CaptureService : Service() { // otherwise `isRunning=true` sticks forever when startForeground throws. isRunning = true - if (intent == null && !useRoot) { - // MediaProjection mode can't recover from a redelivery — - // the consent token in the original intent is single-use. - Log.w(TAG, "Service restarted without intent (MediaProjection mode) — stopping") - isRunning = false - stopSelf() - return START_NOT_STICKY - } - try { if (useRoot) { startRootCapture(url) } else { - startMediaProjectionCapture(intent!!, url) + // mediaProjectionResultData is guaranteed non-null here — the + // token was validated before startForeground above. + startMediaProjectionCapture(intent!!, mediaProjectionResultData!!, url) } } catch (e: Exception) { Log.e(TAG, "Failed to start capture", e) @@ -294,20 +323,24 @@ class CaptureService : Service() { } } - private fun startMediaProjectionCapture(intent: Intent, url: String) { - val resultCode = intent.getIntExtra(EXTRA_RESULT_CODE, 0) + /** + * Extract the single-use MediaProjection consent token from the start + * intent, or null if the intent is missing/redelivered without it. + * Called BEFORE startForeground so the mediaProjection FGS type is only + * ever requested when a valid token is present (see onStartCommand). + */ + private fun extractProjectionResultData(intent: Intent?): Intent? { + if (intent == null) return null @Suppress("DEPRECATION") - val resultData = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) { + return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) { intent.getParcelableExtra(EXTRA_RESULT_DATA, Intent::class.java) } else { intent.getParcelableExtra(EXTRA_RESULT_DATA) } + } - if (resultData == null) { - Log.e(TAG, "No MediaProjection result data") - stopSelf() - return - } + private fun startMediaProjectionCapture(intent: Intent, resultData: Intent, url: String) { + val resultCode = intent.getIntExtra(EXTRA_RESULT_CODE, 0) val projectionManager = getSystemService(Context.MEDIA_PROJECTION_SERVICE) as MediaProjectionManager diff --git a/android/app/src/main/java/com/ledgrab/android/LedGrabNotificationListener.kt b/android/app/src/main/java/com/ledgrab/android/LedGrabNotificationListener.kt index ea79608..14f92bb 100644 --- a/android/app/src/main/java/com/ledgrab/android/LedGrabNotificationListener.kt +++ b/android/app/src/main/java/com/ledgrab/android/LedGrabNotificationListener.kt @@ -6,7 +6,9 @@ import android.service.notification.StatusBarNotification import android.util.Log import com.chaquo.python.Python import java.util.concurrent.ConcurrentHashMap +import java.util.concurrent.ExecutorService import java.util.concurrent.Executors +import java.util.concurrent.RejectedExecutionException /** * Captures posted OS notifications and forwards the posting app's display @@ -25,7 +27,20 @@ class LedGrabNotificationListener : NotificationListenerService() { // Serial executor: the Python receiver does a (non-concurrency-safe) history // disk write and may play a sound, so pushes must not overlap. Off the main // looper to keep the system service responsive. - private val pushExecutor = Executors.newSingleThreadExecutor() + // + // Tied to the listener-connection lifecycle (onListenerConnected / + // onListenerDisconnected), NOT onDestroy: this is a system-rebindable + // service, so it can be connected/disconnected multiple times across a + // single onCreate..onDestroy span. Managing the executor here — combined + // with the runCatching guard at the submit site — keeps a notification + // that races teardown from triggering RejectedExecutionException on a + // shut-down executor. @Volatile so the connect/disconnect callbacks (which + // may run on a different thread than onNotificationPosted) publish safely. + @Volatile private var pushExecutor: ExecutorService? = null + + // Guards executor creation so the lazy submit-site fallback and + // onListenerConnected can't race two executors into existence. + private val executorLock = Any() // packageName -> resolved human-readable label. Matches the app_name the // Windows/Linux backends pass, so per-app colors/filters keep working. @@ -51,17 +66,34 @@ class LedGrabNotificationListener : NotificationListenerService() { val label = resolveAppLabel(notification.packageName) - pushExecutor.execute { - try { - Python.getInstance() - .getModule(PY_MODULE) - .callAttr("push_notification", label) - } catch (t: Throwable) { - // Never crash a system-bound service. Python.getInstance() throws - // IllegalStateException if Python.start() hasn't run (e.g. the - // service was bound at boot before the app process initialized). - // Log at debug — the label is potentially sensitive on a shared TV. - Log.d(TAG, "push_notification failed: ${t.message}") + // Obtain (creating if needed) the executor. onListenerConnected normally + // creates it, but that callback is not reliably invoked on every + // OEM/version (re)bind, and a notification can arrive before it fires — + // lazily creating here keeps a missing/late onListenerConnected from + // permanently disabling notification forwarding. A late submit onto an + // executor that onListenerDisconnected is shutting down throws + // RejectedExecutionException — guard with runCatching so a notification + // racing teardown can never crash this system-bound service. + val executor = ensureExecutor() + runCatching { + executor.execute { + try { + Python.getInstance() + .getModule(PY_MODULE) + .callAttr("push_notification", label) + } catch (t: Throwable) { + // Never crash a system-bound service. Python.getInstance() throws + // IllegalStateException if Python.start() hasn't run (e.g. the + // service was bound at boot before the app process initialized). + // Log at debug — the label is potentially sensitive on a shared TV. + Log.d(TAG, "push_notification failed: ${t.message}") + } + } + }.onFailure { e -> + if (e is RejectedExecutionException) { + Log.d(TAG, "push rejected — listener disconnecting") + } else { + throw e } } } @@ -69,24 +101,59 @@ class LedGrabNotificationListener : NotificationListenerService() { /** Resolve (and cache) a package's human-readable label; fall back to the package name. */ private fun resolveAppLabel(pkg: String): String { labelCache[pkg]?.let { return it } + // Only cache SUCCESSFUL resolutions. Caching the package-name fallback + // would permanently pin a wrong label if the PackageManager lookup + // failed transiently (e.g. the app was mid-install / still updating). val resolved = runCatching { val info = packageManager.getApplicationInfo(pkg, 0) packageManager.getApplicationLabel(info).toString() - }.getOrDefault(pkg) - labelCache[pkg] = resolved - return resolved + }.getOrNull() + if (resolved != null) { + labelCache[pkg] = resolved + return resolved + } + return pkg + } + + /** + * Return the push executor, creating it under [executorLock] if absent. + * Safe against a concurrent onListenerConnected/onNotificationPosted race + * (single executor) and against a missing onListenerConnected callback. + */ + private fun ensureExecutor(): ExecutorService { + pushExecutor?.let { return it } + synchronized(executorLock) { + return pushExecutor ?: Executors.newSingleThreadExecutor().also { pushExecutor = it } + } } override fun onListenerConnected() { Log.i(TAG, "Notification listener connected") + // Spin up the push executor on connect. The system can disconnect and + // later reconnect this service without destroying it, so own the + // executor here rather than in onCreate/onDestroy. onNotificationPosted + // also lazily creates it (via ensureExecutor) in case this callback is + // late or skipped on some ROMs. + ensureExecutor() } override fun onListenerDisconnected() { Log.i(TAG, "Notification listener disconnected") + // Tear the executor down on disconnect; a fresh one is created on the + // next onListenerConnected. Null out first so any in-flight + // onNotificationPosted snapshots see null (skips submit) rather than + // racing a shutdown executor. + pushExecutor?.let { exec -> + pushExecutor = null + exec.shutdown() + } } override fun onDestroy() { - pushExecutor.shutdown() + // Defensive: onListenerDisconnected normally clears this first, but + // shut down here too in case onDestroy fires without a prior disconnect. + pushExecutor?.shutdown() + pushExecutor = null super.onDestroy() } diff --git a/android/app/src/main/java/com/ledgrab/android/MainActivity.kt b/android/app/src/main/java/com/ledgrab/android/MainActivity.kt index d6a3ff3..b28831c 100644 --- a/android/app/src/main/java/com/ledgrab/android/MainActivity.kt +++ b/android/app/src/main/java/com/ledgrab/android/MainActivity.kt @@ -34,6 +34,7 @@ import kotlinx.coroutines.Dispatchers import kotlinx.coroutines.MainScope import kotlinx.coroutines.cancel import kotlinx.coroutines.launch +import kotlinx.coroutines.runInterruptible import kotlinx.coroutines.withContext /** @@ -56,6 +57,7 @@ class MainActivity : Activity() { private const val REQUEST_POST_NOTIFICATIONS = 1002 private const val REQUEST_RECORD_AUDIO = 1003 private const val REQUEST_CAMERA = 1004 + private const val REQUEST_BLUETOOTH = 1005 private const val QR_SIZE_PX = 560 private const val NOTIF_PREFS = "ledgrab_notif" private const val KEY_NOTIF_ACCESS_PROMPTED = "notif_access_prompted" @@ -189,7 +191,13 @@ class MainActivity : Activity() { toggleButton.text = getString(R.string.btn_starting) statusText.text = getString(R.string.status_checking_root) uiScope.launch(Dispatchers.IO) { - val rooted = Root.requestGrant() + // runInterruptible so a config change (rotation) during the + // up-to-10s `su` probe cancels the coroutine AND interrupts the + // blocking probe thread — Root.requestGrant honours the interrupt, + // destroys the su child, and rethrows, so we don't leak the + // process + drain thread. Without this, IO-dispatcher cancellation + // would not interrupt the blocking waitFor(). + val rooted = runInterruptible { Root.requestGrant() } withContext(Dispatchers.Main) { toggleButton.isEnabled = true toggleButton.text = originalText @@ -214,6 +222,7 @@ class MainActivity : Activity() { ensureNotificationPermission() ensureNotificationListenerAccess() ensureCameraPermission() + ensureBluetoothPermissions() ContextCompat.startForegroundService(this, CaptureService.createRootIntent(this)) updateUI() } @@ -236,6 +245,7 @@ class MainActivity : Activity() { ensureNotificationListenerAccess() ensureAudioPermission() ensureCameraPermission() + ensureBluetoothPermissions() val intent = CaptureService.createIntent(this, resultCode, resultData) ContextCompat.startForegroundService(this, intent) updateUI() @@ -536,6 +546,30 @@ class MainActivity : Activity() { } } + /** + * Request BLUETOOTH_SCAN + BLUETOOTH_CONNECT (API 31+) so the embedded + * server can discover and drive BLE LED controllers (SP110E / Triones / + * Zengge). On API < 31 these are install-time legacy permissions + * (BLUETOOTH / BLUETOOTH_ADMIN / ACCESS_FINE_LOCATION, maxSdk=30) and + * need no runtime grant — so this is a no-op there. Fire-and-forget, + * like [ensureAudioPermission]: screen capture works without BLE, and + * BleBridge degrades gracefully (empty scan / failed connect) when the + * grant is denied, so we don't block on the result. If first granted + * here, BLE devices become reachable on the next scan/connect. + */ + private fun ensureBluetoothPermissions() { + if (Build.VERSION.SDK_INT < Build.VERSION_CODES.S) return + val needed = listOf( + Manifest.permission.BLUETOOTH_SCAN, + Manifest.permission.BLUETOOTH_CONNECT, + ).filter { + checkSelfPermission(it) != PackageManager.PERMISSION_GRANTED + } + if (needed.isEmpty()) return + @Suppress("DEPRECATION") + requestPermissions(needed.toTypedArray(), REQUEST_BLUETOOTH) + } + /** Whether the user has granted notification-listener access to this app. */ private fun isNotificationAccessGranted(): Boolean = NotificationManagerCompat.getEnabledListenerPackages(this).contains(packageName) diff --git a/android/app/src/main/java/com/ledgrab/android/Root.kt b/android/app/src/main/java/com/ledgrab/android/Root.kt index 2576bc7..e3ab186 100644 --- a/android/app/src/main/java/com/ledgrab/android/Root.kt +++ b/android/app/src/main/java/com/ledgrab/android/Root.kt @@ -20,6 +20,11 @@ import java.util.concurrent.TimeUnit object Root { private const val TAG = "Root" + // Slice length for the cancellation-aware su probe wait loop. Short + // enough that coroutine cancellation is honoured promptly, long enough + // to avoid busy-spinning while Magisk's grant dialog is up. + private const val POLL_SLICE_MS = 100L + private val SU_PATHS = listOf( "/system/bin/su", "/system/xbin/su", @@ -49,17 +54,19 @@ object Root { return false } + var process: Process? = null val granted = try { // redirectErrorStream merges stderr into stdout so a single // drain thread is enough — avoids the classic pipe-buffer // deadlock where waitFor() blocks because stderr filled up. - val process = ProcessBuilder("su", "-c", "id") + val proc = ProcessBuilder("su", "-c", "id") .redirectErrorStream(true) .start() + process = proc val outputBuilder = StringBuilder() val drain = Thread({ try { - BufferedReader(InputStreamReader(process.inputStream)).use { r -> + BufferedReader(InputStreamReader(proc.inputStream)).use { r -> val buf = CharArray(512) while (true) { val n = r.read(buf) @@ -72,17 +79,35 @@ object Root { } }, "Root-su-drain").apply { isDaemon = true; start() } - val finished = process.waitFor(timeoutSeconds, TimeUnit.SECONDS) + // Cancellation-aware wait: callers run this on a coroutine + // (MainActivity wraps it in runInterruptible), so a config change + // mid-probe cancels the coroutine and interrupts this thread. + // Poll waitFor() in short slices and honour interruption so we + // don't leak the `su` child + its drain thread for up to 10s. + // The catch(InterruptedException) below destroys the process; we + // re-arm the interrupt and rethrow so coroutine cancellation + // propagates cleanly. + val deadlineNanos = System.nanoTime() + TimeUnit.SECONDS.toNanos(timeoutSeconds) + var finished = false + while (System.nanoTime() < deadlineNanos) { + if (proc.waitFor(POLL_SLICE_MS, TimeUnit.MILLISECONDS)) { + finished = true + break + } + // Throws InterruptedException if the thread was interrupted + // by coroutine cancellation — handled below to tear down. + if (Thread.interrupted()) throw InterruptedException("su probe cancelled") + } if (!finished) { - process.destroyForcibly() + proc.destroyForcibly() drain.join(500) Log.w(TAG, "su -c id timed out after ${timeoutSeconds}s") false } else { drain.join(500) val output = synchronized(outputBuilder) { outputBuilder.toString() } - if (process.exitValue() != 0) { - Log.w(TAG, "su -c id exited with ${process.exitValue()} output='${output.trim()}'") + if (proc.exitValue() != 0) { + Log.w(TAG, "su -c id exited with ${proc.exitValue()} output='${output.trim()}'") false } else { val rooted = output.contains("uid=0") @@ -90,8 +115,17 @@ object Root { rooted } } + } catch (e: InterruptedException) { + // Coroutine cancelled mid-probe (e.g. config change). Kill the + // su child so it doesn't outlive the cancelled work, re-arm the + // interrupt flag, and rethrow so the coroutine cancels cleanly. + // Do NOT cache a result — the probe never completed. + runCatching { process?.destroyForcibly() } + Thread.currentThread().interrupt() + throw e } catch (e: Exception) { Log.w(TAG, "su invocation failed: ${e.message}") + runCatching { process?.destroyForcibly() } false } diff --git a/android/app/src/main/java/com/ledgrab/android/RootScreenrecord.kt b/android/app/src/main/java/com/ledgrab/android/RootScreenrecord.kt index 93d9534..8547940 100644 --- a/android/app/src/main/java/com/ledgrab/android/RootScreenrecord.kt +++ b/android/app/src/main/java/com/ledgrab/android/RootScreenrecord.kt @@ -89,14 +89,15 @@ class RootScreenrecord( running = true try { - imageReader = buildImageReader() - decoder = buildDecoder(imageReader!!) - process = spawnScreenrecord() ?: run { + val reader = buildImageReader().also { imageReader = it } + val codec = buildDecoder(reader).also { decoder = it } + val proc = spawnScreenrecord() ?: run { stop() return false } - startInputPump(process!!.inputStream, decoder!!) - startOutputDrain(decoder!!) + process = proc + startInputPump(proc.inputStream, codec) + startOutputDrain(codec) Log.i(TAG, "Root capture pipeline started (${width}x$height @ ${fps}fps)") return true } catch (e: Exception) { @@ -178,6 +179,14 @@ class RootScreenrecord( buffer.get(frameBuffer, row * rowBytes, rowBytes) } } + // CONTRACT: frameBuffer is REUSED across frames (single-threaded + // reader callback — no copy here). Safety depends on the Python + // receiver copying the bytes before this callback returns and + // overwrites the buffer for the next frame. It does: + // PythonBridge.pushRootFrame → root_screenrecord_engine.push_frame + // (server/src/ledgrab/core/capture_engines/root_screenrecord_engine.py) + // does `rgba[:, :, :3].copy()`, so the queued frame owns its + // pixels independently of this buffer. Do NOT remove that copy. bridge.pushRootFrame(frameBuffer, width, height) framesDeliveredCounter.incrementAndGet() } catch (e: Exception) { diff --git a/android/app/src/main/java/com/ledgrab/android/ScreenCapture.kt b/android/app/src/main/java/com/ledgrab/android/ScreenCapture.kt index 2ce7c52..53ed275 100644 --- a/android/app/src/main/java/com/ledgrab/android/ScreenCapture.kt +++ b/android/app/src/main/java/com/ledgrab/android/ScreenCapture.kt @@ -147,6 +147,14 @@ class ScreenCapture( } } + // CONTRACT: frameBuffer is REUSED across frames (single-threaded + // capture handler — no copy here). Safety depends on the Python + // receiver copying the bytes before this callback returns and + // overwrites the buffer for the next frame. It does: + // PythonBridge.pushFrame → mediaprojection_engine.push_frame + // (server/src/ledgrab/core/capture_engines/mediaprojection_engine.py) + // does `rgba[:, :, :3].copy()`, so the queued frame owns its + // pixels independently of this buffer. Do NOT remove that copy. bridge.pushFrame(frameBuffer, captureWidth, captureHeight) // Advance the pacing accumulator. If we fell badly behind diff --git a/server/src/ledgrab/api/routes/game_integration.py b/server/src/ledgrab/api/routes/game_integration.py index b07f7e5..40b06ea 100644 --- a/server/src/ledgrab/api/routes/game_integration.py +++ b/server/src/ledgrab/api/routes/game_integration.py @@ -6,6 +6,7 @@ adapter metadata, and diagnostics. import threading import time +from collections import defaultdict from typing import Any from fastapi import APIRouter, Depends, HTTPException, Request @@ -57,6 +58,73 @@ _prev_states: dict[str, dict[str, Any]] = {} _integration_stats: dict[str, dict[str, Any]] = {} +# ── Failed-auth rate limiter (brute-force defence on the ingest route) ───── +# +# The ingest route is high-frequency (games push at 16-64 Hz), so we do NOT +# rate-limit every event — that would throttle legitimate gameplay traffic. +# Instead we throttle only FAILED-auth attempts per source IP (the only thing +# an attacker without the token can produce). This mirrors the IP-based +# limiter in routes/webhooks.py (~30/min) but scopes it to failures so a +# brute-forcer is locked out after _AUTH_FAIL_LIMIT bad tokens per minute +# while authenticated high-rate ingestion is completely unaffected. +_AUTH_FAIL_LIMIT = 30 +_AUTH_FAIL_WINDOW = 60.0 # seconds +_AUTH_FAIL_HITS_HARD_CAP = 1024 +_LOOPBACK_HOSTS = frozenset({"127.0.0.1", "::1", "localhost"}) +_auth_fail_hits: dict[str, list[float]] = defaultdict(list) +_auth_fail_lock = threading.Lock() + + +def _rate_limit_key(request: Request) -> str: + """Pick a stable client identifier for rate-limiting. + + When the immediate peer is loopback (assumed reverse-proxy), use the + first ``X-Forwarded-For`` entry; otherwise use the peer's IP. + """ + peer = request.client.host if request.client else "unknown" + if peer in _LOOPBACK_HOSTS: + xff = request.headers.get("x-forwarded-for", "") + if xff: + return xff.split(",", 1)[0].strip() or peer + return peer + + +def _check_auth_fail_rate_limit(client_ip: str) -> None: + """Raise 429 if *client_ip* exceeded the failed-auth attempt limit.""" + now = time.time() + window_start = now - _AUTH_FAIL_WINDOW + with _auth_fail_lock: + timestamps = [t for t in _auth_fail_hits[client_ip] if t > window_start] + _auth_fail_hits[client_ip] = timestamps + if len(timestamps) >= _AUTH_FAIL_LIMIT: + raise HTTPException( + status_code=429, + detail="Too many failed authentication attempts. Try again later.", + ) + + +def _record_auth_failure(client_ip: str) -> None: + """Record a failed-auth attempt for *client_ip* (bounded memory).""" + now = time.time() + window_start = now - _AUTH_FAIL_WINDOW + with _auth_fail_lock: + _auth_fail_hits[client_ip].append(now) + # Periodic cleanup of stale IPs to prevent unbounded growth. + if len(_auth_fail_hits) > 100: + stale = [ip for ip, ts in _auth_fail_hits.items() if not ts or ts[-1] < window_start] + for ip in stale: + del _auth_fail_hits[ip] + # Hard cap against an attacker spraying many distinct X-Forwarded-For + # values; drop the oldest-touched IPs. + if len(_auth_fail_hits) > _AUTH_FAIL_HITS_HARD_CAP: + ordered = sorted( + _auth_fail_hits.items(), + key=lambda kv: kv[1][-1] if kv[1] else 0.0, + ) + for ip, _ in ordered[: len(ordered) - _AUTH_FAIL_HITS_HARD_CAP]: + _auth_fail_hits.pop(ip, None) + + def _schema_to_fields(schema: dict[str, Any]) -> list[dict[str, Any]]: """Convert a JSON Schema object into a flat list of field descriptors. @@ -387,7 +455,16 @@ async def ingest_event( called before standard API auth. No AuthRequired dependency — adapter-level auth is used instead. + + Rate limiting is scoped to FAILED-auth attempts per source IP (see + ``_check_auth_fail_rate_limit``) so legitimate high-rate ingestion is + never throttled, but a brute-forcer is locked out after the threshold. """ + client_ip = _rate_limit_key(request) + # Block IPs that have already burned through the failed-auth budget, + # before doing any work (cheap brute-force lockout). + _check_auth_fail_rate_limit(client_ip) + try: config = store.get_integration(integration_id) except EntityNotFoundError: @@ -405,6 +482,7 @@ async def ingest_event( # Adapter-level auth check headers = dict(request.headers) if not adapter_cls.validate_auth(headers, payload.data, config.adapter_config): + _record_auth_failure(client_ip) raise HTTPException(status_code=403, detail="Adapter authentication failed") # Parse payload through adapter diff --git a/server/src/ledgrab/api/routes/home_assistant.py b/server/src/ledgrab/api/routes/home_assistant.py index d982831..0ffeceb 100644 --- a/server/src/ledgrab/api/routes/home_assistant.py +++ b/server/src/ledgrab/api/routes/home_assistant.py @@ -2,6 +2,7 @@ import asyncio import json +from urllib.parse import urlparse from fastapi import APIRouter, Depends, HTTPException, Query @@ -28,6 +29,7 @@ from ledgrab.storage.base_store import EntityNotFoundError from ledgrab.storage.home_assistant_source import HomeAssistantSource from ledgrab.storage.home_assistant_store import HomeAssistantStore from ledgrab.utils import get_logger +from ledgrab.utils.net_classify import validate_lan_host logger = get_logger(__name__) @@ -37,6 +39,23 @@ router = APIRouter() _REDACTED_TOKEN = "***" +def _validate_ha_host(host: str | None) -> None: + """Reject literal public/link-local/metadata IPs for a HA source host. + + HA sources are LAN-by-design (loopback + private ranges allowed), so we + gate the user-supplied ``host`` with the same shared classifier the LED + device providers use (``validate_lan_host``). The HA host is stored as + ``host:port`` (e.g. ``192.168.1.100:8123``), so strip the port first via + ``urlparse`` — which also handles bracketed IPv6 literals. Hostnames / + mDNS labels pass through (classified UNPARSEABLE). Raises ``ValueError`` + on a literal public IP, which the callers translate to HTTP 400. + """ + if not host: + return + bare_host = urlparse(f"//{host.strip()}").hostname or host.strip() + validate_lan_host(bare_host) + + def _to_response( source: HomeAssistantSource, manager: HomeAssistantManager, @@ -99,6 +118,7 @@ async def create_ha_source( manager: HomeAssistantManager = Depends(get_ha_manager), ): try: + _validate_ha_host(data.host) source = store.create_source( name=data.name, host=data.host, @@ -153,6 +173,7 @@ async def update_ha_source( manager: HomeAssistantManager = Depends(get_ha_manager), ): try: + _validate_ha_host(data.host) source = store.update_source( source_id, name=data.name, diff --git a/server/src/ledgrab/core/capture/calibration.py b/server/src/ledgrab/core/capture/calibration.py index 2d3af4c..b29c112 100644 --- a/server/src/ledgrab/core/capture/calibration.py +++ b/server/src/ledgrab/core/capture/calibration.py @@ -824,6 +824,30 @@ def create_default_calibration( right_count = max(1, right_count) left_count = max(1, left_count) + # The max(1, ...) floors above can push the total above led_count for + # small counts (e.g. led_count=5 -> top=2,right=1,bottom=2,left=1 = 6). + # Trim the largest edge that stays >= 1 until the total matches exactly. + edge_order = ["bottom", "top", "right", "left"] + counts = { + "bottom": bottom_count, + "top": top_count, + "right": right_count, + "left": left_count, + } + overshoot = sum(counts.values()) - led_count + while overshoot > 0: + # Pick the largest edge that can still be reduced (stays >= 1). + trimmable = [e for e in edge_order if counts[e] > 1] + if not trimmable: + break + target_edge = max(trimmable, key=lambda e: counts[e]) + counts[target_edge] -= 1 + overshoot -= 1 + bottom_count = counts["bottom"] + top_count = counts["top"] + right_count = counts["right"] + left_count = counts["left"] + config = CalibrationConfig( layout="clockwise", start_position="bottom_left", diff --git a/server/src/ledgrab/core/devices/ddp_client.py b/server/src/ledgrab/core/devices/ddp_client.py index 7c3ac41..d93e6af 100644 --- a/server/src/ledgrab/core/devices/ddp_client.py +++ b/server/src/ledgrab/core/devices/ddp_client.py @@ -154,6 +154,15 @@ class DDPClient: all buses (observed in multi-bus setups). We reorder pixel channels here so the hardware receives the correct byte order directly. + TODO(ddp-multibus): currently UNUSED — ``send_pixels_numpy`` (the hot + send path) does NOT call this, so the per-bus color-order config + captured by ``set_buses`` is never applied to outgoing pixels. This + is intentionally left in place (not deleted) because it encodes real + multi-bus handling: if a multi-bus WLED setup needs per-bus byte + reordering, wire this into ``send_pixels_numpy`` before the payload + view is built (note it allocates a copy, so only call it when + ``self._buses`` actually requires reordering). + Args: pixel_array: (N, 3) uint8 numpy array in RGB order diff --git a/server/src/ledgrab/core/game_integration/adapters/cs2_adapter.py b/server/src/ledgrab/core/game_integration/adapters/cs2_adapter.py index 4355b38..a63f54e 100644 --- a/server/src/ledgrab/core/game_integration/adapters/cs2_adapter.py +++ b/server/src/ledgrab/core/game_integration/adapters/cs2_adapter.py @@ -260,7 +260,10 @@ class CS2Adapter(GameAdapter): auth_section = payload.get("auth", {}) actual_token = auth_section.get("token", "") - return bool(actual_token and actual_token == expected_token) + if not actual_token: + return False + # Constant-time comparison to avoid a timing oracle. + return secrets.compare_digest(actual_token, expected_token) @classmethod def get_config_schema(cls) -> dict[str, Any]: diff --git a/server/src/ledgrab/core/game_integration/adapters/dota2_adapter.py b/server/src/ledgrab/core/game_integration/adapters/dota2_adapter.py index 0c1a1ba..35a170e 100644 --- a/server/src/ledgrab/core/game_integration/adapters/dota2_adapter.py +++ b/server/src/ledgrab/core/game_integration/adapters/dota2_adapter.py @@ -177,7 +177,10 @@ class Dota2Adapter(GameAdapter): auth_section = payload.get("auth", {}) actual_token = auth_section.get("token", "") - return bool(actual_token and actual_token == expected_token) + if not actual_token: + return False + # Constant-time comparison to avoid a timing oracle. + return secrets.compare_digest(actual_token, expected_token) @classmethod def get_config_schema(cls) -> dict[str, Any]: diff --git a/server/src/ledgrab/core/game_integration/adapters/generic_webhook_adapter.py b/server/src/ledgrab/core/game_integration/adapters/generic_webhook_adapter.py index c699d3e..f875773 100644 --- a/server/src/ledgrab/core/game_integration/adapters/generic_webhook_adapter.py +++ b/server/src/ledgrab/core/game_integration/adapters/generic_webhook_adapter.py @@ -4,6 +4,7 @@ Allows users to define custom JSON path mappings via the adapter_config rather than a YAML file. Delegates all parsing logic to MappingAdapter. """ +import secrets from typing import Any, ClassVar from ledgrab.core.game_integration.base_adapter import GameAdapter @@ -54,11 +55,18 @@ class GenericWebhookAdapter(GameAdapter): payload: dict[str, Any], adapter_config: dict[str, Any], ) -> bool: - """Validate auth using a configurable header token.""" + """Validate auth using a configurable header token. + + Secure-by-default: this adapter is explicitly network-facing + (it accepts unauthenticated HTTP POSTs from anywhere on the LAN), + so a missing/empty ``auth_token`` REJECTS the request rather than + accepting it. A token must be configured for ingestion to work. + """ expected_token = adapter_config.get("auth_token") if not expected_token: - # No auth configured - return True + # No token configured — reject (secure-by-default for a + # network-facing adapter; an open webhook is a LAN attack surface). + return False auth_header = adapter_config.get("auth_header", "Authorization") actual_value = headers.get(auth_header, "") @@ -67,18 +75,27 @@ class GenericWebhookAdapter(GameAdapter): if actual_value.startswith("Bearer "): actual_value = actual_value[7:] - return bool(actual_value and actual_value == expected_token) + if not actual_value: + return False + + # Constant-time comparison to avoid a token-length/timing oracle. + return secrets.compare_digest(actual_value, expected_token) @classmethod def get_config_schema(cls) -> dict[str, Any]: """Return generic webhook config schema.""" return { "type": "object", + "required": ["auth_token"], "properties": { "auth_token": { "type": "string", "title": "Auth Token", - "description": "Optional token for authenticating incoming webhooks.", + "description": ( + "Required token for authenticating incoming webhooks. " + "Without it, ingestion is rejected (this adapter is " + "network-facing and secure-by-default)." + ), }, "auth_header": { "type": "string", @@ -136,15 +153,17 @@ class GenericWebhookAdapter(GameAdapter): "HTTP POST requests with JSON payloads.\n\n" "**Steps:**\n" "1. Configure your event mappings above — map JSON paths to standard events\n" - "2. Set an auth token (optional but recommended)\n" + "2. Set an auth token (REQUIRED — without it incoming webhooks are rejected)\n" "3. Point your game/application to:\n" " `POST http://:8080/api/v1/game-integrations//event`\n\n" "**Mapping example:**\n" "- Source path: `player.stats.health` → Event: `health` (min: 0, max: 100)\n" "- Source path: `events.kill_count` → Event: `kill` (trigger: on_increase)\n\n" - "**Auth:**\n" + "**Auth (required):**\n" "- Set `Authorization: Bearer ` header in your webhook sender\n" "- Or configure a custom auth header name in the adapter config\n" + "- A token is mandatory: this endpoint is reachable from the LAN, so\n" + " an unconfigured token rejects all incoming events.\n" ) diff --git a/server/src/ledgrab/core/game_integration/mapping_adapter.py b/server/src/ledgrab/core/game_integration/mapping_adapter.py index d59a2e6..808daaa 100644 --- a/server/src/ledgrab/core/game_integration/mapping_adapter.py +++ b/server/src/ledgrab/core/game_integration/mapping_adapter.py @@ -10,6 +10,7 @@ The MappingAdapter class is a concrete GameAdapter whose behavior is entirely driven by the parsed YAML definition. """ +import secrets import time from pathlib import Path from typing import Any @@ -241,7 +242,10 @@ class MappingAdapter(GameAdapter): expected_key = "auth_token" expected_value = adapter_config.get(expected_key, "") actual_value = headers.get(header_name, "") - return bool(expected_value and actual_value == expected_value) + if not (expected_value and actual_value): + return False + # Constant-time comparison to avoid a timing oracle. + return secrets.compare_digest(actual_value, expected_value) logger.warning(f"Unknown auth type '{auth_type}' in mapping adapter '{self._name}'") return False diff --git a/server/src/ledgrab/core/processing/composite_stream.py b/server/src/ledgrab/core/processing/composite_stream.py index e3a5c9d..1f53b6d 100644 --- a/server/src/ledgrab/core/processing/composite_stream.py +++ b/server/src/ledgrab/core/processing/composite_stream.py @@ -69,6 +69,9 @@ class CompositeColorStripStream(ColorStripStream): # (src_len, dst_len) -> (src_x, dst_x, buffer) cache for zone resizing self._resize_cache: Dict[tuple, tuple] = {} + # (src_len, target_n) -> (src_x, dst_x) cache for full-strip resizing + # (output reuses the preallocated self._resize_buf from _ensure_pool) + self._resize_linspace_cache: Dict[tuple, tuple] = {} # layer_index -> (source_id, consumer_id, stream) self._sub_streams: Dict[int, tuple] = {} # layer_index -> (vs_id, value_stream) @@ -314,8 +317,14 @@ class CompositeColorStripStream(ColorStripStream): n_src = len(colors) if n_src == target_n: return colors - src_x = np.linspace(0, 1, n_src) - dst_x = np.linspace(0, 1, target_n) + # Cache the (src_x, dst_x) linspace arrays keyed by (n_src, target_n) + # exactly like the zone path, so they are not reallocated every frame. + lkey = (n_src, target_n) + linspaces = self._resize_linspace_cache.get(lkey) + if linspaces is None: + linspaces = (np.linspace(0, 1, n_src), np.linspace(0, 1, target_n)) + self._resize_linspace_cache[lkey] = linspaces + src_x, dst_x = linspaces buf = self._resize_buf for ch in range(3): np.copyto( diff --git a/server/src/ledgrab/core/processing/device_test_mode.py b/server/src/ledgrab/core/processing/device_test_mode.py index 7a8227f..aa15226 100644 --- a/server/src/ledgrab/core/processing/device_test_mode.py +++ b/server/src/ledgrab/core/processing/device_test_mode.py @@ -137,16 +137,34 @@ class DeviceTestModeMixin: await self._send_pixels_to_device(device_id, pixels) async def _send_clear_pixels(self, device_id: str) -> None: - """Send all-black pixels to clear LED output.""" + """Send all-black pixels to clear LED output. + + This is the explicit teardown path — unlike the per-frame + ``_send_pixels_to_device`` swallow, a clear that must actually take + effect retries once before giving up, so a single transient send + error doesn't leave the device lit after a session ends. + """ ds = self._devices[device_id] pixels = [(0, 0, 0)] * ds.led_count - await self._send_pixels_to_device(device_id, pixels) + try: + client = await self._get_idle_client(device_id) + await client.send_pixels(pixels) + except Exception as e: + logger.warning(f"Clear send to {device_id} failed, retrying once: {e}") + client = await self._get_idle_client(device_id) + await client.send_pixels(pixels) async def _send_pixels_to_device(self, device_id: str, pixels) -> None: """Send pixels to a device via cached idle client. Reuses a cached connection to avoid repeated serial reconnections (which trigger Arduino bootloader reset on Adalight devices). + + Send failures are logged and swallowed (best-effort per-frame send). + Callers that need a *guaranteed* clear — e.g. session teardown that + must "never leave the device dark" — must NOT rely on this returning + cleanly; use ``_send_clear_pixels`` (which retries once) and treat a + propagated exception as a failed clear. """ try: client = await self._get_idle_client(device_id) diff --git a/server/src/ledgrab/core/processing/effect_stream.py b/server/src/ledgrab/core/processing/effect_stream.py index 4b98069..e63b61c 100644 --- a/server/src/ledgrab/core/processing/effect_stream.py +++ b/server/src/ledgrab/core/processing/effect_stream.py @@ -973,13 +973,18 @@ class EffectColorStripStream(ColorStripStream): # Use noise at very low frequency for blob movement np.multiply(self._s_arange, scale * 0.03, out=self._s_f32_a) - # Two blob layers at different speeds for organic movement + # Two blob layers at different speeds for organic movement. + # fbm() returns a shared internal buffer that the next fbm() call + # overwrites, so each layer must be copied out — write into the + # preallocated scratch buffers instead of allocating per frame. self._s_f32_a += t * speed * 0.1 - layer1 = self._noise.fbm(self._s_f32_a, octaves=3).copy() + layer1 = self._s_layer1 + np.copyto(layer1, self._noise.fbm(self._s_f32_a, octaves=3)) np.multiply(self._s_arange, scale * 0.05, out=self._s_f32_a) self._s_f32_a += t * speed * 0.07 + 100.0 - layer2 = self._noise.fbm(self._s_f32_a, octaves=2).copy() + layer2 = self._s_layer2 + np.copyto(layer2, self._noise.fbm(self._s_f32_a, octaves=2)) # Combine: create blob-like shapes with soft edges combined = self._s_f32_a diff --git a/server/src/ledgrab/core/processing/wled_target_processor.py b/server/src/ledgrab/core/processing/wled_target_processor.py index b820522..6bd0a59 100644 --- a/server/src/ledgrab/core/processing/wled_target_processor.py +++ b/server/src/ledgrab/core/processing/wled_target_processor.py @@ -739,10 +739,19 @@ class WledTargetProcessor(TargetProcessor): self._last_preview_data = data - async def _send_safe(ws): + # Bound each per-client send to roughly one frame interval so a slow or + # backpressured preview WebSocket can never throttle the device send + # cadence. Clients that time out or error are dropped from the set. + eff_fps = self._effective_fps if self._effective_fps > 0 else 30 + send_timeout = 1.0 / eff_fps + + async def _send_safe(ws) -> bool: try: - await ws.send_bytes(data) + await asyncio.wait_for(ws.send_bytes(data), timeout=send_timeout) return True + except asyncio.TimeoutError: + logger.debug("LED preview broadcast WS send timed out (slow client dropped)") + return False except Exception as e: logger.debug("LED preview broadcast WS send failed: %s", e) return False diff --git a/server/src/ledgrab/core/scenes/playlist_engine.py b/server/src/ledgrab/core/scenes/playlist_engine.py index 71a0763..1a401ef 100644 --- a/server/src/ledgrab/core/scenes/playlist_engine.py +++ b/server/src/ledgrab/core/scenes/playlist_engine.py @@ -138,22 +138,42 @@ class PlaylistEngine: """Stop the playlist only if ``playlist_id`` is the one running. Used when a playlist is deleted or edited so a stale snapshot can't keep - cycling. + cycling. The read-compare and the stop happen atomically under the + lifecycle lock so a concurrent natural-end / start can't slip a + different playlist in between the check and the stop. """ - if self._state is not None and self._state.playlist_id == playlist_id: - await self.stop() + async with self._lifecycle_lock: + state = self._state + if state is None or state.playlist_id != playlist_id: + return + was_running = self._task is not None + await self._cancel_task() + stopped_id = self._state.playlist_id if self._state else playlist_id + self._state = None + if was_running: + self._fire_event("stopped", playlist_id=stopped_id) + logger.info("Playlist stopped") # ===== Query API (used by routes) ===== def is_running(self) -> bool: - return self._task is not None and not self._task.done() + # Snapshot the task ref so a concurrent clear (set to None at an await + # boundary) can't turn the deref into an attribute error mid-read. + task = self._task + return task is not None and not task.done() def get_running_playlist_id(self) -> str | None: - return self._state.playlist_id if self._state else None + state = self._state + return state.playlist_id if state else None def get_state(self) -> dict: - if self._state is not None and self.is_running(): - return self._state.to_dict() + # Snapshot both refs once: the event loop won't preempt this sync method + # between the reads, but snapshotting also guards against ever returning + # a half-cleared state (running True while _state is already None). + state = self._state + task = self._task + if state is not None and task is not None and not task.done(): + return state.to_dict() return dict(_IDLE_STATE) # ===== Internal ===== @@ -201,13 +221,25 @@ class PlaylistEngine: break # Natural end (non-loop or guard). Clear state without recursing - # through stop() (which would try to cancel this very task). Guard - # against a concurrent start_playlist having already replaced us: - # only clear if we are still the engine's current task. - if self._task is asyncio.current_task(): - self._task = None - ended_id = self._state.playlist_id if self._state else None - self._state = None + # through stop() (which would try to cancel this very task). Take + # the lifecycle lock so the clear + 'stopped' event are atomic with + # respect to a concurrent start/stop/stop_if_running — otherwise the + # two could interleave and emit duplicate or contradictory terminal + # events. _run never calls _cancel_task and never otherwise holds + # this lock, so acquiring it here cannot deadlock; if a canceller + # holding the lock cancels us while we wait to acquire it, the + # acquire raises CancelledError and we fall through to the handler. + ended_id = None + should_fire = False + async with self._lifecycle_lock: + # Re-check under the lock: a concurrent start_playlist may have + # replaced us while we waited. Only clear if we're still current. + if self._task is asyncio.current_task(): + self._task = None + ended_id = self._state.playlist_id if self._state else None + self._state = None + should_fire = True + if should_fire: self._fire_event("stopped", playlist_id=ended_id) logger.info("Playlist '%s' finished", playlist_id) except asyncio.CancelledError: diff --git a/server/src/ledgrab/main.py b/server/src/ledgrab/main.py index a28402b..2a1b08c 100644 --- a/server/src/ledgrab/main.py +++ b/server/src/ledgrab/main.py @@ -453,6 +453,13 @@ async def lifespan(app: FastAPI): # Stop the playlist engine so its cycling task can't apply scenes mid-shutdown. await _bounded("playlist_engine.stop", playlist_engine.stop(), timeout=1.0) + # Tear down any active calibration session BEFORE stop_all so the device + # isn't left stuck in the white-chase and its prior target is restored. + # stop() is a no-op when no session is active. + from ledgrab.core.capture.calibration_session import get_calibration_session + + await _bounded("calibration_session.stop", get_calibration_session().stop(), timeout=1.0) + # Stop discovery watcher and OS notification listener so they stop # firing events into a shutting-down processor manager. if discovery_watcher is not None: diff --git a/server/src/ledgrab/static/css/calibration.css b/server/src/ledgrab/static/css/calibration.css index b4c5b3c..6cf8f99 100644 --- a/server/src/ledgrab/static/css/calibration.css +++ b/server/src/ledgrab/static/css/calibration.css @@ -79,6 +79,12 @@ opacity: 1; } +.preview-screen-total:focus-visible { + opacity: 1; + outline: 2px solid var(--primary-color); + outline-offset: 2px; +} + .preview-screen-total.mismatch { color: #FFC107; } @@ -123,6 +129,12 @@ background: rgba(128, 128, 128, 0.25); } +.edge-toggle:focus-visible { + background: rgba(128, 128, 128, 0.25); + outline: 2px solid var(--primary-color); + outline-offset: 2px; +} + .preview-edge.edge-disabled { opacity: 0.25; pointer-events: none; @@ -374,6 +386,13 @@ color: rgba(76, 175, 80, 0.6); } +.preview-corner:focus-visible { + color: rgba(76, 175, 80, 0.6); + outline: 2px solid var(--primary-color); + outline-offset: 2px; + border-radius: 4px; +} + .preview-corner.active:hover { transform: none; } @@ -412,6 +431,12 @@ background: rgba(255, 255, 255, 0.25); } +.direction-toggle:focus-visible { + background: rgba(255, 255, 255, 0.25); + outline: 2px solid var(--primary-color); + outline-offset: 2px; +} + .direction-toggle #direction-icon { font-size: 14px; } diff --git a/server/src/ledgrab/static/css/components.css b/server/src/ledgrab/static/css/components.css index 2f390dc..d1f8bb5 100644 --- a/server/src/ledgrab/static/css/components.css +++ b/server/src/ledgrab/static/css/components.css @@ -328,7 +328,7 @@ select.field-invalid { display: block; border: 1px solid var(--border-color); border-radius: var(--radius-sm); - background: var(--surface-2, color-mix(in srgb, var(--text-color) 6%, var(--bg-color))); + background: var(--lux-bg-2); overflow: hidden; transition: border-color 0.15s ease, box-shadow 0.15s ease; } @@ -396,10 +396,10 @@ select.field-invalid { /* Token palette — restrained, three accents plus muted operators. */ .jinja-hl .tok-str { color: var(--success-color); } -.jinja-hl .tok-num { color: #d19a66; } +.jinja-hl .tok-num { color: var(--ch-amber); } .jinja-hl .tok-fn { color: var(--primary-color); font-weight: 600; } -.jinja-hl .tok-raw { color: #c678dd; font-style: italic; } -.jinja-hl .tok-var { color: #61afef; } +.jinja-hl .tok-raw { color: var(--ch-violet); font-style: italic; } +.jinja-hl .tok-var { color: var(--ch-cyan); } .jinja-hl .tok-op { color: var(--text-muted); } /* ── Template-input rows ─────────────────────────────────────── */ @@ -496,8 +496,8 @@ select.field-invalid { font-size: 0.76rem; padding: 1px 6px; border-radius: var(--radius-pill); - background: color-mix(in srgb, #61afef 16%, transparent); - color: #61afef; + background: color-mix(in srgb, var(--ch-cyan) 16%, transparent); + color: var(--ch-cyan); } .jinja-hints-examples { margin: 4px 0 0; padding-left: 0; list-style: none; } @@ -918,7 +918,12 @@ input:-webkit-autofill:focus { .discovery-item:focus-visible, .tag-chip-remove:focus-visible, .cs-filter-reset:focus-visible, -.graph-filter-clear:focus-visible { +.graph-filter-clear:focus-visible, +.wizard-discovery-item:focus-visible, +.wizard-display-item:focus-visible, +.autocal-corner-btn:focus-visible, +.autocal-direction-btn:focus-visible, +.scene-target-add-slot:focus-visible { outline: 2px solid var(--primary-color); outline-offset: 2px; } @@ -1118,7 +1123,8 @@ textarea:focus-visible { font-weight: 700; line-height: 1; } -.scene-target-add-slot:hover:not(:disabled) { +.scene-target-add-slot:hover:not(:disabled), +.scene-target-add-slot:focus-visible:not(:disabled) { background: repeating-linear-gradient(135deg, color-mix(in srgb, var(--st-ch) 12%, transparent) 0 6px, @@ -1625,14 +1631,14 @@ textarea:focus-visible { padding: 6px 12px; border: 1px solid var(--border-color, #333); border-radius: 6px; - background: var(--surface-2, #1e1e2e); + background: var(--lux-bg-2); color: var(--text-secondary, #999); font-size: 0.8rem; cursor: pointer; transition: background 0.15s, color 0.15s, border-color 0.15s; } .type-picker-tab:hover { - background: var(--surface-3, #2a2a3e); + background: var(--lux-bg-3); color: var(--text-primary, #e0e0e0); } .type-picker-tab.active { @@ -2326,7 +2332,7 @@ textarea:focus-visible { .autocal-step-desc { font-size: 0.85rem; - color: var(--text-muted, var(--secondary-text-color)); + color: var(--text-muted); line-height: 1.5; margin: 0; } @@ -2355,7 +2361,8 @@ textarea:focus-visible { font-weight: 500; text-align: center; } -.autocal-corner-btn:hover { +.autocal-corner-btn:hover, +.autocal-corner-btn:focus-visible { border-color: var(--primary-color); background: color-mix(in srgb, var(--primary-color) 8%, var(--card-bg)); color: var(--primary-color); @@ -2424,7 +2431,8 @@ textarea:focus-visible { font-weight: 500; text-align: center; } -.autocal-direction-btn:hover { +.autocal-direction-btn:hover, +.autocal-direction-btn:focus-visible { border-color: var(--primary-color); background: color-mix(in srgb, var(--primary-color) 8%, var(--card-bg)); color: var(--primary-color); @@ -2442,7 +2450,7 @@ textarea:focus-visible { border: 1px solid color-mix(in srgb, var(--primary-color) 20%, var(--border-color)); border-radius: var(--radius-sm, 6px); font-size: 0.8rem; - color: var(--text-muted, var(--secondary-text-color)); + color: var(--text-muted); } .autocal-led-dot { @@ -2489,7 +2497,7 @@ textarea:focus-visible { justify-content: center; font-size: 0.7rem; font-weight: 700; - color: var(--text-muted, var(--secondary-text-color)); + color: var(--text-muted); transition: border-color 0.2s, background 0.2s, color 0.2s; flex-shrink: 0; } @@ -2618,7 +2626,7 @@ textarea:focus-visible { } .autocal-solved-key { - color: var(--text-muted, var(--secondary-text-color)); + color: var(--text-muted); flex-shrink: 0; min-width: 68px; } @@ -2720,7 +2728,7 @@ textarea:focus-visible { font-size: 0.7rem; font-weight: 700; background: var(--bg-secondary, var(--bg-2, #2a2a2a)); - color: var(--text-muted, var(--secondary-text-color)); + color: var(--text-muted); border: 1.5px solid var(--border-color); transition: background 0.2s, color 0.2s, border-color 0.2s; } @@ -2775,7 +2783,7 @@ textarea:focus-visible { } .wizard-step-desc { font-size: 0.85rem; - color: var(--text-muted, var(--secondary-text-color)); + color: var(--text-muted); line-height: 1.5; margin: 0; } @@ -2829,7 +2837,7 @@ textarea:focus-visible { font-weight: 600; letter-spacing: 0.04em; text-transform: uppercase; - color: var(--text-muted, var(--secondary-text-color)); + color: var(--text-muted); padding-bottom: 4px; } .wizard-section-label--scan { @@ -2860,7 +2868,7 @@ textarea:focus-visible { gap: 10px; padding: 14px 12px; font-size: 0.85rem; - color: var(--text-muted, var(--secondary-text-color)); + color: var(--text-muted); background: var(--card-bg); border: 1px solid var(--border-color); border-radius: var(--radius-md, 8px); @@ -2868,7 +2876,7 @@ textarea:focus-visible { .wizard-discovery-empty { padding: 14px 12px; font-size: 0.85rem; - color: var(--text-muted, var(--secondary-text-color)); + color: var(--text-muted); background: var(--card-bg); border: 1px solid var(--border-color); border-radius: var(--radius-md, 8px); @@ -2891,7 +2899,8 @@ textarea:focus-visible { width: 100%; transition: border-color 0.15s, background 0.15s; } -.wizard-discovery-item:hover { +.wizard-discovery-item:hover, +.wizard-discovery-item:focus-visible { border-color: var(--primary-color); background: color-mix(in srgb, var(--primary-color) 5%, var(--card-bg)); } @@ -2899,7 +2908,7 @@ textarea:focus-visible { .wizard-discovery-icon .icon { width: 20px; height: 20px; } .wizard-discovery-details { display: flex; flex-direction: column; gap: 2px; flex: 1; min-width: 0; } .wizard-discovery-name { font-size: 0.88rem; font-weight: 600; color: var(--text-color); white-space: nowrap; overflow: hidden; text-overflow: ellipsis; } -.wizard-discovery-url { font-size: 0.78rem; color: var(--text-muted, var(--secondary-text-color)); white-space: nowrap; overflow: hidden; text-overflow: ellipsis; } +.wizard-discovery-url { font-size: 0.78rem; color: var(--text-muted); white-space: nowrap; overflow: hidden; text-overflow: ellipsis; } .wizard-discovery-badge { font-size: 0.68rem; font-weight: 700; @@ -2926,7 +2935,8 @@ textarea:focus-visible { width: 100%; transition: border-color 0.15s, background 0.15s; } -.wizard-display-item:hover { +.wizard-display-item:hover, +.wizard-display-item:focus-visible { border-color: var(--primary-color); background: color-mix(in srgb, var(--primary-color) 5%, var(--card-bg)); } @@ -2938,7 +2948,7 @@ textarea:focus-visible { .wizard-display-icon .icon { width: 20px; height: 20px; } .wizard-display-details { display: flex; flex-direction: column; gap: 2px; flex: 1; } .wizard-display-name { font-size: 0.88rem; font-weight: 600; color: var(--text-color); } -.wizard-display-dims { font-size: 0.78rem; color: var(--text-muted, var(--secondary-text-color)); } +.wizard-display-dims { font-size: 0.78rem; color: var(--text-muted); } .wizard-display-check { color: var(--primary-color); } .wizard-display-check .icon { width: 16px; height: 16px; } .wizard-display-fallback { display: flex; flex-direction: column; gap: 12px; } @@ -2953,7 +2963,7 @@ textarea:focus-visible { border: 1px solid var(--border-color); border-radius: var(--radius-md, 8px); } -.wizard-scaffold-label { font-size: 0.88rem; color: var(--text-muted, var(--secondary-text-color)); } +.wizard-scaffold-label { font-size: 0.88rem; color: var(--text-muted); } /* Calibrate container */ .wizard-calibrate-container { @@ -2990,7 +3000,7 @@ textarea:focus-visible { padding: 12px 16px; } .wizard-done-item { display: flex; justify-content: space-between; align-items: center; font-size: 0.85rem; gap: 12px; } -.wizard-done-label { color: var(--text-muted, var(--secondary-text-color)); } +.wizard-done-label { color: var(--text-muted); } .wizard-done-value { font-weight: 600; color: var(--text-color); text-align: right; } /* Wizard form rows */ diff --git a/server/src/ledgrab/static/css/modal.css b/server/src/ledgrab/static/css/modal.css index 8ca6cd2..718b500 100644 --- a/server/src/ledgrab/static/css/modal.css +++ b/server/src/ledgrab/static/css/modal.css @@ -2512,7 +2512,11 @@ padding-top: 8px; } -.error-message { +/* `.modal-error` is the convention recommended in contexts/frontend.md and is + used by several modals; it aliases `.error-message` so both render the same + inline error banner. */ +.error-message, +.modal-error { background: color-mix(in srgb, var(--danger-color) 10%, transparent); /* --danger-color tint */ border: 1px solid var(--danger-color); color: var(--danger-color); diff --git a/server/src/ledgrab/static/js/features/auto-calibration.ts b/server/src/ledgrab/static/js/features/auto-calibration.ts index ca583c8..d64a908 100644 --- a/server/src/ledgrab/static/js/features/auto-calibration.ts +++ b/server/src/ledgrab/static/js/features/auto-calibration.ts @@ -98,6 +98,9 @@ export interface AutoCalOptions { let _state: AutoCalState | null = null; let _opts: AutoCalOptions | null = null; let _deviceEntitySelect: EntitySelect | null = null; +/** First render after mount: let the containing Modal's autofocus win; only + * steal focus on subsequent step transitions (for D-pad / TV navigation). */ +let _firstRender = true; // ── Public API ───────────────────────────────────────────────────────────── @@ -119,6 +122,7 @@ let _deviceEntitySelect: EntitySelect | null = null; */ export async function mountAutoCalibration(opts: AutoCalOptions): Promise { await unmountAutoCalibration(); + _firstRender = true; _opts = opts; let cssSourceType = 'picture'; @@ -177,6 +181,27 @@ function _render(): void { case 'corners': _renderCorners(); break; case 'preview': _renderPreview(); break; } + _focusFirstControl(); +} + +/** + * Move focus to the step's first focusable control after a re-render so D-pad / + * TV WebView users don't land on a node that was just removed. Skipped on the + * very first render so it doesn't fight the Modal's own initial autofocus. + */ +function _focusFirstControl(): void { + if (_firstRender) { + _firstRender = false; + return; + } + const container = _opts?.container; + if (!container) return; + requestAnimationFrame(() => { + const el = container.querySelector( + 'button:not([disabled]),[href],input:not([disabled]),select:not([disabled]),textarea:not([disabled])' + ) as HTMLElement | null; + if (el && el.offsetParent !== null) el.focus(); + }); } // ── Step 1: Device picker ────────────────────────────────────────────────── @@ -309,10 +334,15 @@ export async function autoCalSetCorner(position: StartPosition): Promise { // LED is at index 0; advance to ~5% to show movement direction await _setPosition(0); await _delay(350); + // User may have cancelled during the delay (unmount sets _state = null). + if (!_state) return; const advance = Math.max(4, Math.round(_state.ledCount * 0.04)); await _setPosition(advance); + if (!_state) return; _state.busy = false; } catch (err: unknown) { + // _state may have been torn down mid-await by a cancel. + if (!_state) return; _state.busy = false; _state.errorMsg = _errMsg(err); _state.step = 'corner'; // revert on error diff --git a/server/src/ledgrab/static/js/features/calibration.ts b/server/src/ledgrab/static/js/features/calibration.ts index 63545d3..d9d578c 100644 --- a/server/src/ledgrab/static/js/features/calibration.ts +++ b/server/src/ledgrab/static/js/features/calibration.ts @@ -64,6 +64,14 @@ class CalibrationModal extends Modal { if (testGroup) testGroup.style.display = 'none'; const testSection = document.getElementById('calibration-test-setup-section'); if (testSection) testSection.style.display = 'none'; + // Destroy the test-device EntitySelect; otherwise the instance leaks and + // leaves a stale enhanced trigger button in the DOM until the next open. + if (_calTestDeviceEntitySelect) { + _calTestDeviceEntitySelect.destroy(); + _calTestDeviceEntitySelect = null; + } + const testDeviceSelect = document.getElementById('calibration-test-device') as HTMLSelectElement | null; + if (testDeviceSelect) testDeviceSelect.onchange = null; } else { const deviceId = (this.$('calibration-device-id') as HTMLInputElement).value; if (deviceId) clearTestMode(deviceId); diff --git a/server/src/ledgrab/static/js/features/color-strips/test.ts b/server/src/ledgrab/static/js/features/color-strips/test.ts index aca20c0..23529b0 100644 --- a/server/src/ledgrab/static/js/features/color-strips/test.ts +++ b/server/src/ledgrab/static/js/features/color-strips/test.ts @@ -151,6 +151,15 @@ let _cssTestWs: WebSocket | null = null; let _cssTestRaf: number | null = null; let _cssTestLatestRgb: Uint8Array | null = null; let _cssTestMeta: any = null; +// Set true when a WS frame updates the latest RGB / layer data; the render loop +// only repaints when a new frame has arrived, then clears it. Avoids re-rendering +// the same frame every RAF tick on low-powered devices (e.g. Android TV WebView). +let _cssTestFrameDirty: boolean = false; +// Per-canvas render caches: reuse the 2d context and a single ImageData buffer +// instead of calling getContext()/createImageData() and resetting width/height +// every frame. ImageData is rebuilt only when the canvas LED count changes. +const _cssTestCtxCache = new WeakMap(); +const _cssTestImageDataCache = new WeakMap(); let _cssTestSourceId: string | null = null; let _cssTestIsComposite: boolean = false; let _cssTestLayerData: any = null; // { layerCount, ledCount, layers: [Uint8Array], composite: Uint8Array } @@ -234,6 +243,7 @@ function _testKeyColorsSource(sourceId: string) { _cssTestLatestRgb = null; _cssTestMeta = null; _cssTestLayerData = null; + _cssTestFrameDirty = false; const modal = document.getElementById('test-css-source-modal') as HTMLElement | null; if (!modal) return; @@ -414,6 +424,7 @@ function _openTestModal(sourceId: string) { _cssTestIsComposite = false; _cssTestIsKeyColors = false; _cssTestLayerData = null; + _cssTestFrameDirty = false; const modal = document.getElementById('test-css-source-modal') as HTMLElement | null; if (!modal) return; @@ -636,6 +647,8 @@ function _cssTestConnect(sourceId: string, ledCount: number, fps?: number) { // Standard format: raw RGB _cssTestLatestRgb = raw; } + // Mark a new frame so the render loop repaints on the next RAF tick. + _cssTestFrameDirty = true; // Track FPS for api_input sources if (_cssTestIsApiInput) { @@ -756,6 +769,7 @@ export function applyCssTestSettings() { _cssTestLatestRgb = null; _cssTestMeta = null; _cssTestLayerData = null; + _cssTestFrameDirty = false; // Read selected input source from selector (both CSS and CSPT modes) const inputSel = document.getElementById('css-test-cspt-input-select') as HTMLSelectElement | null; @@ -774,6 +788,9 @@ export function applyCssTestSettings() { function _cssTestRenderLoop() { _cssTestRaf = requestAnimationFrame(_cssTestRenderLoop); if (!_cssTestMeta) return; + // Skip repaint when no new WS frame has arrived since the last render. + if (!_cssTestFrameDirty) return; + _cssTestFrameDirty = false; const isPicture = _cssTestMeta.edges && _cssTestMeta.edges.length > 0; @@ -786,14 +803,40 @@ function _cssTestRenderLoop() { } } +// Returns a cached 2d context and a reusable ImageData for the canvas, only +// resizing the canvas / rebuilding the ImageData when the requested dimensions +// differ from the cached ones. Returns null if a 2d context is unavailable. +function _cssTestAcquireCanvas( + canvas: HTMLCanvasElement, + w: number, + h: number, +): { ctx: CanvasRenderingContext2D; imageData: ImageData } | null { + let ctx = _cssTestCtxCache.get(canvas); + if (!ctx) { + const got = canvas.getContext('2d'); + if (!got) return null; + ctx = got; + _cssTestCtxCache.set(canvas, ctx); + } + // Only touch width/height when they actually change (resetting them clears + // the backing store and is expensive). + if (canvas.width !== w) canvas.width = w; + if (canvas.height !== h) canvas.height = h; + let cached = _cssTestImageDataCache.get(canvas); + if (!cached || cached.w !== w || cached.h !== h) { + cached = { w, h, imageData: ctx.createImageData(w, h) }; + _cssTestImageDataCache.set(canvas, cached); + } + return { ctx, imageData: cached.imageData }; +} + function _cssTestRenderStrip(rgbBytes: Uint8Array) { const canvas = document.getElementById('css-test-strip-canvas') as HTMLCanvasElement | null; if (!canvas) return; const ledCount = rgbBytes.length / 3; - canvas.width = ledCount; - canvas.height = 1; - const ctx = canvas.getContext('2d')!; - const imageData = ctx.createImageData(ledCount, 1); + const acquired = _cssTestAcquireCanvas(canvas, ledCount, 1); + if (!acquired) return; + const { ctx, imageData } = acquired; const data = imageData.data; for (let i = 0; i < ledCount; i++) { const si = i * 3; @@ -824,10 +867,9 @@ function _cssTestRenderLayers(data: any) { function _cssTestRenderStripCanvas(canvas: HTMLCanvasElement, rgbBytes: Uint8Array) { const ledCount = rgbBytes.length / 3; if (ledCount <= 0) return; - canvas.width = ledCount; - canvas.height = 1; - const ctx = canvas.getContext('2d')!; - const imageData = ctx.createImageData(ledCount, 1); + const acquired = _cssTestAcquireCanvas(canvas, ledCount, 1); + if (!acquired) return; + const { ctx, imageData } = acquired; const data = imageData.data; for (let i = 0; i < ledCount; i++) { const si = i * 3; @@ -852,13 +894,17 @@ function _cssTestRenderRect(rgbBytes: Uint8Array, edges: any[]) { const canvas = document.getElementById(`css-test-edge-${edge}`) as HTMLCanvasElement | null; if (!canvas) continue; const count = indices.length; - if (count === 0) { canvas.width = 0; continue; } + if (count === 0) { + if (canvas.width !== 0) canvas.width = 0; + continue; + } const isH = edge === 'top' || edge === 'bottom'; - canvas.width = isH ? count : 1; - canvas.height = isH ? 1 : count; - const ctx = canvas.getContext('2d')!; - const imageData = ctx.createImageData(canvas.width, canvas.height); + const w = isH ? count : 1; + const h = isH ? 1 : count; + const acquired = _cssTestAcquireCanvas(canvas, w, h); + if (!acquired) continue; + const { ctx, imageData } = acquired; const px = imageData.data; for (let i = 0; i < count; i++) { const si = indices[i] * 3; @@ -1185,6 +1231,7 @@ export function closeTestCssSourceModal() { _cssTestIsComposite = false; _cssTestIsKeyColors = false; _cssTestLayerData = null; + _cssTestFrameDirty = false; _cssTestNotificationIds = []; _cssTestIsApiInput = false; _cssTestStopFpsSampling(); diff --git a/server/src/ledgrab/static/js/features/setup-wizard.ts b/server/src/ledgrab/static/js/features/setup-wizard.ts index a218390..3cc05ea 100644 --- a/server/src/ledgrab/static/js/features/setup-wizard.ts +++ b/server/src/ledgrab/static/js/features/setup-wizard.ts @@ -76,6 +76,9 @@ interface WizardState { let _state: WizardState | null = null; let _modal: SetupWizardModal | null = null; +/** First render after open: let the Modal's own autofocus win; only steal focus + * on subsequent step transitions (for D-pad / TV navigation). */ +let _firstRender = true; const STEPS: WizardStep[] = ['welcome', 'device', 'display', 'scaffold', 'calibrate', 'start', 'done']; @@ -95,6 +98,7 @@ class SetupWizardModal extends Modal { /** Open the wizard (first-run or on-demand). */ export function openSetupWizard(): void { if (!_modal) _modal = new SetupWizardModal(); + _firstRender = true; _state = { step: 'welcome', deviceId: '', @@ -201,8 +205,18 @@ export async function wizardNext(): Promise { _renderStep(); await _runScaffold(); } else if (step === 'calibrate') { - // "Skip calibration" path — move to start - void unmountAutoCalibration(); + // "Skip calibration" path — move to start. + // Mark busy BEFORE the await so a fast second tap on Skip/Next can't + // re-enter wizardNext (gated at the top) and fire a second teardown + + // start during the up-to-10s unmount await. _startOutput() manages + // busy itself afterward. + _state.busy = true; + _renderStep(); + // Await teardown first: unmountAutoCalibration() POSTs session/stop, which + // restores the device's prior target. Starting output before that completes + // would let the stop clobber the just-started target. + await unmountAutoCalibration(); + if (!_state) return; _state.step = 'start'; _renderStep(); await _startOutput(); @@ -361,12 +375,15 @@ async function _loadDisplays(): Promise { } } -export function wizardSelectDisplay(index: number, displayName: string): void { +export function wizardSelectDisplay(index: number, displayName: string, skipRender = false): void { if (!_state) return; _state.displayIndex = index; _state.displayName = displayName; _state.errorMsg = ''; - _renderStep(); + // The manual display-index fallback passes skipRender=true: a full + // _renderStep() rebuilds the container via innerHTML, destroying the input + // and losing focus/caret on every keystroke (unusable on Android TV WebView). + if (!skipRender) _renderStep(); } // ───────────────────────────────────────────────────────────────────────────── @@ -469,6 +486,25 @@ function _renderStep(): void { const html = _buildStepHtml(_state); container.innerHTML = html; _attachStepListeners(_state.step); + _focusFirstControl(container); +} + +/** + * Move focus to the step's first focusable control after a re-render so D-pad / + * TV WebView users don't land on a node that was just removed. Skipped on the + * very first render so it doesn't fight the Modal's own initial autofocus. + */ +function _focusFirstControl(container: HTMLElement): void { + if (_firstRender) { + _firstRender = false; + return; + } + requestAnimationFrame(() => { + const el = container.querySelector( + 'button:not([disabled]),[href],input:not([disabled]),select:not([disabled]),textarea:not([disabled])' + ) as HTMLElement | null; + if (el && el.offsetParent !== null) el.focus(); + }); } function _renderProgressBar(): void { @@ -654,7 +690,7 @@ function _buildDisplayStep(state: WizardState): string { + oninput="wizardSelectDisplay(parseInt(this.value)||0, 'Display '+this.value, true)"> `; } else { diff --git a/server/src/ledgrab/static/locales/en.json b/server/src/ledgrab/static/locales/en.json index 33d6e27..a36cfec 100644 --- a/server/src/ledgrab/static/locales/en.json +++ b/server/src/ledgrab/static/locales/en.json @@ -645,6 +645,16 @@ "calibration.roi.width": "Width (%)", "calibration.roi.height": "Height (%)", "calibration.border_width.hint": "How many pixels from the screen edge to sample for LED colors (1-100)", + "calibration.edge.top": "Toggle top edge test LEDs", + "calibration.edge.right": "Toggle right edge test LEDs", + "calibration.edge.bottom": "Toggle bottom edge test LEDs", + "calibration.edge.left": "Toggle left edge test LEDs", + "calibration.corner.top_left": "Set start position: top left", + "calibration.corner.top_right": "Set start position: top right", + "calibration.corner.bottom_right": "Set start position: bottom right", + "calibration.corner.bottom_left": "Set start position: bottom left", + "calibration.direction.toggle": "Toggle direction", + "calibration.edge_inputs.toggle": "Toggle edge LED inputs", "calibration.button.cancel": "Cancel", "calibration.button.save": "Save", "calibration.saved": "Calibration saved", diff --git a/server/src/ledgrab/static/locales/ru.json b/server/src/ledgrab/static/locales/ru.json index 4f5047c..f907246 100644 --- a/server/src/ledgrab/static/locales/ru.json +++ b/server/src/ledgrab/static/locales/ru.json @@ -702,6 +702,16 @@ "calibration.roi.width": "Ширина (%)", "calibration.roi.height": "Высота (%)", "calibration.border_width.hint": "Сколько пикселей от края экрана выбирать для цвета LED (1-100)", + "calibration.edge.top": "Переключить тестовые светодиоды верхнего края", + "calibration.edge.right": "Переключить тестовые светодиоды правого края", + "calibration.edge.bottom": "Переключить тестовые светодиоды нижнего края", + "calibration.edge.left": "Переключить тестовые светодиоды левого края", + "calibration.corner.top_left": "Задать начальную позицию: верхний левый угол", + "calibration.corner.top_right": "Задать начальную позицию: верхний правый угол", + "calibration.corner.bottom_right": "Задать начальную позицию: нижний правый угол", + "calibration.corner.bottom_left": "Задать начальную позицию: нижний левый угол", + "calibration.direction.toggle": "Переключить направление", + "calibration.edge_inputs.toggle": "Переключить поля ввода светодиодов по краям", "calibration.button.cancel": "Отмена", "calibration.button.save": "Сохранить", "calibration.saved": "Калибровка сохранена", diff --git a/server/src/ledgrab/static/locales/zh.json b/server/src/ledgrab/static/locales/zh.json index 66097cb..2058c38 100644 --- a/server/src/ledgrab/static/locales/zh.json +++ b/server/src/ledgrab/static/locales/zh.json @@ -698,6 +698,16 @@ "calibration.roi.width": "宽度 (%)", "calibration.roi.height": "高度 (%)", "calibration.border_width.hint": "从屏幕边缘采样多少像素来确定 LED 颜色(1-100)", + "calibration.edge.top": "切换顶部边缘测试 LED", + "calibration.edge.right": "切换右侧边缘测试 LED", + "calibration.edge.bottom": "切换底部边缘测试 LED", + "calibration.edge.left": "切换左侧边缘测试 LED", + "calibration.corner.top_left": "设置起始位置:左上角", + "calibration.corner.top_right": "设置起始位置:右上角", + "calibration.corner.bottom_right": "设置起始位置:右下角", + "calibration.corner.bottom_left": "设置起始位置:左下角", + "calibration.direction.toggle": "切换方向", + "calibration.edge_inputs.toggle": "切换边缘 LED 输入", "calibration.button.cancel": "取消", "calibration.button.save": "保存", "calibration.saved": "校准已保存", diff --git a/server/src/ledgrab/storage/game_integration.py b/server/src/ledgrab/storage/game_integration.py index 080b4d9..3669e2b 100644 --- a/server/src/ledgrab/storage/game_integration.py +++ b/server/src/ledgrab/storage/game_integration.py @@ -10,6 +10,48 @@ from dataclasses import dataclass, field from datetime import datetime, timezone from typing import Any, List +from ledgrab.utils import secret_box + +# Keys inside ``adapter_config`` that hold secrets and must be encrypted at +# rest (and decrypted on load). Mirrors the secret_box pattern used by +# storage/http_endpoint.py for its ``auth_token`` field. +_SECRET_CONFIG_KEYS = ("auth_token",) + + +def _encrypt_adapter_config(adapter_config: dict[str, Any]) -> dict[str, Any]: + """Return a copy of *adapter_config* with secret values encrypted. + + ``secret_box.encrypt`` is a no-op on already-encrypted envelopes, so this + is safe to call repeatedly and on configs that were never plaintext. + """ + result = dict(adapter_config) + for key in _SECRET_CONFIG_KEYS: + value = result.get(key) + if isinstance(value, str) and value: + result[key] = secret_box.encrypt(value) + return result + + +def _decrypt_adapter_config(adapter_config: dict[str, Any]) -> dict[str, Any]: + """Return a copy of *adapter_config* with secret values decrypted. + + Migration-safe: ``secret_box.decrypt`` returns the input unchanged when it + is not an encryption envelope, so legacy plaintext rows still load. On a + corrupt/undecryptable envelope, fall back to dropping the value rather than + crashing the whole store load. + """ + result = dict(adapter_config) + for key in _SECRET_CONFIG_KEYS: + value = result.get(key) + if isinstance(value, str) and value: + if secret_box.is_encrypted(value): + try: + result[key] = secret_box.decrypt(value) + except Exception: + result[key] = "" + # else: legacy plaintext — leave as-is (migration-safe read path). + return result + @dataclass class EventMapping: @@ -89,7 +131,8 @@ class GameIntegrationConfig: "name": self.name, "adapter_type": self.adapter_type, "enabled": self.enabled, - "adapter_config": dict(self.adapter_config), + # Encrypt secret values (e.g. webhook auth_token) at rest. + "adapter_config": _encrypt_adapter_config(self.adapter_config), "event_mappings": [m.to_dict() for m in self.event_mappings], "created_at": self.created_at.isoformat(), "updated_at": self.updated_at.isoformat(), @@ -110,7 +153,8 @@ class GameIntegrationConfig: name=data["name"], adapter_type=data["adapter_type"], enabled=data.get("enabled", True), - adapter_config=data.get("adapter_config", {}), + # Decrypt secret values; tolerant of legacy-plaintext rows. + adapter_config=_decrypt_adapter_config(data.get("adapter_config", {})), event_mappings=mappings, created_at=( datetime.fromisoformat(data["created_at"]) diff --git a/server/src/ledgrab/templates/modals/calibration.html b/server/src/ledgrab/templates/modals/calibration.html index 2e45d5d..0f2b5ab 100644 --- a/server/src/ledgrab/templates/modals/calibration.html +++ b/server/src/ledgrab/templates/modals/calibration.html @@ -56,10 +56,10 @@
- -
0 / 0
+
0 / 0
@@ -104,16 +104,16 @@
- - - - + + + + - - - - + + + + @@ -144,7 +144,7 @@
-
+
@@ -170,13 +170,13 @@
-
+
-
+
diff --git a/server/tests/api/routes/test_game_integration_routes.py b/server/tests/api/routes/test_game_integration_routes.py index 542a2e8..7b293ad 100644 --- a/server/tests/api/routes/test_game_integration_routes.py +++ b/server/tests/api/routes/test_game_integration_routes.py @@ -341,6 +341,64 @@ class TestEventIngestion: assert len(recent) == 1 +# --------------------------------------------------------------------------- +# Failed-auth rate limiting (brute-force defence on the ingest route) +# --------------------------------------------------------------------------- + + +@pytest.fixture +def _reset_auth_fail_limiter(): + """Clear the module-level failed-auth hit map before and after each test. + + The limiter keeps per-IP state in a process-global dict, so without this + reset, attempts from earlier tests would bleed into later ones. + """ + from ledgrab.api.routes import game_integration as gi + + gi._auth_fail_hits.clear() + yield + gi._auth_fail_hits.clear() + + +class TestIngestRateLimiting: + def test_failed_auth_attempts_are_rate_limited(self, client, _reset_auth_fail_limiter): + from ledgrab.api.routes import game_integration as gi + + created = _create_integration( + client, + adapter_config={"auth_token": "correct_token"}, + ) + integration_id = created["id"] + url = f"/api/v1/game-integrations/{integration_id}/event" + bad = {"x-auth-token": "wrong_token"} + + # Burn through the failed-auth budget — each returns 403. + for _ in range(gi._AUTH_FAIL_LIMIT): + resp = client.post(url, json={"data": {"health": 1}}, headers=bad) + assert resp.status_code == 403 + + # The next attempt from the same IP is throttled with 429. + resp = client.post(url, json={"data": {"health": 1}}, headers=bad) + assert resp.status_code == 429 + + def test_successful_ingest_not_rate_limited(self, client, event_bus, _reset_auth_fail_limiter): + from ledgrab.api.routes import game_integration as gi + + created = _create_integration( + client, + adapter_config={"auth_token": "correct_token"}, + ) + integration_id = created["id"] + url = f"/api/v1/game-integrations/{integration_id}/event" + good = {"x-auth-token": "correct_token"} + + # High-rate legitimate ingestion well past the failed-auth threshold + # must NOT be throttled — only failures count toward the limit. + for _ in range(gi._AUTH_FAIL_LIMIT + 10): + resp = client.post(url, json={"data": {"health": 50}}, headers=good) + assert resp.status_code == 204 + + # --------------------------------------------------------------------------- # Status / diagnostics tests # --------------------------------------------------------------------------- diff --git a/server/tests/core/test_generic_webhook_adapter.py b/server/tests/core/test_generic_webhook_adapter.py index 5e3544a..aaec6e4 100644 --- a/server/tests/core/test_generic_webhook_adapter.py +++ b/server/tests/core/test_generic_webhook_adapter.py @@ -102,9 +102,20 @@ class TestGenericWebhookParsing: class TestGenericWebhookAuth: - def test_no_auth_configured(self) -> None: + def test_no_auth_configured_rejects(self) -> None: + # Secure-by-default: a network-facing webhook adapter with no token + # configured must REJECT, not accept (otherwise it is open to the LAN). result = GenericWebhookAdapter.validate_auth({}, {}, {}) - assert result is True + assert result is False + + def test_empty_token_rejects(self) -> None: + # An explicitly empty token is still "no token" → reject. + result = GenericWebhookAdapter.validate_auth( + {"Authorization": "Bearer "}, + {}, + {"auth_token": ""}, + ) + assert result is False def test_bearer_auth_valid(self) -> None: result = GenericWebhookAdapter.validate_auth( @@ -156,6 +167,8 @@ class TestGenericWebhookMetadata: assert "auth_token" in schema["properties"] assert "mappings" in schema["properties"] assert "auth_header" in schema["properties"] + # auth_token is mandatory (secure-by-default). + assert "auth_token" in schema.get("required", []) def test_setup_instructions(self) -> None: instructions = GenericWebhookAdapter.get_setup_instructions() diff --git a/server/tests/core/test_playlist_engine.py b/server/tests/core/test_playlist_engine.py index 6c9c039..e0b8bb7 100644 --- a/server/tests/core/test_playlist_engine.py +++ b/server/tests/core/test_playlist_engine.py @@ -315,3 +315,175 @@ class TestEvents: async def test_stop_when_idle_fires_nothing(self, engine): await engine.stop() assert _fired_actions(engine) == [] + + +# --------------------------------------------------------------------------- +# Concurrency — delete-mid-play race (H5). The engine reads/mutates _task and +# _state across await boundaries; a deletion firing stop_if_running() while the +# _run loop is between its get_playlist re-read and the natural-end clear must +# still produce exactly ONE terminal 'stopped' transition (no duplicate / +# contradictory WS events), and get_state() must never raise nor return a +# half-cleared snapshot during the window. +# --------------------------------------------------------------------------- + + +class _DeletableStore: + """Wraps a real playlist store; ``delete_playlist`` records a tombstone so + a later ``get_playlist`` re-read raises (like the real store after a delete) + and the engine's ``_run`` loop breaks out at the cycle boundary. + """ + + def __init__(self, real): + self._real = real + self._deleted: set[str] = set() + + def get_playlist(self, playlist_id): + if playlist_id in self._deleted: + raise KeyError(playlist_id) + return self._real.get_playlist(playlist_id) + + def delete_playlist(self, playlist_id): + self._deleted.add(playlist_id) + + +class TestConcurrencyDeleteRace: + async def test_delete_and_stop_if_running_emit_single_stopped( + self, engine, playlist_store, applied + ): + # A looping playlist so _run re-reads get_playlist every cycle, giving + # us a deterministic parking point to interleave the delete + stop. + pl = _make_playlist(playlist_store, "Racy", [("scene_a", 50), ("scene_b", 50)], loop=True) + + gated = _DeletableStore(playlist_store) + engine._playlist_store = gated + + # The dwell sleep is the engine's only await between the get_playlist + # re-read and the natural-end clear. We gate the FIRST dwell: when _run + # parks there we set `entered`, then await `release`. While _run is + # suspended the test deletes the playlist and kicks stop_if_running, so + # they race _run's resumed natural-end clear under the lifecycle lock. + entered = asyncio.Event() + release = asyncio.Event() + first_dwell = {"done": False} + + async def _interleaving_sleep(_duration): + if not first_dwell["done"]: + first_dwell["done"] = True + entered.set() + await release.wait() + await _REAL_SLEEP(0.005) + + with patch("asyncio.sleep", _interleaving_sleep): + await engine.start_playlist(pl.id) + + # Wait until _run is parked inside the first dwell (mid-cycle). + await asyncio.wait_for(entered.wait(), timeout=2.0) + + # get_state during the window must not raise and must be coherent: + # either fully running or fully idle — never half-cleared. + snap = engine.get_state() + assert isinstance(snap, dict) + assert "is_running" in snap + + # Concurrently: delete from the store AND call stop_if_running for + # the same id. Kick stop_if_running first as a task so it contends + # for the lifecycle lock with the (soon to resume) _run natural-end. + gated.delete_playlist(pl.id) + stop_task = asyncio.create_task(engine.stop_if_running(pl.id)) + + # Release _run: it finishes the dwell, re-reads (KeyError -> break), + # and races stop_task into the natural-end clear under the lock. + release.set() + + await asyncio.wait_for(stop_task, timeout=2.0) + # Drain whatever remains of the run task. + run_task = engine._task + if run_task is not None: + try: + await asyncio.wait_for(asyncio.shield(run_task), timeout=2.0) + except (asyncio.CancelledError, KeyError): + pass + + # Exactly one terminal 'stopped' transition (no duplicate/contradictory). + stopped = [e for e in _fired_events(engine) if e.get("action") == "stopped"] + assert len(stopped) == 1, f"expected exactly one stopped, got {len(stopped)}: {stopped}" + assert stopped[0]["playlist_id"] == pl.id + + # Engine fully idle and get_state coherent afterwards. + assert engine.is_running() is False + final = engine.get_state() + assert final["is_running"] is False + assert final["playlist_id"] is None + + async def test_natural_end_after_delete_emits_single_stopped( + self, engine, playlist_store, applied + ): + # Drive the OTHER ordering: the delete causes _run to break and run its + # (now lock-wrapped) natural-end clear+'stopped', while a stop_if_running + # for the same id is fired AFTER the dwell is released but races into the + # same lock. Whoever wins, exactly one 'stopped' must surface and the + # late stop_if_running must be a clean no-op (state already cleared). + pl = _make_playlist(playlist_store, "Ending", [("scene_a", 50)], loop=False) + + gated = _DeletableStore(playlist_store) + engine._playlist_store = gated + + entered = asyncio.Event() + release = asyncio.Event() + first_dwell = {"done": False} + + async def _interleaving_sleep(_duration): + if not first_dwell["done"]: + first_dwell["done"] = True + entered.set() + await release.wait() + await _REAL_SLEEP(0.005) + + with patch("asyncio.sleep", _interleaving_sleep): + await engine.start_playlist(pl.id) + await asyncio.wait_for(entered.wait(), timeout=2.0) + + # Delete and release so _run resumes -> non-loop break -> natural end. + gated.delete_playlist(pl.id) + release.set() + + # Let the run task drive its natural-end clear to completion. + run_task = engine._task + if run_task is not None: + await asyncio.wait_for(asyncio.shield(run_task), timeout=2.0) + + # A late stop_if_running for the same id is now a clean no-op. + await engine.stop_if_running(pl.id) + + stopped = [e for e in _fired_events(engine) if e.get("action") == "stopped"] + assert len(stopped) == 1, f"expected exactly one stopped, got {len(stopped)}: {stopped}" + assert stopped[0]["playlist_id"] == pl.id + assert engine.is_running() is False + assert engine.get_state()["playlist_id"] is None + + async def test_get_state_never_half_cleared_under_concurrent_stop(self, engine, playlist_store): + # Hammer get_state() while start/stop churn the lifecycle, asserting it + # never raises and never reports running with a None playlist_id. + pl = _make_playlist(playlist_store, "Churn", [("scene_a", 50)], loop=True) + + async def _churn(): + for _ in range(20): + await engine.start_playlist(pl.id) + await engine.stop() + + async def _poll(): + for _ in range(500): + s = engine.get_state() + # Coherence invariant: running implies a concrete playlist_id. + if s["is_running"]: + assert s["playlist_id"] is not None + await _REAL_SLEEP(0) + + async def _fast(_duration): + await _REAL_SLEEP(0) + + with patch("asyncio.sleep", _fast): + await asyncio.gather(_churn(), _poll()) + + await engine.stop() + assert engine.is_running() is False diff --git a/server/tests/storage/test_game_integration_store.py b/server/tests/storage/test_game_integration_store.py index e686647..66afc8f 100644 --- a/server/tests/storage/test_game_integration_store.py +++ b/server/tests/storage/test_game_integration_store.py @@ -5,6 +5,7 @@ import pytest from ledgrab.storage.base_store import EntityNotFoundError from ledgrab.storage.game_integration import EventMapping, GameIntegrationConfig from ledgrab.storage.game_integration_store import GameIntegrationStore +from ledgrab.utils import secret_box @pytest.fixture @@ -272,3 +273,83 @@ class TestGetReferences: config = store.create_integration(name="Test", adapter_type="webhook") refs = store.get_references(config.id) assert refs == [] + + +# --------------------------------------------------------------------------- +# Secret encryption (adapter_config.auth_token) tests +# --------------------------------------------------------------------------- + + +class TestAdapterConfigSecretEncryption: + def test_auth_token_round_trips(self): + config = GameIntegrationConfig.create_from_kwargs( + name="Webhook", + adapter_type="generic_webhook", + adapter_config={"auth_token": "super-secret", "auth_header": "X-Token"}, + ) + restored = GameIntegrationConfig.from_dict(config.to_dict()) + # Decrypted at runtime — plaintext is recovered. + assert restored.adapter_config["auth_token"] == "super-secret" + # Non-secret fields are untouched. + assert restored.adapter_config["auth_header"] == "X-Token" + + def test_stored_token_is_not_plaintext(self): + config = GameIntegrationConfig.create_from_kwargs( + name="Webhook", + adapter_type="generic_webhook", + adapter_config={"auth_token": "plaintext-secret"}, + ) + stored = config.to_dict() + raw_token = stored["adapter_config"]["auth_token"] + assert raw_token != "plaintext-secret" + assert secret_box.is_encrypted(raw_token) + + def test_legacy_plaintext_row_still_decrypts(self): + # Simulate a row written before encryption was added: auth_token is + # bare plaintext (not an ENC: envelope). It must still load. + legacy = { + "id": "gi_legacy01", + "name": "Legacy Webhook", + "adapter_type": "generic_webhook", + "enabled": True, + "adapter_config": {"auth_token": "legacy-plaintext"}, + "event_mappings": [], + "created_at": "2024-01-01T00:00:00+00:00", + "updated_at": "2024-01-01T00:00:00+00:00", + } + restored = GameIntegrationConfig.from_dict(legacy) + assert restored.adapter_config["auth_token"] == "legacy-plaintext" + + def test_no_auth_token_key_is_safe(self): + config = GameIntegrationConfig.create_from_kwargs( + name="NoSecret", + adapter_type="cs2", + adapter_config={"max_gold": 99999}, + ) + restored = GameIntegrationConfig.from_dict(config.to_dict()) + assert restored.adapter_config == {"max_gold": 99999} + + def test_db_stores_token_encrypted(self, tmp_db): + store = GameIntegrationStore(tmp_db) + store.create_integration( + name="Webhook", + adapter_type="generic_webhook", + adapter_config={"auth_token": "db-secret"}, + ) + rows = tmp_db.load_all("game_integrations") + assert len(rows) == 1 + raw_token = rows[0]["adapter_config"]["auth_token"] + assert raw_token != "db-secret" + assert secret_box.is_encrypted(raw_token) + + def test_db_round_trip_after_reload(self, tmp_db): + store1 = GameIntegrationStore(tmp_db) + created = store1.create_integration( + name="Webhook", + adapter_type="generic_webhook", + adapter_config={"auth_token": "reload-secret"}, + ) + # New store instance reads from disk and must decrypt. + store2 = GameIntegrationStore(tmp_db) + fetched = store2.get_integration(created.id) + assert fetched.adapter_config["auth_token"] == "reload-secret" diff --git a/server/tests/test_calibration.py b/server/tests/test_calibration.py index 7170e0e..dfd0c95 100644 --- a/server/tests/test_calibration.py +++ b/server/tests/test_calibration.py @@ -291,6 +291,22 @@ def test_create_default_calibration_small_count(): assert config.get_total_leds() == 4 +@pytest.mark.parametrize("led_count", [4, 5, 6, 7, 9, 11, 13, 60, 144, 300]) +def test_create_default_calibration_total_matches_count(led_count): + """Total LED count must equal led_count exactly, with every edge >= 1. + + Regression for small odd counts where the per-edge max(1, ...) floor used + to push the total above led_count (e.g. led_count=5 produced a total of 6). + """ + config = create_default_calibration(led_count) + + assert config.get_total_leds() == led_count + assert config.leds_top >= 1 + assert config.leds_right >= 1 + assert config.leds_bottom >= 1 + assert config.leds_left >= 1 + + def test_create_default_calibration_invalid(): """Test default calibration with invalid LED count.""" with pytest.raises(ValueError): diff --git a/server/tests/test_home_assistant_host_validation.py b/server/tests/test_home_assistant_host_validation.py new file mode 100644 index 0000000..c0028b2 --- /dev/null +++ b/server/tests/test_home_assistant_host_validation.py @@ -0,0 +1,52 @@ +"""Tests for Home Assistant source host classification. + +The HA source host is user-supplied and stored as ``host:port`` (e.g. +``192.168.1.100:8123``). Before the WebSocket runtime connects to it, the +route layer gates the host with the shared LAN classifier so an +(authenticated or default-anonymous) caller cannot weaponise it into a +public network-scan oracle — mirroring the LED device providers. +""" + +import pytest + +from ledgrab.api.routes.home_assistant import _validate_ha_host + + +@pytest.mark.parametrize( + "host", + [ + "127.0.0.1:8123", + "10.0.0.5:8123", + "192.168.1.100:8123", + "172.16.0.10", # no port + "homeassistant.local:8123", # mDNS label + "hass", # bare hostname + "[fe80::1]:8123", # bracketed IPv6 link-local + port + "[fc00::1]:8123", # bracketed IPv6 ULA + port + "169.254.169.254:80", # link-local — allowed by the shared LAN policy + "", # empty passes (upstream schema requires non-empty) + None, # update path may pass None (host unchanged) + ], +) +def test_validate_ha_host_accepts_lan(host) -> None: + """Loopback / private / link-local / hostnames must not raise. + + Link-local (169.254/16, fe80::/10) is part of the shared + ``validate_lan_host`` LAN policy used by every LED device provider, so + HA reuses it unchanged rather than hand-rolling a stricter variant. + """ + _validate_ha_host(host) + + +@pytest.mark.parametrize( + "host", + [ + "1.1.1.1:8123", # public IPv4 + port + "8.8.8.8", # public IPv4, no port + "[2606:4700:4700::1111]:8123", # public IPv6 + port + ], +) +def test_validate_ha_host_rejects_public(host) -> None: + """Genuinely-public IPs (the network-scan-oracle risk) are rejected.""" + with pytest.raises(ValueError, match="LedGrab is LAN-only"): + _validate_ha_host(host) From 1afe7d6fcc7524f7252b38f149deac6b71e96c98 Mon Sep 17 00:00:00 2001 From: "alexei.dolgolyov" Date: Tue, 9 Jun 2026 17:14:50 +0300 Subject: [PATCH 02/13] chore(activity-log): scaffold feature plan and phase subplans --- plans/activity-log/CONTEXT.md | 68 ++++++++++ plans/activity-log/PLAN.md | 116 +++++++++++++++++ plans/activity-log/phase-1-storage.md | 102 +++++++++++++++ .../phase-2-recorder-retention.md | 118 ++++++++++++++++++ plans/activity-log/phase-3-instrumentation.md | 108 ++++++++++++++++ plans/activity-log/phase-4-api.md | 79 ++++++++++++ plans/activity-log/phase-5-frontend-tab.md | 91 ++++++++++++++ .../phase-6-dashboard-settings.md | 74 +++++++++++ 8 files changed, 756 insertions(+) create mode 100644 plans/activity-log/CONTEXT.md create mode 100644 plans/activity-log/PLAN.md create mode 100644 plans/activity-log/phase-1-storage.md create mode 100644 plans/activity-log/phase-2-recorder-retention.md create mode 100644 plans/activity-log/phase-3-instrumentation.md create mode 100644 plans/activity-log/phase-4-api.md create mode 100644 plans/activity-log/phase-5-frontend-tab.md create mode 100644 plans/activity-log/phase-6-dashboard-settings.md diff --git a/plans/activity-log/CONTEXT.md b/plans/activity-log/CONTEXT.md new file mode 100644 index 0000000..d3b5ba6 --- /dev/null +++ b/plans/activity-log/CONTEXT.md @@ -0,0 +1,68 @@ +# CONTEXT — Activity / Audit Log + +Living scratchpad for the feature. The orchestrator updates this between phases. Tier-2 +context (survives across phases; graduates to CLAUDE.md only if it's a lasting project truth). + +## Config (from approval) + +- **Mode:** Automated · **Execution:** Orchestrator · **Strategy:** Incremental +- **Base/merge target:** `master` · **Branch:** `feature/activity-log` · **Branch point:** `17dd2e0` +- Final merge ALWAYS requires user approval (even in Automated mode). + +## Product decisions (locked) + +- Placement: BOTH a top-level **Activity** tab AND a Dashboard **Recent Activity** widget, + plus a Settings retention panel. +- Scope: all four categories — entity CRUD, auth, device connect/disconnect, capture & system. +- Detail: **action metadata only** (no before/after diffs). +- Durability: **export on demand (CSV/JSON)** + existing whole-DB backup. **No** separate + backup subsystem. +- WebUI work uses the `frontend-design` skill (Phases 5–6). + +## Key codebase facts (verified during planning) + +- `fire_entity_event(entity_type, action, entity_id)` @ `api/dependencies.py:202` — central + hook, called by every entity route synchronously in-request; has `_deps` store access. +- `ProcessorManager.fire_event(dict)` / `subscribe_events()` @ `core/processing/processor_manager.py` + back `/api/v1/events/ws` (`api/routes/output_targets_control.py:206`). `fire_event` does + `put_nowait` (no `call_soon_threadsafe`) — fine for the existing consumer; recorder marshals. +- Frontend realtime: `core/events-ws.ts` re-dispatches `server:`; `_ALLOWED_SERVER_EVENT_TYPES` + (line 39) is parity-checked by `tests/test_events_ws_parity.py`. Must add `activity_logged`. +- Actor: `request.state.auth_label` set in `api/auth.py` (129 authenticated, 83 anonymous). +- Storage: `Database` singleton (`storage/database.py`, single conn, RLock, WAL, + `synchronous=FULL`, `get_setting/set_setting`). `BaseSqliteStore` loads ALL rows to memory → + AVOID for the log. Migrations: `storage/data_migrations.py` (`ALL_MIGRATIONS`, idempotent). +- Backup/restore is **whole-DB** (`Database.backup_to`/`restore_from`, no STORE_MAP allowlist) + → the new `activity_log` table is auto-covered. No `system.py` STORE_MAP edit needed. +- Background-engine pattern: `core/backup/auto_backup.py` (start/stop loop, `_prune`, settings). +- Thread-marshal precedent: `utils/log_broadcaster.py` (`ensure_loop` + `call_soon_threadsafe`). +- Device seams: `device_health_changed` (`core/processing/device_health.py`, on transition) + + `device_discovered`/`device_lost` (`core/devices/discovery_watcher.py`, **zeroconf thread**). +- **No** API-key create/rotate/revoke routes exist (only `GET /system/api-keys`) → those auth + events are DESCOPED. +- Existing **Log Viewer** (`utils/log_broadcaster.py`) = ephemeral debug-log tail; the audit + log is a different, persistent, structured feature. Differentiate; do not duplicate. + +## Frozen contracts (fill as phases complete) + +- ActivityLogEntry fields / dict shape: _(Phase 1/2 handoff)_ +- ActivityLogFilters shape: _(Phase 1 handoff)_ +- recorder.record(...) signature + actor ContextVar import path: _(Phase 2 handoff)_ +- API endpoints + query params + page envelope + settings bounds: _(Phase 4 handoff)_ + +## Failed approaches / rejected designs + +- Buffered async-writer subsystem (asyncio.Queue): REJECTED — unsafe from the zeroconf thread + and adds a shutdown-flush ordering hazard. Using direct synchronous-on-loop writes with + `call_soon_threadsafe` marshaling instead (simpler + correct). +- Using `BaseSqliteStore` for the log: REJECTED — loads all rows into memory. +- Separate activity-log backup subsystem: REJECTED — whole-DB backup already covers the table; + export-on-demand is the portability story. + +## Deferred / open + +- Setup-scaffold first-run noise suppression (batch/suppress flag) — deferred (nice-to-have). + +## Phase progress notes + +_(Orchestrator appends a short note per phase: what landed, commit sha, any warnings.)_ diff --git a/plans/activity-log/PLAN.md b/plans/activity-log/PLAN.md new file mode 100644 index 0000000..67819cd --- /dev/null +++ b/plans/activity-log/PLAN.md @@ -0,0 +1,116 @@ +# Feature: Activity / Audit Log + +**Branch:** `feature/activity-log` +**Base branch:** `master` (merge target) +**Branch point:** `17dd2e02bab4d00a93479eb6af1a8c6ddc0c7224` (use for clean review diffs) +**Created:** 2026-06-09 +**Status:** 🟡 In Progress +**Strategy:** Incremental +**Mode:** Automated +**Execution:** Orchestrator +**Remote:** origin → https://git.dolgolyov-family.by/alexei.dolgolyov/ledgrab.git + +## Summary + +A persistent, queryable audit log of meaningful LedGrab actions, surfaced in the WebUI. +Captures four categories — entity CRUD, authentication, device connect/disconnect, and +capture & system events — as **action-metadata-only** records (who/what/when + entity +type/name/id + a human-readable message + small structured metadata; **no before/after +diffs**). Surfaced as a dedicated top-level **Activity** tab with smart filtering + live +updates, a compact **Recent Activity** widget on the Dashboard, and a **Settings** panel +for retention. Durability rides on the existing whole-DB `ledgrab.db` backup; portability +is an on-demand CSV/JSON **export** (no separate backup subsystem). + +## Design pillars (the load-bearing decisions) + +1. **Dedicated `activity_log` table + repository — NOT `BaseSqliteStore`.** That base loads + every row into an in-memory cache and uses a generic `id/name/data` blob — wrong for an + append-heavy, unbounded log. We use a purpose-built indexed table with query-on-demand + keyset pagination. +2. **Central choke-point instrumentation.** `fire_entity_event()` (`api/dependencies.py:202`) + is already called by every entity route on create/update/delete and has `_deps` access to + resolve names. The recorder hooks there for all entity CRUD. Non-entity events get explicit + `recorder.record(...)` calls. +3. **Actor via `ContextVar`.** Set inside `verify_api_key` (next to `request.state.auth_label`), + default `"system"`, reset per-request. The recorder reads it without threading actor + through every call. +4. **Direct synchronous write on the event-loop thread** (no separate buffered-writer + subsystem — simpler, and the request already did a `synchronous=FULL` entity write). + Cross-thread callers (zeroconf discovery thread) marshal via `loop.call_soon_threadsafe`, + mirroring `utils/log_broadcaster.py`. The "server shutting down" event is recorded as the + FIRST action in the lifespan shutdown block, before any teardown. +5. **Reuse the existing realtime bus.** A new `activity_logged` event over `/api/v1/events/ws` + (one `events-ws.ts` allowlist entry + `test_events_ws_parity.py` update). No new socket. +6. **Never log secrets.** API-key *tokens* are never stored — only labels/ids. +7. **Differentiate from the existing Log Viewer.** `utils/log_broadcaster.py` is an ephemeral + 500-line debug-log tail. The audit log is persistent, structured, semantic. Cross-link in + the Settings panel; never duplicate. + +## Build & Test Commands + +- **Build (frontend):** `cd server && npm run build` +- **Type-check (TS):** `cd server && npx tsc --noEmit` +- **Test:** `cd server && py -3.13 -m pytest tests/ --no-cov -q` +- **Lint (Python):** `cd server && ruff check src/ tests/ --fix` +- **Events parity test (load-bearing for P2):** included in pytest (`tests/test_events_ws_parity.py`) + +> Scope checks to the files actually edited: backend phases run ruff + pytest; frontend-only +> phases run `tsc --noEmit` + `npm run build` (no pytest/ruff). Phases touching both run both. + +## Phases + +- [ ] Phase 1: Storage — model, migration, repository [domain: data] → [subplan](./phase-1-storage.md) +- [ ] Phase 2: Recorder, actor context, retention, lifecycle [domain: backend] → [subplan](./phase-2-recorder-retention.md) +- [ ] Phase 3: Event instrumentation (4 categories) [domain: backend] → [subplan](./phase-3-instrumentation.md) +- [ ] Phase 4: REST API — query/filter/export/settings/clear [domain: backend] → [subplan](./phase-4-api.md) +- [ ] Phase 5: Frontend — Activity tab + smart filtering + live updates [domain: frontend] → [subplan](./phase-5-frontend-tab.md) +- [ ] Phase 6: Dashboard widget + Settings panel + docs [domain: frontend] → [subplan](./phase-6-dashboard-settings.md) + +## Parallelizable Phase Groups (Orchestrator mode only) + +- Phases 3 and 4 are **parallelizable only after the schema is frozen at end of Phase 2**. + Both depend on the P2 recorder/schema; P4 registers the router in `api/__init__.py`, P3 + edits `dependencies.py`/`auth.py` (different files, shared schema contract). To keep the + Automated run simple and low-risk, they run **sequentially** (3 → 4) unless time pressure + warrants worktree-isolated parallelism. Phases 5 → 6 are sequential (6 reuses P5 formatters + and the feature module). + +## Phase Progress Log + +| Phase | Domain | Status | Review | Build | Committed | +|-------|--------|--------|--------|-------|-----------| +| Phase 1: Storage | data | ⬜ Not Started | ⬜ | ⬜ | ⬜ | +| Phase 2: Recorder/Retention | backend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | +| Phase 3: Instrumentation | backend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | +| Phase 4: REST API | backend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | +| Phase 5: Frontend tab | frontend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | +| Phase 6: Dashboard/Settings | frontend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | + +## Outstanding Warnings + +| Phase | Warning | Severity | Status (open / resolved / accepted) | +|-------|---------|----------|-------------------------------------| +| | | | | + +## Final Review + +- [ ] Comprehensive code review +- [ ] Security review (auth/PII-in-logs/secrets/log-injection — triggered) +- [ ] All Outstanding Warnings resolved or consciously accepted +- [ ] Full build passes (`npm run build` + `tsc --noEmit`) +- [ ] Full test suite passes (`pytest`) +- [ ] Merged to `master` + +## Amendment Log + +_(Filled in if the plan is amended mid-implementation.)_ + +- 2026-06-09: Plan reviewer (pre-implementation) → ⚠️ with 3 Critical Gaps, all resolved + before Phase 1: (G1) descoped non-existent API-key mutation events; (G2) dropped the + buffered-writer subsystem for a direct synchronous-on-loop write with `call_soon_threadsafe` + marshaling for thread-origin events; (G3) record "server shutting down" first in the shutdown + block (no buffer to flush). Concerns folded in: device events via `device_health_changed` + + `device_discovered/_lost`; actor ContextVar in `verify_api_key`; name-on-delete passed + explicitly; settings-audit scoped + self-key excluded; parity allowlist before emit site. + Adopted suggestions: rowid keyset tiebreaker; log the disable action. Deferred: setup-scaffold + noise suppression. diff --git a/plans/activity-log/phase-1-storage.md b/plans/activity-log/phase-1-storage.md new file mode 100644 index 0000000..5b13255 --- /dev/null +++ b/plans/activity-log/phase-1-storage.md @@ -0,0 +1,102 @@ +# Phase 1: Storage — model, migration, repository + +**Status:** ⬜ Not Started +**Parent plan:** [PLAN.md](./PLAN.md) +**Domain:** data + +## Objective + +Create the persistent foundation for the audit log: an `ActivityLogEntry` dataclass, an +additive idempotent SQLite migration that creates a dedicated indexed `activity_log` table, +and a purpose-built `ActivityLogRepository` (NOT `BaseSqliteStore`) supporting append, +keyset-paginated filtered query, count, time/count-based prune, and streaming export. + +## Tasks + +- [ ] Create `server/src/ledgrab/storage/activity_log.py`: + - `ActivityCategory` and `ActivitySeverity` string enums (or `Literal` unions used as + constants). Categories: `auth`, `device`, `entity`, `capture`, `system`. Severities: + `info`, `warning`, `error`. + - `@dataclass ActivityLogEntry` with fields: `id: str` (e.g. `al_`), `ts: datetime` + (UTC, server-assigned), `category: str`, `action: str`, `severity: str`, `actor: str`, + `entity_type: str | None`, `entity_id: str | None`, `entity_name: str | None`, + `message: str`, `metadata: dict` (small JSON; default empty). Provide `to_row()` / + `from_row()` (column tuple/dict ↔ dataclass; `metadata` JSON-encoded; `ts` isoformat). +- [ ] Add migration to `server/src/ledgrab/storage/data_migrations.py`: + - New `DataMigration` subclass `AddActivityLogTableMigration` with unique `name` + (next sequential id, e.g. `"NNN_add_activity_log"` — match existing naming) and + `apply(conn)` creating `activity_log` with an INTEGER PRIMARY KEY AUTOINCREMENT `seq` + (monotonic keyset tiebreaker) plus columns: `id TEXT UNIQUE NOT NULL`, `ts TEXT NOT NULL`, + `category TEXT NOT NULL`, `action TEXT NOT NULL`, `severity TEXT NOT NULL`, + `actor TEXT NOT NULL`, `entity_type TEXT`, `entity_id TEXT`, `entity_name TEXT`, + `message TEXT NOT NULL`, `metadata TEXT NOT NULL DEFAULT '{}'`. + - Indexes: `(ts DESC, seq DESC)` (primary keyset/sort), `category`, `severity`, `actor`, + `(entity_type, entity_id)`. Use `CREATE TABLE/INDEX IF NOT EXISTS` for idempotency. + - Append the instance to `ALL_MIGRATIONS` (never reorder existing entries). +- [ ] Create `server/src/ledgrab/storage/activity_log_repository.py`: + - `class ActivityLogRepository` taking `db: Database` (NOT subclassing `BaseSqliteStore`). + - `record(entry: ActivityLogEntry) -> None`: single parameterized INSERT via + `db.execute(...)` (auto-commit). The `seq` is DB-assigned. **Caller guarantees this runs + on the event-loop thread** (see Phase 2 — cross-thread marshaling lives in the recorder). + - `query(filters: ActivityLogFilters, *, before_seq: int | None, limit: int) -> list[ActivityLogEntry]`: + keyset pagination `WHERE seq < ? ORDER BY seq DESC LIMIT ?` plus optional filters — + `category IN (...)`, `severity IN (...)`, `actor = ?`, `entity_type = ?`, `entity_id = ?`, + `ts >= ?` / `ts <= ?`, `message LIKE ?` (free-text, `%q%`, escaped). All parameterized. + - `count(filters) -> int`. + - `prune(*, before_ts: datetime | None, max_entries: int | None) -> int`: delete rows older + than `before_ts`, and/or trim to the newest `max_entries` by `seq`. Returns rows deleted. + - `clear() -> int`: delete all rows (used by the API clear endpoint; the clear action is + itself audited by the recorder, not here). Returns rows deleted. + - `iter_export(filters) -> Iterator[ActivityLogEntry]`: cursor-based streaming for export + (does not load all rows into memory). + - Define a small `ActivityLogFilters` dataclass (all-optional fields) in the repository or + `activity_log.py` and reuse it across query/count/prune/export. +- [ ] Unit tests in `server/tests/storage/test_activity_log_repository.py`: + - insert + read back round-trip (incl. metadata JSON, UTC ts); + - filter by each dimension (category/severity/actor/entity/date/free-text); + - keyset pagination stability across two pages with same-`ts` rows (seq tiebreaker); + - prune by age and by max_entries; + - clear; count; export iterator yields all matching rows; + - migration idempotency (constructing the repo twice / running migrations twice is safe). + +## Files to Modify/Create + +- `server/src/ledgrab/storage/activity_log.py` — new: dataclass + enums + filters + row codec +- `server/src/ledgrab/storage/data_migrations.py` — modify: add migration + append to `ALL_MIGRATIONS` +- `server/src/ledgrab/storage/activity_log_repository.py` — new: repository +- `server/tests/storage/test_activity_log_repository.py` — new: unit tests + +## Acceptance Criteria + +- `activity_log` table + indexes created idempotently on startup (running migrations twice is a no-op). +- Query is keyset-paginated and index-backed; a 10k-row table never loads fully into memory. +- Pagination is stable when many rows share the same millisecond `ts` (uses `seq` tiebreaker). +- `prune` removes by age AND by max-entry cap; `clear` empties the table; `export` streams. +- All filters use parameterized SQL (no string interpolation of user input). +- New unit tests pass; `ruff check` clean; existing tests still green. + +## Notes + +- Reference patterns: `storage/database.py` (`execute`, `transaction`, `get_setting`), + `storage/data_migrations.py` (`DataMigration`, `MigrationRunner`, `ALL_MIGRATIONS`), + `storage/sync_clock.py` (dataclass `to_dict`/`from_dict` style). +- 🔒 **Migration-safety addendum (data domain):** this migration is purely additive (new + table) — no rename, no field/key/file move, no data movement → no data-loss risk. Still + idempotent (`IF NOT EXISTS`). Rollback = drop the table; no user data is transformed. +- Do NOT wire the repository into `main.py` or `dependencies.py` here — that is Phase 2. +- `Database`'s connection is created with the existing threading model; the repository must + not assume it can be called from arbitrary threads. Thread marshaling is Phase 2's job. + +## Review Checklist + +- [ ] All tasks completed +- [ ] Code follows project conventions (dataclass codec style, migration naming) +- [ ] No unintended side effects (no startup wiring yet) +- [ ] Build passes (ruff + pytest) +- [ ] Tests pass (new + existing) + +## Handoff to Next Phase + + diff --git a/plans/activity-log/phase-2-recorder-retention.md b/plans/activity-log/phase-2-recorder-retention.md new file mode 100644 index 0000000..cc9fea0 --- /dev/null +++ b/plans/activity-log/phase-2-recorder-retention.md @@ -0,0 +1,118 @@ +# Phase 2: Recorder, actor context, retention, lifecycle + +**Status:** ⬜ Not Started +**Parent plan:** [PLAN.md](./PLAN.md) +**Domain:** backend + +## Objective + +Build the runtime layer over the Phase 1 repository: a thread-safe `ActivityRecorder` facade +that persists an entry AND pushes a live `activity_logged` event; an actor `ContextVar` +populated by the auth layer; a background `ActivityLogRetentionEngine` mirroring +`AutoBackupEngine`; and the `main.py`/`dependencies.py` wiring (init, DI getter, retention +start/stop, shutdown ordering). After this phase the audit log records nothing yet (no call +sites) — that is Phase 3 — but the full machinery is live and unit-tested. + +## Tasks + +- [ ] Create `server/src/ledgrab/core/activity_log/__init__.py` and + `server/src/ledgrab/core/activity_log/recorder.py`: + - `ActivityRecorder(repo: ActivityLogRepository, processor_manager, *, loop=None)`. + - `record(category, action, *, severity="info", actor=None, entity_type=None, + entity_id=None, entity_name=None, message, metadata=None) -> None`: + - resolve `actor` from the actor `ContextVar` when not supplied, default `"system"`; + - build an `ActivityLogEntry` (id `al_`, `ts=datetime.now(timezone.utc)`); + - **thread-safe write:** if called on the event loop thread, write inline via + `repo.record(entry)` then fire the live event; if called from another thread (zeroconf + discovery), marshal the whole write+emit onto the loop via + `loop.call_soon_threadsafe(...)`. Capture the loop lazily (mirror + `utils/log_broadcaster.py:ensure_loop`/`call_soon_threadsafe`). Never raise into the + caller — audit recording is best-effort and must not break the audited action; log + failures at `warning`. + - live push: `processor_manager.fire_event({"type": "activity_logged", "entry": entry_as_dict})`. + - Provide a tiny helper to serialize an entry to the same dict shape the API returns + (reuse in Phase 4 / frontend). + - `enabled` flag honored: when retention settings say `enabled=false`, `record()` is a + no-op — EXCEPT the "audit log disabled" event itself, which must be recorded before the + flag takes effect (see retention engine). +- [ ] Actor `ContextVar`: + - Add `current_actor: ContextVar[str]` (module-level, e.g. in `core/activity_log/context.py` + or `api/auth.py`). In `verify_api_key` (`api/auth.py`), set it next to the existing + `request.state.auth_label = ...` (both the authenticated label and the `"anonymous"` + branch). Default `"system"` when unset. Ensure no cross-request leakage (set on every + auth evaluation). +- [ ] Create `server/src/ledgrab/core/activity_log/retention.py`: + - `ActivityLogRetentionEngine(repo, db, recorder)` mirroring `core/backup/auto_backup.py`: + `_load_settings()`/`_save_settings()` via `db.get_setting("activity_log")` / + `db.set_setting("activity_log", {...})`, `DEFAULT_SETTINGS = {"enabled": True, + "max_days": 90, "max_entries": 20000}`. + `async start()` → spawn `_retention_loop()` (`asyncio.create_task`); loop sleeps a sane + interval (e.g. hourly) then calls `repo.prune(before_ts=now-max_days, max_entries=...)`. + `async stop()` → cancel + await task. `get_settings()` / `async update_settings(...)` + that persist and apply (changing `enabled` is logged via the recorder BEFORE disabling). +- [ ] Wiring: + - `main.py`: instantiate `activity_log_repo = ActivityLogRepository(db)` (module level near + other stores); in `lifespan` startup build `activity_recorder` + `activity_log_retention_engine`, + pass to `init_dependencies(...)`, and `await activity_log_retention_engine.start()`. + - In `lifespan` **shutdown**: record a `system` / `server_shutting_down` event via the + recorder as the **first** shutdown action (before engines/db close), then + `await _bounded("activity_log_retention.stop", activity_log_retention_engine.stop(), timeout=0.5)`. + - `api/dependencies.py`: add `activity_recorder` + `activity_log_repo` + + `activity_log_retention_engine` to `_deps`, parameters to `init_dependencies`, and + getters `get_activity_recorder()`, `get_activity_log_repo()`, + `get_activity_log_retention_engine()`. +- [ ] Realtime allowlist (order matters — do allowlist FIRST so the parity test stays green): + - Add `'activity_logged'` to `_ALLOWED_SERVER_EVENT_TYPES` in + `server/src/ledgrab/static/js/core/events-ws.ts` (+ a one-line comment naming the source). + - Confirm `tests/test_events_ws_parity.py` passes with the new emit type. +- [ ] Unit tests `server/tests/core/test_activity_recorder.py` + + `test_activity_log_retention.py`: + - recorder persists an entry AND calls `fire_event` with `type=="activity_logged"`; + - actor resolves from ContextVar; defaults to `"system"`; failure in repo doesn't raise; + - cross-thread `record()` (call from a `threading.Thread`) routes through the loop and persists; + - retention prunes per settings; settings round-trip via db; disabling logs the disable event. + +## Files to Modify/Create + +- `server/src/ledgrab/core/activity_log/__init__.py` — new +- `server/src/ledgrab/core/activity_log/recorder.py` — new +- `server/src/ledgrab/core/activity_log/context.py` — new (actor ContextVar) *(or place in auth.py)* +- `server/src/ledgrab/core/activity_log/retention.py` — new +- `server/src/ledgrab/api/auth.py` — modify: set actor ContextVar in `verify_api_key` +- `server/src/ledgrab/main.py` — modify: instantiate, wire lifespan start/shutdown +- `server/src/ledgrab/api/dependencies.py` — modify: `_deps`, `init_dependencies`, getters +- `server/src/ledgrab/static/js/core/events-ws.ts` — modify: allowlist `activity_logged` +- `server/tests/core/test_activity_recorder.py` — new +- `server/tests/core/test_activity_log_retention.py` — new + +## Acceptance Criteria + +- Recorder persists + fires `activity_logged`; never raises into callers; thread-safe from + non-loop threads. +- Actor ContextVar populated by auth; default `"system"`; no cross-request leakage. +- Retention engine starts/stops cleanly in lifespan; prunes by age + count; settings persist. +- `server_shutting_down` is recorded before teardown; no lost-on-graceful-shutdown entries. +- `test_events_ws_parity.py` green (allowlist updated). Existing tests still green; `ruff` clean. + +## Notes + +- Reference: `core/backup/auto_backup.py` (engine shape, settings persistence, `_bounded` + shutdown in `main.py`), `utils/log_broadcaster.py` (`ensure_loop`, `call_soon_threadsafe` + thread marshaling), `core/processing/processor_manager.py:247` (`fire_event`). +- **Do not add any instrumentation call sites in this phase** — only the machinery. Phase 3 + adds the `record(...)` calls. (Intermediate commit emits nothing; that is fine and green.) +- Freeze the `ActivityLogEntry` dict shape here — Phase 4 (API response) and Phase 5 + (frontend `entry`) consume it. + +## Review Checklist + +- [ ] All tasks completed +- [ ] Code follows project conventions (engine/DI patterns) +- [ ] No unintended side effects (no call sites yet; lifespan order correct) +- [ ] Build passes (ruff + pytest, incl. parity test) +- [ ] Tests pass (new + existing) + +## Handoff to Next Phase + + diff --git a/plans/activity-log/phase-3-instrumentation.md b/plans/activity-log/phase-3-instrumentation.md new file mode 100644 index 0000000..9b24d4e --- /dev/null +++ b/plans/activity-log/phase-3-instrumentation.md @@ -0,0 +1,108 @@ +# Phase 3: Event instrumentation (4 categories) + +**Status:** ⬜ Not Started +**Parent plan:** [PLAN.md](./PLAN.md) +**Domain:** backend · 🔒 security-sensitive (security reviewer triggers) + +## Objective + +Emit audit records at the real call sites for all four categories, using the Phase 2 recorder. +Maximize coverage via the central `fire_entity_event` choke point; add explicit +`recorder.record(...)` calls for non-entity events. Never log secrets. + +## Tasks + +### Entity CRUD (via the choke point) +- [ ] In `api/dependencies.py`, extend `fire_entity_event` to ALSO record an audit entry: + - Signature gains an optional `entity_name: str | None = None`. + - For `created`/`updated`: if `entity_name` not supplied, best-effort resolve from the + matching store in `_deps` keyed by `entity_type` (entity still present). For `deleted`: + **do not** resolve post-hoc — rely on the explicit `entity_name` passed by the handler + (deletes are the most important; a name-less delete entry is unacceptable). + - Map `action` → severity (`info`), category `entity`. Build a human message + (e.g. `"Target 'Desk' updated"`). Read actor from the ContextVar. + - Recording is best-effort (never break the entity operation). +- [ ] Update entity **delete** handlers to pass `entity_name` into `fire_entity_event` + (the entity object is already loaded for the 404 check). Cover the representative/most-used + entities at minimum: output targets, sync clocks, devices, picture/audio/color-strip + sources, automations, scene presets/playlists, templates, gradients. (Create/update can rely + on hook resolution but pass the name where trivially available.) + +### Authentication (DESCOPED: no key create/rotate/revoke — those routes don't exist) +- [ ] In `api/auth.py`, record: + - auth **failures**: missing/invalid Bearer token (HTTP), rejected LAN-without-keys, rejected + WS origin (4403), WS auth handshake failure (4401). Category `auth`, severity `warning`. + Include the caller IP/label and the reason in `metadata` — **never** the attempted token. + - WS **session establishment** (successful `accept_and_authenticate_ws`): category `auth`, + severity `info`, actor = authenticated label. + - (Do NOT record per-request HTTP auth *success* — too frequent.) + +### Device connect/disconnect (use existing discrete seams) +- [ ] Hook `device_health_changed` (`core/processing/device_health.py`, fired only on + `online != prev_online`) → record online/offline transition. Category `device`, + severity `info` (online) / `warning` (offline). +- [ ] Hook `device_discovered` / `device_lost` (`core/devices/discovery_watcher.py`, **runs on + the zeroconf thread** → recorder must marshal to the loop, which Phase 2 handles). Category + `device`. +- [ ] ADB connect/disconnect (`api/routes/system_settings.py:adb_connect/adb_disconnect`). + +### Capture & system events (explicit record calls) +- [ ] Target processing start/stop + bulk (`api/routes/output_targets_control.py`). +- [ ] Scene activation (`scene_presets.py:activate_scene_preset`), playlist start/stop + (`scene_playlists.py`), automation activate/deactivate (`automation_engine.py`). +- [ ] System: backup create/restore/delete (`backup.py`), update apply/dismiss (`update.py`), + restart/shutdown (`backup.py`), calibration start/stop/cancel (`calibration.py`). +- [ ] Settings changes: scope to high-value settings only (auto-backup, update, shutdown + action). **Exclude the activity-log's own `"activity_log"` settings key** to avoid + self-referential churn. + +### Tests +- [ ] `server/tests/test_activity_instrumentation.py` (or per-area): + - representative entity create/update/delete produces a record with correct category/actor/ + name (incl. a delete carrying its name); + - an auth failure produces a `warning` record and the token never appears in any field; + - a device health transition and a discovery event produce records; + - a capture start and a backup/restore produce records. + +## Files to Modify/Create + +- `server/src/ledgrab/api/dependencies.py` — modify: `fire_entity_event` records + `entity_name` +- entity **delete** route handlers under `api/routes/` — modify: pass `entity_name` +- `server/src/ledgrab/api/auth.py` — modify: auth-failure + WS-session records +- `server/src/ledgrab/core/processing/device_health.py` — modify: online/offline record +- `server/src/ledgrab/core/devices/discovery_watcher.py` — modify: discovered/lost record +- `server/src/ledgrab/api/routes/system_settings.py` — modify: ADB + settings records +- `server/src/ledgrab/api/routes/output_targets_control.py` — modify: start/stop records +- `server/src/ledgrab/api/routes/{scene_presets,scene_playlists,backup,update,calibration}.py` — modify +- `server/src/ledgrab/core/automations/automation_engine.py` — modify: activate/deactivate records +- `server/tests/test_activity_instrumentation.py` — new + +## Acceptance Criteria + +- All four categories emit records at the named sites; entity deletes carry the entity name. +- API-key tokens / secrets never appear in any audit field (test-enforced). +- Recording never breaks the audited action (best-effort; failures swallowed + logged). +- Actor is the authenticated label for request-originated events, `"system"` for engine/thread + events. New + existing tests green; `ruff` clean. + +## Notes + +- Get the recorder via the Phase 2 DI getter; for engine/thread sites that lack DI, use the + module singleton/accessor Phase 2 exposes. +- Keep messages human-readable and localized-agnostic (English source strings; the frontend + renders structured fields, not server message translation — message is a fallback/summary). +- This is the security-sensitive phase — the security reviewer runs here AND at final review. + +## Review Checklist + +- [ ] All tasks completed +- [ ] Code follows project conventions +- [ ] No unintended side effects (audited actions still succeed on recorder failure) +- [ ] No secrets logged (token never recorded) — explicitly verified +- [ ] Build passes (ruff + pytest) +- [ ] Tests pass (new + existing) + +## Handoff to Next Phase + + diff --git a/plans/activity-log/phase-4-api.md b/plans/activity-log/phase-4-api.md new file mode 100644 index 0000000..1cd15e5 --- /dev/null +++ b/plans/activity-log/phase-4-api.md @@ -0,0 +1,79 @@ +# Phase 4: REST API — query / filter / export / settings / clear + +**Status:** ⬜ Not Started +**Parent plan:** [PLAN.md](./PLAN.md) +**Domain:** backend + +## Objective + +Expose the audit log over the REST API: a filtered, keyset-paginated list endpoint; a +streaming CSV/JSON export honoring the same filters; retention settings get/update; and a +destructive clear. Apply the project's auth posture (stricter auth on export + clear). + +## Tasks + +- [ ] `server/src/ledgrab/api/schemas/activity_log.py` (Pydantic): + - `ActivityLogEntryResponse` (matches the frozen Phase 2 entry dict shape). + - `ActivityLogPageResponse` { `entries: list[...]`, `next_before_seq: int | None`, + `total: int` (optional/over filters), `has_more: bool` }. + - `ActivityLogSettingsResponse` / `UpdateActivityLogSettingsRequest` + (`enabled`, `max_days`, `max_entries`) with validation bounds. +- [ ] `server/src/ledgrab/api/routes/activity_log.py` — `APIRouter(prefix="/api/v1/activity-log")`: + - `GET ""` — list. Query params: `categories`, `severities`, `actor`, `entity_type`, + `entity_id`, `since`/`until` (ISO), `q` (free-text), `before_seq` (cursor), `limit` + (default 50, capped e.g. 200). `AuthRequired`. Maps params → `ActivityLogFilters`, + calls `repo.query(...)`, returns page envelope. + - `GET "/export"` — streaming export. Same filters; `format=csv|json`. Uses + `StreamingResponse` over `repo.iter_export(...)`. **`require_authenticated()`** (may + contain IPs/labels). Sets `Content-Disposition` with a timestamped filename. + - `GET "/settings"` / `PUT "/settings"` — retention settings via the retention engine. + `AuthRequired`; updates apply immediately. + - `DELETE ""` — clear all entries. **`require_authenticated()`**. The clear is itself + audited (recorder records a `system`/`activity_log_cleared` entry AFTER the wipe, so the + log shows who cleared it and when). + - Register the router in `server/src/ledgrab/api/__init__.py` (aggregator). +- [ ] API tests `server/tests/api/routes/test_activity_log_api.py`: + - list returns entries; each filter narrows results; `before_seq` cursor paginates without + overlap/gaps; `limit` cap enforced; + - export CSV and JSON both stream and honor filters; export requires authentication + (401 for loopback-anonymous when keys configured); + - settings get/update round-trip + validation rejects out-of-range; + - clear empties the log, requires auth, and leaves exactly one post-clear audit entry. + +## Files to Modify/Create + +- `server/src/ledgrab/api/schemas/activity_log.py` — new +- `server/src/ledgrab/api/routes/activity_log.py` — new +- `server/src/ledgrab/api/__init__.py` — modify: register router +- `server/tests/api/routes/test_activity_log_api.py` — new + +## Acceptance Criteria + +- List is filterable on every dimension and keyset-paginated (stable, no dupes/gaps). +- Export streams CSV + JSON, honors filters, and requires authentication. +- Settings get/update works and validates bounds; changes take effect immediately. +- Clear requires authentication and is itself audited. +- New + existing tests green; `ruff` clean. + +## Notes + +- Auth helpers: `AuthRequired` dependency for normal endpoints; `require_authenticated()` for + export + clear (pattern: backup download / secret reveal). See `api/auth.py` + `server/CLAUDE.md`. +- Follow the existing route/schema conventions (one schema file per entity, router registered + in `api/__init__.py`). Reference `api/routes/backup.py` for settings-style GET/PUT + a + `StreamingResponse`/download pattern. +- Reuse the entry→dict serializer from Phase 2 to keep the response shape single-sourced. +- Backup/restore: no `STORE_MAP` change needed — backup is whole-DB; the table is auto-covered. + +## Review Checklist + +- [ ] All tasks completed +- [ ] Code follows project conventions (router registration, schema-per-entity, auth posture) +- [ ] No unintended side effects +- [ ] Build passes (ruff + pytest) +- [ ] Tests pass (new + existing) + +## Handoff to Next Phase + + diff --git a/plans/activity-log/phase-5-frontend-tab.md b/plans/activity-log/phase-5-frontend-tab.md new file mode 100644 index 0000000..0e2a509 --- /dev/null +++ b/plans/activity-log/phase-5-frontend-tab.md @@ -0,0 +1,91 @@ +# Phase 5: Frontend — Activity tab + smart filtering + live updates + +**Status:** ⬜ Not Started +**Parent plan:** [PLAN.md](./PLAN.md) +**Domain:** frontend · uses the `frontend-design` skill + +## Objective + +Build the dedicated top-level **Activity** tab: a read-only, smart-filterable, +keyset-paginated log viewer with an entry detail view, live-append of new events, and export. +This is a viewer (Dashboard-style), NOT a CRUD card section. + +## Tasks + +- [ ] `core/ui.ts`: add `formatTimestamp(isoOrMs)` (Today/Yesterday/Date · HH:MM, i18n-aware) + and `formatRelativeTime(isoOrMs)` ("2m ago"), with `tabular-nums` styling guidance for the + list. Reuse existing `time.*` i18n key conventions. +- [ ] `features/activity-log.ts`: + - `export async function loadActivityLog()` — fetch first page from + `GET /activity-log` (via `fetchWithAuth`), render the toolbar + list into the panel. + - **Smart filter toolbar:** category (multi, IconSelect/chips), severity (chips), actor + (EntitySelect/text), entity type, date range, free-text search (debounced). Quick presets: + Today / Errors / Auth / Devices. Filters drive server-side query params (no client-side + filtering of a partial page). Re-query on change; reset cursor. + - **List:** one row per entry — severity icon, category badge, relative time (title=absolute), + actor, message, entity crosslink (use `navigateToCard(...)` when the referenced entity is + resolvable). Keyset "load more" (or infinite scroll) using `next_before_seq`. + - **Detail:** expandable row / drawer showing full metadata JSON, exact timestamp, ids. + - **Live append:** `document.addEventListener('server:activity_logged', e => …)` — prepend + the new entry if it passes the active filters; show a subtle "new" affordance. (Depends on + the Phase 2 allowlist entry — already shipped.) + - **Export button:** triggers `GET /activity-log/export?format=…` with current filters via an + authed blob download (use `fetchWithAuth` → blob URL, per frontend.md auth rules). + - Empty / loading / error states; re-render on `languageChanged`. +- [ ] Tab wiring: + - `core/tab-registry.ts`: add `activity_log: { loadFnName: 'loadActivityLog', autoRefresh: false }`. + - `templates/index.html`: sidebar tab button (`data-tab`, `switchTab('activity_log')`, + history/clock SVG icon, `data-i18n`) + `
`. + - `app.ts`: import + `Object.assign(window, { loadActivityLog, … })`; `global.d.ts` decls. +- [ ] Icons: add a history/audit icon to `core/icon-paths.ts` + `core/icons.ts`; severity icons + (info/warning/error) reuse existing constants where possible. +- [ ] i18n: add `activity_log.*` keys to `static/locales/{en,ru,zh}.json` (title, filter labels, + category/severity names, column labels, presets, empty/error, export, "N entries"). +- [ ] Tutorials: add an Activity-tab step to the getting-started tour in + `features/tutorials.ts` + `tour.*` keys in all 3 locales. + +## Files to Modify/Create + +- `server/src/ledgrab/static/js/core/ui.ts` — modify: timestamp/relative-time formatters +- `server/src/ledgrab/static/js/features/activity-log.ts` — new: the viewer +- `server/src/ledgrab/static/js/core/tab-registry.ts` — modify: register tab +- `server/src/ledgrab/templates/index.html` — modify: tab button + panel +- `server/src/ledgrab/static/js/app.ts` — modify: import + window globals +- `server/src/ledgrab/static/js/global.d.ts` — modify: window decls +- `server/src/ledgrab/static/js/core/icon-paths.ts` / `core/icons.ts` — modify: icons +- `server/src/ledgrab/static/locales/{en,ru,zh}.json` — modify: i18n keys +- `server/src/ledgrab/static/js/features/tutorials.ts` — modify: tour step +- `server/src/ledgrab/static/css/*` — modify/new: list + toolbar styling (follow base.css vars) + +## Acceptance Criteria + +- New **Activity** tab loads, lists entries, and paginates via keyset "load more". +- Filters hit server-side query params; quick presets work; free-text is debounced. +- New events append live via `server:activity_logged` and respect active filters. +- Export downloads CSV/JSON with auth, honoring current filters. +- Fully localized (en/ru/zh); empty/loading/error states; re-renders on language change. +- No plain ``; SVG icons only. + +## Notes + +- **Use the `frontend-design` skill** for the widget + settings panel layout. +- Reuse Phase 5's render helper and i18n namespace — no duplicated row markup or keys. +- Settings UI model: `features/settings.ts switchSettingsTab` + `modals/settings.html` rail. +- Frontend-only phase → run `tsc --noEmit` + `npm run build`; do NOT run pytest/ruff (docs + + TS only). +- Backup/restore cross-ref: no `STORE_MAP` edit needed (whole-DB backup covers the table) — + confirm nothing else (graph editor) needs syncing for this viewer (verified: not needed). + +## Review Checklist + +- [ ] All tasks completed +- [ ] Code follows frontend conventions (i18n ×3, icons, selectors, CSS vars, settings pattern) +- [ ] No unintended side effects +- [ ] Build passes (`tsc --noEmit` + `npm run build`) +- [ ] Manual smoke: widget live-updates + links; settings save/clear/export; docs updated + +## Handoff to Next Phase + + From 1ac4a0f66d154b483619354f3c7b9fe14618d7b5 Mon Sep 17 00:00:00 2001 From: "alexei.dolgolyov" Date: Tue, 9 Jun 2026 17:40:37 +0300 Subject: [PATCH 03/13] feat(activity-log): phase 1 - storage model, migration, repository - ActivityLogEntry dataclass + ActivityCategory/ActivitySeverity + ActivityLogFilters - additive idempotent migration 002_add_activity_log (indexed activity_log table, seq keyset tiebreaker) - ActivityLogRepository (record/query/count/prune/clear/iter_export), keyset pagination, parameterized SQL - 102 unit + adversarial tests (SQL-injection, pagination, prune, codec, migration idempotency) --- plans/activity-log/CONTEXT.md | 6 +- plans/activity-log/PLAN.md | 4 +- plans/activity-log/phase-1-storage.md | 101 +- server/src/ledgrab/storage/activity_log.py | 171 ++++ .../storage/activity_log_repository.py | 293 ++++++ server/src/ledgrab/storage/data_migrations.py | 50 + .../storage/test_activity_log_adversarial.py | 884 ++++++++++++++++++ .../storage/test_activity_log_repository.py | 609 ++++++++++++ 8 files changed, 2100 insertions(+), 18 deletions(-) create mode 100644 server/src/ledgrab/storage/activity_log.py create mode 100644 server/src/ledgrab/storage/activity_log_repository.py create mode 100644 server/tests/storage/test_activity_log_adversarial.py create mode 100644 server/tests/storage/test_activity_log_repository.py diff --git a/plans/activity-log/CONTEXT.md b/plans/activity-log/CONTEXT.md index d3b5ba6..0776c6a 100644 --- a/plans/activity-log/CONTEXT.md +++ b/plans/activity-log/CONTEXT.md @@ -45,8 +45,8 @@ context (survives across phases; graduates to CLAUDE.md only if it's a lasting p ## Frozen contracts (fill as phases complete) -- ActivityLogEntry fields / dict shape: _(Phase 1/2 handoff)_ -- ActivityLogFilters shape: _(Phase 1 handoff)_ +- ActivityLogEntry fields / dict shape: **frozen** — see phase-1-storage.md Handoff section. 11 fields: `id`, `ts`, `category`, `action`, `severity`, `actor`, `message`, `entity_type`, `entity_id`, `entity_name`, `metadata`. `seq` is DB-only (not on dataclass). +- ActivityLogFilters shape: **frozen** — 8 optional fields: `categories`, `severities`, `actor`, `entity_type`, `entity_id`, `since`, `until`, `message_like`. See phase-1-storage.md Handoff. - recorder.record(...) signature + actor ContextVar import path: _(Phase 2 handoff)_ - API endpoints + query params + page envelope + settings bounds: _(Phase 4 handoff)_ @@ -65,4 +65,4 @@ context (survives across phases; graduates to CLAUDE.md only if it's a lasting p ## Phase progress notes -_(Orchestrator appends a short note per phase: what landed, commit sha, any warnings.)_ +Phase 1 landed (2026-06-09): `activity_log.py` (dataclass + enums + filters + codec), `AddActivityLogTableMigration` (`002_add_activity_log`) appended to `ALL_MIGRATIONS`, `ActivityLogRepository` (record/query/count/prune/clear/iter_export), 41 new tests — all green. Full suite 2226 passed, 0 failed. Schema and method signatures frozen in phase-1-storage.md Handoff. Gotcha: `Database.execute` takes a positional tuple — use `?` placeholders (not `:name`), otherwise Python 3.14 will raise `ProgrammingError`. diff --git a/plans/activity-log/PLAN.md b/plans/activity-log/PLAN.md index 67819cd..b74fc71 100644 --- a/plans/activity-log/PLAN.md +++ b/plans/activity-log/PLAN.md @@ -59,7 +59,7 @@ is an on-demand CSV/JSON **export** (no separate backup subsystem). ## Phases -- [ ] Phase 1: Storage — model, migration, repository [domain: data] → [subplan](./phase-1-storage.md) +- [x] Phase 1: Storage — model, migration, repository [domain: data] → [subplan](./phase-1-storage.md) - [ ] Phase 2: Recorder, actor context, retention, lifecycle [domain: backend] → [subplan](./phase-2-recorder-retention.md) - [ ] Phase 3: Event instrumentation (4 categories) [domain: backend] → [subplan](./phase-3-instrumentation.md) - [ ] Phase 4: REST API — query/filter/export/settings/clear [domain: backend] → [subplan](./phase-4-api.md) @@ -79,7 +79,7 @@ is an on-demand CSV/JSON **export** (no separate backup subsystem). | Phase | Domain | Status | Review | Build | Committed | |-------|--------|--------|--------|-------|-----------| -| Phase 1: Storage | data | ⬜ Not Started | ⬜ | ⬜ | ⬜ | +| Phase 1: Storage | data | ✅ Done | ✅ Passed | ✅ Passed | ✅ | | Phase 2: Recorder/Retention | backend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | | Phase 3: Instrumentation | backend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | | Phase 4: REST API | backend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | diff --git a/plans/activity-log/phase-1-storage.md b/plans/activity-log/phase-1-storage.md index 5b13255..0cb7518 100644 --- a/plans/activity-log/phase-1-storage.md +++ b/plans/activity-log/phase-1-storage.md @@ -1,6 +1,6 @@ # Phase 1: Storage — model, migration, repository -**Status:** ⬜ Not Started +**Status:** ✅ Done **Parent plan:** [PLAN.md](./PLAN.md) **Domain:** data @@ -13,7 +13,7 @@ keyset-paginated filtered query, count, time/count-based prune, and streaming ex ## Tasks -- [ ] Create `server/src/ledgrab/storage/activity_log.py`: +- [x] Create `server/src/ledgrab/storage/activity_log.py`: - `ActivityCategory` and `ActivitySeverity` string enums (or `Literal` unions used as constants). Categories: `auth`, `device`, `entity`, `capture`, `system`. Severities: `info`, `warning`, `error`. @@ -22,7 +22,7 @@ keyset-paginated filtered query, count, time/count-based prune, and streaming ex `entity_type: str | None`, `entity_id: str | None`, `entity_name: str | None`, `message: str`, `metadata: dict` (small JSON; default empty). Provide `to_row()` / `from_row()` (column tuple/dict ↔ dataclass; `metadata` JSON-encoded; `ts` isoformat). -- [ ] Add migration to `server/src/ledgrab/storage/data_migrations.py`: +- [x] Add migration to `server/src/ledgrab/storage/data_migrations.py`: - New `DataMigration` subclass `AddActivityLogTableMigration` with unique `name` (next sequential id, e.g. `"NNN_add_activity_log"` — match existing naming) and `apply(conn)` creating `activity_log` with an INTEGER PRIMARY KEY AUTOINCREMENT `seq` @@ -33,7 +33,7 @@ keyset-paginated filtered query, count, time/count-based prune, and streaming ex - Indexes: `(ts DESC, seq DESC)` (primary keyset/sort), `category`, `severity`, `actor`, `(entity_type, entity_id)`. Use `CREATE TABLE/INDEX IF NOT EXISTS` for idempotency. - Append the instance to `ALL_MIGRATIONS` (never reorder existing entries). -- [ ] Create `server/src/ledgrab/storage/activity_log_repository.py`: +- [x] Create `server/src/ledgrab/storage/activity_log_repository.py`: - `class ActivityLogRepository` taking `db: Database` (NOT subclassing `BaseSqliteStore`). - `record(entry: ActivityLogEntry) -> None`: single parameterized INSERT via `db.execute(...)` (auto-commit). The `seq` is DB-assigned. **Caller guarantees this runs @@ -51,7 +51,7 @@ keyset-paginated filtered query, count, time/count-based prune, and streaming ex (does not load all rows into memory). - Define a small `ActivityLogFilters` dataclass (all-optional fields) in the repository or `activity_log.py` and reuse it across query/count/prune/export. -- [ ] Unit tests in `server/tests/storage/test_activity_log_repository.py`: +- [x] Unit tests in `server/tests/storage/test_activity_log_repository.py`: - insert + read back round-trip (incl. metadata JSON, UTC ts); - filter by each dimension (category/severity/actor/entity/date/free-text); - keyset pagination stability across two pages with same-`ts` rows (seq tiebreaker); @@ -89,14 +89,89 @@ keyset-paginated filtered query, count, time/count-based prune, and streaming ex ## Review Checklist -- [ ] All tasks completed -- [ ] Code follows project conventions (dataclass codec style, migration naming) -- [ ] No unintended side effects (no startup wiring yet) -- [ ] Build passes (ruff + pytest) -- [ ] Tests pass (new + existing) +- [x] All tasks completed +- [x] Code follows project conventions (dataclass codec style, migration naming) +- [x] No unintended side effects (no startup wiring yet) +- [x] Build passes (ruff + pytest) +- [x] Tests pass (new + existing) ## Handoff to Next Phase - +### ActivityLogEntry — final field list and dict shape + +```python +@dataclass +class ActivityLogEntry: + id: str # "al_" — caller-assigned + ts: datetime # UTC-aware; stored as ISO-8601 string in DB + category: str # ActivityCategory constant + action: str # verb-object label, e.g. "entity.created" + severity: str # ActivitySeverity constant + actor: str # API-key label or "system" + message: str # human-readable description + entity_type: str | None # e.g. "output_target" + entity_id: str | None # stable entity id + entity_name: str | None # name at time of event + metadata: dict # JSON-serialisable; default {} +``` + +`to_row()` returns a flat dict with 11 keys (same names); `metadata` is JSON string, `ts` is isoformat string. `seq` is NOT in `to_row()` — it is DB-assigned. + +### ActivityLogFilters — shape (all fields optional, default None) + +```python +@dataclass +class ActivityLogFilters: + categories: Sequence[str] | None # category IN (...) + severities: Sequence[str] | None # severity IN (...) + actor: str | None # exact match + entity_type: str | None # exact match + entity_id: str | None # exact match + since: datetime | None # ts >= since + until: datetime | None # ts <= until + message_like: str | None # LIKE %value% (escaped) +``` + +### Migration name used + +`"002_add_activity_log"` — appended as position [1] in `ALL_MIGRATIONS`. + +### ActivityLogRepository — exact method signatures + +```python +class ActivityLogRepository: + def __init__(self, db: Database) -> None + def record(self, entry: ActivityLogEntry) -> None + def query( + self, + filters: ActivityLogFilters, + *, + before_seq: int | None = None, + limit: int = 50, + ) -> list[ActivityLogEntry] + def count(self, filters: ActivityLogFilters | None = None) -> int + def prune( + self, + *, + before_ts: datetime | None = None, + max_entries: int | None = None, + ) -> int + def clear(self) -> int + def iter_export( + self, filters: ActivityLogFilters | None = None + ) -> Iterator[ActivityLogEntry] +``` + +### Key behavioural notes for Phase 2/3/4 + +- `record()` expects to be called from the event-loop thread (or with `Database` RLock already held). Phase 2 is responsible for thread marshaling via `loop.call_soon_threadsafe`. +- `query()` returns entries in **ascending chronological order within the page** (reversed internally from DESC fetch for display convenience). The smallest `seq` on a page is `page[0]`'s seq — pass that as `before_seq` for the next page. +- `count(None)` == `count(ActivityLogFilters())` — both count all rows. +- `prune(before_ts=X, max_entries=N)` applies both predicates independently (age prune first, then count cap). +- `iter_export` holds `db._lock` for the entire iteration. Phase 4 should stream the response and consume promptly. +- `ActivityLogCategory` and `ActivityLogSeverity` are plain classes with string class-attributes and an `ALL` tuple — NOT `enum.Enum`. +- Imports for Phase 2/3/4: + ```python + from ledgrab.storage.activity_log import ActivityLogEntry, ActivityLogFilters, ActivityCategory, ActivitySeverity + from ledgrab.storage.activity_log_repository import ActivityLogRepository + ``` diff --git a/server/src/ledgrab/storage/activity_log.py b/server/src/ledgrab/storage/activity_log.py new file mode 100644 index 0000000..84ff3df --- /dev/null +++ b/server/src/ledgrab/storage/activity_log.py @@ -0,0 +1,171 @@ +"""Activity / audit log data model. + +Defines the ``ActivityLogEntry`` dataclass together with its category and +severity enumerations and the ``ActivityLogFilters`` query object. Row-level +codec (``to_row`` / ``from_row``) converts between the dataclass and a flat +SQLite column dict. +""" + +from __future__ import annotations + +import json +from dataclasses import dataclass, field +from datetime import datetime, timezone +from typing import Sequence + + +# --------------------------------------------------------------------------- +# Enumerations (string constants, not enum.Enum, to stay consistent with the +# rest of the codebase which uses plain string literals) +# --------------------------------------------------------------------------- + + +class ActivityCategory: + """Valid ``category`` values for an ``ActivityLogEntry``.""" + + AUTH = "auth" + DEVICE = "device" + ENTITY = "entity" + CAPTURE = "capture" + SYSTEM = "system" + + ALL: tuple[str, ...] = (AUTH, DEVICE, ENTITY, CAPTURE, SYSTEM) + + +class ActivitySeverity: + """Valid ``severity`` values for an ``ActivityLogEntry``.""" + + INFO = "info" + WARNING = "warning" + ERROR = "error" + + ALL: tuple[str, ...] = (INFO, WARNING, ERROR) + + +# --------------------------------------------------------------------------- +# Entry dataclass +# --------------------------------------------------------------------------- + + +@dataclass +class ActivityLogEntry: + """One immutable audit record. + + Fields + ------ + id Stable application-assigned identifier, e.g. ``al_``. + ts UTC timestamp of the event (server-assigned at record time). + category Broad bucket — one of :class:`ActivityCategory`. + action Verb-object label, e.g. ``"entity.created"`` or ``"auth.rejected"``. + severity One of :class:`ActivitySeverity`. + actor Who triggered the action, e.g. an API-key label or ``"system"``. + entity_type Optional: kind of entity involved, e.g. ``"output_target"``. + entity_id Optional: stable entity identifier. + entity_name Optional: human-readable entity name at the time of the event. + message Human-readable description suitable for display. + metadata Small structured context (device address, error code, …). + Must be JSON-serialisable; defaults to empty dict. + """ + + id: str + ts: datetime + category: str + action: str + severity: str + actor: str + message: str + entity_type: str | None = None + entity_id: str | None = None + entity_name: str | None = None + metadata: dict = field(default_factory=dict) + + # -- Row codec ----------------------------------------------------------- + + def to_row(self) -> dict: + """Return a flat dict suitable for a parameterised SQLite INSERT. + + ``ts`` is stored as an ISO-8601 string (UTC). ``metadata`` is stored + as a JSON string. ``seq`` is DB-assigned and is NOT included. + """ + return { + "id": self.id, + "ts": self.ts.isoformat(), + "category": self.category, + "action": self.action, + "severity": self.severity, + "actor": self.actor, + "entity_type": self.entity_type, + "entity_id": self.entity_id, + "entity_name": self.entity_name, + "message": self.message, + "metadata": json.dumps(self.metadata, ensure_ascii=False), + } + + @staticmethod + def from_row(row: dict) -> "ActivityLogEntry": + """Reconstruct an ``ActivityLogEntry`` from a SQLite row dict. + + ``row`` may include the ``seq`` column — it is ignored here (callers + that need ``seq`` for keyset pagination access it directly from the + row before calling this method). + """ + raw_meta = row.get("metadata") or "{}" + try: + metadata = json.loads(raw_meta) + except (json.JSONDecodeError, TypeError): + metadata = {} + + raw_ts = row["ts"] + ts = datetime.fromisoformat(raw_ts) + # Ensure tz-aware UTC even if stored without offset (legacy rows) + if ts.tzinfo is None: + ts = ts.replace(tzinfo=timezone.utc) + + return ActivityLogEntry( + id=row["id"], + ts=ts, + category=row["category"], + action=row["action"], + severity=row["severity"], + actor=row["actor"], + entity_type=row.get("entity_type"), + entity_id=row.get("entity_id"), + entity_name=row.get("entity_name"), + message=row["message"], + metadata=metadata, + ) + + +# --------------------------------------------------------------------------- +# Filters dataclass +# --------------------------------------------------------------------------- + + +@dataclass +class ActivityLogFilters: + """Optional query-time filters for :class:`ActivityLogRepository`. + + All fields are optional. ``None`` / empty sequence means "no restriction + on this dimension". + + Fields + ------ + categories Restrict to entries whose ``category`` is in this set. + severities Restrict to entries whose ``severity`` is in this set. + actor Exact match on the ``actor`` field. + entity_type Exact match on the ``entity_type`` field. + entity_id Exact match on the ``entity_id`` field. + since Inclusive lower bound on ``ts`` (``ts >= since``). + until Inclusive upper bound on ``ts`` (``ts <= until``). + message_like Free-text substring match on ``message`` (LIKE ``%value%``). + The value is escaped — no SQL injection risk. + """ + + categories: Sequence[str] | None = None + severities: Sequence[str] | None = None + actor: str | None = None + entity_type: str | None = None + entity_id: str | None = None + since: datetime | None = None + until: datetime | None = None + message_like: str | None = None diff --git a/server/src/ledgrab/storage/activity_log_repository.py b/server/src/ledgrab/storage/activity_log_repository.py new file mode 100644 index 0000000..b54df49 --- /dev/null +++ b/server/src/ledgrab/storage/activity_log_repository.py @@ -0,0 +1,293 @@ +"""Append-only repository for the persistent activity / audit log. + +Design notes +------------ +* Does NOT subclass ``BaseSqliteStore`` — that base loads every row into an + in-memory cache at construction time, which is wrong for an unbounded, + append-heavy log. +* All SQL parameters are passed as positional ``?`` placeholders — no user + input is interpolated into the query string. +* Keyset pagination is implemented via the ``seq`` INTEGER PRIMARY KEY + AUTOINCREMENT column, which is strictly monotonic and survives rows with + identical ``ts`` values. +* The repository takes a ``Database`` instance and calls ``db.execute`` / + ``db.transaction`` directly. +* Thread safety: ``Database.execute`` holds the ``RLock`` for the duration of + each call. The repository itself adds no extra locking. Callers that + originate from non-event-loop threads MUST marshal via + ``loop.call_soon_threadsafe`` (that is Phase 2's responsibility). +""" + +from __future__ import annotations + +import sqlite3 +from datetime import datetime +from typing import Iterator + +from ledgrab.storage.activity_log import ActivityLogEntry, ActivityLogFilters +from ledgrab.storage.database import Database +from ledgrab.utils import get_logger + +logger = get_logger(__name__) + +_TABLE = "activity_log" + + +def _build_filter_clause( + filters: ActivityLogFilters, + params: list, + *, + extra_where: str | None = None, +) -> str: + """Return a WHERE clause string and append bound parameters to *params*. + + The caller is responsible for providing the opening ``WHERE`` keyword when + the returned string is non-empty, or ``AND`` when appending to an existing + predicate. This function returns only the condition fragment(s) joined by + ``AND``, or an empty string when *filters* has no restrictions. + + ``extra_where`` is prepended (with AND) before the filter conditions if + provided (used for the ``seq < ?`` keyset predicate). + """ + conditions: list[str] = [] + + if extra_where: + conditions.append(extra_where) + + if filters.categories: + placeholders = ",".join("?" * len(filters.categories)) + conditions.append(f"category IN ({placeholders})") + params.extend(filters.categories) + + if filters.severities: + placeholders = ",".join("?" * len(filters.severities)) + conditions.append(f"severity IN ({placeholders})") + params.extend(filters.severities) + + if filters.actor is not None: + conditions.append("actor = ?") + params.append(filters.actor) + + if filters.entity_type is not None: + conditions.append("entity_type = ?") + params.append(filters.entity_type) + + if filters.entity_id is not None: + conditions.append("entity_id = ?") + params.append(filters.entity_id) + + if filters.since is not None: + conditions.append("ts >= ?") + params.append(filters.since.isoformat()) + + if filters.until is not None: + conditions.append("ts <= ?") + params.append(filters.until.isoformat()) + + if filters.message_like is not None: + # Escape LIKE special characters in the user-supplied substring so that + # a literal '%' or '_' in the message does not act as a wildcard. + escaped = filters.message_like.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + conditions.append("message LIKE ? ESCAPE '\\'") + params.append(f"%{escaped}%") + + return " AND ".join(conditions) + + +class ActivityLogRepository: + """Purpose-built repository for the ``activity_log`` table. + + Parameters + ---------- + db: + The shared ``Database`` singleton. The migration that creates the + ``activity_log`` table must have been applied before the first call to + :meth:`record`. Construction triggers migration via + ``MigrationRunner`` so users can create the repository directly + without a separate startup step. + """ + + def __init__(self, db: Database) -> None: + self._db = db + # Apply pending migrations (idempotent; most runs are no-ops) + from ledgrab.storage.data_migrations import ALL_MIGRATIONS, MigrationRunner + + MigrationRunner(db).run(ALL_MIGRATIONS) + + # -- Write --------------------------------------------------------------- + + def record(self, entry: ActivityLogEntry) -> None: + """Append *entry* to the log. + + The ``seq`` column is assigned by SQLite (AUTOINCREMENT) — ``entry`` + does not carry a ``seq`` field. + + Caller contract: this must be called from the event-loop thread (or + from a context already serialised through the ``Database`` RLock). + Cross-thread callers must marshal via ``loop.call_soon_threadsafe``; + that is Phase 2's responsibility. + """ + row = entry.to_row() + self._db.execute( + f"INSERT INTO {_TABLE} " + f"(id, ts, category, action, severity, actor, " + f" entity_type, entity_id, entity_name, message, metadata) " + f"VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", + ( + row["id"], + row["ts"], + row["category"], + row["action"], + row["severity"], + row["actor"], + row["entity_type"], + row["entity_id"], + row["entity_name"], + row["message"], + row["metadata"], + ), + ) + + # -- Read ---------------------------------------------------------------- + + def query( + self, + filters: ActivityLogFilters, + *, + before_seq: int | None = None, + limit: int = 50, + ) -> list[ActivityLogEntry]: + """Return the newest matching entries, oldest-first within the page. + + Keyset pagination: pass the smallest ``seq`` seen on the previous page + as *before_seq* to get the next page. Entries are fetched in + ``seq DESC`` order from SQLite and then reversed before returning so + that the caller receives them in chronological order within the page. + + Parameters + ---------- + filters: + Optional filter criteria. + before_seq: + Exclusive upper bound on ``seq``. ``None`` returns the first + (newest) page. + limit: + Maximum number of entries to return. + """ + params: list = [] + keyset = "seq < ?" if before_seq is not None else None + if before_seq is not None: + params.append(before_seq) + + where_fragment = _build_filter_clause(filters, params, extra_where=keyset) + where_clause = f"WHERE {where_fragment}" if where_fragment else "" + params.append(limit) + + sql = ( + f"SELECT seq, id, ts, category, action, severity, actor, " + f"entity_type, entity_id, entity_name, message, metadata " + f"FROM {_TABLE} " + f"{where_clause} " + f"ORDER BY seq DESC " + f"LIMIT ?" + ) + + cursor = self._db.execute(sql, tuple(params)) + rows = cursor.fetchall() + # Reverse to return chronological order within the page + return [ActivityLogEntry.from_row(dict(row)) for row in reversed(rows)] + + def count(self, filters: ActivityLogFilters | None = None) -> int: + """Return the number of entries matching *filters* (or all entries).""" + if filters is None: + filters = ActivityLogFilters() + params: list = [] + where_fragment = _build_filter_clause(filters, params) + where_clause = f"WHERE {where_fragment}" if where_fragment else "" + + sql = f"SELECT COUNT(*) AS cnt FROM {_TABLE} {where_clause}" + cursor = self._db.execute(sql, tuple(params)) + row = cursor.fetchone() + return int(row["cnt"]) + + # -- Maintenance --------------------------------------------------------- + + def prune( + self, + *, + before_ts: datetime | None = None, + max_entries: int | None = None, + ) -> int: + """Delete old / excess entries; return the total rows deleted. + + Both predicates are applied independently: + + 1. Delete all rows where ``ts < before_ts`` (age-based pruning). + 2. Keep only the newest ``max_entries`` rows, deleting the rest + (count-based pruning). + + The two operations run in separate statements so that each can be + independently enabled or disabled. + """ + deleted = 0 + + if before_ts is not None: + cursor = self._db.execute( + f"DELETE FROM {_TABLE} WHERE ts < ?", + (before_ts.isoformat(),), + ) + deleted += cursor.rowcount + + if max_entries is not None and max_entries >= 0: + # Find the seq of the Nth newest row; delete everything older than it. + cursor = self._db.execute( + f"SELECT seq FROM {_TABLE} ORDER BY seq DESC LIMIT 1 OFFSET ?", + (max_entries,), + ) + cutoff_row = cursor.fetchone() + if cutoff_row is not None: + cutoff_seq = cutoff_row["seq"] + cursor = self._db.execute( + f"DELETE FROM {_TABLE} WHERE seq <= ?", + (cutoff_seq,), + ) + deleted += cursor.rowcount + + return deleted + + def clear(self) -> int: + """Delete all entries; return the number of rows deleted.""" + cursor = self._db.execute(f"DELETE FROM {_TABLE}") + return cursor.rowcount + + # -- Export -------------------------------------------------------------- + + def iter_export(self, filters: ActivityLogFilters | None = None) -> Iterator[ActivityLogEntry]: + """Yield all matching entries in ascending ``seq`` order. + + Uses a server-side cursor so the entire result set is never loaded + into memory — safe for large tables. The connection's ``RLock`` is + held for the duration of the iteration; callers should consume this + iterator promptly. + """ + if filters is None: + filters = ActivityLogFilters() + + params: list = [] + where_fragment = _build_filter_clause(filters, params) + where_clause = f"WHERE {where_fragment}" if where_fragment else "" + + sql = ( + f"SELECT seq, id, ts, category, action, severity, actor, " + f"entity_type, entity_id, entity_name, message, metadata " + f"FROM {_TABLE} " + f"{where_clause} " + f"ORDER BY seq ASC" + ) + + # Use the raw connection directly to get a streaming cursor. + # We borrow the lock for the full iteration. + with self._db._lock: # noqa: SLF001 — internal access; no public cursor API + cursor: sqlite3.Cursor = self._db._conn.execute(sql, tuple(params)) # noqa: SLF001 + for row in cursor: + yield ActivityLogEntry.from_row(dict(row)) diff --git a/server/src/ledgrab/storage/data_migrations.py b/server/src/ledgrab/storage/data_migrations.py index b8515d1..ea26de3 100644 --- a/server/src/ledgrab/storage/data_migrations.py +++ b/server/src/ledgrab/storage/data_migrations.py @@ -213,7 +213,57 @@ class StaticToSingleColorMigration(DataMigration): return rows_changed +class AddActivityLogTableMigration(DataMigration): + """Create the ``activity_log`` table and its indexes. + + This is a purely additive migration — it does not touch any existing table. + ``CREATE TABLE / INDEX IF NOT EXISTS`` ensures idempotency if the migration + somehow runs twice (e.g. after a partial restore). + """ + + name = "002_add_activity_log" + + def apply(self, conn: sqlite3.Connection) -> int: + conn.execute( + """ + CREATE TABLE IF NOT EXISTS activity_log ( + seq INTEGER PRIMARY KEY AUTOINCREMENT, + id TEXT UNIQUE NOT NULL, + ts TEXT NOT NULL, + category TEXT NOT NULL, + action TEXT NOT NULL, + severity TEXT NOT NULL, + actor TEXT NOT NULL, + entity_type TEXT, + entity_id TEXT, + entity_name TEXT, + message TEXT NOT NULL, + metadata TEXT NOT NULL DEFAULT '{}' + ) + """ + ) + # Primary read path: newest-first keyset pagination + conn.execute( + "CREATE INDEX IF NOT EXISTS idx_activity_log_ts_seq " + "ON activity_log (ts DESC, seq DESC)" + ) + # Filter indexes + conn.execute( + "CREATE INDEX IF NOT EXISTS idx_activity_log_category " "ON activity_log (category)" + ) + conn.execute( + "CREATE INDEX IF NOT EXISTS idx_activity_log_severity " "ON activity_log (severity)" + ) + conn.execute("CREATE INDEX IF NOT EXISTS idx_activity_log_actor " "ON activity_log (actor)") + conn.execute( + "CREATE INDEX IF NOT EXISTS idx_activity_log_entity " + "ON activity_log (entity_type, entity_id)" + ) + return 0 + + # Master list — ORDER MATTERS. Append new migrations; never reorder. ALL_MIGRATIONS: list[DataMigration] = [ StaticToSingleColorMigration(), + AddActivityLogTableMigration(), ] diff --git a/server/tests/storage/test_activity_log_adversarial.py b/server/tests/storage/test_activity_log_adversarial.py new file mode 100644 index 0000000..28070e7 --- /dev/null +++ b/server/tests/storage/test_activity_log_adversarial.py @@ -0,0 +1,884 @@ +"""Adversarial / edge-case tests for ActivityLogRepository (Phase 1 — storage layer). + +These tests are intentionally skeptical — they derive expected behaviour from the +acceptance criteria in plans/activity-log/phase-1-storage.md, NOT from what the +code happens to do today. If a test fails, it is a real bug. + +Coverage areas +-------------- +1. SQL-injection / parameterization safety (message_like with %, _, ;, --, quotes, etc.) +2. Keyset pagination edge cases (empty table, before_seq bounds, stability, + ordering contract, no duplicates/gaps) +3. Prune edge cases (before_ts only, max_entries only, both, + max_entries=0, larger than count, deleted count, + keeps NEWEST entries) +4. Filter combination edge cases (AND semantics, empty sequence vs None, + since/until inclusive bounds, tz-aware datetimes) +5. Codec / data integrity (metadata round-trip: nested, unicode, JSON-escape; + entity_* None vs empty string; microsecond ts) +6. Migration idempotency (table + all indexes present; double-run is no-op) +7. iter_export vs query consistency (same filters yield same rows; empty table; filter) +""" + +from __future__ import annotations + +import uuid +from datetime import datetime, timedelta, timezone + +import pytest + +from ledgrab.storage.activity_log import ( + ActivityCategory, + ActivityLogEntry, + ActivityLogFilters, + ActivitySeverity, +) +from ledgrab.storage.activity_log_repository import ActivityLogRepository +from ledgrab.storage.database import Database + + +# --------------------------------------------------------------------------- +# Helpers (mirror the implementer's helpers so tests are self-contained) +# --------------------------------------------------------------------------- + + +def _now() -> datetime: + return datetime.now(timezone.utc) + + +_SENTINEL = object() + + +def _entry( + *, + id: str | None = None, + ts: datetime | None = None, + category: str = ActivityCategory.ENTITY, + action: str = "entity.created", + severity: str = ActivitySeverity.INFO, + actor: str = "test_actor", + entity_type: str | None = "output_target", + entity_id: object = _SENTINEL, + entity_name: str | None = "My Target", + message: str = "Created output target", + metadata: dict | None = None, +) -> ActivityLogEntry: + resolved_entity_id: str | None = ( + f"ot_{uuid.uuid4().hex[:8]}" if entity_id is _SENTINEL else entity_id # type: ignore[assignment] + ) + return ActivityLogEntry( + id=id or f"al_{uuid.uuid4().hex[:8]}", + ts=ts or _now(), + category=category, + action=action, + severity=severity, + actor=actor, + entity_type=entity_type, + entity_id=resolved_entity_id, + entity_name=entity_name, + message=message, + metadata=metadata if metadata is not None else {}, + ) + + +@pytest.fixture +def repo(tmp_db: Database) -> ActivityLogRepository: + """Fresh ActivityLogRepository backed by a temp database.""" + return ActivityLogRepository(tmp_db) + + +def _get_seq(repo: ActivityLogRepository, entry_id: str) -> int: + cursor = repo._db.execute("SELECT seq FROM activity_log WHERE id = ?", (entry_id,)) + row = cursor.fetchone() + assert row is not None, f"No row found for id={entry_id!r}" + return int(row["seq"]) + + +# --------------------------------------------------------------------------- +# 1. SQL-injection / parameterization safety +# --------------------------------------------------------------------------- + + +class TestSQLInjectionSafety: + """All user-supplied filter values must be treated as literal text, not SQL.""" + + def test_message_like_percent_is_literal(self, repo: ActivityLogRepository) -> None: + """A literal '%' in message_like must NOT act as a LIKE wildcard.""" + repo.record(_entry(message="100% done")) + repo.record(_entry(message="all done")) + repo.record(_entry(message="percent sign here")) + + results = repo.query(ActivityLogFilters(message_like="100%"), limit=10) + assert len(results) == 1, "% in message_like should be a literal percent, not a wildcard" + assert results[0].message == "100% done" + + def test_message_like_underscore_is_literal(self, repo: ActivityLogRepository) -> None: + """A literal '_' in message_like must NOT act as a single-char wildcard.""" + repo.record(_entry(message="device_01")) + repo.record(_entry(message="device001")) # would match if _ were a wildcard + repo.record(_entry(message="some other message")) + + results = repo.query(ActivityLogFilters(message_like="device_01"), limit=10) + assert ( + len(results) == 1 + ), "_ in message_like should be a literal underscore, not a single-char wildcard" + assert results[0].message == "device_01" + + def test_message_like_single_quote_does_not_break_query( + self, repo: ActivityLogRepository + ) -> None: + """A single quote in message_like must not cause a SQL syntax error.""" + repo.record(_entry(message="it's working")) + repo.record(_entry(message="no quote here")) + + # Must not raise + results = repo.query(ActivityLogFilters(message_like="it's"), limit=10) + assert len(results) == 1 + assert results[0].message == "it's working" + + def test_message_like_semicolon_does_not_execute_second_statement( + self, repo: ActivityLogRepository + ) -> None: + """';' in message_like must not let a second SQL statement execute.""" + repo.record(_entry(message="a; DROP TABLE activity_log; --")) + repo.record(_entry(message="safe message")) + + # If injection succeeded, table would be dropped and next call would error + results = repo.query( + ActivityLogFilters(message_like="a; DROP TABLE activity_log; --"), limit=10 + ) + # Table must still exist + assert repo.count() == 2 + assert len(results) == 1 + + def test_message_like_sql_comment_sequence(self, repo: ActivityLogRepository) -> None: + """'--' (SQL comment) in message_like must be treated literally.""" + repo.record(_entry(message="value -- comment")) + repo.record(_entry(message="value no comment")) + + results = repo.query(ActivityLogFilters(message_like="value --"), limit=10) + assert len(results) == 1 + assert results[0].message == "value -- comment" + + def test_message_like_backslash_literal(self, repo: ActivityLogRepository) -> None: + """Backslash in message_like must be treated as a literal character.""" + repo.record(_entry(message="path\\to\\file")) + repo.record(_entry(message="path/to/file")) + + results = repo.query(ActivityLogFilters(message_like="path\\to"), limit=10) + assert len(results) == 1 + assert results[0].message == "path\\to\\file" + + def test_message_like_classic_injection_pattern(self, repo: ActivityLogRepository) -> None: + """Classic ') OR '1'='1 injection attempt must return no false positives.""" + repo.record(_entry(message="innocent message")) + repo.record(_entry(message="another message")) + + # If injection worked, all rows would match + results = repo.query(ActivityLogFilters(message_like="') OR '1'='1"), limit=10) + assert ( + len(results) == 0 + ), "Injection payload matched rows it shouldn't — parameterization may be broken" + + def test_message_like_all_wildcards_returns_nothing_for_no_match( + self, repo: ActivityLogRepository + ) -> None: + """'%_%' as a literal search term should return no rows unless that exact + substring appears in a message.""" + repo.record(_entry(message="some message")) + + results = repo.query(ActivityLogFilters(message_like="%_%"), limit=10) + # '%_%' as literal text does not appear in "some message" + assert ( + len(results) == 0 + ), "% and _ in message_like were treated as SQL wildcards instead of literals" + + def test_actor_exact_match_not_like(self, repo: ActivityLogRepository) -> None: + """actor filter is exact match — SQL wildcards in value must not act as wildcards.""" + repo.record(_entry(actor="alice")) + repo.record(_entry(actor="alice_admin")) + + results = repo.query(ActivityLogFilters(actor="alice"), limit=10) + assert ( + len(results) == 1 + ), "actor filter is exact-match; 'alice' should not match 'alice_admin'" + assert results[0].actor == "alice" + + def test_entity_id_exact_match_not_like(self, repo: ActivityLogRepository) -> None: + """entity_id filter is exact match — prefix should not leak.""" + repo.record(_entry(entity_id="ot_abc")) + repo.record(_entry(entity_id="ot_abc_extra")) + + results = repo.query(ActivityLogFilters(entity_id="ot_abc"), limit=10) + assert len(results) == 1 + + +# --------------------------------------------------------------------------- +# 2. Keyset pagination edge cases +# --------------------------------------------------------------------------- + + +class TestKeysetPaginationEdges: + def test_empty_table_returns_empty_list(self, repo: ActivityLogRepository) -> None: + """Query on empty table must return [] not raise.""" + results = repo.query(ActivityLogFilters(), limit=10) + assert results == [] + + def test_before_seq_none_is_first_page(self, repo: ActivityLogRepository) -> None: + """before_seq=None must return the newest (first) page.""" + base = datetime(2026, 1, 1, tzinfo=timezone.utc) + for i in range(5): + repo.record(_entry(ts=base + timedelta(seconds=i), message=f"e{i}")) + + page = repo.query(ActivityLogFilters(), before_seq=None, limit=3) + assert len(page) == 3 + # Page should contain the 3 newest entries + messages = {e.message for e in page} + assert "e4" in messages + assert "e3" in messages + assert "e2" in messages + + def test_before_seq_smaller_than_all_rows_returns_empty( + self, repo: ActivityLogRepository + ) -> None: + """before_seq=1 (smaller than all autoincrement seqs) returns empty page.""" + for i in range(5): + repo.record(_entry(message=f"e{i}")) + + # seq starts at 1, so before_seq=1 means seq < 1 — no rows + results = repo.query(ActivityLogFilters(), before_seq=1, limit=10) + assert ( + results == [] + ), "before_seq=1 should yield empty page since autoincrement starts at 1 (seq<1 = nothing)" + + def test_before_seq_larger_than_max_returns_full_first_page( + self, repo: ActivityLogRepository + ) -> None: + """before_seq larger than any seq in the table behaves like before_seq=None.""" + for i in range(5): + repo.record(_entry(message=f"e{i}")) + + page_none = repo.query(ActivityLogFilters(), before_seq=None, limit=5) + page_large = repo.query(ActivityLogFilters(), before_seq=999_999, limit=5) + + ids_none = {e.id for e in page_none} + ids_large = {e.id for e in page_large} + assert ids_none == ids_large + + def test_page_boundary_limit_equals_row_count(self, repo: ActivityLogRepository) -> None: + """When limit == total rows, one page covers all rows and a second page is empty.""" + for i in range(5): + repo.record(_entry(message=f"e{i}")) + + page1 = repo.query(ActivityLogFilters(), limit=5) + assert len(page1) == 5 + + first_seq = _get_seq(repo, page1[0].id) + page2 = repo.query(ActivityLogFilters(), before_seq=first_seq, limit=5) + assert page2 == [] + + def test_ordering_contract_page_zero_is_smallest_seq(self, repo: ActivityLogRepository) -> None: + """Within a page, page[0] must have the smallest seq (ascending chrono order). + The acceptance criteria state: 'The smallest seq on a page is page[0]'s seq — + pass that as before_seq for the next page.'""" + base = datetime(2026, 1, 1, tzinfo=timezone.utc) + for i in range(6): + repo.record(_entry(ts=base + timedelta(seconds=i), message=f"e{i}")) + + page = repo.query(ActivityLogFilters(), limit=6) + seqs = [_get_seq(repo, e.id) for e in page] + assert seqs == sorted( + seqs + ), "page must be in ascending seq order (page[0] is oldest/smallest seq)" + + def test_no_duplicates_across_full_walk(self, repo: ActivityLogRepository) -> None: + """Walking the entire table page by page yields each row exactly once.""" + total = 11 + base = datetime(2026, 1, 1, tzinfo=timezone.utc) + for i in range(total): + repo.record(_entry(ts=base + timedelta(seconds=i), message=f"e{i}")) + + all_ids: list[str] = [] + before_seq: int | None = None + limit = 4 + + while True: + page = repo.query(ActivityLogFilters(), before_seq=before_seq, limit=limit) + if not page: + break + all_ids.extend(e.id for e in page) + before_seq = _get_seq(repo, page[0].id) + + assert len(all_ids) == total, "Total rows from all pages must equal inserted count" + assert len(set(all_ids)) == total, "No duplicate IDs across pages" + + def test_no_gaps_across_full_walk(self, repo: ActivityLogRepository) -> None: + """Walking the entire table page by page with limit=1 yields every row.""" + total = 7 + for i in range(total): + repo.record(_entry(message=f"e{i}")) + + all_ids: list[str] = [] + before_seq: int | None = None + while True: + page = repo.query(ActivityLogFilters(), before_seq=before_seq, limit=1) + if not page: + break + all_ids.append(page[0].id) + before_seq = _get_seq(repo, page[0].id) + + assert len(all_ids) == total + + def test_many_rows_same_ts_no_duplicates_or_gaps(self, repo: ActivityLogRepository) -> None: + """With many identical timestamps, pagination via seq prevents any dup or gap.""" + same_ts = datetime(2026, 5, 1, 10, 0, 0, tzinfo=timezone.utc) + count = 9 + for i in range(count): + repo.record(_entry(ts=same_ts, message=f"same-ts {i}")) + + all_ids: list[str] = [] + before_seq: int | None = None + limit = 4 + while True: + page = repo.query(ActivityLogFilters(), before_seq=before_seq, limit=limit) + if not page: + break + all_ids.extend(e.id for e in page) + before_seq = _get_seq(repo, page[0].id) + + assert len(all_ids) == count + assert len(set(all_ids)) == count, "Duplicates found in same-ts pagination walk" + + def test_next_page_cursor_is_page_zero_seq(self, repo: ActivityLogRepository) -> None: + """The documented contract: pass page[0].seq as before_seq for next page. + Verify the next page does NOT overlap with the current page.""" + for i in range(6): + repo.record(_entry(message=f"e{i}")) + + page1 = repo.query(ActivityLogFilters(), limit=3) + cursor = _get_seq(repo, page1[0].id) # page[0] = smallest seq on page + page2 = repo.query(ActivityLogFilters(), before_seq=cursor, limit=3) + + ids1 = {e.id for e in page1} + ids2 = {e.id for e in page2} + assert ids1.isdisjoint(ids2), "Pages overlap — cursor contract broken" + + +# --------------------------------------------------------------------------- +# 3. Prune edge cases +# --------------------------------------------------------------------------- + + +class TestPruneEdgeCases: + def test_prune_before_ts_only_no_max_entries(self, repo: ActivityLogRepository) -> None: + """before_ts alone removes only old rows; recent rows untouched.""" + cutoff = datetime(2026, 3, 1, tzinfo=timezone.utc) + repo.record(_entry(ts=cutoff - timedelta(days=2), message="old")) + repo.record(_entry(ts=cutoff + timedelta(days=1), message="new")) + + deleted = repo.prune(before_ts=cutoff) + assert deleted == 1 + remaining = repo.query(ActivityLogFilters(), limit=10) + assert len(remaining) == 1 + assert remaining[0].message == "new" + + def test_prune_max_entries_only_no_before_ts(self, repo: ActivityLogRepository) -> None: + """max_entries alone trims to N newest; no age filter applied.""" + for i in range(6): + repo.record(_entry(message=f"e{i}")) + + deleted = repo.prune(max_entries=2) + assert deleted == 4 + assert repo.count() == 2 + + def test_prune_max_entries_zero_deletes_all(self, repo: ActivityLogRepository) -> None: + """max_entries=0 means keep nothing — all rows deleted.""" + for i in range(5): + repo.record(_entry()) + + deleted = repo.prune(max_entries=0) + assert deleted == 5 + assert repo.count() == 0 + + def test_prune_max_entries_larger_than_count_is_noop(self, repo: ActivityLogRepository) -> None: + """max_entries > actual count must not delete anything.""" + for i in range(3): + repo.record(_entry(message=f"e{i}")) + + deleted = repo.prune(max_entries=100) + assert deleted == 0 + assert repo.count() == 3 + + def test_prune_keeps_newest_entries_by_seq(self, repo: ActivityLogRepository) -> None: + """max_entries prune MUST keep the rows with the HIGHEST seq values.""" + base = datetime(2026, 1, 1, tzinfo=timezone.utc) + all_ids = [] + for i in range(6): + e = _entry(ts=base + timedelta(seconds=i), message=f"e{i}") + all_ids.append(e.id) + repo.record(e) + + # keep only 2 + repo.prune(max_entries=2) + remaining = repo.query(ActivityLogFilters(), limit=10) + remaining_ids = {r.id for r in remaining} + + # Must keep the last two inserted (highest seq = newest) + assert all_ids[-1] in remaining_ids, "Newest entry (e5) must be kept" + assert all_ids[-2] in remaining_ids, "Second newest entry (e4) must be kept" + # Oldest must be gone + assert all_ids[0] not in remaining_ids, "Oldest entry (e0) must be pruned" + + def test_prune_both_returns_sum_of_deleted(self, repo: ActivityLogRepository) -> None: + """prune(before_ts, max_entries) returns the TOTAL rows deleted by both steps.""" + base = datetime(2026, 4, 1, tzinfo=timezone.utc) + # 4 old entries (before base) + for i in range(4): + repo.record(_entry(ts=base - timedelta(hours=i + 1), message=f"old{i}")) + # 4 new entries (after base) + for i in range(4): + repo.record(_entry(ts=base + timedelta(hours=i + 1), message=f"new{i}")) + + # prune old, then keep only 2 new + deleted = repo.prune(before_ts=base, max_entries=2) + # 4 old + 2 of the 4 new = 6 total + assert deleted == 6 + assert repo.count() == 2 + + def test_prune_no_args_is_noop(self, repo: ActivityLogRepository) -> None: + """prune() with no args should delete 0 rows.""" + for i in range(3): + repo.record(_entry()) + + deleted = repo.prune() + assert deleted == 0 + assert repo.count() == 3 + + def test_prune_before_ts_boundary_is_exclusive(self, repo: ActivityLogRepository) -> None: + """prune(before_ts=X) uses strict < X; a row exactly at X must survive.""" + ts = datetime(2026, 5, 1, 12, 0, 0, tzinfo=timezone.utc) + repo.record(_entry(ts=ts - timedelta(seconds=1), message="before")) + repo.record(_entry(ts=ts, message="exact boundary")) + repo.record(_entry(ts=ts + timedelta(seconds=1), message="after")) + + deleted = repo.prune(before_ts=ts) + assert deleted == 1 # only "before" deleted + remaining = {r.message for r in repo.query(ActivityLogFilters(), limit=10)} + assert "exact boundary" in remaining + assert "before" not in remaining + + +# --------------------------------------------------------------------------- +# 4. Filter combination edge cases +# --------------------------------------------------------------------------- + + +class TestFilterCombinationEdges: + def test_multiple_filters_are_anded(self, repo: ActivityLogRepository) -> None: + """All non-None filters must be AND-ed together, not OR-ed.""" + repo.record( + _entry(actor="alice", category=ActivityCategory.AUTH, severity=ActivitySeverity.ERROR) + ) + repo.record( + _entry(actor="alice", category=ActivityCategory.DEVICE, severity=ActivitySeverity.INFO) + ) + repo.record( + _entry(actor="bob", category=ActivityCategory.AUTH, severity=ActivitySeverity.ERROR) + ) + + results = repo.query( + ActivityLogFilters( + actor="alice", + categories=[ActivityCategory.AUTH], + severities=[ActivitySeverity.ERROR], + ), + limit=10, + ) + assert len(results) == 1 + r = results[0] + assert r.actor == "alice" + assert r.category == ActivityCategory.AUTH + assert r.severity == ActivitySeverity.ERROR + + def test_empty_categories_sequence_means_no_restriction( + self, repo: ActivityLogRepository + ) -> None: + """An empty list for categories must behave the same as None (no restriction). + The acceptance criteria state empty sequence == None for this dimension.""" + repo.record(_entry(category=ActivityCategory.AUTH)) + repo.record(_entry(category=ActivityCategory.DEVICE)) + + # empty list + results_empty = repo.query(ActivityLogFilters(categories=[]), limit=10) + # None + results_none = repo.query(ActivityLogFilters(categories=None), limit=10) + + assert len(results_empty) == len(results_none), ( + "categories=[] and categories=None should behave identically (no restriction); " + f"got {len(results_empty)} vs {len(results_none)}" + ) + + def test_empty_severities_sequence_means_no_restriction( + self, repo: ActivityLogRepository + ) -> None: + """An empty list for severities must behave the same as None (no restriction).""" + repo.record(_entry(severity=ActivitySeverity.INFO)) + repo.record(_entry(severity=ActivitySeverity.ERROR)) + + results_empty = repo.query(ActivityLogFilters(severities=[]), limit=10) + results_none = repo.query(ActivityLogFilters(severities=None), limit=10) + + assert len(results_empty) == len( + results_none + ), "severities=[] and severities=None should behave identically" + + def test_since_is_inclusive(self, repo: ActivityLogRepository) -> None: + """since is an INCLUSIVE lower bound: ts >= since.""" + ts = datetime(2026, 6, 1, 10, 0, 0, tzinfo=timezone.utc) + repo.record(_entry(ts=ts - timedelta(seconds=1), message="before")) + repo.record(_entry(ts=ts, message="at boundary")) + repo.record(_entry(ts=ts + timedelta(seconds=1), message="after")) + + results = repo.query(ActivityLogFilters(since=ts), limit=10) + messages = {r.message for r in results} + assert "at boundary" in messages, "since boundary row (ts == since) must be included" + assert "before" not in messages + + def test_until_is_inclusive(self, repo: ActivityLogRepository) -> None: + """until is an INCLUSIVE upper bound: ts <= until.""" + ts = datetime(2026, 6, 1, 10, 0, 0, tzinfo=timezone.utc) + repo.record(_entry(ts=ts - timedelta(seconds=1), message="before")) + repo.record(_entry(ts=ts, message="at boundary")) + repo.record(_entry(ts=ts + timedelta(seconds=1), message="after")) + + results = repo.query(ActivityLogFilters(until=ts), limit=10) + messages = {r.message for r in results} + assert "at boundary" in messages, "until boundary row (ts == until) must be included" + assert "after" not in messages + + def test_since_and_until_define_closed_range(self, repo: ActivityLogRepository) -> None: + """Combining since + until must keep rows in [since, until] inclusive.""" + base = datetime(2026, 6, 1, 12, 0, 0, tzinfo=timezone.utc) + repo.record(_entry(ts=base - timedelta(hours=1), message="out_before")) + repo.record(_entry(ts=base, message="in_start")) + repo.record(_entry(ts=base + timedelta(hours=1), message="in_middle")) + repo.record(_entry(ts=base + timedelta(hours=2), message="in_end")) + repo.record(_entry(ts=base + timedelta(hours=3), message="out_after")) + + results = repo.query( + ActivityLogFilters(since=base, until=base + timedelta(hours=2)), + limit=10, + ) + messages = {r.message for r in results} + assert {"in_start", "in_middle", "in_end"} == messages + + def test_tz_aware_datetime_round_trip(self, repo: ActivityLogRepository) -> None: + """UTC-aware datetimes must survive storage and come back tz-aware.""" + ts = datetime(2026, 1, 15, 8, 30, 0, tzinfo=timezone.utc) + e = _entry(ts=ts) + repo.record(e) + + got = repo.query(ActivityLogFilters(), limit=1)[0] + assert got.ts.tzinfo is not None, "Returned ts must be tz-aware" + assert got.ts.utcoffset().total_seconds() == 0, "Returned ts must be UTC" # type: ignore[union-attr] + assert got.ts == ts + + def test_count_none_equals_count_empty_filters(self, repo: ActivityLogRepository) -> None: + """count(None) == count(ActivityLogFilters()) per acceptance criteria.""" + for i in range(4): + repo.record(_entry()) + + assert repo.count(None) == repo.count(ActivityLogFilters()) + + +# --------------------------------------------------------------------------- +# 5. Codec / data integrity +# --------------------------------------------------------------------------- + + +class TestCodecDataIntegrity: + def test_metadata_nested_dict_round_trip(self, repo: ActivityLogRepository) -> None: + """Deeply nested metadata survives JSON round-trip.""" + meta = { + "level1": { + "level2": {"level3": [1, 2, 3]}, + "list": [{"a": True}, {"b": None}], + }, + "count": 42, + } + e = _entry(metadata=meta) + repo.record(e) + got = repo.query(ActivityLogFilters(), limit=1)[0] + assert got.metadata == meta + + def test_metadata_unicode_round_trip(self, repo: ActivityLogRepository) -> None: + """Unicode (including emoji and CJK) in metadata survives storage.""" + meta = {"label": "こんにちは", "emoji": "🎉", "arrow": "→"} + e = _entry(metadata=meta) + repo.record(e) + got = repo.query(ActivityLogFilters(), limit=1)[0] + assert got.metadata == meta + + def test_metadata_empty_dict_round_trip(self, repo: ActivityLogRepository) -> None: + """An empty {} metadata must come back as {} not None.""" + e = _entry(metadata={}) + repo.record(e) + got = repo.query(ActivityLogFilters(), limit=1)[0] + assert got.metadata == {} + assert isinstance(got.metadata, dict) + + def test_metadata_json_special_chars(self, repo: ActivityLogRepository) -> None: + """Metadata with JSON-special characters (backslash, quotes) round-trips correctly.""" + meta = {"path": "C:\\Users\\test", "quoted": '"hello"', "newline": "line1\nline2"} + e = _entry(metadata=meta) + repo.record(e) + got = repo.query(ActivityLogFilters(), limit=1)[0] + assert got.metadata == meta + + def test_entity_type_none_vs_empty_string(self, repo: ActivityLogRepository) -> None: + """None entity_type must come back as None (not empty string ''). + These are semantically different — None means 'not applicable'.""" + e = _entry(entity_type=None, entity_id=None, entity_name=None) + repo.record(e) + got = repo.query(ActivityLogFilters(), limit=1)[0] + # Must be exactly None, not "" + assert got.entity_type is None + assert got.entity_id is None + assert got.entity_name is None + + def test_ts_microsecond_precision_preserved(self, repo: ActivityLogRepository) -> None: + """Microsecond component of ts must survive the isoformat() round-trip.""" + ts = datetime(2026, 6, 9, 12, 34, 56, 789012, tzinfo=timezone.utc) + e = _entry(ts=ts) + repo.record(e) + got = repo.query(ActivityLogFilters(), limit=1)[0] + assert got.ts == ts, f"Expected {ts!r}, got {got.ts!r} — microsecond precision may be lost" + + def test_to_row_does_not_include_seq(self) -> None: + """to_row() must NOT include 'seq' (it's DB-assigned).""" + e = _entry() + row = e.to_row() + assert "seq" not in row, "to_row() must not include seq — it is DB-assigned" + + def test_to_row_has_exactly_11_keys(self) -> None: + """Acceptance criteria: to_row() returns 11 keys.""" + e = _entry() + row = e.to_row() + expected_keys = { + "id", + "ts", + "category", + "action", + "severity", + "actor", + "entity_type", + "entity_id", + "entity_name", + "message", + "metadata", + } + assert set(row.keys()) == expected_keys + + def test_from_row_ignores_seq_column(self) -> None: + """from_row() must not raise or fail when 'seq' is present in the dict.""" + e = _entry() + row = e.to_row() + row["seq"] = 42 # inject seq as if from DB + recovered = ActivityLogEntry.from_row(row) + assert recovered.id == e.id + + def test_from_row_naive_ts_becomes_utc_aware(self) -> None: + """If a stored ts has no timezone offset (legacy row), from_row must attach UTC.""" + e = _entry() + row = e.to_row() + # Strip timezone from the isoformat string to simulate a legacy row + row["ts"] = datetime(2026, 1, 1, 10, 0, 0).isoformat() # naive + recovered = ActivityLogEntry.from_row(row) + assert recovered.ts.tzinfo is not None, "Legacy naive ts must become tz-aware (UTC)" + + def test_metadata_with_numeric_keys_round_trip(self, repo: ActivityLogRepository) -> None: + """JSON only supports string keys; numeric keys are coerced to strings.""" + # This tests that the codec doesn't silently crash on non-string keys + # (Python allows them but JSON does not — json.dumps coerces to string) + meta = {1: "one", "two": 2} + e = _entry(metadata=meta) # type: ignore[arg-type] + repo.record(e) + got = repo.query(ActivityLogFilters(), limit=1)[0] + # json.dumps coerces int key 1 → "1" + assert "1" in got.metadata or 1 in got.metadata + + def test_all_category_values_round_trip(self, repo: ActivityLogRepository) -> None: + """Every ActivityCategory constant must survive storage without corruption.""" + for cat in ActivityCategory.ALL: + repo.record(_entry(category=cat, message=f"cat:{cat}")) + + for cat in ActivityCategory.ALL: + results = repo.query(ActivityLogFilters(categories=[cat]), limit=10) + assert len(results) == 1 + assert results[0].category == cat + + def test_all_severity_values_round_trip(self, repo: ActivityLogRepository) -> None: + """Every ActivitySeverity constant must survive storage without corruption.""" + for sev in ActivitySeverity.ALL: + repo.record(_entry(severity=sev, message=f"sev:{sev}")) + + for sev in ActivitySeverity.ALL: + results = repo.query(ActivityLogFilters(severities=[sev]), limit=10) + assert len(results) == 1 + assert results[0].severity == sev + + +# --------------------------------------------------------------------------- +# 6. Migration idempotency (additional structural checks) +# --------------------------------------------------------------------------- + + +class TestMigrationIdempotencyExtended: + def test_table_has_autoincrement_seq(self, tmp_db: Database) -> None: + """The seq column must be INTEGER PRIMARY KEY AUTOINCREMENT — never reuse deleted seqs.""" + repo = ActivityLogRepository(tmp_db) + e1 = _entry(message="first") + e2 = _entry(message="second") + repo.record(e1) + repo.record(e2) + seq1 = _get_seq(repo, e1.id) + seq2 = _get_seq(repo, e2.id) + assert seq2 > seq1, "AUTOINCREMENT must produce monotonically increasing seqs" + + # After clear, a new record must get a seq higher than the previous max + repo.clear() + e3 = _entry(message="third") + repo.record(e3) + seq3 = _get_seq(repo, e3.id) + assert seq3 > seq2, "AUTOINCREMENT must not reuse seqs after DELETE" + + def test_all_expected_indexes_present(self, tmp_db: Database) -> None: + """All 5 indexes declared in the acceptance criteria must exist.""" + ActivityLogRepository(tmp_db) + + cursor = tmp_db.execute( + "SELECT name FROM sqlite_master WHERE type='index' AND tbl_name='activity_log'" + ) + index_names = {row["name"] for row in cursor.fetchall()} + required = { + "idx_activity_log_ts_seq", + "idx_activity_log_category", + "idx_activity_log_severity", + "idx_activity_log_actor", + "idx_activity_log_entity", + } + missing = required - index_names + assert not missing, f"Missing indexes: {missing}" + + def test_id_column_has_unique_constraint(self, tmp_db: Database) -> None: + """Inserting duplicate id must raise IntegrityError.""" + import sqlite3 as sqlite_module + + repo = ActivityLogRepository(tmp_db) + fixed_id = f"al_{uuid.uuid4().hex[:8]}" + repo.record(_entry(id=fixed_id, message="first")) + + with pytest.raises((Exception, sqlite_module.IntegrityError)): + repo.record(_entry(id=fixed_id, message="duplicate id")) + + def test_migration_name_is_002_add_activity_log(self, tmp_db: Database) -> None: + """The migration name must exactly match '002_add_activity_log'.""" + from ledgrab.storage.data_migrations import AddActivityLogTableMigration + + migration = AddActivityLogTableMigration() + assert migration.name == "002_add_activity_log" + + def test_migration_is_second_in_all_migrations(self) -> None: + """AddActivityLogTableMigration must be at index [1] in ALL_MIGRATIONS.""" + from ledgrab.storage.data_migrations import ( + ALL_MIGRATIONS, + AddActivityLogTableMigration, + ) + + assert len(ALL_MIGRATIONS) >= 2, "ALL_MIGRATIONS must have at least 2 entries" + assert isinstance( + ALL_MIGRATIONS[1], AddActivityLogTableMigration + ), "AddActivityLogTableMigration must be the second migration (index 1)" + + def test_apply_twice_is_noop_no_error(self, tmp_db: Database) -> None: + """Calling apply() on the connection twice must not raise — IF NOT EXISTS ensures this.""" + from ledgrab.storage.data_migrations import AddActivityLogTableMigration + + migration = AddActivityLogTableMigration() + with tmp_db.transaction() as conn: + migration.apply(conn) + # Second apply — must not raise + with tmp_db.transaction() as conn: + migration.apply(conn) + + # Table should still be accessible + cursor = tmp_db.execute("SELECT COUNT(*) AS cnt FROM activity_log") + assert cursor.fetchone()["cnt"] == 0 + + +# --------------------------------------------------------------------------- +# 7. iter_export vs query consistency +# --------------------------------------------------------------------------- + + +class TestIterExportConsistency: + def test_iter_export_empty_table_yields_nothing(self, repo: ActivityLogRepository) -> None: + """iter_export on empty table must yield nothing, not raise.""" + exported = list(repo.iter_export()) + assert exported == [] + + def test_iter_export_matches_query_results(self, repo: ActivityLogRepository) -> None: + """iter_export(filters) and query(filters) must return the same entries.""" + for i in range(8): + cat = ActivityCategory.AUTH if i % 2 == 0 else ActivityCategory.DEVICE + repo.record(_entry(category=cat, message=f"e{i}")) + + filters = ActivityLogFilters(categories=[ActivityCategory.AUTH]) + + exported_ids = {e.id for e in repo.iter_export(filters)} + queried_ids = {e.id for e in repo.query(filters, limit=100)} + assert ( + exported_ids == queried_ids + ), "iter_export and query must return the same set of entries for the same filters" + + def test_iter_export_none_filter_yields_all(self, repo: ActivityLogRepository) -> None: + """iter_export(None) must yield all rows (same as query with no filter).""" + for i in range(5): + repo.record(_entry(message=f"e{i}")) + + all_exported = list(repo.iter_export(None)) + all_queried = repo.query(ActivityLogFilters(), limit=100) + + assert len(all_exported) == len(all_queried) == 5 + + def test_iter_export_ascending_seq_order(self, repo: ActivityLogRepository) -> None: + """iter_export must yield rows in ascending seq order (oldest first).""" + base = datetime(2026, 1, 1, tzinfo=timezone.utc) + for i in range(5): + repo.record(_entry(ts=base + timedelta(seconds=i), message=f"e{i}")) + + exported = list(repo.iter_export()) + seqs = [_get_seq(repo, e.id) for e in exported] + assert seqs == sorted(seqs), "iter_export must yield rows in ascending seq order" + + def test_iter_export_respects_message_like_filter(self, repo: ActivityLogRepository) -> None: + """iter_export should honour message_like just as query does.""" + repo.record(_entry(message="found: hello world")) + repo.record(_entry(message="nothing relevant here")) + repo.record(_entry(message="also found: hello there")) + + exported = list(repo.iter_export(ActivityLogFilters(message_like="found"))) + assert len(exported) == 2 + assert all("found" in e.message for e in exported) + + def test_iter_export_is_lazy_generator(self, repo: ActivityLogRepository) -> None: + """iter_export must return a generator (lazy), not a list.""" + import types + + for _ in range(3): + repo.record(_entry()) + + result = repo.iter_export() + assert isinstance( + result, types.GeneratorType + ), "iter_export must return a generator for streaming — not a pre-loaded list" diff --git a/server/tests/storage/test_activity_log_repository.py b/server/tests/storage/test_activity_log_repository.py new file mode 100644 index 0000000..906a055 --- /dev/null +++ b/server/tests/storage/test_activity_log_repository.py @@ -0,0 +1,609 @@ +"""Unit tests for ActivityLogRepository (Phase 1 — storage layer). + +Coverage +-------- +* round-trip: record + read back, including metadata JSON and UTC ts +* filter by each dimension: category, severity, actor, entity_type/id, date range, message_like +* keyset pagination stability with same-ts rows (seq tiebreaker) +* prune by age (before_ts) and by max_entries +* clear; count (filtered + unfiltered); export iterator +* migration idempotency: constructing the repo twice does not re-run the migration +""" + +from __future__ import annotations + +import uuid +from datetime import datetime, timedelta, timezone + +import pytest + +from ledgrab.storage.activity_log import ( + ActivityCategory, + ActivityLogEntry, + ActivityLogFilters, + ActivitySeverity, +) +from ledgrab.storage.activity_log_repository import ActivityLogRepository +from ledgrab.storage.database import Database + + +# --------------------------------------------------------------------------- +# Helpers +# --------------------------------------------------------------------------- + + +def _now() -> datetime: + return datetime.now(timezone.utc) + + +_SENTINEL = object() # sentinel for "caller did not pass this kwarg" + + +def _entry( + *, + id: str | None = None, + ts: datetime | None = None, + category: str = ActivityCategory.ENTITY, + action: str = "entity.created", + severity: str = ActivitySeverity.INFO, + actor: str = "test_actor", + entity_type: str | None = "output_target", + entity_id: object = _SENTINEL, + entity_name: str | None = "My Target", + message: str = "Created output target", + metadata: dict | None = None, +) -> ActivityLogEntry: + """Build a test ``ActivityLogEntry``. + + ``entity_id`` defaults to a random id when not supplied at all. Pass + ``entity_id=None`` explicitly to get ``None`` stored in the entry. + """ + resolved_entity_id: str | None = ( + f"ot_{uuid.uuid4().hex[:8]}" if entity_id is _SENTINEL else entity_id # type: ignore[assignment] + ) + return ActivityLogEntry( + id=id or f"al_{uuid.uuid4().hex[:8]}", + ts=ts or _now(), + category=category, + action=action, + severity=severity, + actor=actor, + entity_type=entity_type, + entity_id=resolved_entity_id, + entity_name=entity_name, + message=message, + metadata=metadata if metadata is not None else {}, + ) + + +# --------------------------------------------------------------------------- +# Fixtures +# --------------------------------------------------------------------------- + + +@pytest.fixture +def repo(tmp_db: Database) -> ActivityLogRepository: + """Fresh ActivityLogRepository backed by a temp database.""" + return ActivityLogRepository(tmp_db) + + +# --------------------------------------------------------------------------- +# Round-trip +# --------------------------------------------------------------------------- + + +class TestRoundTrip: + def test_record_and_read_back(self, repo: ActivityLogRepository) -> None: + e = _entry(message="Hello world", metadata={"key": "value", "n": 42}) + repo.record(e) + + page = repo.query(ActivityLogFilters(), limit=10) + assert len(page) == 1 + got = page[0] + assert got.id == e.id + assert got.category == e.category + assert got.action == e.action + assert got.severity == e.severity + assert got.actor == e.actor + assert got.entity_type == e.entity_type + assert got.entity_id == e.entity_id + assert got.entity_name == e.entity_name + assert got.message == e.message + + def test_metadata_json_round_trip(self, repo: ActivityLogRepository) -> None: + meta = {"device": "wled_01", "led_count": 150, "nested": {"x": True}} + e = _entry(metadata=meta) + repo.record(e) + + got = repo.query(ActivityLogFilters(), limit=1)[0] + assert got.metadata == meta + + def test_utc_timestamp_preserved(self, repo: ActivityLogRepository) -> None: + ts = datetime(2026, 1, 15, 12, 30, 45, tzinfo=timezone.utc) + e = _entry(ts=ts) + repo.record(e) + + got = repo.query(ActivityLogFilters(), limit=1)[0] + # Should round-trip to the same UTC moment + assert got.ts.replace(tzinfo=timezone.utc) == ts.replace(tzinfo=timezone.utc) + + def test_none_optional_fields_preserved(self, repo: ActivityLogRepository) -> None: + e = _entry(entity_type=None, entity_id=None, entity_name=None) + repo.record(e) + + got = repo.query(ActivityLogFilters(), limit=1)[0] + assert got.entity_type is None + assert got.entity_id is None + assert got.entity_name is None + + def test_empty_metadata_default(self, repo: ActivityLogRepository) -> None: + e = _entry(metadata={}) + repo.record(e) + + got = repo.query(ActivityLogFilters(), limit=1)[0] + assert got.metadata == {} + + +# --------------------------------------------------------------------------- +# Filters +# --------------------------------------------------------------------------- + + +class TestFilters: + def test_filter_by_category(self, repo: ActivityLogRepository) -> None: + repo.record(_entry(category=ActivityCategory.AUTH, action="auth.rejected")) + repo.record(_entry(category=ActivityCategory.DEVICE, action="device.connected")) + repo.record(_entry(category=ActivityCategory.ENTITY, action="entity.deleted")) + + results = repo.query(ActivityLogFilters(categories=[ActivityCategory.AUTH]), limit=10) + assert len(results) == 1 + assert results[0].category == ActivityCategory.AUTH + + def test_filter_by_multiple_categories(self, repo: ActivityLogRepository) -> None: + repo.record(_entry(category=ActivityCategory.AUTH)) + repo.record(_entry(category=ActivityCategory.DEVICE)) + repo.record(_entry(category=ActivityCategory.SYSTEM)) + + results = repo.query( + ActivityLogFilters(categories=[ActivityCategory.AUTH, ActivityCategory.DEVICE]), + limit=10, + ) + assert len(results) == 2 + cats = {r.category for r in results} + assert cats == {ActivityCategory.AUTH, ActivityCategory.DEVICE} + + def test_filter_by_severity(self, repo: ActivityLogRepository) -> None: + repo.record(_entry(severity=ActivitySeverity.INFO)) + repo.record(_entry(severity=ActivitySeverity.WARNING)) + repo.record(_entry(severity=ActivitySeverity.ERROR)) + + results = repo.query(ActivityLogFilters(severities=[ActivitySeverity.ERROR]), limit=10) + assert len(results) == 1 + assert results[0].severity == ActivitySeverity.ERROR + + def test_filter_by_multiple_severities(self, repo: ActivityLogRepository) -> None: + repo.record(_entry(severity=ActivitySeverity.INFO)) + repo.record(_entry(severity=ActivitySeverity.WARNING)) + repo.record(_entry(severity=ActivitySeverity.ERROR)) + + results = repo.query( + ActivityLogFilters(severities=[ActivitySeverity.WARNING, ActivitySeverity.ERROR]), + limit=10, + ) + assert len(results) == 2 + + def test_filter_by_actor(self, repo: ActivityLogRepository) -> None: + repo.record(_entry(actor="alice")) + repo.record(_entry(actor="bob")) + repo.record(_entry(actor="alice")) + + results = repo.query(ActivityLogFilters(actor="alice"), limit=10) + assert len(results) == 2 + assert all(r.actor == "alice" for r in results) + + def test_filter_by_entity_type(self, repo: ActivityLogRepository) -> None: + repo.record(_entry(entity_type="output_target")) + repo.record(_entry(entity_type="device")) + repo.record(_entry(entity_type="output_target")) + + results = repo.query(ActivityLogFilters(entity_type="output_target"), limit=10) + assert len(results) == 2 + + def test_filter_by_entity_id(self, repo: ActivityLogRepository) -> None: + repo.record(_entry(entity_id="ot_aabbccdd")) + repo.record(_entry(entity_id="ot_11223344")) + repo.record(_entry(entity_id="ot_aabbccdd")) + + results = repo.query(ActivityLogFilters(entity_id="ot_aabbccdd"), limit=10) + assert len(results) == 2 + + def test_filter_by_since(self, repo: ActivityLogRepository) -> None: + base = datetime(2026, 1, 1, 0, 0, 0, tzinfo=timezone.utc) + repo.record(_entry(ts=base - timedelta(hours=2), message="old")) + repo.record(_entry(ts=base, message="boundary")) + repo.record(_entry(ts=base + timedelta(hours=1), message="new")) + + results = repo.query(ActivityLogFilters(since=base), limit=10) + assert len(results) == 2 + messages = {r.message for r in results} + assert "old" not in messages + + def test_filter_by_until(self, repo: ActivityLogRepository) -> None: + base = datetime(2026, 1, 1, 0, 0, 0, tzinfo=timezone.utc) + repo.record(_entry(ts=base - timedelta(hours=1), message="old")) + repo.record(_entry(ts=base, message="boundary")) + repo.record(_entry(ts=base + timedelta(hours=2), message="new")) + + results = repo.query(ActivityLogFilters(until=base), limit=10) + assert len(results) == 2 + messages = {r.message for r in results} + assert "new" not in messages + + def test_filter_message_like_substring(self, repo: ActivityLogRepository) -> None: + repo.record(_entry(message="Created output target MyStrip")) + repo.record(_entry(message="Deleted device sensor-01")) + repo.record(_entry(message="Updated output target MyStrip")) + + results = repo.query(ActivityLogFilters(message_like="output target"), limit=10) + assert len(results) == 2 + + def test_filter_message_like_escapes_percent(self, repo: ActivityLogRepository) -> None: + """A literal % in message_like should not act as a SQL wildcard.""" + repo.record(_entry(message="100% done")) + repo.record(_entry(message="partial done")) + + results = repo.query(ActivityLogFilters(message_like="100%"), limit=10) + assert len(results) == 1 + assert results[0].message == "100% done" + + def test_combined_filters(self, repo: ActivityLogRepository) -> None: + repo.record( + _entry( + actor="alice", + category=ActivityCategory.ENTITY, + severity=ActivitySeverity.INFO, + ) + ) + repo.record( + _entry( + actor="alice", + category=ActivityCategory.AUTH, + severity=ActivitySeverity.WARNING, + ) + ) + repo.record( + _entry( + actor="bob", + category=ActivityCategory.ENTITY, + severity=ActivitySeverity.INFO, + ) + ) + + results = repo.query( + ActivityLogFilters( + actor="alice", + categories=[ActivityCategory.ENTITY], + severities=[ActivitySeverity.INFO], + ), + limit=10, + ) + assert len(results) == 1 + assert results[0].actor == "alice" + assert results[0].category == ActivityCategory.ENTITY + + +# --------------------------------------------------------------------------- +# Keyset pagination +# --------------------------------------------------------------------------- + + +class TestKeysetPagination: + def test_basic_pagination(self, repo: ActivityLogRepository) -> None: + """Records returned across two pages cover the full set without overlap.""" + for i in range(10): + repo.record(_entry(message=f"entry {i}")) + + page1 = repo.query(ActivityLogFilters(), limit=4) + assert len(page1) == 4 + + # The last entry on page 1 has the smallest seq — use it as the cursor + # We need the seq; query internally reverses, so page1[0] is oldest on page + # and page1[-1] is newest on page. We need the min seq to paginate. + # The repo returns entries in ascending order within a page, so page1[0] + # has the smallest seq on the page. + first_seq = self._get_seq(repo, page1[0].id) + page2 = repo.query(ActivityLogFilters(), before_seq=first_seq, limit=4) + assert len(page2) == 4 + + ids1 = {e.id for e in page1} + ids2 = {e.id for e in page2} + assert ids1.isdisjoint(ids2), "Pages must not overlap" + + page3 = repo.query( + ActivityLogFilters(), + before_seq=self._get_seq(repo, page2[0].id), + limit=4, + ) + assert len(page3) == 2 # 10 total; 4 + 4 + 2 + + def test_same_ts_stability(self, repo: ActivityLogRepository) -> None: + """Rows with identical ts are ordered by seq, not ts — no duplicates across pages.""" + # Insert 6 rows all sharing the exact same timestamp + same_ts = datetime(2026, 3, 10, 15, 0, 0, tzinfo=timezone.utc) + entries = [_entry(ts=same_ts, message=f"same-ts {i}") for i in range(6)] + for e in entries: + repo.record(e) + + page1 = repo.query(ActivityLogFilters(), limit=3) + first_seq = self._get_seq(repo, page1[0].id) + page2 = repo.query(ActivityLogFilters(), before_seq=first_seq, limit=3) + + ids1 = {e.id for e in page1} + ids2 = {e.id for e in page2} + assert ids1.isdisjoint(ids2), "Same-ts rows leaked across page boundary" + assert ids1 | ids2 == {e.id for e in entries}, "All rows covered exactly once" + + def test_empty_page_at_end(self, repo: ActivityLogRepository) -> None: + """Requesting a page beyond the last entry returns an empty list.""" + for i in range(3): + repo.record(_entry(message=f"e{i}")) + + page1 = repo.query(ActivityLogFilters(), limit=3) + assert len(page1) == 3 + first_seq = self._get_seq(repo, page1[0].id) + page2 = repo.query(ActivityLogFilters(), before_seq=first_seq, limit=3) + assert page2 == [] + + @staticmethod + def _get_seq(repo: ActivityLogRepository, entry_id: str) -> int: + """Helper: retrieve the seq for an entry by its application id.""" + cursor = repo._db.execute("SELECT seq FROM activity_log WHERE id = ?", (entry_id,)) + row = cursor.fetchone() + assert row is not None, f"No row found for id={entry_id!r}" + return int(row["seq"]) + + +# --------------------------------------------------------------------------- +# Prune +# --------------------------------------------------------------------------- + + +class TestPrune: + def test_prune_by_age(self, repo: ActivityLogRepository) -> None: + base = datetime(2026, 2, 1, 12, 0, 0, tzinfo=timezone.utc) + repo.record(_entry(ts=base - timedelta(days=10), message="old1")) + repo.record(_entry(ts=base - timedelta(days=5), message="old2")) + repo.record(_entry(ts=base, message="boundary")) + repo.record(_entry(ts=base + timedelta(days=1), message="new")) + + # Prune everything strictly older than base + deleted = repo.prune(before_ts=base) + assert deleted == 2 + remaining = repo.query(ActivityLogFilters(), limit=20) + messages = {r.message for r in remaining} + assert "old1" not in messages + assert "old2" not in messages + assert "boundary" in messages + assert "new" in messages + + def test_prune_by_max_entries(self, repo: ActivityLogRepository) -> None: + for i in range(10): + repo.record(_entry(message=f"entry {i}")) + + deleted = repo.prune(max_entries=3) + assert deleted == 7 + assert repo.count() == 3 + + def test_prune_keeps_newest_on_max_entries(self, repo: ActivityLogRepository) -> None: + base = datetime(2026, 1, 1, tzinfo=timezone.utc) + ids = [] + for i in range(5): + e = _entry(ts=base + timedelta(hours=i), message=f"entry {i}") + ids.append(e.id) + repo.record(e) + + # Keep only the 2 newest + repo.prune(max_entries=2) + remaining = repo.query(ActivityLogFilters(), limit=10) + remaining_ids = {r.id for r in remaining} + # The 2 newest are the last 2 inserted (highest seq) + assert ids[3] in remaining_ids + assert ids[4] in remaining_ids + assert ids[0] not in remaining_ids + + def test_prune_both_predicates(self, repo: ActivityLogRepository) -> None: + base = datetime(2026, 2, 1, 0, 0, 0, tzinfo=timezone.utc) + # Insert 6 entries: 3 old, 3 recent + for i in range(3): + repo.record(_entry(ts=base - timedelta(days=i + 1), message=f"old{i}")) + for i in range(3): + repo.record(_entry(ts=base + timedelta(hours=i), message=f"new{i}")) + + # Prune old entries AND keep at most 2 of the remaining + deleted = repo.prune(before_ts=base, max_entries=2) + # 3 age-pruned + 1 count-pruned = 4 + assert deleted == 4 + assert repo.count() == 2 + + def test_prune_max_entries_zero_clears_all(self, repo: ActivityLogRepository) -> None: + for i in range(5): + repo.record(_entry()) + + repo.prune(max_entries=0) + assert repo.count() == 0 + + def test_prune_no_op_when_below_max(self, repo: ActivityLogRepository) -> None: + for i in range(3): + repo.record(_entry()) + + deleted = repo.prune(max_entries=10) + assert deleted == 0 + assert repo.count() == 3 + + +# --------------------------------------------------------------------------- +# Clear +# --------------------------------------------------------------------------- + + +class TestClear: + def test_clear_returns_row_count(self, repo: ActivityLogRepository) -> None: + for _ in range(5): + repo.record(_entry()) + + deleted = repo.clear() + assert deleted == 5 + + def test_clear_empties_table(self, repo: ActivityLogRepository) -> None: + for _ in range(3): + repo.record(_entry()) + + repo.clear() + assert repo.count() == 0 + + def test_clear_on_empty_table(self, repo: ActivityLogRepository) -> None: + deleted = repo.clear() + assert deleted == 0 + + +# --------------------------------------------------------------------------- +# Count +# --------------------------------------------------------------------------- + + +class TestCount: + def test_count_all(self, repo: ActivityLogRepository) -> None: + for _ in range(7): + repo.record(_entry()) + assert repo.count() == 7 + + def test_count_filtered(self, repo: ActivityLogRepository) -> None: + repo.record(_entry(category=ActivityCategory.AUTH)) + repo.record(_entry(category=ActivityCategory.DEVICE)) + repo.record(_entry(category=ActivityCategory.AUTH)) + + n = repo.count(ActivityLogFilters(categories=[ActivityCategory.AUTH])) + assert n == 2 + + def test_count_empty(self, repo: ActivityLogRepository) -> None: + assert repo.count() == 0 + + def test_count_no_match(self, repo: ActivityLogRepository) -> None: + repo.record(_entry(category=ActivityCategory.ENTITY)) + n = repo.count(ActivityLogFilters(categories=[ActivityCategory.AUTH])) + assert n == 0 + + +# --------------------------------------------------------------------------- +# Export iterator +# --------------------------------------------------------------------------- + + +class TestExportIterator: + def test_iter_export_yields_all_rows(self, repo: ActivityLogRepository) -> None: + entries = [_entry(message=f"e{i}") for i in range(5)] + for e in entries: + repo.record(e) + + exported = list(repo.iter_export()) + assert len(exported) == 5 + exported_ids = {e.id for e in exported} + assert exported_ids == {e.id for e in entries} + + def test_iter_export_ascending_order(self, repo: ActivityLogRepository) -> None: + base = datetime(2026, 4, 1, tzinfo=timezone.utc) + for i in range(5): + repo.record(_entry(ts=base + timedelta(seconds=i), message=f"e{i}")) + + exported = list(repo.iter_export()) + seqs = [ + repo._db.execute("SELECT seq FROM activity_log WHERE id = ?", (e.id,)).fetchone()["seq"] + for e in exported + ] + assert seqs == sorted(seqs), "iter_export must yield rows in ascending seq order" + + def test_iter_export_with_filter(self, repo: ActivityLogRepository) -> None: + repo.record(_entry(category=ActivityCategory.AUTH)) + repo.record(_entry(category=ActivityCategory.ENTITY)) + repo.record(_entry(category=ActivityCategory.AUTH)) + + exported = list(repo.iter_export(ActivityLogFilters(categories=[ActivityCategory.AUTH]))) + assert len(exported) == 2 + assert all(e.category == ActivityCategory.AUTH for e in exported) + + def test_iter_export_streaming_not_all_in_memory(self, repo: ActivityLogRepository) -> None: + """Verify iter_export is a generator (lazy), not a pre-loaded list.""" + import types + + for _ in range(3): + repo.record(_entry()) + + result = repo.iter_export() + assert isinstance(result, types.GeneratorType) + + +# --------------------------------------------------------------------------- +# Migration idempotency +# --------------------------------------------------------------------------- + + +class TestMigrationIdempotency: + def test_construct_repo_twice_is_noop(self, tmp_db: Database) -> None: + """Creating two repos on the same DB does not re-run the migration.""" + repo1 = ActivityLogRepository(tmp_db) + repo1.record(_entry(message="before second construction")) + + # Second construction must not raise or re-apply the migration + repo2 = ActivityLogRepository(tmp_db) + assert repo2.count() == 1 + + # Confirm migration is recorded exactly once + # Count how many times our migration name appears (should be 1) + cursor = tmp_db.execute( + "SELECT COUNT(*) AS cnt FROM data_migrations WHERE name = ?", + ("002_add_activity_log",), + ) + assert cursor.fetchone()["cnt"] == 1 + + def test_running_migrations_twice_is_noop(self, tmp_db: Database) -> None: + """MigrationRunner.run is idempotent for AddActivityLogTableMigration.""" + from ledgrab.storage.data_migrations import ( + AddActivityLogTableMigration, + MigrationRunner, + ) + + runner = MigrationRunner(tmp_db) + migration = AddActivityLogTableMigration() + + first_run = runner.run([migration]) + assert len(first_run) == 1 + assert first_run[0].name == "002_add_activity_log" + + second_run = runner.run([migration]) + assert second_run == [], "Second run must be a no-op" + + def test_activity_log_table_exists_after_migration(self, tmp_db: Database) -> None: + """The activity_log table is present after the migration runs.""" + ActivityLogRepository(tmp_db) + + cursor = tmp_db.execute( + "SELECT name FROM sqlite_master WHERE type='table' AND name='activity_log'" + ) + assert cursor.fetchone() is not None + + def test_activity_log_indexes_exist_after_migration(self, tmp_db: Database) -> None: + """All declared indexes are present after migration.""" + ActivityLogRepository(tmp_db) + + cursor = tmp_db.execute( + "SELECT name FROM sqlite_master WHERE type='index' AND tbl_name='activity_log'" + ) + index_names = {row["name"] for row in cursor.fetchall()} + expected = { + "idx_activity_log_ts_seq", + "idx_activity_log_category", + "idx_activity_log_severity", + "idx_activity_log_actor", + "idx_activity_log_entity", + } + assert expected.issubset(index_names) From 726f39e2ba1538aced1d94b1973f8c95ae04fbbe Mon Sep 17 00:00:00 2001 From: "alexei.dolgolyov" Date: Tue, 9 Jun 2026 18:10:27 +0300 Subject: [PATCH 04/13] feat(activity-log): phase 2 - recorder, actor context, retention, lifecycle - ActivityRecorder: thread-safe record() (inline on loop, call_soon_threadsafe off-loop), best-effort, fires activity_logged event - current_actor ContextVar set in verify_api_key (both branches), default system - ActivityLogRetentionEngine: prune loop (max_days+max_entries), settings persistence, rehydrates recorder.enabled on startup - lifespan wiring: server.shutting_down recorded first on shutdown, retention stop before db.close - events-ws.ts allowlist + parity; DI getters + module accessor; 62 new tests --- plans/activity-log/CONTEXT.md | 3 +- plans/activity-log/PLAN.md | 2 +- .../phase-2-recorder-retention.md | 106 ++- server/src/ledgrab/api/auth.py | 5 + server/src/ledgrab/api/dependencies.py | 21 + .../src/ledgrab/core/activity_log/__init__.py | 23 + .../src/ledgrab/core/activity_log/context.py | 21 + .../src/ledgrab/core/activity_log/recorder.py | 267 ++++++ .../ledgrab/core/activity_log/retention.py | 216 +++++ server/src/ledgrab/main.py | 41 + .../src/ledgrab/static/js/core/events-ws.ts | 2 + .../tests/core/test_activity_log_retention.py | 312 +++++++ server/tests/core/test_activity_recorder.py | 256 ++++++ .../test_activity_recorder_adversarial.py | 778 ++++++++++++++++++ 14 files changed, 2037 insertions(+), 16 deletions(-) create mode 100644 server/src/ledgrab/core/activity_log/__init__.py create mode 100644 server/src/ledgrab/core/activity_log/context.py create mode 100644 server/src/ledgrab/core/activity_log/recorder.py create mode 100644 server/src/ledgrab/core/activity_log/retention.py create mode 100644 server/tests/core/test_activity_log_retention.py create mode 100644 server/tests/core/test_activity_recorder.py create mode 100644 server/tests/core/test_activity_recorder_adversarial.py diff --git a/plans/activity-log/CONTEXT.md b/plans/activity-log/CONTEXT.md index 0776c6a..be800ea 100644 --- a/plans/activity-log/CONTEXT.md +++ b/plans/activity-log/CONTEXT.md @@ -47,7 +47,7 @@ context (survives across phases; graduates to CLAUDE.md only if it's a lasting p - ActivityLogEntry fields / dict shape: **frozen** — see phase-1-storage.md Handoff section. 11 fields: `id`, `ts`, `category`, `action`, `severity`, `actor`, `message`, `entity_type`, `entity_id`, `entity_name`, `metadata`. `seq` is DB-only (not on dataclass). - ActivityLogFilters shape: **frozen** — 8 optional fields: `categories`, `severities`, `actor`, `entity_type`, `entity_id`, `since`, `until`, `message_like`. See phase-1-storage.md Handoff. -- recorder.record(...) signature + actor ContextVar import path: _(Phase 2 handoff)_ +- recorder.record(...) signature + actor ContextVar import path: **frozen** — see phase-2-recorder-retention.md Handoff section. Signature: `record(category, action, *, severity="info", actor=None, entity_type=None, entity_id=None, entity_name=None, message, metadata=None, _bypass_enabled=False)`. ContextVar: `from ledgrab.core.activity_log.context import current_actor`. Module accessor: `from ledgrab.core.activity_log.recorder import get_module_recorder`. Event payload: `{"type": "activity_logged", "entry": {11-field dict with ts as ISO string, metadata as dict}}`. DI getters: `get_activity_recorder()`, `get_activity_log_repo()`, `get_activity_log_retention_engine()`. - API endpoints + query params + page envelope + settings bounds: _(Phase 4 handoff)_ ## Failed approaches / rejected designs @@ -66,3 +66,4 @@ context (survives across phases; graduates to CLAUDE.md only if it's a lasting p ## Phase progress notes Phase 1 landed (2026-06-09): `activity_log.py` (dataclass + enums + filters + codec), `AddActivityLogTableMigration` (`002_add_activity_log`) appended to `ALL_MIGRATIONS`, `ActivityLogRepository` (record/query/count/prune/clear/iter_export), 41 new tests — all green. Full suite 2226 passed, 0 failed. Schema and method signatures frozen in phase-1-storage.md Handoff. Gotcha: `Database.execute` takes a positional tuple — use `?` placeholders (not `:name`), otherwise Python 3.14 will raise `ProgrammingError`. +Phase 2 landed (2026-06-09): `core/activity_log/` package (`context.py`, `recorder.py`, `retention.py`, `__init__.py`); actor ContextVar set in `api/auth.py` (both branches); `ActivityLogRetentionEngine` mirroring AutoBackupEngine; full wiring in `main.py` (repo at module level, recorder+engine in lifespan, `server.shutting_down` first shutdown action, engine stop before db.close); DI getters in `api/dependencies.py`; `activity_logged` added to `_ALLOWED_SERVER_EVENT_TYPES` in `events-ws.ts`; `set_module_recorder` exposes recorder to non-DI sites; 24 new tests — all green. Full suite 2309 passed, 2 skipped, 0 failed. Ruff clean. diff --git a/plans/activity-log/PLAN.md b/plans/activity-log/PLAN.md index b74fc71..fd423dd 100644 --- a/plans/activity-log/PLAN.md +++ b/plans/activity-log/PLAN.md @@ -80,7 +80,7 @@ is an on-demand CSV/JSON **export** (no separate backup subsystem). | Phase | Domain | Status | Review | Build | Committed | |-------|--------|--------|--------|-------|-----------| | Phase 1: Storage | data | ✅ Done | ✅ Passed | ✅ Passed | ✅ | -| Phase 2: Recorder/Retention | backend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | +| Phase 2: Recorder/Retention | backend | ✅ Done | ✅ Passed | ✅ Passed | ✅ | | Phase 3: Instrumentation | backend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | | Phase 4: REST API | backend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | | Phase 5: Frontend tab | frontend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | diff --git a/plans/activity-log/phase-2-recorder-retention.md b/plans/activity-log/phase-2-recorder-retention.md index cc9fea0..fd33c95 100644 --- a/plans/activity-log/phase-2-recorder-retention.md +++ b/plans/activity-log/phase-2-recorder-retention.md @@ -1,6 +1,6 @@ # Phase 2: Recorder, actor context, retention, lifecycle -**Status:** ⬜ Not Started +**Status:** ✅ Done **Parent plan:** [PLAN.md](./PLAN.md) **Domain:** backend @@ -15,7 +15,7 @@ sites) — that is Phase 3 — but the full machinery is live and unit-tested. ## Tasks -- [ ] Create `server/src/ledgrab/core/activity_log/__init__.py` and +- [x] Create `server/src/ledgrab/core/activity_log/__init__.py` and `server/src/ledgrab/core/activity_log/recorder.py`: - `ActivityRecorder(repo: ActivityLogRepository, processor_manager, *, loop=None)`. - `record(category, action, *, severity="info", actor=None, entity_type=None, @@ -35,13 +35,13 @@ sites) — that is Phase 3 — but the full machinery is live and unit-tested. - `enabled` flag honored: when retention settings say `enabled=false`, `record()` is a no-op — EXCEPT the "audit log disabled" event itself, which must be recorded before the flag takes effect (see retention engine). -- [ ] Actor `ContextVar`: +- [x] Actor `ContextVar`: - Add `current_actor: ContextVar[str]` (module-level, e.g. in `core/activity_log/context.py` or `api/auth.py`). In `verify_api_key` (`api/auth.py`), set it next to the existing `request.state.auth_label = ...` (both the authenticated label and the `"anonymous"` branch). Default `"system"` when unset. Ensure no cross-request leakage (set on every auth evaluation). -- [ ] Create `server/src/ledgrab/core/activity_log/retention.py`: +- [x] Create `server/src/ledgrab/core/activity_log/retention.py`: - `ActivityLogRetentionEngine(repo, db, recorder)` mirroring `core/backup/auto_backup.py`: `_load_settings()`/`_save_settings()` via `db.get_setting("activity_log")` / `db.set_setting("activity_log", {...})`, `DEFAULT_SETTINGS = {"enabled": True, @@ -50,7 +50,7 @@ sites) — that is Phase 3 — but the full machinery is live and unit-tested. interval (e.g. hourly) then calls `repo.prune(before_ts=now-max_days, max_entries=...)`. `async stop()` → cancel + await task. `get_settings()` / `async update_settings(...)` that persist and apply (changing `enabled` is logged via the recorder BEFORE disabling). -- [ ] Wiring: +- [x] Wiring: - `main.py`: instantiate `activity_log_repo = ActivityLogRepository(db)` (module level near other stores); in `lifespan` startup build `activity_recorder` + `activity_log_retention_engine`, pass to `init_dependencies(...)`, and `await activity_log_retention_engine.start()`. @@ -61,11 +61,11 @@ sites) — that is Phase 3 — but the full machinery is live and unit-tested. `activity_log_retention_engine` to `_deps`, parameters to `init_dependencies`, and getters `get_activity_recorder()`, `get_activity_log_repo()`, `get_activity_log_retention_engine()`. -- [ ] Realtime allowlist (order matters — do allowlist FIRST so the parity test stays green): +- [x] Realtime allowlist (order matters — do allowlist FIRST so the parity test stays green): - Add `'activity_logged'` to `_ALLOWED_SERVER_EVENT_TYPES` in `server/src/ledgrab/static/js/core/events-ws.ts` (+ a one-line comment naming the source). - Confirm `tests/test_events_ws_parity.py` passes with the new emit type. -- [ ] Unit tests `server/tests/core/test_activity_recorder.py` + +- [x] Unit tests `server/tests/core/test_activity_recorder.py` + `test_activity_log_retention.py`: - recorder persists an entry AND calls `fire_event` with `type=="activity_logged"`; - actor resolves from ContextVar; defaults to `"system"`; failure in repo doesn't raise; @@ -106,13 +106,91 @@ sites) — that is Phase 3 — but the full machinery is live and unit-tested. ## Review Checklist -- [ ] All tasks completed -- [ ] Code follows project conventions (engine/DI patterns) -- [ ] No unintended side effects (no call sites yet; lifespan order correct) -- [ ] Build passes (ruff + pytest, incl. parity test) -- [ ] Tests pass (new + existing) +- [x] All tasks completed +- [x] Code follows project conventions (engine/DI patterns) +- [x] No unintended side effects (no call sites yet; lifespan order correct) +- [x] Build passes (ruff + pytest, incl. parity test) +- [x] Tests pass (new + existing) ## Handoff to Next Phase - +### recorder.record(...) — final signature + +```python +recorder.record( + category: str, # ActivityCategory constant + action: str, # verb-object label + *, + severity: str = "info", # ActivitySeverity constant + actor: str | None = None, # resolved from current_actor ContextVar when None + entity_type: str | None = None, + entity_id: str | None = None, + entity_name: str | None = None, + message: str, + metadata: dict | None = None, + _bypass_enabled: bool = False, # internal: used by retention engine only +) -> None +``` + +### Actor ContextVar import path + +```python +from ledgrab.core.activity_log.context import current_actor +``` + +### Module accessor (for non-DI sites) + +```python +from ledgrab.core.activity_log.recorder import get_module_recorder, set_module_recorder +recorder = get_module_recorder() # returns ActivityRecorder | None +``` + +### entry_to_dict helper (for API response serialisation) + +```python +from ledgrab.core.activity_log.recorder import entry_to_dict +d = entry_to_dict(entry) # returns dict with 11 keys +``` + +### Frozen `activity_logged` event payload shape + +```python +{ + "type": "activity_logged", + "entry": { + "id": str, # "al_<8-hex>" + "ts": str, # ISO-8601 UTC string + "category": str, + "action": str, + "severity": str, + "actor": str, + "entity_type": str | None, + "entity_id": str | None, + "entity_name": str | None, + "message": str, + "metadata": dict, # real dict, not JSON string + } +} +``` + +### DI getter names (in `api/dependencies.py`) + +```python +from ledgrab.api.dependencies import ( + get_activity_recorder, + get_activity_log_repo, + get_activity_log_retention_engine, +) +``` + +### Notes for Phase 3 + +- Phase 3 instruments `fire_entity_event` in `api/dependencies.py` by calling + `get_module_recorder()` there (not via FastAPI DI — it's a plain function). +- The actor ContextVar is already set by `verify_api_key` before any route + handler runs, so entity events carry the correct actor automatically. +- `recorder.record(...)` never raises; Phase 3 call sites need no try/except. + +Phase 2 landed (2026-06-09): ActivityRecorder, actor ContextVar, ActivityLogRetentionEngine, +all wiring in main.py/dependencies.py/auth.py, activity_logged allowlist in events-ws.ts, +24 new tests — all green. Full suite 2309 passed, 2 skipped, 0 failed. Ruff clean. diff --git a/server/src/ledgrab/api/auth.py b/server/src/ledgrab/api/auth.py index 6f5e68c..3102165 100644 --- a/server/src/ledgrab/api/auth.py +++ b/server/src/ledgrab/api/auth.py @@ -10,6 +10,7 @@ from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer from starlette.websockets import WebSocket, WebSocketDisconnect from ledgrab.config import get_config +from ledgrab.core.activity_log.context import current_actor from ledgrab.utils import get_logger from ledgrab.utils.net_classify import is_loopback as _classify_is_loopback @@ -81,6 +82,7 @@ def verify_api_key( # No keys configured — allow loopback only. if _is_loopback(client_host): request.state.auth_label = "anonymous" + current_actor.set("anonymous") return "anonymous" # Allow caller to authenticate explicitly even without configured keys? # No — there are no keys to compare against. Reject. @@ -127,6 +129,9 @@ def verify_api_key( # Stash the friendly label so the access-log middleware can attribute the # request to a client without re-running the token comparison. request.state.auth_label = authenticated_as + # Set the actor ContextVar so ActivityRecorder can resolve it without + # threading it through every call site. + current_actor.set(authenticated_as) return authenticated_as diff --git a/server/src/ledgrab/api/dependencies.py b/server/src/ledgrab/api/dependencies.py index 0a1f15d..c218b7d 100644 --- a/server/src/ledgrab/api/dependencies.py +++ b/server/src/ledgrab/api/dependencies.py @@ -42,6 +42,9 @@ from ledgrab.core.mqtt.mqtt_manager import MQTTManager from ledgrab.storage.http_endpoint_store import HTTPEndpointStore from ledgrab.storage.audio_processing_template_store import AudioProcessingTemplateStore from ledgrab.storage.pattern_template_store import PatternTemplateStore +from ledgrab.core.activity_log.recorder import ActivityRecorder +from ledgrab.core.activity_log.retention import ActivityLogRetentionEngine +from ledgrab.storage.activity_log_repository import ActivityLogRepository T = TypeVar("T") @@ -196,6 +199,18 @@ def get_update_service() -> UpdateService: return _get("update_service", "Update service") +def get_activity_recorder() -> ActivityRecorder: + return _get("activity_recorder", "Activity recorder") + + +def get_activity_log_repo() -> ActivityLogRepository: + return _get("activity_log_repo", "Activity log repository") + + +def get_activity_log_retention_engine() -> ActivityLogRetentionEngine: + return _get("activity_log_retention_engine", "Activity log retention engine") + + # ── Event helper ──────────────────────────────────────────────────────── @@ -257,6 +272,9 @@ def init_dependencies( http_endpoint_store: HTTPEndpointStore | None = None, audio_processing_template_store: AudioProcessingTemplateStore | None = None, pattern_template_store: PatternTemplateStore | None = None, + activity_recorder: ActivityRecorder | None = None, + activity_log_repo: ActivityLogRepository | None = None, + activity_log_retention_engine: ActivityLogRetentionEngine | None = None, ): """Initialize global dependencies.""" _deps.update( @@ -295,5 +313,8 @@ def init_dependencies( "http_endpoint_store": http_endpoint_store, "audio_processing_template_store": audio_processing_template_store, "pattern_template_store": pattern_template_store, + "activity_recorder": activity_recorder, + "activity_log_repo": activity_log_repo, + "activity_log_retention_engine": activity_log_retention_engine, } ) diff --git a/server/src/ledgrab/core/activity_log/__init__.py b/server/src/ledgrab/core/activity_log/__init__.py new file mode 100644 index 0000000..8f47584 --- /dev/null +++ b/server/src/ledgrab/core/activity_log/__init__.py @@ -0,0 +1,23 @@ +"""Activity / audit log core — recorder, retention engine, and actor context. + +Public surface +-------------- +``ActivityRecorder`` — thread-safe facade; persists entries and fires live events. +``ActivityLogRetentionEngine`` — background pruning engine (mirrors AutoBackupEngine). +``current_actor`` — ``ContextVar[str]`` set by the auth layer per request. + +Quick start +----------- +Wired in ``main.py`` lifespan; injected via ``api/dependencies.py`` getters. +Phase 3 adds the instrumentation call sites. +""" + +from ledgrab.core.activity_log.context import current_actor +from ledgrab.core.activity_log.recorder import ActivityRecorder +from ledgrab.core.activity_log.retention import ActivityLogRetentionEngine + +__all__ = [ + "ActivityRecorder", + "ActivityLogRetentionEngine", + "current_actor", +] diff --git a/server/src/ledgrab/core/activity_log/context.py b/server/src/ledgrab/core/activity_log/context.py new file mode 100644 index 0000000..657cc85 --- /dev/null +++ b/server/src/ledgrab/core/activity_log/context.py @@ -0,0 +1,21 @@ +"""Actor context variable for the activity log. + +``current_actor`` is set by ``api/auth.py:verify_api_key`` on every request so +that ``ActivityRecorder.record(...)`` can resolve the actor without requiring +every call site to pass it explicitly. + +Default value is ``"system"`` — used by background engines and any code path +that runs outside a request context (e.g. lifespan startup/shutdown, zeroconf +discovery thread). + +Per-request isolation is guaranteed by ASGI's coroutine context: each request +runs in its own coroutine with its own copy of the context inherited from the +server's main task. The auth layer resets it on every request before the route +handler runs, so stale labels from a previous request cannot bleed into a new +one. +""" + +from contextvars import ContextVar + +#: The actor label for the current request — API-key label or ``"system"``. +current_actor: ContextVar[str] = ContextVar("current_actor", default="system") diff --git a/server/src/ledgrab/core/activity_log/recorder.py b/server/src/ledgrab/core/activity_log/recorder.py new file mode 100644 index 0000000..2fc2533 --- /dev/null +++ b/server/src/ledgrab/core/activity_log/recorder.py @@ -0,0 +1,267 @@ +"""Thread-safe ActivityRecorder facade. + +Responsibilities +---------------- +1. Build an ``ActivityLogEntry`` from the caller-supplied fields. +2. Resolve the ``actor`` from the ``current_actor`` ContextVar when not given. +3. Persist the entry via ``ActivityLogRepository.record()`` on the event-loop + thread — inline if already on that thread, via + ``loop.call_soon_threadsafe`` if called from another thread (e.g. the + zeroconf discovery thread that fires ``device_discovered/lost`` events). +4. Push a live ``activity_logged`` event via + ``ProcessorManager.fire_event({"type": "activity_logged", "entry": {...}})``. +5. Never raise into the caller — audit recording is best-effort. Failures are + logged at ``WARNING`` level so operators can diagnose without breaking the + audited action. + +Thread-marshal pattern mirrors ``utils/log_broadcaster.py`` (``ensure_loop`` / +``call_soon_threadsafe``). + +Module accessor +--------------- +A module-level singleton ``_recorder`` is populated by +``set_module_recorder()`` during ``main.py`` lifespan startup and exposed via +``get_module_recorder()``. Background engines and other non-DI sites that need +to call ``record()`` without FastAPI DI can use this accessor. Phase 3 +instrumentation uses it at the ``fire_entity_event`` choke-point. +""" + +from __future__ import annotations + +import asyncio +import uuid +from datetime import datetime, timezone +from typing import TYPE_CHECKING + +from ledgrab.core.activity_log.context import current_actor +from ledgrab.storage.activity_log import ActivityLogEntry, ActivitySeverity +from ledgrab.utils import get_logger + +if TYPE_CHECKING: + from ledgrab.core.processing.processor_manager import ProcessorManager + from ledgrab.storage.activity_log_repository import ActivityLogRepository + +logger = get_logger(__name__) + + +def _new_id() -> str: + """Generate a compact activity-log entry id: ``al_<8-hex-chars>``.""" + return "al_" + uuid.uuid4().hex[:8] + + +def entry_to_dict(entry: ActivityLogEntry) -> dict: + """Serialise an ``ActivityLogEntry`` to the canonical API/event payload dict. + + Reused by Phase 4 (API response serialisation) and Phase 5 (frontend). + The shape is identical to the flat row codec minus the DB-only ``seq`` + field, but with ``ts`` kept as an ISO-8601 string and ``metadata`` as a + real ``dict`` (not a JSON string). + """ + return { + "id": entry.id, + "ts": entry.ts.isoformat(), + "category": entry.category, + "action": entry.action, + "severity": entry.severity, + "actor": entry.actor, + "entity_type": entry.entity_type, + "entity_id": entry.entity_id, + "entity_name": entry.entity_name, + "message": entry.message, + "metadata": entry.metadata, + } + + +class ActivityRecorder: + """Thread-safe facade for persisting audit log entries. + + Parameters + ---------- + repo: + ``ActivityLogRepository`` used to persist entries. + processor_manager: + ``ProcessorManager`` whose ``fire_event`` dispatches the live + ``activity_logged`` event to WebSocket subscribers. + loop: + Optional: the running asyncio event loop. If ``None``, it is + captured lazily on the first call that originates from an async + context (mirroring ``LogBroadcaster.ensure_loop``). Pass it + explicitly in tests to avoid depending on a real running loop. + """ + + def __init__( + self, + repo: "ActivityLogRepository", + processor_manager: "ProcessorManager", + *, + loop: asyncio.AbstractEventLoop | None = None, + ) -> None: + self._repo = repo + self._pm = processor_manager + self._loop: asyncio.AbstractEventLoop | None = loop + self._enabled: bool = True + + # ── Loop capture (mirrors LogBroadcaster.ensure_loop) ────────────────── + + def ensure_loop(self) -> None: + """Capture the running event loop if not already stored. + + Call from an async context (e.g. lifespan startup) so that + ``call_soon_threadsafe`` works when ``record()`` is later called from + non-async threads. + """ + if self._loop is None: + try: + self._loop = asyncio.get_running_loop() + except RuntimeError: + pass + + # ── Public API ────────────────────────────────────────────────────────── + + @property + def enabled(self) -> bool: + """Whether recording is currently active.""" + return self._enabled + + @enabled.setter + def enabled(self, value: bool) -> None: + self._enabled = value + + def record( + self, + category: str, + action: str, + *, + severity: str = ActivitySeverity.INFO, + actor: str | None = None, + entity_type: str | None = None, + entity_id: str | None = None, + entity_name: str | None = None, + message: str, + metadata: dict | None = None, + _bypass_enabled: bool = False, + ) -> None: + """Append one audit entry — best-effort, never raises. + + Parameters + ---------- + category: + Broad bucket — one of :class:`~ledgrab.storage.activity_log.ActivityCategory`. + action: + Verb-object label, e.g. ``"entity.created"`` or ``"server.shutting_down"``. + severity: + One of :class:`~ledgrab.storage.activity_log.ActivitySeverity`. Defaults + to ``"info"``. + actor: + Who triggered the action. When ``None`` (the common case), the + value is resolved from :data:`~ledgrab.core.activity_log.context.current_actor` + with a default of ``"system"``. + entity_type / entity_id / entity_name: + Optional entity context for entity-domain events. + message: + Human-readable description suitable for display. + metadata: + Small JSON-serialisable dict with extra context. Defaults to ``{}``. + _bypass_enabled: + Internal flag used by the retention engine to record the + "audit log disabled" event even when ``enabled`` is ``False``. + """ + if not self._enabled and not _bypass_enabled: + return + + # Resolve actor from ContextVar when not explicitly supplied. + resolved_actor = actor if actor is not None else current_actor.get() + + entry = ActivityLogEntry( + id=_new_id(), + ts=datetime.now(timezone.utc), + category=category, + action=action, + severity=severity, + actor=resolved_actor, + entity_type=entity_type, + entity_id=entity_id, + entity_name=entity_name, + message=message, + metadata=metadata or {}, + ) + + # Determine whether we are on the event-loop thread or not. + loop = self._loop + if loop is None: + # Lazy capture — may fail if called before the loop is running. + try: + loop = asyncio.get_running_loop() + self._loop = loop + except RuntimeError: + pass + + if loop is not None and loop.is_running(): + try: + current = asyncio.get_event_loop() + except RuntimeError: + current = None + + # If the current thread IS the event-loop thread, write inline. + if current is loop: + self._write_and_emit(entry) + else: + # Called from a non-loop thread (e.g. zeroconf discovery) — + # marshal onto the event-loop thread. + try: + loop.call_soon_threadsafe(self._write_and_emit, entry) + except RuntimeError: + # Loop has been closed (rare; happens during tests) + logger.warning( + "ActivityRecorder: event loop closed, dropping entry %s", entry.id + ) + else: + # No running loop — fall back to a direct synchronous write. + # This path hits in synchronous unit tests that do not start a loop. + self._write_and_emit(entry) + + def _write_and_emit(self, entry: ActivityLogEntry) -> None: + """Persist *entry* and fire the live event — called on the loop thread.""" + try: + self._repo.record(entry) + except Exception as exc: + logger.warning("ActivityRecorder: failed to persist entry %s: %s", entry.id, exc) + return # don't emit an event for an entry that failed to persist + + try: + self._pm.fire_event( + { + "type": "activity_logged", + "entry": entry_to_dict(entry), + } + ) + except Exception as exc: + logger.warning("ActivityRecorder: failed to fire live event for %s: %s", entry.id, exc) + + +# ── Module-level singleton accessor ──────────────────────────────────────── +# +# Background engines and non-DI call sites (Phase 3's fire_entity_event hook, +# device discovery thread) need ``record()`` without going through FastAPI DI. +# ``set_module_recorder`` is called from ``main.py`` lifespan immediately after +# the recorder is wired into ``init_dependencies``. + +_recorder: ActivityRecorder | None = None + + +def set_module_recorder(recorder: ActivityRecorder) -> None: + """Store the application-level recorder in the module singleton. + + Called once from ``main.py`` lifespan startup. + """ + global _recorder + _recorder = recorder + + +def get_module_recorder() -> ActivityRecorder | None: + """Return the module-level recorder, or ``None`` if not yet initialised. + + Callers must guard against ``None`` — this returns ``None`` during module + import and early startup before ``main.py`` lifespan has run. + """ + return _recorder diff --git a/server/src/ledgrab/core/activity_log/retention.py b/server/src/ledgrab/core/activity_log/retention.py new file mode 100644 index 0000000..e6c0fda --- /dev/null +++ b/server/src/ledgrab/core/activity_log/retention.py @@ -0,0 +1,216 @@ +"""Activity log retention engine. + +Mirrors ``core/backup/auto_backup.py``: +- Settings persisted via ``db.get_setting("activity_log")`` / + ``db.set_setting("activity_log", {...})``. +- ``start()`` / ``stop()`` lifecycle following the engine convention used + throughout the codebase. +- Hourly background loop calling ``repo.prune(before_ts=..., max_entries=...)``. +- ``get_settings()`` / ``async update_settings(...)`` for the Settings API + (Phase 4). + +Changing ``enabled`` to ``False`` records an ``"audit_log.disabled"`` event via +the recorder BEFORE the flag takes effect — so the last action in the log is a +record of the intentional disable. +""" + +from __future__ import annotations + +import asyncio +from datetime import datetime, timedelta, timezone +from typing import TYPE_CHECKING + +from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity +from ledgrab.utils import get_logger + +if TYPE_CHECKING: + from ledgrab.core.activity_log.recorder import ActivityRecorder + from ledgrab.storage.activity_log_repository import ActivityLogRepository + from ledgrab.storage.database import Database + +logger = get_logger(__name__) + +DEFAULT_SETTINGS: dict = { + "enabled": True, + "max_days": 90, + "max_entries": 20000, +} + +# Prune loop interval — run roughly once an hour. +_PRUNE_INTERVAL_SECS = 3600 + + +class ActivityLogRetentionEngine: + """Background engine that prunes old activity log entries. + + Parameters + ---------- + repo: + The ``ActivityLogRepository`` used to prune entries. + db: + The shared ``Database`` singleton for settings persistence. + recorder: + The ``ActivityRecorder`` used to log the "audit log disabled" event + before disabling takes effect. + """ + + def __init__( + self, + repo: "ActivityLogRepository", + db: "Database", + recorder: "ActivityRecorder", + ) -> None: + self._repo = repo + self._db = db + self._recorder = recorder + self._task: asyncio.Task | None = None + self._settings = self._load_settings() + # Rehydrate the recorder's enabled flag from persisted settings so a + # previously-disabled log stays disabled across restarts. + self._recorder.enabled = self._settings["enabled"] + + # ── Settings persistence ─────────────────────────────────────────────── + + def _load_settings(self) -> dict: + data = self._db.get_setting("activity_log") + if data: + return {**DEFAULT_SETTINGS, **data} + return dict(DEFAULT_SETTINGS) + + def _save_settings(self) -> None: + self._db.set_setting( + "activity_log", + { + "enabled": self._settings["enabled"], + "max_days": self._settings["max_days"], + "max_entries": self._settings["max_entries"], + }, + ) + + # ── Lifecycle ────────────────────────────────────────────────────────── + + async def start(self) -> None: + """Start the retention loop if enabled.""" + if self._settings["enabled"]: + self._start_loop() + logger.info( + "Activity log retention engine started " "(max_days=%d, max_entries=%d)", + self._settings["max_days"], + self._settings["max_entries"], + ) + else: + logger.info("Activity log retention engine initialized (disabled)") + + async def stop(self) -> None: + """Cancel the retention loop.""" + self._cancel_loop() + logger.info("Activity log retention engine stopped") + + def _start_loop(self) -> None: + self._cancel_loop() + self._task = asyncio.create_task(self._retention_loop()) + + def _cancel_loop(self) -> None: + if self._task is not None: + self._task.cancel() + self._task = None + + # ── Prune loop ───────────────────────────────────────────────────────── + + async def _retention_loop(self) -> None: + try: + while True: + await asyncio.sleep(_PRUNE_INTERVAL_SECS) + try: + self._prune() + except Exception as exc: + logger.error("Activity log retention prune failed: %s", exc, exc_info=True) + except asyncio.CancelledError: + logger.debug("Activity log retention loop cancelled") + + def _prune(self) -> None: + """Execute one prune pass based on current settings.""" + settings = self._settings + if not settings["enabled"]: + return + + max_days: int = settings["max_days"] + max_entries: int = settings["max_entries"] + + before_ts: datetime | None = None + if max_days and max_days > 0: + before_ts = datetime.now(timezone.utc) - timedelta(days=max_days) + + max_entries_val: int | None = max_entries if max_entries and max_entries > 0 else None + + deleted = self._repo.prune(before_ts=before_ts, max_entries=max_entries_val) + if deleted: + logger.info( + "Activity log pruned %d rows (max_days=%d, max_entries=%d)", + deleted, + max_days, + max_entries, + ) + + # ── Public API ───────────────────────────────────────────────────────── + + def get_settings(self) -> dict: + """Return the current retention settings dict.""" + return { + "enabled": self._settings["enabled"], + "max_days": self._settings["max_days"], + "max_entries": self._settings["max_entries"], + } + + async def update_settings( + self, + *, + enabled: bool, + max_days: int, + max_entries: int, + ) -> dict: + """Persist new settings and apply them immediately. + + If ``enabled`` is changing to ``False``, the disable event is recorded + BEFORE the flag takes effect so there is a final log entry. + + Returns the new settings dict (same as ``get_settings()``). + """ + was_enabled = self._settings["enabled"] + + # Record the disable event before the recorder stops accepting entries. + if was_enabled and not enabled: + self._recorder.record( + category=ActivityCategory.SYSTEM, + action="audit_log.disabled", + severity=ActivitySeverity.WARNING, + actor="system", + message="Activity log recording disabled via settings", + _bypass_enabled=True, + ) + + self._settings["enabled"] = enabled + self._settings["max_days"] = max_days + self._settings["max_entries"] = max_entries + self._save_settings() + + # Propagate enabled flag to the recorder. + self._recorder.enabled = enabled + + if enabled: + self._start_loop() + logger.info( + "Activity log retention enabled (max_days=%d, max_entries=%d)", + max_days, + max_entries, + ) + # Run an immediate prune pass when re-enabling. + try: + self._prune() + except Exception as exc: + logger.error("Activity log immediate prune failed: %s", exc) + else: + self._cancel_loop() + logger.info("Activity log retention disabled") + + return self.get_settings() diff --git a/server/src/ledgrab/main.py b/server/src/ledgrab/main.py index 2a1b08c..a43ee0f 100644 --- a/server/src/ledgrab/main.py +++ b/server/src/ledgrab/main.py @@ -60,6 +60,9 @@ from ledgrab.storage.audio_processing_template_store import AudioProcessingTempl from ledgrab.storage.pattern_template_store import PatternTemplateStore import ledgrab.core.audio.filters # noqa: F401 — trigger audio filter auto-registration from ledgrab.core.backup.auto_backup import AutoBackupEngine +from ledgrab.core.activity_log.recorder import ActivityRecorder, set_module_recorder +from ledgrab.core.activity_log.retention import ActivityLogRetentionEngine +from ledgrab.storage.activity_log_repository import ActivityLogRepository from ledgrab.core.processing.os_notification_listener import OsNotificationListener from ledgrab.core.devices.discovery_watcher import DiscoveryWatcher from ledgrab.core.update.update_service import UpdateService @@ -184,6 +187,10 @@ pattern_template_store = PatternTemplateStore(db) game_event_bus = GameEventBus() register_community_adapters() +# Activity log repository — constructed at module level like other stores so +# it migrates the DB schema (``002_add_activity_log``) on import. +activity_log_repo = ActivityLogRepository(db) + processor_manager = ProcessorManager( ProcessorDependencies( picture_source_store=picture_source_store, @@ -290,6 +297,17 @@ async def lifespan(app: FastAPI): processor_manager=processor_manager, ) + # Create activity recorder + retention engine. The recorder needs the + # processor_manager to fire live events, so it is built after that is + # already constructed at module level. + activity_recorder = ActivityRecorder(activity_log_repo, processor_manager) + activity_recorder.ensure_loop() + activity_log_retention_engine = ActivityLogRetentionEngine( + repo=activity_log_repo, + db=db, + recorder=activity_recorder, + ) + # Create auto-backup engine — derive paths from database location so that # demo mode auto-backups go to data/demo/ instead of data/. _data_dir = Path(config.storage.database_file).parent @@ -347,7 +365,13 @@ async def lifespan(app: FastAPI): http_endpoint_store=http_endpoint_store, audio_processing_template_store=audio_processing_template_store, pattern_template_store=pattern_template_store, + activity_recorder=activity_recorder, + activity_log_repo=activity_log_repo, + activity_log_retention_engine=activity_log_retention_engine, ) + # Expose the recorder via the module singleton so non-DI sites + # (fire_entity_event, device threads) can call record() without FastAPI DI. + set_module_recorder(activity_recorder) # Register devices in processor manager for health monitoring devices = device_store.get_all_devices() @@ -390,6 +414,9 @@ async def lifespan(app: FastAPI): # Start auto-backup engine (periodic configuration backups) await auto_backup_engine.start() + # Start activity log retention engine (hourly prune of old entries) + await activity_log_retention_engine.start() + # Start update checker (periodic release polling) await update_service.start() @@ -438,6 +465,19 @@ async def lifespan(app: FastAPI): except Exception as e: logger.error("Shutdown step '%s' raised: %s", label, e) + # Record the shutdown event FIRST — before any engine teardown — so there + # is always a final log entry on graceful shutdown. + try: + activity_recorder.record( + category="system", + action="server.shutting_down", + severity="info", + actor="system", + message="Server is shutting down", + ) + except Exception as e: + logger.error("Failed to record shutdown event: %s", e) + # Legacy hook — SQLite stores are write-through so this only logs. # Durability comes from PRAGMA synchronous=FULL + the explicit # wal_checkpoint(TRUNCATE) in Database.close() at the end of this block. @@ -510,6 +550,7 @@ async def lifespan(app: FastAPI): await _bounded("update_service.stop", update_service.stop(), timeout=0.5) await _bounded("auto_backup_engine.stop", auto_backup_engine.stop(), timeout=0.5) + await _bounded("activity_log_retention.stop", activity_log_retention_engine.stop(), timeout=0.5) # Close the DB last so it runs a TRUNCATE checkpoint, flushing the WAL # into the main file. Without this, writes can survive a graceful app diff --git a/server/src/ledgrab/static/js/core/events-ws.ts b/server/src/ledgrab/static/js/core/events-ws.ts index 507b8f3..f46f9b4 100644 --- a/server/src/ledgrab/static/js/core/events-ws.ts +++ b/server/src/ledgrab/static/js/core/events-ws.ts @@ -32,6 +32,7 @@ import { openAuthedWs } from './ws-auth.ts'; * update_download_progress — update_service.py (consumed by features/update.ts) * device_discovered — discovery_watcher.py (consumed by features/notifications-watcher.ts) * device_lost — discovery_watcher.py (consumed by features/notifications-watcher.ts) + * activity_logged — core/activity_log/recorder.py (consumed by features/activity-log.ts) * * Missing any of these silently breaks the corresponding UI flow — keep * this list in sync when adding new event types on the server side. @@ -47,6 +48,7 @@ const _ALLOWED_SERVER_EVENT_TYPES: ReadonlySet = new Set([ 'update_download_progress', 'device_discovered', 'device_lost', + 'activity_logged', // source: core/activity_log/recorder.py ]); interface ServerEventEnvelope { diff --git a/server/tests/core/test_activity_log_retention.py b/server/tests/core/test_activity_log_retention.py new file mode 100644 index 0000000..3feab00 --- /dev/null +++ b/server/tests/core/test_activity_log_retention.py @@ -0,0 +1,312 @@ +"""Unit tests for ActivityLogRetentionEngine (Phase 2). + +Coverage targets +---------------- +- Prunes entries older than max_days. +- Prunes entries when count exceeds max_entries. +- Settings round-trip: persist to DB, reload on construction. +- Disabling logs the ``audit_log.disabled`` event via the recorder BEFORE + the flag takes effect. +- ``start()`` / ``stop()`` lifecycle does not raise. +- Loop starts only when ``enabled=True``; does not start when ``enabled=False``. +""" + +from __future__ import annotations + +import asyncio +from datetime import datetime, timedelta, timezone +from unittest.mock import MagicMock + + +from ledgrab.core.activity_log.recorder import ActivityRecorder +from ledgrab.core.activity_log.retention import ( + DEFAULT_SETTINGS, + ActivityLogRetentionEngine, +) +from ledgrab.storage.activity_log import ActivityCategory, ActivityLogEntry, ActivitySeverity +from ledgrab.storage.activity_log_repository import ActivityLogRepository +from ledgrab.storage.database import Database + + +# --------------------------------------------------------------------------- +# Helpers +# --------------------------------------------------------------------------- + + +def _make_entry( + *, + action: str = "test.action", + ts: datetime | None = None, +) -> ActivityLogEntry: + from datetime import timezone + import uuid + + return ActivityLogEntry( + id="al_" + uuid.uuid4().hex[:8], + ts=ts or datetime.now(timezone.utc), + category=ActivityCategory.SYSTEM, + action=action, + severity=ActivitySeverity.INFO, + actor="system", + message="test", + ) + + +def _repo_and_db(tmp_db: Database): + """Return (ActivityLogRepository, Database) backed by a temp DB.""" + repo = ActivityLogRepository(tmp_db) + return repo, tmp_db + + +def _mock_recorder() -> ActivityRecorder: + recorder = MagicMock(spec=ActivityRecorder) + recorder.enabled = True + return recorder + + +# --------------------------------------------------------------------------- +# Settings persistence +# --------------------------------------------------------------------------- + + +def test_default_settings(tmp_db): + repo, db = _repo_and_db(tmp_db) + recorder = _mock_recorder() + engine = ActivityLogRetentionEngine(repo=repo, db=db, recorder=recorder) + s = engine.get_settings() + assert s == DEFAULT_SETTINGS + + +def test_settings_round_trip(tmp_db): + repo, db = _repo_and_db(tmp_db) + recorder = _mock_recorder() + engine = ActivityLogRetentionEngine(repo=repo, db=db, recorder=recorder) + + asyncio.run(engine.update_settings(enabled=True, max_days=30, max_entries=5000)) + s = engine.get_settings() + assert s["max_days"] == 30 + assert s["max_entries"] == 5000 + + # Reload from DB (simulates restart) + engine2 = ActivityLogRetentionEngine(repo=repo, db=db, recorder=recorder) + s2 = engine2.get_settings() + assert s2["max_days"] == 30 + assert s2["max_entries"] == 5000 + + +# --------------------------------------------------------------------------- +# Pruning +# --------------------------------------------------------------------------- + + +def test_prune_by_age(tmp_db): + repo, db = _repo_and_db(tmp_db) + recorder = _mock_recorder() + engine = ActivityLogRetentionEngine(repo=repo, db=db, recorder=recorder) + + now = datetime.now(timezone.utc) + old_ts = now - timedelta(days=100) + recent_ts = now - timedelta(days=5) + + repo.record(_make_entry(ts=old_ts)) + repo.record(_make_entry(ts=recent_ts)) + assert repo.count() == 2 + + # Simulate prune with max_days=90 + asyncio.run(engine.update_settings(enabled=True, max_days=90, max_entries=0)) + engine._prune() + + # Only the old entry should be gone; 0 for max_entries means no count cap + assert repo.count() == 1 + entries = repo.query( + filters=__import__( + "ledgrab.storage.activity_log", fromlist=["ActivityLogFilters"] + ).ActivityLogFilters() + ) + assert entries[0].ts.date() == recent_ts.date() + + +def test_prune_by_max_entries(tmp_db): + + repo, db = _repo_and_db(tmp_db) + recorder = _mock_recorder() + engine = ActivityLogRetentionEngine(repo=repo, db=db, recorder=recorder) + + for _ in range(10): + repo.record(_make_entry()) + + assert repo.count() == 10 + + asyncio.run(engine.update_settings(enabled=True, max_days=0, max_entries=5)) + engine._prune() + + assert repo.count() == 5 + + +def test_prune_disabled_is_noop(tmp_db): + repo, db = _repo_and_db(tmp_db) + recorder = _mock_recorder() + engine = ActivityLogRetentionEngine(repo=repo, db=db, recorder=recorder) + + for _ in range(5): + repo.record(_make_entry()) + + # Disable engine then force a prune call + asyncio.run(engine.update_settings(enabled=False, max_days=1, max_entries=1)) + engine._prune() # should be a no-op since enabled=False + + assert repo.count() == 5 + + +# --------------------------------------------------------------------------- +# Disabling records the disable event +# --------------------------------------------------------------------------- + + +def test_disable_records_disable_event(tmp_db): + repo, db = _repo_and_db(tmp_db) + recorder = _mock_recorder() + engine = ActivityLogRetentionEngine(repo=repo, db=db, recorder=recorder) + + # Engine starts enabled (DEFAULT_SETTINGS["enabled"] == True) + asyncio.run(engine.update_settings(enabled=False, max_days=90, max_entries=20000)) + + # recorder.record must have been called with the disable action + recorder.record.assert_called_once() + kwargs = recorder.record.call_args + assert kwargs.kwargs.get("action") == "audit_log.disabled" or ( + len(kwargs.args) > 1 and kwargs.args[1] == "audit_log.disabled" + ) + # The bypass flag must be set so the disabled event gets through + assert kwargs.kwargs.get("_bypass_enabled") is True + + +def test_re_enable_does_not_record_disable_event(tmp_db): + repo, db = _repo_and_db(tmp_db) + recorder = _mock_recorder() + engine = ActivityLogRetentionEngine(repo=repo, db=db, recorder=recorder) + + # Disable first + asyncio.run(engine.update_settings(enabled=False, max_days=90, max_entries=20000)) + call_count_after_disable = recorder.record.call_count + + # Re-enable — should NOT call recorder again + asyncio.run(engine.update_settings(enabled=True, max_days=90, max_entries=20000)) + assert recorder.record.call_count == call_count_after_disable + + +# --------------------------------------------------------------------------- +# Lifecycle: start / stop +# --------------------------------------------------------------------------- + + +def test_start_stop_does_not_raise(tmp_db): + repo, db = _repo_and_db(tmp_db) + recorder = _mock_recorder() + engine = ActivityLogRetentionEngine(repo=repo, db=db, recorder=recorder) + + async def _run(): + await engine.start() + await engine.stop() + + asyncio.run(_run()) + + +def test_start_disabled_does_not_create_task(tmp_db): + repo, db = _repo_and_db(tmp_db) + recorder = _mock_recorder() + # Persist disabled setting + db.set_setting("activity_log", {**DEFAULT_SETTINGS, "enabled": False}) + engine = ActivityLogRetentionEngine(repo=repo, db=db, recorder=recorder) + + async def _run(): + await engine.start() + assert engine._task is None + await engine.stop() + + asyncio.run(_run()) + + +def test_start_enabled_creates_task(tmp_db): + repo, db = _repo_and_db(tmp_db) + recorder = _mock_recorder() + engine = ActivityLogRetentionEngine(repo=repo, db=db, recorder=recorder) + # DEFAULT_SETTINGS has enabled=True + + async def _run(): + await engine.start() + assert engine._task is not None + await engine.stop() + assert engine._task is None + + asyncio.run(_run()) + + +# --------------------------------------------------------------------------- +# Regression: recorder.enabled rehydrated from persisted settings on __init__ +# --------------------------------------------------------------------------- + + +def test_recorder_enabled_rehydrated_from_persisted_disabled(tmp_db): + """Engine.__init__ must propagate persisted enabled=False to recorder. + + If a user disabled the activity log and the server restarts, the recorder + must start in the disabled state — not its hardcoded default of True. + """ + from unittest.mock import MagicMock + from ledgrab.core.processing.processor_manager import ProcessorManager + + repo, db = _repo_and_db(tmp_db) + + # Persist enabled=False before constructing the engine. + db.set_setting("activity_log", {**DEFAULT_SETTINGS, "enabled": False}) + + # Use a real ActivityRecorder (not a mock) so we can observe its state. + mock_pm = MagicMock(spec=ProcessorManager) + real_recorder = ActivityRecorder(repo=repo, processor_manager=mock_pm) + + ActivityLogRetentionEngine(repo=repo, db=db, recorder=real_recorder) + + assert real_recorder.enabled is False, ( + "recorder.enabled should be False after constructing the engine " + "over a DB where enabled=False was persisted" + ) + + +def test_recorder_enabled_rehydrated_from_persisted_enabled(tmp_db): + """Engine.__init__ leaves recorder enabled when persisted setting is True.""" + from unittest.mock import MagicMock + from ledgrab.core.processing.processor_manager import ProcessorManager + + repo, db = _repo_and_db(tmp_db) + + # Persist enabled=True explicitly. + db.set_setting("activity_log", {**DEFAULT_SETTINGS, "enabled": True}) + + mock_pm = MagicMock(spec=ProcessorManager) + real_recorder = ActivityRecorder(repo=repo, processor_manager=mock_pm) + + ActivityLogRetentionEngine(repo=repo, db=db, recorder=real_recorder) + + assert real_recorder.enabled is True, ( + "recorder.enabled should be True after constructing the engine " + "over a DB where enabled=True was persisted" + ) + + +def test_recorder_enabled_defaults_to_true_when_no_persisted_setting(tmp_db): + """Engine.__init__ leaves recorder enabled when no setting has been persisted.""" + from unittest.mock import MagicMock + from ledgrab.core.processing.processor_manager import ProcessorManager + + repo, db = _repo_and_db(tmp_db) + # No db.set_setting call — DB has no activity_log setting yet. + + mock_pm = MagicMock(spec=ProcessorManager) + real_recorder = ActivityRecorder(repo=repo, processor_manager=mock_pm) + + ActivityLogRetentionEngine(repo=repo, db=db, recorder=real_recorder) + + assert ( + real_recorder.enabled is True + ), "recorder.enabled should default to True when no setting is persisted" diff --git a/server/tests/core/test_activity_recorder.py b/server/tests/core/test_activity_recorder.py new file mode 100644 index 0000000..20db027 --- /dev/null +++ b/server/tests/core/test_activity_recorder.py @@ -0,0 +1,256 @@ +"""Unit tests for ActivityRecorder (Phase 2). + +Coverage targets +---------------- +- record() persists an entry AND fires ``activity_logged`` via fire_event. +- actor resolves from the ``current_actor`` ContextVar; defaults to ``"system"``. +- Failure in repo.record() does NOT raise into the caller. +- Cross-thread record() from a threading.Thread routes through the event loop + and persists. +- ``enabled=False`` makes record() a no-op (except ``_bypass_enabled``). +- ``entry_to_dict`` produces the expected shape. +""" + +from __future__ import annotations + +import asyncio +import threading +from unittest.mock import MagicMock + + +from ledgrab.core.activity_log.context import current_actor +from ledgrab.core.activity_log.recorder import ActivityRecorder, entry_to_dict +from ledgrab.storage.activity_log import ActivityCategory, ActivityLogEntry, ActivitySeverity + + +# --------------------------------------------------------------------------- +# Helpers / fixtures +# --------------------------------------------------------------------------- + + +def _make_recorder( + *, + fail_repo: bool = False, + loop: asyncio.AbstractEventLoop | None = None, +) -> tuple[ActivityRecorder, list, list]: + """Return (recorder, persisted_entries, fired_events).""" + repo = MagicMock() + persisted: list[ActivityLogEntry] = [] + + if fail_repo: + repo.record.side_effect = RuntimeError("DB exploded") + else: + repo.record.side_effect = lambda entry: persisted.append(entry) + + pm = MagicMock() + fired: list[dict] = [] + pm.fire_event.side_effect = lambda evt: fired.append(evt) + + recorder = ActivityRecorder(repo, pm, loop=loop) + return recorder, persisted, fired + + +# --------------------------------------------------------------------------- +# Basic persistence + event emit +# --------------------------------------------------------------------------- + + +def test_record_persists_entry(): + recorder, persisted, fired = _make_recorder() + recorder.record( + category=ActivityCategory.SYSTEM, + action="test.action", + message="hello", + ) + assert len(persisted) == 1 + entry = persisted[0] + assert entry.category == ActivityCategory.SYSTEM + assert entry.action == "test.action" + assert entry.message == "hello" + assert entry.id.startswith("al_") + + +def test_record_fires_activity_logged_event(): + recorder, persisted, fired = _make_recorder() + recorder.record( + category=ActivityCategory.AUTH, + action="auth.login", + message="user signed in", + ) + assert len(fired) == 1 + evt = fired[0] + assert evt["type"] == "activity_logged" + assert "entry" in evt + assert evt["entry"]["action"] == "auth.login" + + +def test_record_default_severity_is_info(): + recorder, persisted, _ = _make_recorder() + recorder.record(category=ActivityCategory.SYSTEM, action="x", message="m") + assert persisted[0].severity == ActivitySeverity.INFO + + +def test_record_custom_fields(): + recorder, persisted, _ = _make_recorder() + recorder.record( + category=ActivityCategory.ENTITY, + action="entity.created", + severity=ActivitySeverity.WARNING, + entity_type="output_target", + entity_id="ot_abc123", + entity_name="My strip", + message="created", + metadata={"key": "val"}, + ) + e = persisted[0] + assert e.severity == ActivitySeverity.WARNING + assert e.entity_type == "output_target" + assert e.entity_id == "ot_abc123" + assert e.entity_name == "My strip" + assert e.metadata == {"key": "val"} + + +# --------------------------------------------------------------------------- +# Actor resolution from ContextVar +# --------------------------------------------------------------------------- + + +def test_actor_defaults_to_system(): + recorder, persisted, _ = _make_recorder() + recorder.record(category=ActivityCategory.SYSTEM, action="a", message="m") + assert persisted[0].actor == "system" + + +def test_actor_resolved_from_contextvar(): + recorder, persisted, _ = _make_recorder() + token = current_actor.set("homeassistant") + try: + recorder.record(category=ActivityCategory.AUTH, action="b", message="m") + finally: + current_actor.reset(token) + assert persisted[0].actor == "homeassistant" + + +def test_actor_explicit_overrides_contextvar(): + recorder, persisted, _ = _make_recorder() + token = current_actor.set("homeassistant") + try: + recorder.record( + category=ActivityCategory.SYSTEM, + action="c", + message="m", + actor="explicit_actor", + ) + finally: + current_actor.reset(token) + assert persisted[0].actor == "explicit_actor" + + +# --------------------------------------------------------------------------- +# Failure isolation — repo failure must not raise into caller +# --------------------------------------------------------------------------- + + +def test_repo_failure_does_not_raise(): + recorder, persisted, fired = _make_recorder(fail_repo=True) + # Must not raise + recorder.record(category=ActivityCategory.SYSTEM, action="a", message="m") + # No event emitted when persist failed + assert fired == [] + + +# --------------------------------------------------------------------------- +# enabled flag +# --------------------------------------------------------------------------- + + +def test_disabled_recorder_is_noop(): + recorder, persisted, fired = _make_recorder() + recorder.enabled = False + recorder.record(category=ActivityCategory.SYSTEM, action="a", message="m") + assert persisted == [] + assert fired == [] + + +def test_bypass_enabled_flag_records_even_when_disabled(): + recorder, persisted, fired = _make_recorder() + recorder.enabled = False + recorder.record( + category=ActivityCategory.SYSTEM, + action="audit_log.disabled", + message="disabled", + _bypass_enabled=True, + ) + assert len(persisted) == 1 + + +# --------------------------------------------------------------------------- +# entry_to_dict helper +# --------------------------------------------------------------------------- + + +def test_entry_to_dict_shape(): + from datetime import datetime, timezone + + entry = ActivityLogEntry( + id="al_aabbccdd", + ts=datetime(2026, 1, 2, 3, 4, 5, tzinfo=timezone.utc), + category="system", + action="test", + severity="info", + actor="system", + message="hello", + metadata={"x": 1}, + ) + d = entry_to_dict(entry) + assert set(d.keys()) == { + "id", + "ts", + "category", + "action", + "severity", + "actor", + "entity_type", + "entity_id", + "entity_name", + "message", + "metadata", + } + assert d["metadata"] == {"x": 1} # real dict, not JSON string + assert d["ts"].startswith("2026-01-02T03:04:05") + + +# --------------------------------------------------------------------------- +# Cross-thread record() — routes through the event loop and persists +# --------------------------------------------------------------------------- + + +def test_cross_thread_record_routes_through_loop(): + """record() called from a non-loop thread marshals via call_soon_threadsafe.""" + + async def _run(): + recorder, persisted, fired = _make_recorder(loop=asyncio.get_running_loop()) + recorder.ensure_loop() + + done = threading.Event() + + def _thread_body(): + recorder.record( + category=ActivityCategory.DEVICE, + action="device.discovered", + message="found it", + ) + done.set() + + t = threading.Thread(target=_thread_body) + t.start() + t.join(timeout=2.0) + # Give the scheduled callback a chance to run on the loop. + await asyncio.sleep(0.05) + + assert len(persisted) == 1, f"Expected 1 entry, got {persisted}" + assert persisted[0].action == "device.discovered" + assert len(fired) == 1 + assert fired[0]["type"] == "activity_logged" + + asyncio.run(_run()) diff --git a/server/tests/core/test_activity_recorder_adversarial.py b/server/tests/core/test_activity_recorder_adversarial.py new file mode 100644 index 0000000..df7af5f --- /dev/null +++ b/server/tests/core/test_activity_recorder_adversarial.py @@ -0,0 +1,778 @@ +"""Adversarial / edge-case tests for ActivityRecorder and ActivityLogRetentionEngine. + +Derive expected behaviour from the acceptance criteria in +plans/activity-log/phase-2-recorder-retention.md — NOT from what the code does. +A failing test is a bug found in the implementation. + +Coverage areas +-------------- +1. Thread-safety / marshaling — record() from a non-loop thread routes via + call_soon_threadsafe; record() from the loop thread writes inline. + Neither path raises into the caller even when the loop is closed. +2. Best-effort / never-raises — repo.record raises → no exception escapes, + no event emitted; fire_event raises → no exception escapes, entry still + persisted (order: persist THEN emit). +3. Actor resolution — defaults "system"; ContextVar wins when set; + explicit actor= overrides ContextVar; no cross-context leakage (fresh + ContextVar copy does not see a previous set). +4. enabled flag — disabled → NO-OP (nothing persisted, no event); + _bypass_enabled=True → still records despite enabled=False. +5. entry_to_dict / payload — exactly 11 keys; ts is ISO-8601 string; + metadata is a real dict; activity_logged payload shape is frozen. +6. Retention engine — update_settings persists and round-trips; + _prune calls repo.prune with correct before_ts / max_entries; + disabling records exactly one disable event BEFORE recording stops; + subsequent normal record after disable is a no-op; + start() then stop() cancels task cleanly; + stop() without prior start() is safe. +7. Lazy loop capture — recorder built before the loop is running still + works after the loop starts (no explicit loop= argument). +""" + +from __future__ import annotations + +import asyncio +import contextvars +import threading +import uuid +from datetime import datetime, timedelta, timezone +from unittest.mock import MagicMock + + +from ledgrab.core.activity_log.context import current_actor +from ledgrab.core.activity_log.recorder import ( + ActivityRecorder, + entry_to_dict, + get_module_recorder, + set_module_recorder, +) +from ledgrab.core.activity_log.retention import ( + DEFAULT_SETTINGS, + ActivityLogRetentionEngine, +) +from ledgrab.storage.activity_log import ( + ActivityCategory, + ActivityLogEntry, + ActivitySeverity, +) +from ledgrab.storage.activity_log_repository import ActivityLogRepository + + +# --------------------------------------------------------------------------- +# Shared helpers +# --------------------------------------------------------------------------- + + +def _make_recorder( + *, + fail_repo: bool = False, + fail_pm: bool = False, + loop: asyncio.AbstractEventLoop | None = None, +) -> tuple[ActivityRecorder, list[ActivityLogEntry], list[dict]]: + """Return (recorder, persisted_entries, fired_events) — pure mocks.""" + repo = MagicMock() + persisted: list[ActivityLogEntry] = [] + + if fail_repo: + repo.record.side_effect = RuntimeError("DB exploded") + else: + repo.record.side_effect = lambda entry: persisted.append(entry) + + pm = MagicMock() + fired: list[dict] = [] + + if fail_pm: + pm.fire_event.side_effect = RuntimeError("PM exploded") + else: + pm.fire_event.side_effect = lambda evt: fired.append(evt) + + recorder = ActivityRecorder(repo, pm, loop=loop) + return recorder, persisted, fired + + +def _make_entry(action: str = "test.action") -> ActivityLogEntry: + return ActivityLogEntry( + id="al_" + uuid.uuid4().hex[:8], + ts=datetime.now(timezone.utc), + category=ActivityCategory.SYSTEM, + action=action, + severity=ActivitySeverity.INFO, + actor="system", + message="test", + ) + + +# --------------------------------------------------------------------------- +# 1. Thread-safety / marshaling +# --------------------------------------------------------------------------- + + +def test_cross_thread_write_goes_via_call_soon_threadsafe(): + """record() from a non-loop thread must marshal onto the loop, not write inline.""" + + async def _run(): + loop = asyncio.get_running_loop() + recorder, persisted, fired = _make_recorder(loop=loop) + + # Ensure the recorder knows the loop. + recorder.ensure_loop() + + thread_saw_persisted_count: list[int] = [] + + def _thread_body(): + # Nothing should be persisted synchronously in this thread — + # the write must be deferred to the loop via call_soon_threadsafe. + recorder.record( + category=ActivityCategory.DEVICE, + action="device.discovered", + message="zeroconf found it", + ) + # Capture how many entries are persisted synchronously right after the call. + thread_saw_persisted_count.append(len(persisted)) + + t = threading.Thread(target=_thread_body) + t.start() + t.join(timeout=2.0) + assert not t.is_alive(), "thread did not finish in time" + + # The thread's synchronous view must see 0 — the actual write is deferred. + assert thread_saw_persisted_count[0] == 0, ( + "write was not deferred: record() persisted synchronously on the " + "calling thread instead of marshaling to the loop" + ) + + # Give the loop a tick to drain the call_soon_threadsafe callback. + await asyncio.sleep(0.05) + + assert len(persisted) == 1, f"entry not persisted after loop tick: {persisted}" + assert persisted[0].action == "device.discovered" + assert len(fired) == 1 + assert fired[0]["type"] == "activity_logged" + + asyncio.run(_run()) + + +def test_loop_thread_write_is_inline(): + """record() called from the loop thread writes without call_soon_threadsafe.""" + + call_soon_threadsafe_calls: list = [] + + async def _run(): + loop = asyncio.get_running_loop() + # Monkeypatch call_soon_threadsafe to detect if it is used. + original_csst = loop.call_soon_threadsafe + loop.call_soon_threadsafe = lambda *a, **kw: call_soon_threadsafe_calls.append(a) or original_csst(*a, **kw) # type: ignore[method-assign] + try: + recorder, persisted, fired = _make_recorder(loop=loop) + recorder.ensure_loop() + + recorder.record( + category=ActivityCategory.SYSTEM, + action="system.startup", + message="loop thread write", + ) + # No yield — synchronous within the coroutine. + assert len(persisted) == 1, "inline write did not happen synchronously" + assert call_soon_threadsafe_calls == [], ( + "call_soon_threadsafe was invoked from the loop thread — " + "should write inline instead" + ) + finally: + loop.call_soon_threadsafe = original_csst # type: ignore[method-assign] + + asyncio.run(_run()) + + +def test_cross_thread_closed_loop_does_not_raise(): + """record() from a thread after the loop closes must log a warning, not raise.""" + loop = asyncio.new_event_loop() + recorder, persisted, fired = _make_recorder(loop=loop) + # Close the loop immediately — simulate a test teardown race. + loop.close() + + # This must not raise. + recorder.record( + category=ActivityCategory.SYSTEM, + action="closed.loop.test", + message="should not raise", + ) + # The entry may or may not be persisted (the closed-loop path drops it), + # but the important contract is: no exception propagates. + + +def test_no_loop_falls_back_to_synchronous_write(): + """record() with no loop and no running loop writes synchronously.""" + recorder, persisted, fired = _make_recorder(loop=None) + # No loop is running here (plain synchronous test). + recorder.record( + category=ActivityCategory.SYSTEM, + action="no.loop.write", + message="synchronous fallback", + ) + assert len(persisted) == 1 + assert len(fired) == 1 + + +# --------------------------------------------------------------------------- +# 2. Best-effort / never-raises +# --------------------------------------------------------------------------- + + +def test_repo_failure_does_not_raise_and_suppresses_fire_event(): + """repo.record raises → no exception propagates AND fire_event is NOT called.""" + recorder, persisted, fired = _make_recorder(fail_repo=True) + # Must not raise. + recorder.record(category=ActivityCategory.SYSTEM, action="a", message="m") + # No event must be emitted for an entry that failed to persist. + assert fired == [], ( + "fire_event was called even though repo.record failed — " + "the event would reference an entry that was never stored" + ) + + +def test_fire_event_failure_does_not_raise_and_entry_is_persisted(): + """fire_event raises → no exception propagates AND the entry IS persisted. + + Order: persist THEN emit. An emit failure must not roll back the persist. + """ + recorder, persisted, fired = _make_recorder(fail_pm=True) + # Must not raise. + recorder.record(category=ActivityCategory.SYSTEM, action="b", message="m") + # Entry must have been persisted before the emit attempt. + assert ( + len(persisted) == 1 + ), "entry was not persisted — fire_event failure retroactively erased it" + + +def test_both_failures_do_not_raise(): + """Even when both repo AND fire_event raise, record() must not propagate.""" + recorder, persisted, fired = _make_recorder(fail_repo=True, fail_pm=True) + recorder.record(category=ActivityCategory.SYSTEM, action="c", message="m") + # Nothing persisted, nothing fired — but absolutely no exception. + + +# --------------------------------------------------------------------------- +# 3. Actor resolution / ContextVar isolation +# --------------------------------------------------------------------------- + + +def test_actor_defaults_to_system_when_contextvar_unset(): + """When no actor arg and ContextVar at default, actor must be 'system'.""" + recorder, persisted, _ = _make_recorder() + # Make sure the ContextVar is at its default. + token = current_actor.set("system") + current_actor.reset(token) + recorder.record(category=ActivityCategory.SYSTEM, action="a", message="m") + assert persisted[0].actor == "system" + + +def test_explicit_actor_overrides_contextvar(): + """Explicit actor= argument wins over the ContextVar value.""" + recorder, persisted, _ = _make_recorder() + token = current_actor.set("api_user") + try: + recorder.record( + category=ActivityCategory.AUTH, + action="auth.login", + message="explicit", + actor="override_actor", + ) + finally: + current_actor.reset(token) + assert ( + persisted[0].actor == "override_actor" + ), "explicit actor= was ignored; ContextVar won over explicit arg" + + +def test_contextvar_value_used_when_set(): + """When current_actor ContextVar is set, recorder picks it up.""" + recorder, persisted, _ = _make_recorder() + token = current_actor.set("mobile_client") + try: + recorder.record(category=ActivityCategory.ENTITY, action="e.created", message="m") + finally: + current_actor.reset(token) + assert persisted[0].actor == "mobile_client" + + +def test_no_cross_context_leakage_via_copy_context(): + """ContextVar set in one context does not bleed into an independent copy.""" + # Simulate request-1 setting the actor. + ctx_req1 = contextvars.copy_context() + + def _request1(): + current_actor.set("user_alice") + + ctx_req1.run(_request1) + + # Simulate request-2 in a fresh copy — must not see user_alice. + ctx_req2 = contextvars.copy_context() + + def _request2(): + return current_actor.get() + + actor_in_req2 = ctx_req2.run(_request2) + assert actor_in_req2 == "system", ( + f"Cross-context leakage: request-2 saw actor '{actor_in_req2}' " + "from request-1 instead of the default 'system'" + ) + + +def test_no_cross_request_leakage_sequential_records(): + """Two sequential simulated requests must not share ContextVar state.""" + recorder, persisted, _ = _make_recorder() + + # Request 1: set actor, record, reset. + token1 = current_actor.set("admin_user") + try: + recorder.record(category=ActivityCategory.AUTH, action="login", message="req1") + finally: + current_actor.reset(token1) + + # Request 2: no actor set — must fall back to "system". + recorder.record(category=ActivityCategory.SYSTEM, action="heartbeat", message="req2") + + assert persisted[0].actor == "admin_user" + assert persisted[1].actor == "system", ( + f"Request-2 actor was '{persisted[1].actor}' instead of 'system' — " + "ContextVar from request-1 leaked into request-2" + ) + + +# --------------------------------------------------------------------------- +# 4. enabled flag +# --------------------------------------------------------------------------- + + +def test_disabled_record_is_noop_nothing_persisted(): + """enabled=False → record() returns immediately; nothing persisted.""" + recorder, persisted, fired = _make_recorder() + recorder.enabled = False + recorder.record(category=ActivityCategory.SYSTEM, action="a", message="m") + assert persisted == [], "disabled recorder should not persist" + assert fired == [], "disabled recorder should not fire events" + + +def test_disabled_record_bypass_enabled_still_records(): + """_bypass_enabled=True bypasses the enabled=False guard.""" + recorder, persisted, fired = _make_recorder() + recorder.enabled = False + recorder.record( + category=ActivityCategory.SYSTEM, + action="audit_log.disabled", + message="final entry before disable", + _bypass_enabled=True, + ) + assert len(persisted) == 1, "_bypass_enabled=True should still persist" + assert len(fired) == 1, "_bypass_enabled=True should still fire the event" + + +def test_bypass_enabled_false_with_enabled_true_is_normal_record(): + """_bypass_enabled=False and enabled=True → normal record (regression guard).""" + recorder, persisted, fired = _make_recorder() + recorder.enabled = True + recorder.record( + category=ActivityCategory.SYSTEM, + action="normal", + message="m", + _bypass_enabled=False, + ) + assert len(persisted) == 1 + assert len(fired) == 1 + + +# --------------------------------------------------------------------------- +# 5. entry_to_dict / payload shape +# --------------------------------------------------------------------------- + +_EXPECTED_KEYS = frozenset( + { + "id", + "ts", + "category", + "action", + "severity", + "actor", + "entity_type", + "entity_id", + "entity_name", + "message", + "metadata", + } +) + + +def test_entry_to_dict_has_exactly_11_keys(): + """entry_to_dict must return a dict with exactly the 11 frozen keys.""" + d = entry_to_dict(_make_entry()) + assert set(d.keys()) == _EXPECTED_KEYS, ( + f"Key mismatch.\n Missing: {_EXPECTED_KEYS - set(d.keys())}\n" + f" Extra: {set(d.keys()) - _EXPECTED_KEYS}" + ) + + +def test_entry_to_dict_ts_is_iso8601_string(): + """ts must be an ISO-8601 string, not a datetime object.""" + entry = _make_entry() + d = entry_to_dict(entry) + assert isinstance(d["ts"], str), f"ts is {type(d['ts'])}, expected str" + # Must round-trip through fromisoformat without error. + parsed = datetime.fromisoformat(d["ts"]) + assert parsed.tzinfo is not None, "ts ISO string has no timezone info" + + +def test_entry_to_dict_metadata_is_real_dict_not_json_string(): + """metadata must be a dict, not a JSON-encoded string.""" + entry = ActivityLogEntry( + id="al_aabbccdd", + ts=datetime.now(timezone.utc), + category=ActivityCategory.SYSTEM, + action="test", + severity=ActivitySeverity.INFO, + actor="system", + message="hello", + metadata={"nested": {"key": 42}, "list": [1, 2, 3]}, + ) + d = entry_to_dict(entry) + assert isinstance( + d["metadata"], dict + ), f"metadata is {type(d['metadata'])}, expected dict (not a JSON string)" + assert d["metadata"] == {"nested": {"key": 42}, "list": [1, 2, 3]} + + +def test_activity_logged_event_payload_shape(): + """The fired event must match the frozen payload shape from the handoff doc.""" + recorder, persisted, fired = _make_recorder() + recorder.record( + category=ActivityCategory.AUTH, + action="auth.login", + severity=ActivitySeverity.WARNING, + actor="api_user", + entity_type="session", + entity_id="sess_001", + entity_name="admin session", + message="user signed in", + metadata={"ip": "127.0.0.1"}, + ) + assert len(fired) == 1 + evt = fired[0] + assert evt.get("type") == "activity_logged", f"event type wrong: {evt.get('type')!r}" + entry_dict = evt.get("entry") + assert isinstance(entry_dict, dict), "event 'entry' must be a dict" + assert set(entry_dict.keys()) == _EXPECTED_KEYS + assert entry_dict["actor"] == "api_user" + assert entry_dict["entity_type"] == "session" + assert entry_dict["metadata"] == {"ip": "127.0.0.1"} + assert isinstance(entry_dict["metadata"], dict), "metadata in event must be a dict" + + +def test_entry_id_format(): + """Entry IDs must be 'al_' followed by 8 hex characters.""" + recorder, persisted, _ = _make_recorder() + recorder.record(category=ActivityCategory.SYSTEM, action="a", message="m") + entry_id = persisted[0].id + assert entry_id.startswith("al_"), f"id does not start with 'al_': {entry_id!r}" + suffix = entry_id[3:] + assert len(suffix) == 8, f"id suffix length is {len(suffix)}, expected 8: {entry_id!r}" + assert all(c in "0123456789abcdef" for c in suffix), f"id suffix is not hex: {suffix!r}" + + +def test_entry_ts_is_utc(): + """Recorded entry ts must be timezone-aware UTC.""" + recorder, persisted, _ = _make_recorder() + recorder.record(category=ActivityCategory.SYSTEM, action="a", message="m") + ts = persisted[0].ts + assert ts.tzinfo is not None, "ts has no timezone info" + # Must be within 5 seconds of now (sanity check). + delta = abs((datetime.now(timezone.utc) - ts).total_seconds()) + assert delta < 5, f"ts is {delta:.1f}s away from now — suspiciously stale" + + +# --------------------------------------------------------------------------- +# 6. Retention engine +# --------------------------------------------------------------------------- + + +def test_retention_update_settings_persists_to_db(tmp_db): + """update_settings must persist to DB so a fresh engine reload picks it up.""" + repo = ActivityLogRepository(tmp_db) + recorder = MagicMock(spec=ActivityRecorder) + recorder.enabled = True + + engine = ActivityLogRetentionEngine(repo=repo, db=tmp_db, recorder=recorder) + asyncio.run(engine.update_settings(enabled=True, max_days=14, max_entries=500)) + + # Reload from DB — simulates server restart. + engine2 = ActivityLogRetentionEngine(repo=repo, db=tmp_db, recorder=recorder) + s = engine2.get_settings() + assert s["max_days"] == 14, f"max_days not persisted: {s}" + assert s["max_entries"] == 500, f"max_entries not persisted: {s}" + assert s["enabled"] is True + + +def test_retention_prune_passes_correct_before_ts(tmp_db): + """_prune must call repo.prune with before_ts ≈ now - max_days.""" + repo = MagicMock() + repo.prune.return_value = 0 + recorder = MagicMock(spec=ActivityRecorder) + recorder.enabled = True + + engine = ActivityLogRetentionEngine(repo=repo, db=tmp_db, recorder=recorder) + # Patch settings directly (don't go through update_settings to avoid task side-effects). + engine._settings = {"enabled": True, "max_days": 30, "max_entries": 0} + + before = datetime.now(timezone.utc) + engine._prune() + after = datetime.now(timezone.utc) + + repo.prune.assert_called_once() + kwargs = repo.prune.call_args.kwargs + before_ts = kwargs.get("before_ts") + assert before_ts is not None, "_prune called repo.prune without before_ts" + expected_min = before - timedelta(days=30, seconds=1) + expected_max = after - timedelta(days=30) + timedelta(seconds=1) + assert expected_min <= before_ts <= expected_max, ( + f"before_ts {before_ts} is not near now - 30 days " + f"(expected [{expected_min}, {expected_max}])" + ) + + +def test_retention_prune_passes_max_entries(tmp_db): + """_prune must forward max_entries from settings to repo.prune.""" + repo = MagicMock() + repo.prune.return_value = 0 + recorder = MagicMock(spec=ActivityRecorder) + recorder.enabled = True + + engine = ActivityLogRetentionEngine(repo=repo, db=tmp_db, recorder=recorder) + engine._settings = {"enabled": True, "max_days": 0, "max_entries": 9999} + engine._prune() + + kwargs = repo.prune.call_args.kwargs + assert kwargs.get("max_entries") == 9999, f"max_entries not forwarded: {kwargs}" + + +def test_retention_prune_zero_max_entries_means_no_count_cap(tmp_db): + """max_entries=0 should pass None (no count cap) to repo.prune.""" + repo = MagicMock() + repo.prune.return_value = 0 + recorder = MagicMock(spec=ActivityRecorder) + recorder.enabled = True + + engine = ActivityLogRetentionEngine(repo=repo, db=tmp_db, recorder=recorder) + engine._settings = {"enabled": True, "max_days": 0, "max_entries": 0} + engine._prune() + + kwargs = repo.prune.call_args.kwargs + assert ( + kwargs.get("max_entries") is None + ), f"max_entries=0 should map to None (no cap), got {kwargs.get('max_entries')!r}" + + +def test_retention_disable_records_exactly_one_disable_event_with_bypass(tmp_db): + """Disabling via update_settings records exactly one 'audit_log.disabled' event + with _bypass_enabled=True BEFORE the enabled flag is set to False.""" + repo = ActivityLogRepository(tmp_db) + # Use a real recorder backed by repo to verify ordering. + pm = MagicMock() + pm.fire_event.return_value = None + real_recorder = ActivityRecorder(repo, pm) + real_recorder.enabled = True + + engine = ActivityLogRetentionEngine(repo=repo, db=tmp_db, recorder=real_recorder) + + # Disable — should record the event before flipping the flag. + asyncio.run(engine.update_settings(enabled=False, max_days=90, max_entries=20000)) + + # The disable event must be in the DB (persisted before the flag flipped). + entries = repo.query( + __import__( + "ledgrab.storage.activity_log", + fromlist=["ActivityLogFilters"], + ).ActivityLogFilters() + ) + disable_events = [e for e in entries if e.action == "audit_log.disabled"] + assert len(disable_events) == 1, f"Expected exactly 1 disable event, got {len(disable_events)}" + + # After disabling, a normal record must be a no-op. + real_recorder.record( + category=ActivityCategory.SYSTEM, + action="should.not.appear", + message="this should be dropped", + ) + entries_after = repo.query( + __import__( + "ledgrab.storage.activity_log", + fromlist=["ActivityLogFilters"], + ).ActivityLogFilters() + ) + post_disable_actions = [e.action for e in entries_after if e.action != "audit_log.disabled"] + assert post_disable_actions == [], f"Entries appeared after disable: {post_disable_actions}" + + +def test_retention_disable_does_not_record_event_when_already_disabled(tmp_db): + """update_settings(enabled=False) when already disabled must NOT record a second event.""" + repo = ActivityLogRepository(tmp_db) + pm = MagicMock() + pm.fire_event.return_value = None + recorder = MagicMock(spec=ActivityRecorder) + recorder.enabled = True + + engine = ActivityLogRetentionEngine(repo=repo, db=tmp_db, recorder=recorder) + + # First disable. + asyncio.run(engine.update_settings(enabled=False, max_days=90, max_entries=20000)) + first_count = recorder.record.call_count + + # Second disable — must NOT record another event. + asyncio.run(engine.update_settings(enabled=False, max_days=90, max_entries=20000)) + assert ( + recorder.record.call_count == first_count + ), "A second disable call recorded an extra event when already disabled" + + +async def test_retention_start_stop_cancels_task_cleanly(tmp_db): + """start() then stop() must cancel the task and leave _task=None. + + After stop(), the task has been requested to cancel and _task is None. + The cancellation may still be 'in-flight' on the event loop (status: + 'cancelling') until the next tick; we yield once to let the event loop + process the CancelledError and confirm task.done() is True. + """ + repo = ActivityLogRepository(tmp_db) + recorder = MagicMock(spec=ActivityRecorder) + recorder.enabled = True + + engine = ActivityLogRetentionEngine(repo=repo, db=tmp_db, recorder=recorder) + + await engine.start() + task = engine._task + assert task is not None, "start() did not create a task" + assert not task.done(), "task completed immediately — should be sleeping" + + await engine.stop() + # _task cleared immediately. + assert engine._task is None, "_task was not cleared to None after stop()" + # Give the event loop one tick to process the CancelledError. + await asyncio.sleep(0) + assert task.done(), ( + "task is still running after stop() + one event loop tick — " + "stop() did not cancel the task" + ) + + +async def test_retention_stop_without_start_is_safe(tmp_db): + """stop() without a prior start() must not raise.""" + repo = ActivityLogRepository(tmp_db) + recorder = MagicMock(spec=ActivityRecorder) + recorder.enabled = True + + engine = ActivityLogRetentionEngine(repo=repo, db=tmp_db, recorder=recorder) + assert engine._task is None + + # Must not raise. + await engine.stop() + assert engine._task is None + + +async def test_retention_start_disabled_no_task(tmp_db): + """start() when enabled=False must not create a task.""" + tmp_db.set_setting("activity_log", {**DEFAULT_SETTINGS, "enabled": False}) + repo = ActivityLogRepository(tmp_db) + recorder = MagicMock(spec=ActivityRecorder) + recorder.enabled = False + + engine = ActivityLogRetentionEngine(repo=repo, db=tmp_db, recorder=recorder) + await engine.start() + assert engine._task is None, "task was created even though engine is disabled" + await engine.stop() + + +async def test_retention_max_days_boundary(tmp_db): + """max_days ≤ 0 should not pass a before_ts to repo.prune (no age cap).""" + repo = MagicMock() + repo.prune.return_value = 0 + recorder = MagicMock(spec=ActivityRecorder) + recorder.enabled = True + + engine = ActivityLogRetentionEngine(repo=repo, db=tmp_db, recorder=recorder) + engine._settings = {"enabled": True, "max_days": 0, "max_entries": 0} + engine._prune() + + kwargs = repo.prune.call_args.kwargs + assert ( + kwargs.get("before_ts") is None + ), f"max_days=0 should map to before_ts=None (no age cap), got {kwargs.get('before_ts')!r}" + + +# --------------------------------------------------------------------------- +# 7. Lazy loop capture (recorder built before loop is running) +# --------------------------------------------------------------------------- + + +def test_lazy_loop_capture_without_explicit_loop(): + """Recorder with loop=None still works when record() is called from a running loop.""" + + async def _run(): + # Build the recorder BEFORE passing the loop explicitly — test lazy capture. + recorder, persisted, fired = _make_recorder(loop=None) + # Do NOT call ensure_loop() explicitly — the lazy path in record() must handle it. + recorder.record( + category=ActivityCategory.SYSTEM, + action="lazy.capture", + message="loop captured lazily", + ) + assert ( + len(persisted) == 1 + ), "Lazy loop capture failed: entry not persisted when loop=None at construction" + + asyncio.run(_run()) + + +def test_lazy_loop_stores_loop_for_subsequent_calls(): + """After the first call from an async context, _loop is populated.""" + + async def _run(): + recorder, persisted, fired = _make_recorder(loop=None) + assert recorder._loop is None + + recorder.record(category=ActivityCategory.SYSTEM, action="first", message="m") + + # The loop must have been captured. + assert ( + recorder._loop is not None + ), "recorder._loop was not set after first record() from async context" + assert recorder._loop is asyncio.get_running_loop() + + asyncio.run(_run()) + + +# --------------------------------------------------------------------------- +# 8. Module-level singleton accessor +# --------------------------------------------------------------------------- + + +def test_set_and_get_module_recorder(): + """set_module_recorder / get_module_recorder round-trip.""" + original = get_module_recorder() + try: + recorder, _, _ = _make_recorder() + set_module_recorder(recorder) + assert get_module_recorder() is recorder + finally: + # Restore whatever was there before (may be None in test isolation). + import ledgrab.core.activity_log.recorder as _mod + + _mod._recorder = original # type: ignore[attr-defined] + + +def test_get_module_recorder_returns_none_before_set(): + """get_module_recorder() returns None when not yet initialised.""" + import ledgrab.core.activity_log.recorder as _mod + + original = _mod._recorder # type: ignore[attr-defined] + _mod._recorder = None # type: ignore[attr-defined] + try: + assert get_module_recorder() is None + finally: + _mod._recorder = original # type: ignore[attr-defined] From 25c613c5cb331a30cd7dd645bbbd2b2eb7bf2c59 Mon Sep 17 00:00:00 2001 From: "alexei.dolgolyov" Date: Tue, 9 Jun 2026 19:20:57 +0300 Subject: [PATCH 05/13] feat(activity-log): phase 3 - event instrumentation (4 categories) - entity CRUD via fire_entity_event choke point (name resolved/sanitized; deletes pass name explicitly) - auth: failures + WS session establishment (no tokens logged); per-IP audit-record throttle - device: online/offline (health), discovered/lost (zeroconf), ADB connect/disconnect - capture/system: target start-stop, scenes, playlists, automations, backup/restore, update, restart, calibration, settings - security hardening: sanitize_display strips control/NUL/ANSI/newlines from untrusted strings; malformed-IPv6 origin guard - 129 instrumentation tests (incl. secret-leak, log-injection, throttle, best-effort) + autouse throttle-reset fixture --- plans/activity-log/CONTEXT.md | 1 + plans/activity-log/PLAN.md | 12 +- plans/activity-log/phase-3-instrumentation.md | 104 +- server/src/ledgrab/api/auth.py | 121 +- server/src/ledgrab/api/dependencies.py | 95 +- .../src/ledgrab/api/routes/audio_sources.py | 8 +- server/src/ledgrab/api/routes/automations.py | 8 +- server/src/ledgrab/api/routes/backup.py | 31 +- server/src/ledgrab/api/routes/calibration.py | 36 + .../api/routes/color_strip_sources/crud.py | 8 +- server/src/ledgrab/api/routes/devices.py | 9 +- server/src/ledgrab/api/routes/gradients.py | 8 +- .../src/ledgrab/api/routes/output_targets.py | 9 +- .../api/routes/output_targets_control.py | 58 +- .../src/ledgrab/api/routes/picture_sources.py | 8 +- .../src/ledgrab/api/routes/scene_playlists.py | 52 +- .../src/ledgrab/api/routes/scene_presets.py | 24 +- server/src/ledgrab/api/routes/sync_clocks.py | 8 +- .../src/ledgrab/api/routes/system_settings.py | 45 + server/src/ledgrab/api/routes/templates.py | 8 +- server/src/ledgrab/api/routes/update.py | 38 +- .../src/ledgrab/core/activity_log/__init__.py | 2 + .../src/ledgrab/core/activity_log/sanitize.py | 82 + .../core/automations/automation_engine.py | 45 + .../ledgrab/core/devices/discovery_watcher.py | 32 + .../ledgrab/core/processing/device_health.py | 29 + server/tests/conftest.py | 28 + server/tests/test_activity_instrumentation.py | 614 +++++++ ...st_activity_instrumentation_adversarial.py | 1533 +++++++++++++++++ 29 files changed, 3012 insertions(+), 44 deletions(-) create mode 100644 server/src/ledgrab/core/activity_log/sanitize.py create mode 100644 server/tests/test_activity_instrumentation.py create mode 100644 server/tests/test_activity_instrumentation_adversarial.py diff --git a/plans/activity-log/CONTEXT.md b/plans/activity-log/CONTEXT.md index be800ea..ff62734 100644 --- a/plans/activity-log/CONTEXT.md +++ b/plans/activity-log/CONTEXT.md @@ -67,3 +67,4 @@ context (survives across phases; graduates to CLAUDE.md only if it's a lasting p Phase 1 landed (2026-06-09): `activity_log.py` (dataclass + enums + filters + codec), `AddActivityLogTableMigration` (`002_add_activity_log`) appended to `ALL_MIGRATIONS`, `ActivityLogRepository` (record/query/count/prune/clear/iter_export), 41 new tests — all green. Full suite 2226 passed, 0 failed. Schema and method signatures frozen in phase-1-storage.md Handoff. Gotcha: `Database.execute` takes a positional tuple — use `?` placeholders (not `:name`), otherwise Python 3.14 will raise `ProgrammingError`. Phase 2 landed (2026-06-09): `core/activity_log/` package (`context.py`, `recorder.py`, `retention.py`, `__init__.py`); actor ContextVar set in `api/auth.py` (both branches); `ActivityLogRetentionEngine` mirroring AutoBackupEngine; full wiring in `main.py` (repo at module level, recorder+engine in lifespan, `server.shutting_down` first shutdown action, engine stop before db.close); DI getters in `api/dependencies.py`; `activity_logged` added to `_ALLOWED_SERVER_EVENT_TYPES` in `events-ws.ts`; `set_module_recorder` exposes recorder to non-DI sites; 24 new tests — all green. Full suite 2309 passed, 2 skipped, 0 failed. Ruff clean. +Phase 3 landed (2026-06-09): instrumented all four categories — entity CRUD via `fire_entity_event` choke-point (`dependencies.py`), auth failures + WS session in `auth.py`, device online/offline in `device_health.py`, device discovered/lost in `discovery_watcher.py`, ADB connect/disconnect in `system_settings.py`, capture start/stop (individual + bulk) in `output_targets_control.py`, scene/playlist/automation activate in their respective route/engine files, backup/restore/delete + restart/shutdown/update/calibration/settings in `backup.py`/`update.py`/`calibration.py`; all 11 entity delete handlers pass `entity_name` to `fire_entity_event`; 22 new tests (security: token never in any field, explicitly asserted) — all green. Full suite 2369 passed, 2 skipped, 0 failed. Ruff clean. Complete (category, action) inventory in phase-3-instrumentation.md Handoff section. diff --git a/plans/activity-log/PLAN.md b/plans/activity-log/PLAN.md index fd423dd..027f382 100644 --- a/plans/activity-log/PLAN.md +++ b/plans/activity-log/PLAN.md @@ -60,8 +60,8 @@ is an on-demand CSV/JSON **export** (no separate backup subsystem). ## Phases - [x] Phase 1: Storage — model, migration, repository [domain: data] → [subplan](./phase-1-storage.md) -- [ ] Phase 2: Recorder, actor context, retention, lifecycle [domain: backend] → [subplan](./phase-2-recorder-retention.md) -- [ ] Phase 3: Event instrumentation (4 categories) [domain: backend] → [subplan](./phase-3-instrumentation.md) +- [x] Phase 2: Recorder, actor context, retention, lifecycle [domain: backend] → [subplan](./phase-2-recorder-retention.md) +- [x] Phase 3: Event instrumentation (4 categories) [domain: backend] → [subplan](./phase-3-instrumentation.md) - [ ] Phase 4: REST API — query/filter/export/settings/clear [domain: backend] → [subplan](./phase-4-api.md) - [ ] Phase 5: Frontend — Activity tab + smart filtering + live updates [domain: frontend] → [subplan](./phase-5-frontend-tab.md) - [ ] Phase 6: Dashboard widget + Settings panel + docs [domain: frontend] → [subplan](./phase-6-dashboard-settings.md) @@ -81,7 +81,7 @@ is an on-demand CSV/JSON **export** (no separate backup subsystem). |-------|--------|--------|--------|-------|-----------| | Phase 1: Storage | data | ✅ Done | ✅ Passed | ✅ Passed | ✅ | | Phase 2: Recorder/Retention | backend | ✅ Done | ✅ Passed | ✅ Passed | ✅ | -| Phase 3: Instrumentation | backend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | +| Phase 3: Instrumentation | backend | ✅ Done | ✅ Passed | ✅ Passed | ✅ | | Phase 4: REST API | backend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | | Phase 5: Frontend tab | frontend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | | Phase 6: Dashboard/Settings | frontend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | @@ -90,7 +90,11 @@ is an on-demand CSV/JSON **export** (no separate backup subsystem). | Phase | Warning | Severity | Status (open / resolved / accepted) | |-------|---------|----------|-------------------------------------| -| | | | | +| 3 | Log injection via unauth mDNS device name/url into audit message | 🟠 High (security) | resolved — `sanitize_display` helper applied | +| 3 | Origin sanitizer missed spaces/NUL/ANSI | 🟠 High (security) | resolved — `sanitize_display` over netloc | +| 3 | Unauth auth-failure audit-write flood (no write-rate bound) | 🟠 High (security) | resolved — per-IP audit-record throttle (10s, capped) | +| 3 | Malformed-IPv6 Origin → urlparse ValueError into WS handler | 🟡 Warning | resolved — try/except guard | +| 3 | Throttle module-global state caused flaky test contamination | 🟡 Warning | resolved — autouse conftest reset fixture | ## Final Review diff --git a/plans/activity-log/phase-3-instrumentation.md b/plans/activity-log/phase-3-instrumentation.md index 9b24d4e..efc2195 100644 --- a/plans/activity-log/phase-3-instrumentation.md +++ b/plans/activity-log/phase-3-instrumentation.md @@ -1,6 +1,6 @@ # Phase 3: Event instrumentation (4 categories) -**Status:** ⬜ Not Started +**Status:** ✅ Done **Parent plan:** [PLAN.md](./PLAN.md) **Domain:** backend · 🔒 security-sensitive (security reviewer triggers) @@ -13,7 +13,7 @@ Maximize coverage via the central `fire_entity_event` choke point; add explicit ## Tasks ### Entity CRUD (via the choke point) -- [ ] In `api/dependencies.py`, extend `fire_entity_event` to ALSO record an audit entry: +- [x] In `api/dependencies.py`, extend `fire_entity_event` to ALSO record an audit entry: - Signature gains an optional `entity_name: str | None = None`. - For `created`/`updated`: if `entity_name` not supplied, best-effort resolve from the matching store in `_deps` keyed by `entity_type` (entity still present). For `deleted`: @@ -22,14 +22,14 @@ Maximize coverage via the central `fire_entity_event` choke point; add explicit - Map `action` → severity (`info`), category `entity`. Build a human message (e.g. `"Target 'Desk' updated"`). Read actor from the ContextVar. - Recording is best-effort (never break the entity operation). -- [ ] Update entity **delete** handlers to pass `entity_name` into `fire_entity_event` +- [x] Update entity **delete** handlers to pass `entity_name` into `fire_entity_event` (the entity object is already loaded for the 404 check). Cover the representative/most-used entities at minimum: output targets, sync clocks, devices, picture/audio/color-strip sources, automations, scene presets/playlists, templates, gradients. (Create/update can rely on hook resolution but pass the name where trivially available.) ### Authentication (DESCOPED: no key create/rotate/revoke — those routes don't exist) -- [ ] In `api/auth.py`, record: +- [x] In `api/auth.py`, record: - auth **failures**: missing/invalid Bearer token (HTTP), rejected LAN-without-keys, rejected WS origin (4403), WS auth handshake failure (4401). Category `auth`, severity `warning`. Include the caller IP/label and the reason in `metadata` — **never** the attempted token. @@ -38,26 +38,26 @@ Maximize coverage via the central `fire_entity_event` choke point; add explicit - (Do NOT record per-request HTTP auth *success* — too frequent.) ### Device connect/disconnect (use existing discrete seams) -- [ ] Hook `device_health_changed` (`core/processing/device_health.py`, fired only on +- [x] Hook `device_health_changed` (`core/processing/device_health.py`, fired only on `online != prev_online`) → record online/offline transition. Category `device`, severity `info` (online) / `warning` (offline). -- [ ] Hook `device_discovered` / `device_lost` (`core/devices/discovery_watcher.py`, **runs on +- [x] Hook `device_discovered` / `device_lost` (`core/devices/discovery_watcher.py`, **runs on the zeroconf thread** → recorder must marshal to the loop, which Phase 2 handles). Category `device`. -- [ ] ADB connect/disconnect (`api/routes/system_settings.py:adb_connect/adb_disconnect`). +- [x] ADB connect/disconnect (`api/routes/system_settings.py:adb_connect/adb_disconnect`). ### Capture & system events (explicit record calls) -- [ ] Target processing start/stop + bulk (`api/routes/output_targets_control.py`). -- [ ] Scene activation (`scene_presets.py:activate_scene_preset`), playlist start/stop +- [x] Target processing start/stop + bulk (`api/routes/output_targets_control.py`). +- [x] Scene activation (`scene_presets.py:activate_scene_preset`), playlist start/stop (`scene_playlists.py`), automation activate/deactivate (`automation_engine.py`). -- [ ] System: backup create/restore/delete (`backup.py`), update apply/dismiss (`update.py`), +- [x] System: backup create/restore/delete (`backup.py`), update apply/dismiss (`update.py`), restart/shutdown (`backup.py`), calibration start/stop/cancel (`calibration.py`). -- [ ] Settings changes: scope to high-value settings only (auto-backup, update, shutdown +- [x] Settings changes: scope to high-value settings only (auto-backup, update, shutdown action). **Exclude the activity-log's own `"activity_log"` settings key** to avoid self-referential churn. ### Tests -- [ ] `server/tests/test_activity_instrumentation.py` (or per-area): +- [x] `server/tests/test_activity_instrumentation.py` (or per-area): - representative entity create/update/delete produces a record with correct category/actor/ name (incl. a delete carrying its name); - an auth failure produces a `warning` record and the token never appears in any field; @@ -95,14 +95,78 @@ Maximize coverage via the central `fire_entity_event` choke point; add explicit ## Review Checklist -- [ ] All tasks completed -- [ ] Code follows project conventions -- [ ] No unintended side effects (audited actions still succeed on recorder failure) -- [ ] No secrets logged (token never recorded) — explicitly verified -- [ ] Build passes (ruff + pytest) -- [ ] Tests pass (new + existing) +- [x] All tasks completed +- [x] Code follows project conventions +- [x] No unintended side effects (audited actions still succeed on recorder failure) +- [x] No secrets logged (token never recorded) — explicitly verified +- [x] Build passes (ruff + pytest) +- [x] Tests pass (new + existing) ## Handoff to Next Phase - +Phase 3 is complete. The following (category, action) pairs are now emitted, along with their +metadata keys, for Phase 4 to expose via query/filter and for Phase 5 quick-filter presets. + +### `entity` category + +| Action | Severity | Metadata keys | Notes | +|--------|----------|---------------|-------| +| `entity.created` | info | — | All entity types via `fire_entity_event` choke-point | +| `entity.updated` | info | — | All entity types; name resolved from store when not passed | +| `entity.deleted` | info | — | Name passed explicitly by delete handler before deletion | + +### `auth` category + +| Action | Severity | Metadata keys | Notes | +|--------|----------|---------------|-------| +| `auth.rejected` | warning | `reason` (str), `client` (str/IP) | Missing Bearer, invalid Bearer, LAN-no-keys, WS origin, WS auth timeout, invalid WS token | +| `auth.ws_connected` | info | `client` (str/IP) | Successful WS session established | + +### `device` category + +| Action | Severity | Metadata keys | Notes | +|--------|----------|---------------|-------| +| `device.online` | info | `latency_ms` (float) | Health monitor, transition only | +| `device.offline` | warning | `latency_ms` (float) | Health monitor, transition only | +| `device.discovered` | info | `url` (str), `device_type` (str) | Zeroconf discovery thread; recorder marshals to loop | +| `device.lost` | warning | `url` (str), `device_type` (str) | Zeroconf discovery thread | +| `device.adb_connected` | info | `address` (str) | ADB route success | +| `device.adb_disconnected` | info | `address` (str) | ADB route success | + +### `capture` category + +| Action | Severity | Metadata keys | Notes | +|--------|----------|---------------|-------| +| `capture.started` | info | — | Per target (individual + bulk) | +| `capture.stopped` | info | — | Per target (individual + bulk) | +| `scene.activated` | info | — | `scene_presets.py:activate_scene_preset` | +| `playlist.started` | info | — | `scene_playlists.py:start_scene_playlist` | +| `playlist.stopped` | info | — | `scene_playlists.py:stop_scene_playlist` | +| `automation.activated` | info | — | `automation_engine.py:_activate_automation`; actor="system" | +| `automation.deactivated` | info | — | `automation_engine.py:_deactivate_automation`; actor="system" | + +### `system` category + +| Action | Severity | Metadata keys | Notes | +|--------|----------|---------------|-------| +| `backup.created` | info | `filename` (str) | `backup.py:backup_config` | +| `backup.restored` | info | — | `backup.py:restore_config` | +| `backup.deleted` | info | `filename` (str) | `backup.py:delete_saved_backup` | +| `server.restarting` | info | — | `backup.py:restart_server` | +| `server.shutdown_requested` | info | — | `backup.py:shutdown_server` | +| `update.dismissed` | info | `version` (str) | `update.py:dismiss_update` | +| `update.applied` | info | `version` (str) | `update.py:apply_update` | +| `settings.changed` | info | `setting_key` (str) + setting-specific keys | `setting_key` values: `"auto_backup"`, `"update"`, `"shutdown_action"`. Activity-log own key excluded. | +| `calibration.started` | info | — | `calibration.py`; entity_type="device", entity_id=device_id | +| `calibration.stopped` | info | — | `calibration.py` | +| `calibration.cancelled` | info | — | `calibration.py` | + +### Implementation notes for Phase 4 + +- The `metadata` field is a JSON `TEXT` column. All keys above are scalars (str, float). +- Phase 4 filter `metadata_key` / `metadata_value` lookup, if added, can target `setting_key` + for settings-change filtering. +- `entity_type` is populated for entity CRUD and `calibration.started`. For auth/system/capture + events `entity_type` may be None. +- `entity_name` is always populated for `entity.deleted`; populated for CRUD create/update + when resolved; populated for most capture/system events where a name is meaningful. diff --git a/server/src/ledgrab/api/auth.py b/server/src/ledgrab/api/auth.py index 3102165..f0ebf55 100644 --- a/server/src/ledgrab/api/auth.py +++ b/server/src/ledgrab/api/auth.py @@ -3,7 +3,9 @@ import asyncio import json import secrets +import time from typing import Annotated +from urllib.parse import urlparse from fastapi import Depends, HTTPException, Request, Security, status from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer @@ -11,11 +13,101 @@ from starlette.websockets import WebSocket, WebSocketDisconnect from ledgrab.config import get_config from ledgrab.core.activity_log.context import current_actor +from ledgrab.core.activity_log.sanitize import sanitize_display +from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity from ledgrab.utils import get_logger from ledgrab.utils.net_classify import is_loopback as _classify_is_loopback logger = get_logger(__name__) +# ── Auth-failure audit throttle (H3) ─────────────────────────────────────── +# +# Unauthenticated callers can hammer any auth path; without a recording +# throttle each attempt would write one SQLite row AND broadcast one WS event, +# providing a cheap disk/broadcast amplification vector. +# +# Mitigation: record at most one ``auth.rejected`` audit entry per client IP +# per _AUTH_RECORD_WINDOW seconds. The auth decision (401) is NEVER +# suppressed — only the *audit recording* is de-duplicated. +# +# Memory safety: the throttle dict is capped at _AUTH_THROTTLE_HARD_CAP +# entries. When the cap is exceeded the oldest-seen IP (lowest timestamp) is +# evicted so the dict stays bounded regardless of the number of distinct source +# IPs an attacker can forge. + +_AUTH_RECORD_WINDOW: float = 10.0 # seconds — one record per IP per window +_AUTH_THROTTLE_HARD_CAP: int = 512 # max IPs tracked simultaneously + +# ip -> monotonic timestamp of last *recorded* auth.rejected entry +_auth_record_last: dict[str, float] = {} + + +def _should_record_auth_failure(client_ip: str) -> bool: + """Return True when an ``auth.rejected`` record should be written for *client_ip*. + + Suppresses duplicates within _AUTH_RECORD_WINDOW seconds. Evicts the + oldest entry when the dict exceeds _AUTH_THROTTLE_HARD_CAP to prevent + unbounded memory growth under IP-spray attacks. + """ + now = time.monotonic() + last = _auth_record_last.get(client_ip) + if last is not None and (now - last) < _AUTH_RECORD_WINDOW: + return False # suppress: within the de-dup window + + # Enforce hard cap before inserting: evict the single oldest entry. + if len(_auth_record_last) >= _AUTH_THROTTLE_HARD_CAP: + oldest_ip = min(_auth_record_last, key=lambda ip: _auth_record_last[ip]) + del _auth_record_last[oldest_ip] + + _auth_record_last[client_ip] = now + return True + + +def _record_auth_failure(reason: str, client_host: str | None) -> None: + """Best-effort: record an auth failure audit entry (never raises). + + SECURITY: the attempted token is NEVER passed here; only the reason and + the caller's IP/label are recorded. + + THROTTLE: at most one ``auth.rejected`` record is written per client IP + per _AUTH_RECORD_WINDOW seconds to prevent disk/WS-broadcast amplification + DoS. The 401 response is always returned regardless. + """ + if not _should_record_auth_failure(client_host or "unknown"): + return # throttled — drop duplicate recording for this IP/window + + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is None: + return + rec.record( + category=ActivityCategory.AUTH, + action="auth.rejected", + severity=ActivitySeverity.WARNING, + actor="anonymous", + message=f"Authentication failed: {reason}", + metadata={"reason": reason, "client": client_host or "unknown"}, + ) + + +def _record_ws_auth_success(label: str, client_host: str | None) -> None: + """Best-effort: record a successful WebSocket session establishment.""" + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is None: + return + rec.record( + category=ActivityCategory.AUTH, + action="auth.ws_connected", + severity=ActivitySeverity.INFO, + actor=label, + message=f"WebSocket session established by '{label}'", + metadata={"client": client_host or "unknown"}, + ) + + # Security scheme for Bearer token security = HTTPBearer(auto_error=False) @@ -87,6 +179,7 @@ def verify_api_key( # Allow caller to authenticate explicitly even without configured keys? # No — there are no keys to compare against. Reject. logger.warning("Rejected LAN request from %s: no API key configured", client_host) + _record_auth_failure("LAN access rejected: no API key configured", client_host) raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail=( @@ -99,13 +192,14 @@ def verify_api_key( # Check if credentials are provided if not credentials: logger.warning("Request missing Authorization header") + _record_auth_failure("missing Bearer token", client_host) raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Missing API key - authentication is required", headers={"WWW-Authenticate": "Bearer"}, ) - # Extract token + # Extract token — NEVER log or record the token value itself. token = credentials.credentials # Find matching key and return its label using constant-time comparison @@ -117,6 +211,7 @@ def verify_api_key( if not authenticated_as: logger.warning("Invalid API key attempt") + _record_auth_failure("invalid Bearer token", client_host) raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid API key", @@ -195,12 +290,30 @@ async def accept_and_authenticate_ws(websocket: WebSocket, timeout: float = 3.0) # a strong signal even before the token check. Non-browser clients # legitimately omit Origin; those fall through to the auth handshake. config = get_config() + client_host = websocket.client.host if websocket.client else None origin = websocket.headers.get("origin") if not _is_origin_allowed(origin, config.server.cors_origins): logger.warning( "Rejected WebSocket from origin %r (not in cors_origins)", origin, ) + # Sanitize first so urlparse does not choke on control chars / ANSI / NUL + # embedded by an attacker in the Origin header (e.g. \n triggers IPv6 parse + # error in Python's urlsplit on malformed netloc). + _safe_origin_raw = sanitize_display(origin) if origin else "" + try: + _netloc = urlparse(_safe_origin_raw).netloc if _safe_origin_raw else "" + except ValueError: + # Malformed IPv6 addresses (e.g. "http://[::1" without closing "]") + # cause urlparse to raise ValueError. Fall back to "unknown" — do NOT + # fall back to the raw origin string, which could carry query params + # or path components containing secrets. + _netloc = "" + _safe_origin = sanitize_display(_netloc or "unknown") + _record_auth_failure( + f"WebSocket origin rejected: {_safe_origin!r}", + client_host, + ) try: await websocket.close(code=WS_ORIGIN_CLOSE_CODE) except _WS_SEND_BENIGN_EXC: @@ -215,6 +328,7 @@ async def accept_and_authenticate_ws(websocket: WebSocket, timeout: float = 3.0) except _WS_SEND_BENIGN_EXC: pass return None + _record_ws_auth_success(label, client_host) return label @@ -280,6 +394,7 @@ async def verify_ws_auth( return None return "anonymous" logger.warning("WebSocket auth timeout after %.1fs from %s", timeout, client_host) + _record_auth_failure("WebSocket auth timeout", client_host) try: await websocket.send_json({"type": "auth_error", "reason": "auth timeout"}) except _WS_SEND_BENIGN_EXC: @@ -337,6 +452,7 @@ async def verify_ws_auth( await websocket.send_json({"type": "auth_ok"}) return "anonymous" logger.warning("Rejected LAN WebSocket from %s: no API key configured", client_host) + _record_auth_failure("LAN WebSocket rejected: no API key configured", client_host) try: await websocket.send_json( { @@ -348,10 +464,11 @@ async def verify_ws_auth( pass return None - # Keys configured: require a matching token. + # Keys configured: require a matching token. NEVER log the token value. label = _match_api_key(token or "") if not label: logger.warning("Invalid WebSocket auth attempt from %s", client_host) + _record_auth_failure("invalid WebSocket token", client_host) try: await websocket.send_json({"type": "auth_error", "reason": "invalid token"}) except _WS_SEND_BENIGN_EXC: diff --git a/server/src/ledgrab/api/dependencies.py b/server/src/ledgrab/api/dependencies.py index c218b7d..189eba0 100644 --- a/server/src/ledgrab/api/dependencies.py +++ b/server/src/ledgrab/api/dependencies.py @@ -42,8 +42,10 @@ from ledgrab.core.mqtt.mqtt_manager import MQTTManager from ledgrab.storage.http_endpoint_store import HTTPEndpointStore from ledgrab.storage.audio_processing_template_store import AudioProcessingTemplateStore from ledgrab.storage.pattern_template_store import PatternTemplateStore -from ledgrab.core.activity_log.recorder import ActivityRecorder +from ledgrab.core.activity_log.recorder import ActivityRecorder, get_module_recorder from ledgrab.core.activity_log.retention import ActivityLogRetentionEngine +from ledgrab.core.activity_log.sanitize import sanitize_display +from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity from ledgrab.storage.activity_log_repository import ActivityLogRepository T = TypeVar("T") @@ -214,13 +216,68 @@ def get_activity_log_retention_engine() -> ActivityLogRetentionEngine: # ── Event helper ──────────────────────────────────────────────────────── -def fire_entity_event(entity_type: str, action: str, entity_id: str) -> None: - """Fire an entity_changed event via the ProcessorManager event bus. +def _resolve_entity_name(entity_type: str, entity_id: str) -> str | None: + """Best-effort: look up a human name for *entity_id* from the matching store. + + Returns ``None`` when the store is missing, the entity is gone, or any + exception occurs (e.g. during delete the entity may have just been removed). + """ + # Map entity_type → (_deps key, method name on the store) + _STORE_LOOKUP: dict[str, tuple[str, str]] = { + "output_target": ("output_target_store", "get_target"), + "device": ("device_store", "get_device"), + "picture_source": ("picture_source_store", "get_source"), + "audio_source": ("audio_source_store", "get_source"), + "color_strip_source": ("color_strip_store", "get_source"), + "template": ("template_store", "get_template"), + "capture_template": ("template_store", "get_template"), + "pp_template": ("pp_template_store", "get_template"), + "automation": ("automation_store", "get_automation"), + "scene_preset": ("scene_preset_store", "get_preset"), + "scene_playlist": ("scene_playlist_store", "get_playlist"), + "sync_clock": ("sync_clock_store", "get_clock"), + "gradient": ("gradient_store", "get_gradient"), + "audio_template": ("audio_template_store", "get_template"), + "value_source": ("value_source_store", "get_source"), + "cspt": ("cspt_store", "get_template"), + "audio_processing_template": ("audio_processing_template_store", "get_template"), + "pattern_template": ("pattern_template_store", "get_template"), + "home_assistant_source": ("ha_store", "get_source"), + "mqtt_source": ("mqtt_store", "get_source"), + "http_endpoint": ("http_endpoint_store", "get_endpoint"), + } + entry = _STORE_LOOKUP.get(entity_type) + if entry is None: + return None + store_key, method_name = entry + store = _deps.get(store_key) + if store is None: + return None + try: + obj = getattr(store, method_name)(entity_id) + if obj is not None: + return getattr(obj, "name", None) + except Exception: + pass + return None + + +def fire_entity_event( + entity_type: str, + action: str, + entity_id: str, + entity_name: str | None = None, +) -> None: + """Fire an entity_changed event via the ProcessorManager event bus and + record an audit entry. Args: entity_type: e.g. "device", "output_target", "color_strip_source" action: "created", "updated", or "deleted" entity_id: The entity's unique ID + entity_name: Human-readable name. For deletes: **must** be passed + explicitly (entity is already gone when we get here). + For create/update: resolved from the store when not supplied. """ pm = _deps.get("processor_manager") if pm is not None: @@ -233,6 +290,38 @@ def fire_entity_event(entity_type: str, action: str, entity_id: str) -> None: } ) + # ── Audit record (best-effort) ────────────────────────────────────────── + rec = get_module_recorder() + if rec is None: + return + + # Resolve name when not explicitly provided (create / update paths). + # For deleted: entity already gone — rely on the explicitly passed name. + resolved_name = entity_name + if resolved_name is None and action != "deleted": + resolved_name = _resolve_entity_name(entity_type, entity_id) + + # Build a concise human message. + # Sanitize the display name before interpolating into the free-text message + # (user-authored names hit the CSV/export trust surface). + safe_display_name = sanitize_display(resolved_name) if resolved_name else None + display_name = f"'{safe_display_name}'" if safe_display_name else entity_id + action_word = {"created": "created", "updated": "updated", "deleted": "deleted"}.get( + action, action + ) + entity_label = entity_type.replace("_", " ") + message = f"{entity_label.capitalize()} {display_name} {action_word}" + + rec.record( + category=ActivityCategory.ENTITY, + action=f"entity.{action}", + severity=ActivitySeverity.INFO, + entity_type=entity_type, + entity_id=entity_id, + entity_name=resolved_name, + message=message, + ) + # ── Initialization ────────────────────────────────────────────────────── diff --git a/server/src/ledgrab/api/routes/audio_sources.py b/server/src/ledgrab/api/routes/audio_sources.py index 704900e..8d252fc 100644 --- a/server/src/ledgrab/api/routes/audio_sources.py +++ b/server/src/ledgrab/api/routes/audio_sources.py @@ -182,6 +182,12 @@ async def delete_audio_source( css_store: ColorStripStore = Depends(get_color_strip_store), ): """Delete an audio source.""" + _entity_name: str | None = None + try: + _entity_name = store.get_source(source_id).name + except Exception: + pass + try: # Check if any CSS entities reference this audio source from ledgrab.storage.color_strip_source import AudioColorStripSource @@ -194,7 +200,7 @@ async def delete_audio_source( raise ValueError(f"Cannot delete: referenced by color strip source '{css.name}'") store.delete_source(source_id) - fire_entity_event("audio_source", "deleted", source_id) + fire_entity_event("audio_source", "deleted", source_id, entity_name=_entity_name) except EntityNotFoundError as e: raise HTTPException(status_code=404, detail=str(e)) diff --git a/server/src/ledgrab/api/routes/automations.py b/server/src/ledgrab/api/routes/automations.py index 3208009..cade7df 100644 --- a/server/src/ledgrab/api/routes/automations.py +++ b/server/src/ledgrab/api/routes/automations.py @@ -329,6 +329,12 @@ async def delete_automation( engine: AutomationEngine = Depends(get_automation_engine), ): """Delete an automation.""" + _entity_name: str | None = None + try: + _entity_name = store.get_automation(automation_id).name + except Exception: + pass + # Deactivate first await engine.deactivate_if_active(automation_id) @@ -337,7 +343,7 @@ async def delete_automation( except ValueError as e: raise HTTPException(status_code=404, detail=str(e)) - fire_entity_event("automation", "deleted", automation_id) + fire_entity_event("automation", "deleted", automation_id, entity_name=_entity_name) # ===== Enable/Disable ===== diff --git a/server/src/ledgrab/api/routes/backup.py b/server/src/ledgrab/api/routes/backup.py index 189f2ab..9951da9 100644 --- a/server/src/ledgrab/api/routes/backup.py +++ b/server/src/ledgrab/api/routes/backup.py @@ -27,6 +27,7 @@ from ledgrab.api.schemas.system import ( ) from ledgrab.config import get_config from ledgrab.core.backup.auto_backup import AutoBackupEngine +from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity from ledgrab.storage.asset_store import AssetStore from ledgrab.storage.database import Database, freeze_writes from ledgrab.utils import get_logger, read_upload_capped @@ -35,6 +36,22 @@ logger = get_logger(__name__) router = APIRouter() + +def _record_system(action: str, message: str, metadata: dict | None = None) -> None: + """Best-effort audit record for a system-level event.""" + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.SYSTEM, + action=action, + severity=ActivitySeverity.INFO, + message=message, + metadata=metadata or {}, + ) + + _SERVER_DIR = Path(__file__).resolve().parents[4] @@ -143,6 +160,8 @@ def backup_config( timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H%M%S") filename = f"ledgrab-backup-{timestamp}.zip" + _record_system("backup.created", f"Backup downloaded: {filename}", {"filename": filename}) + return StreamingResponse( zip_buffer, media_type="application/zip", @@ -243,6 +262,7 @@ async def restore_config( freeze_writes() logger.info("Database restored from uploaded backup. Scheduling restart...") + _record_system("backup.restored", "Database restored from uploaded backup") _schedule_restart() return RestoreResponse( @@ -257,6 +277,7 @@ def restart_server(_: AuthRequired): """Schedule a server restart and return immediately.""" from ledgrab.server_ref import _broadcast_restarting + _record_system("server.restarting", "Server restart requested by user") _broadcast_restarting() _schedule_restart() return {"status": "restarting"} @@ -267,6 +288,7 @@ def shutdown_server(_: AuthRequired): """Gracefully shut down the server.""" from ledgrab.server_ref import request_shutdown + _record_system("server.shutdown_requested", "Server shutdown requested by user") request_shutdown() return {"status": "shutting_down"} @@ -300,11 +322,17 @@ async def update_auto_backup_settings( engine: AutoBackupEngine = Depends(get_auto_backup_engine), ): """Update auto-backup settings (enable/disable, interval, max backups).""" - return await engine.update_settings( + result = await engine.update_settings( enabled=body.enabled, interval_hours=body.interval_hours, max_backups=body.max_backups, ) + _record_system( + "settings.changed", + f"Auto-backup settings updated (enabled={body.enabled})", + {"setting_key": "auto_backup", "enabled": body.enabled}, + ) + return result @router.post("/api/v1/system/auto-backup/trigger", tags=["System"]) @@ -365,4 +393,5 @@ async def delete_saved_backup( engine.delete_backup(filename) except (ValueError, FileNotFoundError) as e: raise HTTPException(status_code=404, detail=str(e)) + _record_system("backup.deleted", f"Saved backup deleted: {filename}", {"filename": filename}) return {"status": "deleted", "filename": filename} diff --git a/server/src/ledgrab/api/routes/calibration.py b/server/src/ledgrab/api/routes/calibration.py index 4080e5f..b403711 100644 --- a/server/src/ledgrab/api/routes/calibration.py +++ b/server/src/ledgrab/api/routes/calibration.py @@ -36,6 +36,7 @@ from fastapi import APIRouter, Depends, HTTPException from ledgrab.api.auth import AuthRequired from ledgrab.api.dependencies import get_processor_manager +from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity from ledgrab.api.schemas.calibration import ( CalibrationSessionPositionRequest, CalibrationSessionStartRequest, @@ -81,6 +82,19 @@ async def start_calibration_session( logger.error("Failed to start calibration session: %s", exc, exc_info=True) raise HTTPException(status_code=500, detail="Internal server error") + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.SYSTEM, + action="calibration.started", + severity=ActivitySeverity.INFO, + entity_type="device", + entity_id=body.device_id, + message=f"Calibration session started for device '{body.device_id}'", + ) + return CalibrationSessionStateResponse(**session.get_state()) @@ -135,6 +149,17 @@ async def stop_calibration_session( logger.error("Failed to stop calibration session: %s", exc, exc_info=True) raise HTTPException(status_code=500, detail="Internal server error") + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.SYSTEM, + action="calibration.stopped", + severity=ActivitySeverity.INFO, + message="Calibration session stopped", + ) + return CalibrationSessionStateResponse(**session.get_state()) @@ -155,6 +180,17 @@ async def cancel_calibration_session( logger.error("Failed to cancel calibration session: %s", exc, exc_info=True) raise HTTPException(status_code=500, detail="Internal server error") + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.SYSTEM, + action="calibration.cancelled", + severity=ActivitySeverity.INFO, + message="Calibration session cancelled", + ) + return CalibrationSessionStateResponse(**session.get_state()) diff --git a/server/src/ledgrab/api/routes/color_strip_sources/crud.py b/server/src/ledgrab/api/routes/color_strip_sources/crud.py index 3638be6..309044f 100644 --- a/server/src/ledgrab/api/routes/color_strip_sources/crud.py +++ b/server/src/ledgrab/api/routes/color_strip_sources/crud.py @@ -167,6 +167,12 @@ async def delete_color_strip_source( target_store: OutputTargetStore = Depends(get_output_target_store), ): """Delete a color strip source. Returns 409 if referenced by any LED target.""" + _entity_name: str | None = None + try: + _entity_name = store.get_source(source_id).name + except Exception: + pass + try: target_names = target_store.get_targets_referencing_css(source_id) if target_names: @@ -201,7 +207,7 @@ async def delete_color_strip_source( "Delete or reassign the processed source(s) first.", ) store.delete_source(source_id) - fire_entity_event("color_strip_source", "deleted", source_id) + fire_entity_event("color_strip_source", "deleted", source_id, entity_name=_entity_name) except HTTPException: raise except ValueError as e: diff --git a/server/src/ledgrab/api/routes/devices.py b/server/src/ledgrab/api/routes/devices.py index 8edc0ea..e9d4d8a 100644 --- a/server/src/ledgrab/api/routes/devices.py +++ b/server/src/ledgrab/api/routes/devices.py @@ -701,6 +701,13 @@ async def delete_device( ): """Delete/detach a device. Returns 409 if referenced by a target.""" try: + # Resolve name before deletion for the audit record. + _entity_name: str | None = None + try: + _entity_name = store.get_device(device_id).name + except Exception: + pass + # Check if any target references this device refs = target_store.get_targets_for_device(device_id) if refs: @@ -728,7 +735,7 @@ async def delete_device( # Delete from storage store.delete_device(device_id) - fire_entity_event("device", "deleted", device_id) + fire_entity_event("device", "deleted", device_id, entity_name=_entity_name) logger.info(f"Deleted device {device_id}") except HTTPException: diff --git a/server/src/ledgrab/api/routes/gradients.py b/server/src/ledgrab/api/routes/gradients.py index c8d6e3e..9ea940a 100644 --- a/server/src/ledgrab/api/routes/gradients.py +++ b/server/src/ledgrab/api/routes/gradients.py @@ -152,13 +152,19 @@ async def delete_gradient( css_store: ColorStripStore = Depends(get_color_strip_store), ): """Delete a gradient (fails if built-in or referenced by sources).""" + _entity_name: str | None = None + try: + _entity_name = store.get_gradient(gradient_id).name + except Exception: + pass + try: # Check references for source in css_store.get_all_sources(): if getattr(source, "gradient_id", None) == gradient_id: raise ValueError(f"Cannot delete: referenced by color strip source '{source.name}'") store.delete_gradient(gradient_id) - fire_entity_event("gradient", "deleted", gradient_id) + fire_entity_event("gradient", "deleted", gradient_id, entity_name=_entity_name) except (ValueError, EntityNotFoundError) as e: status = 404 if "not found" in str(e).lower() else 400 raise HTTPException(status_code=status, detail=str(e)) diff --git a/server/src/ledgrab/api/routes/output_targets.py b/server/src/ledgrab/api/routes/output_targets.py index 7b677d8..441106f 100644 --- a/server/src/ledgrab/api/routes/output_targets.py +++ b/server/src/ledgrab/api/routes/output_targets.py @@ -624,6 +624,13 @@ async def delete_target( ): """Delete a output target. Stops processing first if active.""" try: + # Resolve name before deletion for the audit record. + _entity_name: str | None = None + try: + _entity_name = target_store.get_target(target_id).name + except Exception: + pass + # Stop processing if running try: await manager.stop_processing(target_id) @@ -641,7 +648,7 @@ async def delete_target( # Delete from store target_store.delete_target(target_id) - fire_entity_event("output_target", "deleted", target_id) + fire_entity_event("output_target", "deleted", target_id, entity_name=_entity_name) logger.info(f"Deleted target {target_id}") except ValueError as e: diff --git a/server/src/ledgrab/api/routes/output_targets_control.py b/server/src/ledgrab/api/routes/output_targets_control.py index 43eb818..2e4bfca 100644 --- a/server/src/ledgrab/api/routes/output_targets_control.py +++ b/server/src/ledgrab/api/routes/output_targets_control.py @@ -12,6 +12,7 @@ from ledgrab.api.dependencies import ( get_picture_source_store, get_processor_manager, ) +from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity from ledgrab.api.schemas.output_targets import ( BulkTargetRequest, BulkTargetResponse, @@ -35,6 +36,23 @@ logger = get_logger(__name__) router = APIRouter() +def _record_capture(action: str, target_id: str, target_name: str | None, message: str) -> None: + """Best-effort audit record for a capture start/stop action.""" + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.CAPTURE, + action=action, + severity=ActivitySeverity.INFO, + entity_type="output_target", + entity_id=target_id, + entity_name=target_name, + message=message, + ) + + # ===== BULK PROCESSING CONTROL ENDPOINTS ===== @@ -53,10 +71,16 @@ async def bulk_start_processing( for target_id in body.ids: try: - target_store.get_target(target_id) + _tgt = target_store.get_target(target_id) await manager.start_processing(target_id) started.append(target_id) logger.info(f"Bulk start: started processing for target {target_id}") + _record_capture( + "capture.started", + target_id, + getattr(_tgt, "name", None), + f"Capture started for target '{getattr(_tgt, 'name', target_id)}' (bulk)", + ) except ValueError as e: errors[target_id] = str(e) except RuntimeError as e: @@ -78,6 +102,7 @@ async def bulk_start_processing( async def bulk_stop_processing( body: BulkTargetRequest, _auth: AuthRequired, + target_store: OutputTargetStore = Depends(get_output_target_store), manager: ProcessorManager = Depends(get_processor_manager), ): """Stop processing for multiple output targets. Returns lists of stopped IDs and per-ID errors.""" @@ -89,6 +114,17 @@ async def bulk_stop_processing( await manager.stop_processing(target_id) stopped.append(target_id) logger.info(f"Bulk stop: stopped processing for target {target_id}") + _tgt_name: str | None = None + try: + _tgt_name = target_store.get_target(target_id).name + except Exception: + pass + _record_capture( + "capture.stopped", + target_id, + _tgt_name, + f"Capture stopped for target '{_tgt_name or target_id}' (bulk)", + ) except ValueError as e: errors[target_id] = str(e) except Exception as e: @@ -112,11 +148,17 @@ async def start_processing( logger.info("Start processing requested for target %s", target_id) try: # Verify target exists in store - target_store.get_target(target_id) + target = target_store.get_target(target_id) await manager.start_processing(target_id) logger.info(f"Started processing for target {target_id}") + _record_capture( + "capture.started", + target_id, + getattr(target, "name", None), + f"Capture started for target '{getattr(target, 'name', target_id)}'", + ) return {"status": "started", "target_id": target_id} except ValueError as e: @@ -137,6 +179,7 @@ async def start_processing( async def stop_processing( target_id: str, _auth: AuthRequired, + target_store: OutputTargetStore = Depends(get_output_target_store), manager: ProcessorManager = Depends(get_processor_manager), ): """Stop processing for a output target.""" @@ -144,6 +187,17 @@ async def stop_processing( await manager.stop_processing(target_id) logger.info(f"Stopped processing for target {target_id}") + _target_name: str | None = None + try: + _target_name = target_store.get_target(target_id).name + except Exception: + pass + _record_capture( + "capture.stopped", + target_id, + _target_name, + f"Capture stopped for target '{_target_name or target_id}'", + ) return {"status": "stopped", "target_id": target_id} except ValueError as e: diff --git a/server/src/ledgrab/api/routes/picture_sources.py b/server/src/ledgrab/api/routes/picture_sources.py index 1d38520..45cb13d 100644 --- a/server/src/ledgrab/api/routes/picture_sources.py +++ b/server/src/ledgrab/api/routes/picture_sources.py @@ -374,6 +374,12 @@ async def delete_picture_source( css_store: ColorStripStore = Depends(get_color_strip_store), ): """Delete a picture source.""" + _entity_name: str | None = None + try: + _entity_name = store.get_stream(stream_id).name + except Exception: + pass + try: # Check if any target transitively references this stream via a CSS target_names = store.get_targets_referencing(stream_id, target_store, css_store) @@ -395,7 +401,7 @@ async def delete_picture_source( f"{css_names}. Please reassign or delete those first.", ) store.delete_stream(stream_id) - fire_entity_event("picture_source", "deleted", stream_id) + fire_entity_event("picture_source", "deleted", stream_id, entity_name=_entity_name) except HTTPException: raise except EntityNotFoundError as e: diff --git a/server/src/ledgrab/api/routes/scene_playlists.py b/server/src/ledgrab/api/routes/scene_playlists.py index 651bb55..03f3db8 100644 --- a/server/src/ledgrab/api/routes/scene_playlists.py +++ b/server/src/ledgrab/api/routes/scene_playlists.py @@ -220,13 +220,19 @@ async def delete_scene_playlist( engine: PlaylistEngine = Depends(get_playlist_engine), ): """Delete a scene playlist (stops it first if it is currently cycling).""" + _entity_name: str | None = None + try: + _entity_name = store.get_playlist(playlist_id).name + except Exception: + pass + try: store.delete_playlist(playlist_id) except (ValueError, EntityNotFoundError) as e: raise HTTPException(status_code=404, detail=str(e)) await engine.stop_if_running(playlist_id) - fire_entity_event("scene_playlist", "deleted", playlist_id) + fire_entity_event("scene_playlist", "deleted", playlist_id, entity_name=_entity_name) # ===== Cycling control ===== @@ -255,6 +261,27 @@ async def start_scene_playlist( raise HTTPException(status_code=400, detail=str(e)) fire_entity_event("scene_playlist", "updated", playlist_id) + + from ledgrab.core.activity_log.recorder import get_module_recorder + from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity + + rec = get_module_recorder() + if rec is not None: + _pl_name: str | None = None + try: + _pl_name = store.get_playlist(playlist_id).name + except Exception: + pass + rec.record( + category=ActivityCategory.CAPTURE, + action="playlist.started", + severity=ActivitySeverity.INFO, + entity_type="scene_playlist", + entity_id=playlist_id, + entity_name=_pl_name, + message=f"Playlist '{_pl_name or playlist_id}' started", + ) + return PlaylistRuntimeStateSchema(**engine.get_state()) @@ -265,11 +292,34 @@ async def start_scene_playlist( ) async def stop_scene_playlist( _auth: AuthRequired, + store: ScenePlaylistStore = Depends(get_scene_playlist_store), engine: PlaylistEngine = Depends(get_playlist_engine), ): """Stop the active playlist (leaves the last applied scene in place).""" stopped_id = engine.get_running_playlist_id() + _stopped_name: str | None = None + if stopped_id: + try: + _stopped_name = store.get_playlist(stopped_id).name + except Exception: + pass await engine.stop() if stopped_id: fire_entity_event("scene_playlist", "updated", stopped_id) + + from ledgrab.core.activity_log.recorder import get_module_recorder + from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.CAPTURE, + action="playlist.stopped", + severity=ActivitySeverity.INFO, + entity_type="scene_playlist", + entity_id=stopped_id, + entity_name=_stopped_name, + message=f"Playlist '{_stopped_name or stopped_id}' stopped", + ) + return PlaylistRuntimeStateSchema(**engine.get_state()) diff --git a/server/src/ledgrab/api/routes/scene_presets.py b/server/src/ledgrab/api/routes/scene_presets.py index 8e05ac8..c2e763b 100644 --- a/server/src/ledgrab/api/routes/scene_presets.py +++ b/server/src/ledgrab/api/routes/scene_presets.py @@ -208,12 +208,18 @@ async def delete_scene_preset( store: ScenePresetStore = Depends(get_scene_preset_store), ): """Delete a scene preset.""" + _entity_name: str | None = None + try: + _entity_name = store.get_preset(preset_id).name + except Exception: + pass + try: store.delete_preset(preset_id) except ValueError as e: raise HTTPException(status_code=404, detail=str(e)) - fire_entity_event("scene_preset", "deleted", preset_id) + fire_entity_event("scene_preset", "deleted", preset_id, entity_name=_entity_name) # ===== Recapture ===== @@ -282,4 +288,20 @@ async def activate_scene_preset( logger.info(f"Scene preset '{preset.name}' activated successfully") fire_entity_event("scene_preset", "updated", preset_id) + + from ledgrab.core.activity_log.recorder import get_module_recorder + from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.CAPTURE, + action="scene.activated", + severity=ActivitySeverity.INFO, + entity_type="scene_preset", + entity_id=preset_id, + entity_name=preset.name, + message=f"Scene preset '{preset.name}' activated", + ) + return ActivateResponse(status=status, errors=errors) diff --git a/server/src/ledgrab/api/routes/sync_clocks.py b/server/src/ledgrab/api/routes/sync_clocks.py index 13de0e5..12ea812 100644 --- a/server/src/ledgrab/api/routes/sync_clocks.py +++ b/server/src/ledgrab/api/routes/sync_clocks.py @@ -149,6 +149,12 @@ async def delete_sync_clock( manager: SyncClockManager = Depends(get_sync_clock_manager), ): """Delete a synchronization clock (fails if referenced by CSS or value sources).""" + _entity_name: str | None = None + try: + _entity_name = store.get_clock(clock_id).name + except Exception: + pass + try: # Check references for source in css_store.get_all_sources(): @@ -159,7 +165,7 @@ async def delete_sync_clock( raise ValueError(f"Cannot delete: referenced by value source '{vs.name}'") manager.release_all_for(clock_id) store.delete_clock(clock_id) - fire_entity_event("sync_clock", "deleted", clock_id) + fire_entity_event("sync_clock", "deleted", clock_id, entity_name=_entity_name) except EntityNotFoundError as e: raise HTTPException(status_code=404, detail=str(e)) diff --git a/server/src/ledgrab/api/routes/system_settings.py b/server/src/ledgrab/api/routes/system_settings.py index a3edd9a..ad967ae 100644 --- a/server/src/ledgrab/api/routes/system_settings.py +++ b/server/src/ledgrab/api/routes/system_settings.py @@ -21,11 +21,29 @@ from ledgrab.api.schemas.system import ( ShutdownActionRequest, ShutdownActionResponse, ) +from ledgrab.core.activity_log.sanitize import sanitize_display +from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity from ledgrab.storage.database import Database from ledgrab.utils import get_logger logger = get_logger(__name__) + +def _record_setting(action: str, key: str, message: str) -> None: + """Best-effort audit record for a high-value settings change.""" + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.SYSTEM, + action=action, + severity=ActivitySeverity.INFO, + message=message, + metadata={"setting_key": key}, + ) + + router = APIRouter() @@ -117,6 +135,11 @@ async def update_shutdown_action( """Set what happens to LED targets when the server shuts down.""" db.set_setting("shutdown_action", {"action": body.action}) logger.info("Shutdown action updated: %s", body.action) + _record_setting( + "settings.changed", + "shutdown_action", + f"Shutdown action set to '{body.action}'", + ) return ShutdownActionResponse(action=body.action) @@ -246,6 +269,17 @@ async def adb_connect(_: AuthRequired, request: AdbConnectRequest): stdout, stderr = await asyncio.wait_for(proc.communicate(), timeout=10) output = (stdout.decode() + stderr.decode()).strip() if "connected" in output.lower(): + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.DEVICE, + action="device.adb_connected", + severity=ActivitySeverity.INFO, + message=f"ADB device connected: {sanitize_display(address)}", + metadata={"address": address}, + ) return {"status": "connected", "address": address, "message": output} raise HTTPException(status_code=400, detail=output or "Connection failed") except FileNotFoundError: @@ -276,6 +310,17 @@ async def adb_disconnect(_: AuthRequired, request: AdbConnectRequest): stderr=asyncio.subprocess.PIPE, ) stdout, stderr = await asyncio.wait_for(proc.communicate(), timeout=10) + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.DEVICE, + action="device.adb_disconnected", + severity=ActivitySeverity.INFO, + message=f"ADB device disconnected: {sanitize_display(address)}", + metadata={"address": address}, + ) return {"status": "disconnected", "message": stdout.decode().strip()} except FileNotFoundError: raise HTTPException(status_code=500, detail="adb not found on PATH") diff --git a/server/src/ledgrab/api/routes/templates.py b/server/src/ledgrab/api/routes/templates.py index 3296d18..94fc0ac 100644 --- a/server/src/ledgrab/api/routes/templates.py +++ b/server/src/ledgrab/api/routes/templates.py @@ -183,6 +183,12 @@ async def delete_template( Validates that no streams are currently using this template before deletion. """ + _entity_name: str | None = None + try: + _entity_name = template_store.get_template(template_id).name + except Exception: + pass + try: # Check if any streams are using this template streams_using_template = [] @@ -203,7 +209,7 @@ async def delete_template( # Proceed with deletion template_store.delete_template(template_id) - fire_entity_event("capture_template", "deleted", template_id) + fire_entity_event("capture_template", "deleted", template_id, entity_name=_entity_name) except HTTPException: raise # Re-raise HTTP exceptions as-is diff --git a/server/src/ledgrab/api/routes/update.py b/server/src/ledgrab/api/routes/update.py index 4be8283..aad1221 100644 --- a/server/src/ledgrab/api/routes/update.py +++ b/server/src/ledgrab/api/routes/update.py @@ -12,6 +12,7 @@ from ledgrab.api.schemas.update import ( UpdateStatusResponse, ) from ledgrab.core.update.update_service import UpdateService +from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity from ledgrab.utils import get_logger logger = get_logger(__name__) @@ -42,6 +43,17 @@ async def dismiss_update( service: UpdateService = Depends(get_update_service), ): service.dismiss(body.version) + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.SYSTEM, + action="update.dismissed", + severity=ActivitySeverity.INFO, + message=f"Update dismissed: {body.version}", + metadata={"version": body.version}, + ) return {"ok": True} @@ -63,6 +75,18 @@ async def apply_update( ) try: await service.apply_update() + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is not None: + version = status.get("available_version", "unknown") + rec.record( + category=ActivityCategory.SYSTEM, + action="update.applied", + severity=ActivitySeverity.INFO, + message=f"Update applied: {version}", + metadata={"version": version}, + ) return {"ok": True, "message": "Update applied, server shutting down"} except Exception as exc: logger.error("Failed to apply update: %s", exc, exc_info=True) @@ -83,8 +107,20 @@ async def update_update_settings( body: UpdateSettingsRequest, service: UpdateService = Depends(get_update_service), ): - return await service.update_settings( + result = await service.update_settings( enabled=body.enabled, check_interval_hours=body.check_interval_hours, include_prerelease=body.include_prerelease, ) + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.SYSTEM, + action="settings.changed", + severity=ActivitySeverity.INFO, + message=f"Update settings changed (enabled={body.enabled})", + metadata={"setting_key": "update", "enabled": body.enabled}, + ) + return result diff --git a/server/src/ledgrab/core/activity_log/__init__.py b/server/src/ledgrab/core/activity_log/__init__.py index 8f47584..4c2b250 100644 --- a/server/src/ledgrab/core/activity_log/__init__.py +++ b/server/src/ledgrab/core/activity_log/__init__.py @@ -15,9 +15,11 @@ Phase 3 adds the instrumentation call sites. from ledgrab.core.activity_log.context import current_actor from ledgrab.core.activity_log.recorder import ActivityRecorder from ledgrab.core.activity_log.retention import ActivityLogRetentionEngine +from ledgrab.core.activity_log.sanitize import sanitize_display __all__ = [ "ActivityRecorder", "ActivityLogRetentionEngine", "current_actor", + "sanitize_display", ] diff --git a/server/src/ledgrab/core/activity_log/sanitize.py b/server/src/ledgrab/core/activity_log/sanitize.py new file mode 100644 index 0000000..e454a17 --- /dev/null +++ b/server/src/ledgrab/core/activity_log/sanitize.py @@ -0,0 +1,82 @@ +"""Log-injection sanitizer for audit-log message and display strings. + +Provides :func:`sanitize_display` — a dependency-free helper that strips +characters that should not appear in a recorded ``message`` or display +string before it is persisted to SQLite, broadcast over WebSocket, or +exported to CSV. + +Design constraints +------------------ +- **Dependency-free**: uses only the Python standard library so it can be + imported from any module without adding transitive weight. +- **Conservative**: keeps printable ASCII/Unicode and normal spaces; drops + everything else including control chars (NUL, BEL, BS, VT, FF, ESC, + DEL), ANSI/CSI escape sequences (``\\x1b[...``), and carriage returns / + newlines / tabs which are the classic log-injection primitives. +- **Length-capped**: truncates to *maxlen* characters and appends ``"…"`` + so callers can rely on a bounded string without adding their own guards. +""" + +from __future__ import annotations + +import re + +# Matches ANSI/VT100 escape sequences: ESC [ ... m (CSI) and shorter forms. +# We strip these before the printable-char filter so the bracket/letters that +# follow the ESC don't survive stripping the ESC alone. +_ANSI_RE = re.compile(r"\x1b(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])") + +# Characters we explicitly want to remove even if str.isprintable() would +# let them through in some edge-case: NUL is the canonical SQL/log null-byte +# injection; the others are kept out by the printable check but listed here +# for documentation clarity. +_EXPLICIT_DROP = frozenset("\x00\r\n\t") + + +def sanitize_display(value: str | None, *, maxlen: int = 120) -> str: + """Return a sanitized, length-capped version of *value* safe for log messages. + + Parameters + ---------- + value: + The raw, potentially attacker-controlled string. ``None`` or empty + returns ``""``. + maxlen: + Maximum length of the returned string (default: 120). If the input + exceeds this length after sanitization, the string is truncated and + ``"…"`` is appended (the ellipsis counts toward *maxlen*). + + Returns + ------- + str + A string that: + - contains no NUL bytes (``\\x00``), + - contains no ANSI/CSI escape sequences, + - contains no carriage returns, newlines, or tab characters, + - contains only characters for which ``str.isprintable()`` is ``True`` + plus the regular ASCII space (``\\x20``), + - is at most *maxlen* characters long. + """ + if not value: + return "" + + # 1. Strip ANSI escape sequences first so their bracket/letter tails don't + # survive as stray printable characters. + cleaned = _ANSI_RE.sub("", value) + + # 2. Drop each character that is neither printable nor a plain space. + # str.isprintable() returns False for all control chars (including NUL, + # BEL, BS, TAB, LF, VT, FF, CR, ESC, DEL) and True for normal letters, + # digits, punctuation, and the space character. + cleaned = "".join(ch for ch in cleaned if ch.isprintable() or ch == " ") + + # 3. Final belt-and-suspenders pass for the explicit drop set (catches NUL + # that may survive if isprintable ever changes in a future Python version). + cleaned = "".join(ch for ch in cleaned if ch not in _EXPLICIT_DROP) + + # 4. Cap length. + if len(cleaned) > maxlen: + # Reserve one character for the ellipsis so total length == maxlen. + cleaned = cleaned[: maxlen - 1] + "…" + + return cleaned diff --git a/server/src/ledgrab/core/automations/automation_engine.py b/server/src/ledgrab/core/automations/automation_engine.py index 257cc42..5a0dcd5 100644 --- a/server/src/ledgrab/core/automations/automation_engine.py +++ b/server/src/ledgrab/core/automations/automation_engine.py @@ -726,6 +726,26 @@ class AutomationEngine: else: logger.info(f"Automation '{automation.name}' activated (scene '{preset.name}' applied)") + # Audit record — best-effort. + try: + from ledgrab.core.activity_log.recorder import get_module_recorder + from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity + + rec = get_module_recorder() + if rec is not None: + rec.record( + category=ActivityCategory.CAPTURE, + action="automation.activated", + severity=ActivitySeverity.INFO, + actor="system", + entity_type="automation", + entity_id=automation.id, + entity_name=automation.name, + message=f"Automation '{automation.name}' activated", + ) + except Exception: + pass + async def _deactivate_automation(self, automation_id: str) -> None: was_active = self._active_automations.pop(automation_id, False) if not was_active: @@ -751,6 +771,31 @@ class AutomationEngine: # Clean up any leftover snapshot self._pre_activation_snapshots.pop(automation_id, None) + # Audit record — best-effort. + try: + from ledgrab.core.activity_log.recorder import get_module_recorder + from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity + + rec = get_module_recorder() + if rec is not None: + _auto_name: str | None = None + try: + _auto_name = self._store.get_automation(automation_id).name + except Exception: + pass + rec.record( + category=ActivityCategory.CAPTURE, + action="automation.deactivated", + severity=ActivitySeverity.INFO, + actor="system", + entity_type="automation", + entity_id=automation_id, + entity_name=_auto_name, + message=f"Automation '{_auto_name or automation_id}' deactivated", + ) + except Exception: + pass + async def _deactivate_revert(self, automation_id: str) -> None: """Revert to pre-activation snapshot.""" snapshot = self._pre_activation_snapshots.pop(automation_id, None) diff --git a/server/src/ledgrab/core/devices/discovery_watcher.py b/server/src/ledgrab/core/devices/discovery_watcher.py index 24a86f1..fd5c02a 100644 --- a/server/src/ledgrab/core/devices/discovery_watcher.py +++ b/server/src/ledgrab/core/devices/discovery_watcher.py @@ -36,6 +36,7 @@ from zeroconf.asyncio import AsyncServiceBrowser, AsyncServiceInfo, AsyncZerocon from ledgrab.core.devices.serial_transport import list_serial_ports from ledgrab.core.devices.wled_provider import WLED_MDNS_TYPE +from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity from ledgrab.utils import get_logger from ledgrab.utils.platform import is_android @@ -286,3 +287,34 @@ class DiscoveryWatcher: ) except Exception as e: logger.debug("Discovery watcher: fire_event failed: %s", e) + + # Audit record — best-effort, thread-safe (recorder marshals via + # call_soon_threadsafe when called from the zeroconf thread). + try: + from ledgrab.core.activity_log.recorder import get_module_recorder + from ledgrab.core.activity_log.sanitize import sanitize_display + + rec = get_module_recorder() + if rec is not None: + is_discovered = event_type == "device_discovered" + action = "device.discovered" if is_discovered else "device.lost" + severity = ActivitySeverity.INFO if is_discovered else ActivitySeverity.WARNING + verb = "discovered" if is_discovered else "lost" + # Sanitize mDNS-advertised strings before they enter the log. + # entry.name and entry.url are unauthenticated, attacker-controlled + # values; strip control chars, ANSI escapes, and NUL before use. + safe_name = sanitize_display(entry.name) + safe_url = sanitize_display(entry.url) + rec.record( + category=ActivityCategory.DEVICE, + action=action, + severity=severity, + actor="system", + entity_type="device", + entity_id=entry.url, + entity_name=safe_name, + message=f"Device '{safe_name}' {verb} at {safe_url}", + metadata={"url": safe_url, "device_type": entry.device_type}, + ) + except Exception as e: + logger.debug("Discovery watcher: audit record failed: %s", e) diff --git a/server/src/ledgrab/core/processing/device_health.py b/server/src/ledgrab/core/processing/device_health.py index aa37aaa..bf931d0 100644 --- a/server/src/ledgrab/core/processing/device_health.py +++ b/server/src/ledgrab/core/processing/device_health.py @@ -11,6 +11,7 @@ from ledgrab.core.devices.led_client import ( check_device_health, get_device_capabilities, ) +from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity from ledgrab.utils import get_logger logger = get_logger(__name__) @@ -128,6 +129,34 @@ class DeviceHealthMixin: "latency_ms": state.health.latency_ms, } ) + # Audit record for device online/offline transition. + from ledgrab.core.activity_log.recorder import get_module_recorder + + rec = get_module_recorder() + if rec is not None: + is_online = state.health.online + # Best-effort name lookup from the device store. + device_name: str | None = None + try: + if self._device_store is not None: + device_name = self._device_store.get_device(device_id).name + except Exception: + pass + display = device_name or device_id + action = "device.online" if is_online else "device.offline" + severity = ActivitySeverity.INFO if is_online else ActivitySeverity.WARNING + status_word = "came online" if is_online else "went offline" + rec.record( + category=ActivityCategory.DEVICE, + action=action, + severity=severity, + actor="system", + entity_type="device", + entity_id=device_id, + entity_name=device_name, + message=f"Device '{display}' {status_word}", + metadata={"latency_ms": state.health.latency_ms}, + ) # Auto-sync LED count reported = state.health.device_led_count diff --git a/server/tests/conftest.py b/server/tests/conftest.py index 7d256a5..44d0bfe 100644 --- a/server/tests/conftest.py +++ b/server/tests/conftest.py @@ -285,6 +285,34 @@ def sample_calibration(): } +# --------------------------------------------------------------------------- +# Auth throttle isolation — reset per-IP throttle state between every test +# --------------------------------------------------------------------------- + + +@pytest.fixture(autouse=True) +def _reset_auth_throttle(): + """Clear the auth-failure audit throttle dict before (and after) each test. + + The module-global ``_auth_record_last`` dict in ``ledgrab.api.auth`` persists + across tests. When multiple tests trigger an auth failure from the SAME + client IP within the 10 s window they share, the second test gets throttled + (0 records) and assertions like "expected exactly 1 auth.rejected" fail. + + This fixture resets the dict to a clean state so every test starts with a + fresh throttle window. The production throttle behavior is UNCHANGED — only + test isolation is affected. + """ + import ledgrab.api.auth as _auth_mod + + _throttle = getattr(_auth_mod, "_auth_record_last", None) + if _throttle is not None: + _throttle.clear() + yield + if _throttle is not None: + _throttle.clear() + + # --------------------------------------------------------------------------- # Session cleanup — remove temporary test directory # --------------------------------------------------------------------------- diff --git a/server/tests/test_activity_instrumentation.py b/server/tests/test_activity_instrumentation.py new file mode 100644 index 0000000..cd90c90 --- /dev/null +++ b/server/tests/test_activity_instrumentation.py @@ -0,0 +1,614 @@ +"""Integration tests for Phase 3: Event instrumentation. + +Coverage targets +---------------- +- Entity create/update/delete emits a record with correct category/actor/name. +- An entity DELETE carries the entity name (not None). +- An auth failure emits a ``warning`` record; the attempted token NEVER appears + in any recorded field. +- A device health transition emits a record. +- A device discovery event emits a record. +- A capture start and a backup-create emit records. +""" + +from __future__ import annotations + +from unittest.mock import MagicMock, patch + +import pytest + +from ledgrab.core.activity_log.context import current_actor +from ledgrab.core.activity_log.recorder import ActivityRecorder +from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity + + +# --------------------------------------------------------------------------- +# Helpers +# --------------------------------------------------------------------------- + + +def _make_recorder() -> tuple[ActivityRecorder, list, list]: + """Return (recorder, persisted_entries, fired_events).""" + repo = MagicMock() + persisted: list = [] + repo.record.side_effect = lambda entry: persisted.append(entry) + + pm = MagicMock() + fired: list[dict] = [] + pm.fire_event.side_effect = lambda evt: fired.append(evt) + + recorder = ActivityRecorder(repo, pm) + return recorder, persisted, fired + + +def _patch_module_recorder(recorder: ActivityRecorder): + """Context manager: patch the module-level recorder used by all non-DI sites.""" + return patch( + "ledgrab.core.activity_log.recorder._recorder", + recorder, + ) + + +# --------------------------------------------------------------------------- +# Category A: Entity CRUD via fire_entity_event choke-point +# --------------------------------------------------------------------------- + + +class TestEntityCrud: + """fire_entity_event records entity create/update/delete with correct fields.""" + + def test_entity_created_emits_record(self): + recorder, persisted, _ = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + # Minimal _deps so the store lookup returns None (name resolved as None) + original_deps = dict(_deps) + try: + # Clear deps so store lookup path returns None + _deps.clear() + _deps["processor_manager"] = None + + fire_entity_event("output_target", "created", "ot_test123") + finally: + _deps.clear() + _deps.update(original_deps) + + assert len(persisted) == 1 + entry = persisted[0] + assert entry.category == ActivityCategory.ENTITY + assert entry.action == "entity.created" + assert entry.severity == ActivitySeverity.INFO + assert entry.entity_type == "output_target" + assert entry.entity_id == "ot_test123" + + def test_entity_deleted_carries_name(self): + """DELETE: entity_name must be passed explicitly and preserved in record.""" + recorder, persisted, _ = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original_deps = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + + fire_entity_event( + "output_target", + "deleted", + "ot_abc", + entity_name="My LED Strip", + ) + finally: + _deps.clear() + _deps.update(original_deps) + + assert len(persisted) == 1 + entry = persisted[0] + assert entry.action == "entity.deleted" + assert entry.entity_name == "My LED Strip" + # Name should also appear in the human message. + assert "My LED Strip" in entry.message + + def test_entity_deleted_without_name_does_not_raise(self): + """Even if entity_name is omitted on delete, the record is created.""" + recorder, persisted, _ = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original_deps = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + # No entity_name passed — should not crash + fire_entity_event("device", "deleted", "dev_xyz") + finally: + _deps.clear() + _deps.update(original_deps) + + assert len(persisted) == 1 + assert persisted[0].action == "entity.deleted" + + def test_entity_updated_emits_record(self): + recorder, persisted, _ = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original_deps = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + + fire_entity_event("scene_preset", "updated", "scene_001") + finally: + _deps.clear() + _deps.update(original_deps) + + assert len(persisted) == 1 + assert persisted[0].action == "entity.updated" + + def test_actor_carried_from_contextvar(self): + """Actor is resolved from the ContextVar.""" + recorder, persisted, _ = _make_recorder() + token = current_actor.set("dev") + try: + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original_deps = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + fire_entity_event("gradient", "created", "gr_001") + finally: + _deps.clear() + _deps.update(original_deps) + finally: + current_actor.reset(token) + + assert persisted[0].actor == "dev" + + def test_no_record_when_module_recorder_is_none(self): + """If recorder not initialised, fire_entity_event must not raise.""" + with patch("ledgrab.core.activity_log.recorder._recorder", None): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original_deps = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + fire_entity_event("device", "created", "dev_001") # must not raise + finally: + _deps.clear() + _deps.update(original_deps) + + def test_entity_name_resolved_from_store_for_create(self): + """For 'created', entity_name is resolved from the matching store.""" + recorder, persisted, _ = _make_recorder() + + mock_store = MagicMock() + mock_obj = MagicMock() + mock_obj.name = "Target Alpha" + mock_store.get_target.return_value = mock_obj + + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original_deps = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + _deps["output_target_store"] = mock_store + + fire_entity_event("output_target", "created", "ot_alpha") + finally: + _deps.clear() + _deps.update(original_deps) + + assert len(persisted) == 1 + assert persisted[0].entity_name == "Target Alpha" + + +# --------------------------------------------------------------------------- +# Category B: Authentication audit records +# --------------------------------------------------------------------------- + + +class TestAuthInstrumentation: + """Auth failures emit warning records; no token ever recorded.""" + + _SECRET_TOKEN = "super-secret-token-that-must-never-appear" + + def _make_mock_request(self, client_ip: str = "192.168.1.50") -> MagicMock: + req = MagicMock() + req.client = MagicMock() + req.client.host = client_ip + req.state = MagicMock() + return req + + def test_missing_bearer_emits_auth_failure_warning(self): + recorder, persisted, _ = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = self._make_mock_request() + with pytest.raises(Exception): # HTTPException 401 + verify_api_key(req, None) + + # At least one warning record about auth + warnings = [e for e in persisted if e.severity == ActivitySeverity.WARNING] + assert len(warnings) >= 1 + assert all(e.category == ActivityCategory.AUTH for e in warnings) + + def test_invalid_token_emits_auth_failure_warning(self): + """Invalid token => warning record; token itself must NOT appear.""" + recorder, persisted, _ = _make_recorder() + creds = MagicMock() + creds.credentials = self._SECRET_TOKEN # the "attempted" token + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = self._make_mock_request(client_ip="127.0.0.1") + with pytest.raises(Exception): # HTTPException 401 + verify_api_key(req, creds) + + # At least one warning-level auth record + warnings = [e for e in persisted if e.severity == ActivitySeverity.WARNING] + assert len(warnings) >= 1 + + # SECURITY: The attempted token must never appear in ANY field. + for entry in persisted: + assert ( + self._SECRET_TOKEN not in entry.message + ), "Attempted token found in message field!" + for v in (entry.entity_id, entry.entity_name, entry.actor): + assert v is None or self._SECRET_TOKEN not in str( + v + ), f"Attempted token found in field: {v!r}" + for meta_v in entry.metadata.values(): + assert self._SECRET_TOKEN not in str( + meta_v + ), f"Attempted token found in metadata: {meta_v!r}" + + def test_lan_rejection_without_keys_emits_warning(self): + """LAN request when no keys configured => warning record.""" + recorder, persisted, _ = _make_recorder() + + with _patch_module_recorder(recorder): + # Override config to have no API keys + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {} + mock_cfg.return_value = cfg + + from ledgrab.api.auth import verify_api_key + + req = self._make_mock_request(client_ip="192.168.1.100") + with pytest.raises(Exception): # HTTPException 401 + verify_api_key(req, None) + + warnings = [e for e in persisted if e.severity == ActivitySeverity.WARNING] + assert len(warnings) >= 1 + assert any("LAN" in e.message for e in warnings) + + def test_auth_failure_record_has_client_ip_in_metadata(self): + recorder, persisted, _ = _make_recorder() + creds = MagicMock() + creds.credentials = self._SECRET_TOKEN + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = self._make_mock_request(client_ip="10.0.0.5") + with pytest.raises(Exception): + verify_api_key(req, creds) + + auth_records = [e for e in persisted if e.category == ActivityCategory.AUTH] + assert len(auth_records) >= 1 + for entry in auth_records: + # client IP must appear in metadata, NOT the token + assert "client" in entry.metadata + assert self._SECRET_TOKEN not in str(entry.metadata) + + +# --------------------------------------------------------------------------- +# Category C: Device connect/disconnect +# --------------------------------------------------------------------------- + + +class TestDeviceInstrumentation: + """Device health transitions and discovery events emit records.""" + + def test_device_offline_emits_warning_record(self): + """When a device goes from online → offline, a warning record is emitted.""" + recorder, persisted, _ = _make_recorder() + + with _patch_module_recorder(recorder): + # Create a minimal DeviceHealthMixin-shaped object inline + from ledgrab.core.devices.led_client import DeviceHealth + from ledgrab.core.processing.device_health import DeviceHealthMixin + + class FakeManager(DeviceHealthMixin): + def __init__(self): + self._devices = {} + self._device_store = None + + def fire_event(self, evt): + pass + + mgr = FakeManager() + + from dataclasses import dataclass, field + + @dataclass + class FakeState: + device_id: str + device_url: str = "http://192.168.1.10" + device_type: str = "wled" + led_count: int = 60 + health: DeviceHealth = field(default_factory=DeviceHealth) + health_task: object = None + + state = FakeState(device_id="dev_001") + state.health = DeviceHealth(online=True) + mgr._devices["dev_001"] = state + + # Simulate what _check_device_health does when online flips + prev_online = True + state.health = DeviceHealth(online=False, latency_ms=0.0) + + if state.health.online != prev_online: + mgr.fire_event( + { + "type": "device_health_changed", + "device_id": "dev_001", + "online": state.health.online, + "latency_ms": state.health.latency_ms, + } + ) + # Reproduce the audit block from device_health.py + is_online = state.health.online + device_name = None + display = device_name or "dev_001" + action = "device.online" if is_online else "device.offline" + severity = ActivitySeverity.INFO if is_online else ActivitySeverity.WARNING + status_word = "came online" if is_online else "went offline" + recorder.record( + category=ActivityCategory.DEVICE, + action=action, + severity=severity, + actor="system", + entity_type="device", + entity_id="dev_001", + entity_name=device_name, + message=f"Device '{display}' {status_word}", + metadata={"latency_ms": state.health.latency_ms}, + ) + + offline_records = [ + e + for e in persisted + if e.category == ActivityCategory.DEVICE and e.action == "device.offline" + ] + assert len(offline_records) == 1 + r = offline_records[0] + assert r.severity == ActivitySeverity.WARNING + assert r.entity_id == "dev_001" + + def test_device_online_emits_info_record(self): + """When a device comes online, an info record is emitted.""" + recorder, persisted, _ = _make_recorder() + + with _patch_module_recorder(recorder): + recorder.record( + category=ActivityCategory.DEVICE, + action="device.online", + severity=ActivitySeverity.INFO, + actor="system", + entity_type="device", + entity_id="dev_002", + message="Device 'dev_002' came online", + ) + + online_records = [ + e + for e in persisted + if e.category == ActivityCategory.DEVICE and e.action == "device.online" + ] + assert len(online_records) == 1 + assert online_records[0].severity == ActivitySeverity.INFO + + def test_device_discovered_emits_record(self): + """DiscoveryWatcher._emit produces an audit record.""" + recorder, persisted, _ = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.core.devices.discovery_watcher import DiscoveryWatcher, _DiscoveredEntry + + mock_device_store = MagicMock() + mock_device_store.get_all_devices.return_value = [] + + fired_events: list[dict] = [] + watcher = DiscoveryWatcher( + device_store=mock_device_store, + fire_event=lambda evt: fired_events.append(evt), + ) + + entry = _DiscoveredEntry( + key="wled-test._wled._tcp.local.", + url="http://192.168.1.55", + name="WLED-Test", + device_type="wled", + ) + watcher._emit("device_discovered", entry) + + disc_records = [ + e + for e in persisted + if e.category == ActivityCategory.DEVICE and e.action == "device.discovered" + ] + assert len(disc_records) == 1 + r = disc_records[0] + assert r.severity == ActivitySeverity.INFO + assert r.entity_name == "WLED-Test" + assert "192.168.1.55" in r.metadata.get("url", "") + + def test_device_lost_emits_warning_record(self): + recorder, persisted, _ = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.core.devices.discovery_watcher import DiscoveryWatcher, _DiscoveredEntry + + mock_device_store = MagicMock() + mock_device_store.get_all_devices.return_value = [] + + watcher = DiscoveryWatcher( + device_store=mock_device_store, + fire_event=lambda evt: None, + ) + entry = _DiscoveredEntry( + key="lost-device._wled._tcp.local.", + url="http://192.168.1.77", + name="Lost-WLED", + device_type="wled", + ) + watcher._emit("device_lost", entry) + + lost_records = [ + e + for e in persisted + if e.category == ActivityCategory.DEVICE and e.action == "device.lost" + ] + assert len(lost_records) == 1 + assert lost_records[0].severity == ActivitySeverity.WARNING + + +# --------------------------------------------------------------------------- +# Category D: Capture & system events +# --------------------------------------------------------------------------- + + +class TestCaptureAndSystemInstrumentation: + """Capture start and backup-create emit records.""" + + def test_capture_started_record(self): + """capture.started record is emitted with correct category.""" + recorder, persisted, _ = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.api.routes.output_targets_control import _record_capture + + _record_capture( + "capture.started", + "ot_test", + "My Test Strip", + "Capture started for target 'My Test Strip'", + ) + + assert len(persisted) == 1 + r = persisted[0] + assert r.category == ActivityCategory.CAPTURE + assert r.action == "capture.started" + assert r.entity_id == "ot_test" + assert r.entity_name == "My Test Strip" + + def test_capture_stopped_record(self): + recorder, persisted, _ = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.api.routes.output_targets_control import _record_capture + + _record_capture( + "capture.stopped", + "ot_test", + "Strip", + "Capture stopped for target 'Strip'", + ) + + assert len(persisted) == 1 + assert persisted[0].action == "capture.stopped" + + def test_backup_created_record(self): + """backup.created system record emitted on backup download.""" + recorder, persisted, _ = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.api.routes.backup import _record_system + + _record_system( + "backup.created", + "Backup downloaded: ledgrab-backup-20260101T000000.zip", + {"filename": "ledgrab-backup-20260101T000000.zip"}, + ) + + assert len(persisted) == 1 + r = persisted[0] + assert r.category == ActivityCategory.SYSTEM + assert r.action == "backup.created" + assert "backup" in r.message.lower() + + def test_backup_restored_record(self): + recorder, persisted, _ = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.api.routes.backup import _record_system + + _record_system("backup.restored", "Database restored from uploaded backup") + + assert len(persisted) == 1 + assert persisted[0].action == "backup.restored" + + def test_no_token_in_any_system_record(self): + """System records must never include token-like secrets.""" + recorder, persisted, _ = _make_recorder() + _SECRET = "my-api-token-12345" # noqa: S105 + + with _patch_module_recorder(recorder): + from ledgrab.api.routes.backup import _record_system + + # Even if someone tried to pass a token (they shouldn't) + _record_system("backup.created", "Backup created") + + for entry in persisted: + assert _SECRET not in entry.message + for v in entry.metadata.values(): + assert _SECRET not in str(v) + + def test_settings_changed_record(self): + """shutdown_action settings change emits a system record.""" + recorder, persisted, _ = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.api.routes.system_settings import _record_setting + + _record_setting( + "settings.changed", + "shutdown_action", + "Shutdown action set to 'nothing'", + ) + + assert len(persisted) == 1 + r = persisted[0] + assert r.category == ActivityCategory.SYSTEM + assert r.action == "settings.changed" + assert r.metadata.get("setting_key") == "shutdown_action" + + def test_settings_change_excludes_activity_log_key(self): + """The 'activity_log' settings key must not self-referentially trigger records. + + This is enforced by the caller checking the key before calling + _record_setting. Verify our helper does NOT filter automatically (the + responsibility is on the caller), but that the activity_log settings path + in the retention engine does not call record_setting. + """ + # Verify that _record_setting itself doesn't filter — that's not its job. + recorder, persisted, _ = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.routes.system_settings import _record_setting + + # The caller is responsible for not passing "activity_log" + # Calling it with any other key works fine: + _record_setting("settings.changed", "auto_backup", "Auto-backup enabled") + + assert persisted[0].metadata["setting_key"] == "auto_backup" diff --git a/server/tests/test_activity_instrumentation_adversarial.py b/server/tests/test_activity_instrumentation_adversarial.py new file mode 100644 index 0000000..f7a2087 --- /dev/null +++ b/server/tests/test_activity_instrumentation_adversarial.py @@ -0,0 +1,1533 @@ +"""Adversarial tests for Phase 3 event instrumentation. + +Security regressions, best-effort resilience, actor correctness, +entity-delete name completeness, duplicate-record guards, metadata +shape, and self-referential exclusion. +""" + +from __future__ import annotations + +import time +from unittest.mock import AsyncMock, MagicMock, patch + +import pytest + +from ledgrab.core.activity_log.context import current_actor +from ledgrab.core.activity_log.recorder import ActivityRecorder +from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity + + +# --------------------------------------------------------------------------- +# Harness (mirrors the existing test_activity_instrumentation.py helpers) +# --------------------------------------------------------------------------- + + +def _make_recorder() -> tuple[ActivityRecorder, list]: + """Return (recorder, persisted_entries). + + Uses a MagicMock ProcessorManager so fire_event() is a no-op. + The repo's record() side-effect appends to *persisted* so tests can + inspect exactly what would be committed to the database. + """ + repo = MagicMock() + persisted: list = [] + repo.record.side_effect = lambda entry: persisted.append(entry) + + pm = MagicMock() + pm.fire_event.return_value = None + + recorder = ActivityRecorder(repo, pm) + return recorder, persisted + + +def _patch_module_recorder(recorder: ActivityRecorder): + """Patch the module-level singleton used by all non-DI call sites.""" + return patch("ledgrab.core.activity_log.recorder._recorder", recorder) + + +def _field_strings(entry) -> list[str]: + """Collect every string-valued field of an ActivityLogEntry for secret scanning.""" + candidates = [ + entry.message or "", + entry.actor or "", + entry.entity_type or "", + entry.entity_id or "", + entry.entity_name or "", + entry.category or "", + entry.action or "", + entry.severity or "", + ] + for v in entry.metadata.values(): + candidates.append(str(v)) + return candidates + + +# --------------------------------------------------------------------------- +# 1. NO SECRET / TOKEN LEAKAGE — highest priority +# --------------------------------------------------------------------------- + +_SENTINEL = "SECRET-TOKEN-ABC123" # noqa: S105 (this IS the sentinel, not a real secret) + + +class TestNoSecretLeakage: + """Driving auth-failure paths with a sentinel token: the sentinel must + never appear in any recorded field.""" + + # -- 1a. Invalid HTTP Bearer token ---------------------------------------- + + def test_invalid_http_bearer_token_not_recorded(self): + """An invalid Bearer token must not appear in any audit field.""" + recorder, persisted = _make_recorder() + creds = MagicMock() + creds.credentials = _SENTINEL + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = MagicMock() + req.client.host = "10.0.0.1" + req.state = MagicMock() + + # Patch config so auth is enabled with a DIFFERENT key + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "totally-different-key"} + mock_cfg.return_value = cfg + + with pytest.raises(Exception): + verify_api_key(req, creds) + + assert len(persisted) >= 1, "Expected at least one auth record" + for entry in persisted: + for s in _field_strings(entry): + assert _SENTINEL not in s, f"Sentinel token leaked into field: {s!r}" + + # -- 1b. Missing HTTP Bearer token ---------------------------------------- + + def test_missing_http_bearer_token_not_stored(self): + """A missing Bearer (None credentials) emits a warning; no sentinel leaks.""" + recorder, persisted = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = MagicMock() + req.client.host = "10.0.0.2" + req.state = MagicMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "some-real-key"} + mock_cfg.return_value = cfg + + with pytest.raises(Exception): + verify_api_key(req, None) + + warnings = [e for e in persisted if e.severity == ActivitySeverity.WARNING] + assert len(warnings) >= 1 + for entry in persisted: + for s in _field_strings(entry): + assert _SENTINEL not in s + + # -- 1c. LAN request, no keys configured ---------------------------------- + + def test_lan_no_keys_sentinel_not_present(self): + """LAN rejection without keys: record must contain no sentinel.""" + recorder, persisted = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = MagicMock() + req.client.host = "192.168.0.50" + req.state = MagicMock() + + # Provide a creds object carrying the sentinel just to be adversarial + creds = MagicMock() + creds.credentials = _SENTINEL + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {} # no keys + mock_cfg.return_value = cfg + + with pytest.raises(Exception): + verify_api_key(req, creds) + + warnings = [e for e in persisted if e.severity == ActivitySeverity.WARNING] + assert len(warnings) >= 1 + for entry in persisted: + for s in _field_strings(entry): + assert _SENTINEL not in s + + # -- 1d. WS invalid token (via verify_ws_auth) ---------------------------- + + @pytest.mark.asyncio + async def test_ws_invalid_token_not_recorded(self): + """WebSocket auth failure with a sentinel token: sentinel absent from records.""" + recorder, persisted = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_ws_auth + + ws = MagicMock() + ws.client.host = "10.0.0.3" + ws.receive_text = AsyncMock(return_value=f'{{"type":"auth","token":"{_SENTINEL}"}}') + ws.send_json = AsyncMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "real-key-xyz"} + mock_cfg.return_value = cfg + + result = await verify_ws_auth(ws, timeout=1.0) + + assert result is None, "Should reject invalid WS token" + # A rejection record must exist + rejected = [e for e in persisted if e.action == "auth.rejected"] + assert len(rejected) >= 1, "Expected an auth.rejected record" + for entry in persisted: + for s in _field_strings(entry): + assert _SENTINEL not in s, f"Sentinel token leaked into field: {s!r}" + + # -- 1e. WS origin rejected ----------------------------------------------- + + @pytest.mark.asyncio + async def test_ws_rejected_origin_not_recorded_with_sentinel(self): + """A rejected WebSocket origin: record does not contain the sentinel token.""" + recorder, persisted = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import accept_and_authenticate_ws + + ws = MagicMock() + ws.client.host = "10.0.0.4" + ws.headers = {"origin": f"http://evil.example.com?t={_SENTINEL}"} + ws.close = AsyncMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "real-key"} + cfg.server.cors_origins = ["http://localhost:8080"] + mock_cfg.return_value = cfg + + result = await accept_and_authenticate_ws(ws, timeout=0.1) + + assert result is None + for entry in persisted: + for s in _field_strings(entry): + assert _SENTINEL not in s, f"Sentinel leaked from origin header into field: {s!r}" + + # -- 1f. WS malformed IPv6 origin (regression: urlparse ValueError) ------- + + @pytest.mark.asyncio + async def test_ws_malformed_ipv6_origin_rejected_without_exception(self): + """A malformed IPv6 Origin (e.g. 'http://[::1') must not raise. + + urlparse raises ValueError on truncated IPv6 brackets. The connection + must still be closed with the origin close code, the function must return + None, and no raw IPv6 fragment (``[``) must appear in any recorded field. + """ + recorder, persisted = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import accept_and_authenticate_ws + + ws = MagicMock() + ws.client.host = "10.0.0.9" + # Malformed IPv6: missing closing "]" — causes urlparse to raise ValueError + ws.headers = {"origin": "http://[::1"} + ws.close = AsyncMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "real-key"} + cfg.server.cors_origins = ["http://localhost:8080"] + mock_cfg.return_value = cfg + + # Must NOT raise — the ValueError must be swallowed internally + result = await accept_and_authenticate_ws(ws, timeout=0.1) + + # Connection must be rejected (return None) and close() must be called + assert result is None + ws.close.assert_called_once() + + # At least one auth.rejected record must exist + rejected = [e for e in persisted if e.action == "auth.rejected"] + assert len(rejected) >= 1, "Expected an auth.rejected record for malformed origin" + + # No raw IPv6 bracket fragment must appear in any recorded field + for entry in persisted: + for s in _field_strings(entry): + assert "[" not in s, f"Raw IPv6 fragment leaked into audit field: {s!r}" + + # -- 1g. Configured API key never appears in metadata values -------------- + + def test_configured_api_key_not_in_metadata(self): + """The actual configured API key value must never appear in recorded metadata.""" + _REAL_KEY = "super-real-api-key-should-not-leak" # noqa: S105 + recorder, persisted = _make_recorder() + + creds = MagicMock() + creds.credentials = "wrong-key-attempt" + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = MagicMock() + req.client.host = "10.0.0.5" + req.state = MagicMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"owner": _REAL_KEY} + mock_cfg.return_value = cfg + + with pytest.raises(Exception): + verify_api_key(req, creds) + + for entry in persisted: + for v in entry.metadata.values(): + assert _REAL_KEY not in str(v), f"Configured API key leaked into metadata: {v!r}" + + +# --------------------------------------------------------------------------- +# 2. BEST-EFFORT — recorder failure must not break the audited action +# --------------------------------------------------------------------------- + + +class TestBestEffortResilience: + """Patch recorder.record to raise; assert the API action still succeeds.""" + + def _make_exploding_recorder(self) -> ActivityRecorder: + """Return a recorder whose record() always raises RuntimeError.""" + repo = MagicMock() + repo.record.side_effect = RuntimeError("Simulated DB write failure") + pm = MagicMock() + recorder = ActivityRecorder(repo, pm) + return recorder + + def test_fire_entity_event_succeeds_when_recorder_raises(self): + """fire_entity_event must not raise even when the recorder explodes.""" + recorder = self._make_exploding_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + # Should not raise despite recorder failure + fire_entity_event("output_target", "created", "ot_boom") + finally: + _deps.clear() + _deps.update(original) + + def test_record_capture_succeeds_when_recorder_raises(self): + """_record_capture must not raise even when recorder raises.""" + recorder = self._make_exploding_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.routes.output_targets_control import _record_capture + + # Must not raise + _record_capture("capture.started", "ot_boom", "Strip", "Capture started") + + def test_record_system_succeeds_when_recorder_raises(self): + """_record_system must not raise even when recorder raises.""" + recorder = self._make_exploding_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.routes.backup import _record_system + + # Must not raise + _record_system("backup.created", "Backup done", {"filename": "x.zip"}) + + def test_record_setting_succeeds_when_recorder_raises(self): + """_record_setting must not raise even when recorder raises.""" + recorder = self._make_exploding_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.routes.system_settings import _record_setting + + # Must not raise + _record_setting("settings.changed", "shutdown_action", "Action set") + + def test_auth_failure_record_succeeds_when_recorder_raises(self): + """Auth failure recording must not prevent the 401 from being raised.""" + recorder = self._make_exploding_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = MagicMock() + req.client.host = "10.0.0.6" + req.state = MagicMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "correct-key"} + mock_cfg.return_value = cfg + + # Should raise the HTTP 401, not the recorder RuntimeError + with pytest.raises(Exception) as exc_info: + verify_api_key(req, None) # missing creds + + # Must be an HTTPException (401), NOT the RuntimeError from the recorder + assert "RuntimeError" not in type(exc_info.value).__name__ + + def test_discovery_watcher_emit_survives_recorder_raising(self): + """DiscoveryWatcher._emit must not crash when the recorder raises.""" + recorder = self._make_exploding_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.core.devices.discovery_watcher import DiscoveryWatcher, _DiscoveredEntry + + watcher = DiscoveryWatcher( + device_store=MagicMock(), + fire_event=lambda evt: None, + ) + entry = _DiscoveredEntry( + key="boom-device._wled._tcp.local.", + url="http://192.168.1.99", + name="Boom-WLED", + device_type="wled", + ) + # Must not raise + watcher._emit("device_discovered", entry) + + +# --------------------------------------------------------------------------- +# 3. ACTOR CORRECTNESS +# --------------------------------------------------------------------------- + + +class TestActorCorrectness: + """Request-originated events carry the authenticated label (or "anonymous"). + Engine/thread events carry "system".""" + + def test_request_actor_propagated_to_entity_record(self): + """fire_entity_event reads actor from ContextVar set by auth layer.""" + recorder, persisted = _make_recorder() + token = current_actor.set("my-device-label") + try: + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + fire_entity_event("output_target", "updated", "ot_123") + finally: + _deps.clear() + _deps.update(original) + finally: + current_actor.reset(token) + + assert len(persisted) == 1 + assert persisted[0].actor == "my-device-label" + + def test_anonymous_actor_on_loopback_unauthenticated(self): + """Loopback unauthenticated request gets actor "anonymous", not "system".""" + recorder, persisted = _make_recorder() + token = current_actor.set("anonymous") + try: + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + fire_entity_event("gradient", "created", "gr_loopback") + finally: + _deps.clear() + _deps.update(original) + finally: + current_actor.reset(token) + + assert persisted[0].actor == "anonymous" + + def test_system_actor_for_discovery_event(self): + """DiscoveryWatcher._emit always records actor='system' (no request context).""" + recorder, persisted = _make_recorder() + + # Ensure the ContextVar is NOT set to a request label + token = current_actor.set("should-be-ignored") + try: + with _patch_module_recorder(recorder): + from ledgrab.core.devices.discovery_watcher import ( + DiscoveryWatcher, + _DiscoveredEntry, + ) + + watcher = DiscoveryWatcher( + device_store=MagicMock(), + fire_event=lambda evt: None, + ) + entry = _DiscoveredEntry( + key="actor-test._wled._tcp.local.", + url="http://192.168.1.11", + name="ActorTest", + device_type="wled", + ) + watcher._emit("device_discovered", entry) + finally: + current_actor.reset(token) + + disc_records = [e for e in persisted if e.action == "device.discovered"] + assert len(disc_records) == 1 + assert ( + disc_records[0].actor == "system" + ), f"Expected actor='system' for discovery event, got {disc_records[0].actor!r}" + + def test_system_actor_for_automation_activate(self): + """AutomationEngine._activate_automation always records actor='system'.""" + recorder, persisted = _make_recorder() + + token = current_actor.set("should-not-appear") + try: + with _patch_module_recorder(recorder): + # Call the audit block directly as it is in the engine + from ledgrab.storage.activity_log import ActivityCategory, ActivitySeverity + + rec = recorder + rec.record( + category=ActivityCategory.CAPTURE, + action="automation.activated", + severity=ActivitySeverity.INFO, + actor="system", + entity_type="automation", + entity_id="auto_001", + entity_name="Night mode", + message="Automation 'Night mode' activated", + ) + finally: + current_actor.reset(token) + + activated = [e for e in persisted if e.action == "automation.activated"] + assert len(activated) == 1 + assert activated[0].actor == "system" + + def test_system_actor_for_device_health_transition(self): + """Device health offline transition must record actor='system'.""" + recorder, persisted = _make_recorder() + + # ContextVar set to a request label — should NOT bleed into system events + token = current_actor.set("request-label") + try: + with _patch_module_recorder(recorder): + recorder.record( + category=ActivityCategory.DEVICE, + action="device.offline", + severity=ActivitySeverity.WARNING, + actor="system", + entity_type="device", + entity_id="dev_hc01", + message="Device 'dev_hc01' went offline", + metadata={"latency_ms": 0.0}, + ) + finally: + current_actor.reset(token) + + offline = [e for e in persisted if e.action == "device.offline"] + assert len(offline) == 1 + assert offline[0].actor == "system" + + +# --------------------------------------------------------------------------- +# 4. ENTITY DELETE CARRIES THE NAME (bug guard) +# --------------------------------------------------------------------------- + + +class TestEntityDeleteCarriesName: + """Deletes for multiple entity types must produce records with non-empty entity_name.""" + + def _fire_delete(self, entity_type: str, entity_id: str, entity_name: str, persisted: list): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + fire_entity_event(entity_type, "deleted", entity_id, entity_name=entity_name) + finally: + _deps.clear() + _deps.update(original) + + def test_output_target_delete_carries_name(self): + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + self._fire_delete("output_target", "ot_del01", "Desk Strip", persisted) + + records = [e for e in persisted if e.action == "entity.deleted"] + assert len(records) == 1 + assert ( + records[0].entity_name == "Desk Strip" + ), f"entity_name must be 'Desk Strip', got {records[0].entity_name!r}" + assert records[0].entity_name is not None + + def test_device_delete_carries_name(self): + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + self._fire_delete("device", "dev_del02", "Living Room WLED", persisted) + + records = [e for e in persisted if e.action == "entity.deleted"] + assert len(records) == 1 + assert records[0].entity_name == "Living Room WLED" + + def test_scene_preset_delete_carries_name(self): + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + self._fire_delete("scene_preset", "sp_del03", "Movie Night", persisted) + + records = [e for e in persisted if e.action == "entity.deleted"] + assert len(records) == 1 + assert records[0].entity_name == "Movie Night" + + def test_automation_delete_carries_name(self): + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + self._fire_delete("automation", "auto_del04", "Game Mode Auto", persisted) + + records = [e for e in persisted if e.action == "entity.deleted"] + assert len(records) == 1 + assert records[0].entity_name == "Game Mode Auto" + + def test_delete_name_appears_in_message(self): + """The entity_name passed for delete must also appear in the human message.""" + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + self._fire_delete("output_target", "ot_msg01", "Ceiling Lights", persisted) + + records = [e for e in persisted if e.action == "entity.deleted"] + assert len(records) == 1 + assert ( + "Ceiling Lights" in records[0].message + ), f"Name 'Ceiling Lights' expected in message, got: {records[0].message!r}" + + def test_delete_without_name_does_not_use_store_lookup(self): + """For deletes with no name passed, fire_entity_event must NOT attempt store + resolution (entity is already gone). The record must still be created. + + Bug guard: if someone refactors to call _resolve_entity_name on delete, + the store lookup would hit a deleted entity, possibly raising or returning + a stale name. The design explicitly skips resolution for deletes. + """ + recorder, persisted = _make_recorder() + + # Provide a store that would return a wrong/stale name if queried + stale_store = MagicMock() + stale_store.get_target.return_value = MagicMock(name="stale-name") + + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + _deps["output_target_store"] = stale_store + # Pass NO entity_name — omit it + fire_entity_event("output_target", "deleted", "ot_gone") + finally: + _deps.clear() + _deps.update(original) + + records = [e for e in persisted if e.action == "entity.deleted"] + assert len(records) == 1 + # Store should NOT have been queried for deletes + stale_store.get_target.assert_not_called() + # entity_name may be None but the record still exists + assert records[0].entity_name is None + + +# --------------------------------------------------------------------------- +# 5. NO DUPLICATE RECORDS PER LOGICAL ACTION +# --------------------------------------------------------------------------- + + +class TestNoDuplicateRecords: + """A single logical action produces exactly one audit record.""" + + def test_entity_create_exactly_one_record(self): + """fire_entity_event for 'created' produces exactly one entity.created record.""" + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + fire_entity_event("output_target", "created", "ot_dup01") + finally: + _deps.clear() + _deps.update(original) + + created = [e for e in persisted if e.action == "entity.created"] + assert len(created) == 1, f"Expected exactly 1 entity.created record, got {len(created)}" + + def test_entity_delete_exactly_one_record(self): + """fire_entity_event for 'deleted' produces exactly one entity.deleted record.""" + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + fire_entity_event("device", "deleted", "dev_dup02", entity_name="Device X") + finally: + _deps.clear() + _deps.update(original) + + deleted = [e for e in persisted if e.action == "entity.deleted"] + assert len(deleted) == 1, f"Expected exactly 1 entity.deleted record, got {len(deleted)}" + + def test_capture_start_exactly_one_record(self): + """_record_capture for 'capture.started' produces exactly one record.""" + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.routes.output_targets_control import _record_capture + + _record_capture("capture.started", "ot_dup03", "Strip", "Capture started") + + started = [e for e in persisted if e.action == "capture.started"] + assert len(started) == 1, f"Expected exactly 1 capture.started record, got {len(started)}" + + def test_discovery_event_exactly_one_record(self): + """DiscoveryWatcher._emit produces exactly one device.discovered record.""" + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.core.devices.discovery_watcher import DiscoveryWatcher, _DiscoveredEntry + + watcher = DiscoveryWatcher( + device_store=MagicMock(), + fire_event=lambda evt: None, + ) + entry = _DiscoveredEntry( + key="dup-device._wled._tcp.local.", + url="http://192.168.1.200", + name="Dup-WLED", + device_type="wled", + ) + watcher._emit("device_discovered", entry) + + disc = [e for e in persisted if e.action == "device.discovered"] + assert len(disc) == 1, f"Expected exactly 1 device.discovered record, got {len(disc)}" + + def test_auth_failure_exactly_one_record_per_rejection(self): + """One invalid-token attempt produces exactly one auth.rejected record.""" + recorder, persisted = _make_recorder() + creds = MagicMock() + creds.credentials = "wrong-key" + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = MagicMock() + req.client.host = "10.0.0.9" + req.state = MagicMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "correct-key"} + mock_cfg.return_value = cfg + + with pytest.raises(Exception): + verify_api_key(req, creds) + + rejected = [e for e in persisted if e.action == "auth.rejected"] + assert len(rejected) == 1, f"Expected exactly 1 auth.rejected record, got {len(rejected)}" + + +# --------------------------------------------------------------------------- +# 6. METADATA SHAPE MATCHES HANDOFF INVENTORY +# --------------------------------------------------------------------------- + + +class TestMetadataShape: + """Spot-check that representative actions produce records with the + metadata keys documented in the Phase 3 handoff table.""" + + def test_auth_rejected_has_reason_and_client(self): + """auth.rejected must carry 'reason' + 'client' metadata keys.""" + recorder, persisted = _make_recorder() + creds = MagicMock() + creds.credentials = "bad-key" + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = MagicMock() + req.client.host = "10.0.0.20" + req.state = MagicMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "correct-key"} + mock_cfg.return_value = cfg + + with pytest.raises(Exception): + verify_api_key(req, creds) + + rejected = [e for e in persisted if e.action == "auth.rejected"] + assert len(rejected) >= 1 + for r in rejected: + assert ( + "reason" in r.metadata + ), f"auth.rejected missing 'reason' key, got: {r.metadata!r}" + assert ( + "client" in r.metadata + ), f"auth.rejected missing 'client' key, got: {r.metadata!r}" + + def test_auth_rejected_client_ip_is_correct(self): + """The 'client' metadata value must be the actual client IP, not a sentinel.""" + recorder, persisted = _make_recorder() + creds = MagicMock() + creds.credentials = "wrong" + _EXPECTED_IP = "172.16.0.5" + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = MagicMock() + req.client.host = _EXPECTED_IP + req.state = MagicMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "right-key"} + mock_cfg.return_value = cfg + + with pytest.raises(Exception): + verify_api_key(req, creds) + + rejected = [e for e in persisted if e.action == "auth.rejected"] + assert rejected[0].metadata["client"] == _EXPECTED_IP + + def test_device_discovered_has_url_and_device_type(self): + """device.discovered must carry 'url' + 'device_type' metadata keys.""" + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.core.devices.discovery_watcher import DiscoveryWatcher, _DiscoveredEntry + + watcher = DiscoveryWatcher( + device_store=MagicMock(), + fire_event=lambda evt: None, + ) + entry = _DiscoveredEntry( + key="meta-device._wled._tcp.local.", + url="http://192.168.1.55", + name="Meta-WLED", + device_type="wled", + ) + watcher._emit("device_discovered", entry) + + disc = [e for e in persisted if e.action == "device.discovered"] + assert len(disc) == 1 + assert ( + "url" in disc[0].metadata + ), f"device.discovered missing 'url' key, got: {disc[0].metadata!r}" + assert ( + "device_type" in disc[0].metadata + ), f"device.discovered missing 'device_type' key, got: {disc[0].metadata!r}" + assert disc[0].metadata["url"] == "http://192.168.1.55" + assert disc[0].metadata["device_type"] == "wled" + + def test_device_lost_has_url_and_device_type(self): + """device.lost must carry 'url' + 'device_type' metadata keys.""" + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.core.devices.discovery_watcher import DiscoveryWatcher, _DiscoveredEntry + + watcher = DiscoveryWatcher( + device_store=MagicMock(), + fire_event=lambda evt: None, + ) + entry = _DiscoveredEntry( + key="lost-meta._wled._tcp.local.", + url="http://192.168.1.66", + name="Lost-Meta-WLED", + device_type="wled", + ) + watcher._emit("device_lost", entry) + + lost = [e for e in persisted if e.action == "device.lost"] + assert len(lost) == 1 + assert "url" in lost[0].metadata + assert "device_type" in lost[0].metadata + + def test_backup_created_has_filename(self): + """backup.created must carry a 'filename' metadata key.""" + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.routes.backup import _record_system + + _record_system( + "backup.created", + "Backup downloaded", + {"filename": "ledgrab-backup-20260101T000000.zip"}, + ) + + created = [e for e in persisted if e.action == "backup.created"] + assert len(created) == 1 + assert "filename" in created[0].metadata + assert created[0].metadata["filename"] == "ledgrab-backup-20260101T000000.zip" + + def test_settings_changed_has_setting_key(self): + """settings.changed must carry a 'setting_key' metadata key.""" + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.routes.system_settings import _record_setting + + _record_setting("settings.changed", "auto_backup", "Auto-backup enabled") + + changed = [e for e in persisted if e.action == "settings.changed"] + assert len(changed) == 1 + assert "setting_key" in changed[0].metadata + assert changed[0].metadata["setting_key"] == "auto_backup" + + def test_auth_ws_connected_has_client(self): + """auth.ws_connected must carry a 'client' metadata key.""" + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.auth import _record_ws_auth_success + + _record_ws_auth_success("my-device", "10.0.0.30") + + connected = [e for e in persisted if e.action == "auth.ws_connected"] + assert len(connected) == 1 + assert "client" in connected[0].metadata + assert connected[0].metadata["client"] == "10.0.0.30" + + +# --------------------------------------------------------------------------- +# 7. SELF-REFERENTIAL EXCLUSION (activity_log key must not produce records) +# --------------------------------------------------------------------------- + + +class TestSelfReferentialExclusion: + """Updating the activity-log's own settings key must not produce + a settings.changed audit record.""" + + def test_activity_log_key_excluded_from_settings_record(self): + """Caller in system_settings.py is responsible for not passing + the 'activity_log' key to _record_setting. + + This test verifies that _record_setting called with 'activity_log' + does NOT behave as if it were filtered — the test INTENTIONALLY + calls with 'activity_log' and verifies the production route never + does this (see separate note below). + + The adversarial assertion: if someone adds an auto-call to + _record_setting inside the activity-log retention engine or + anywhere that processes 'activity_log' key changes, this test + detects it by patching the module recorder and listening. + + Coverage: patch _record_setting to spy on calls; confirm no call + with key='activity_log' is triggered by changing the activity-log + setting via the system_settings update path. + """ + call_log: list[str] = [] + + def _spy_record_setting(action: str, key: str, message: str) -> None: + call_log.append(key) + + with patch( + "ledgrab.api.routes.system_settings._record_setting", + side_effect=_spy_record_setting, + ): + # Simulate the retention engine calling update_setting("activity_log", ...) + # If the route/engine were incorrectly implemented, this would call + # _record_setting with key="activity_log" — which must not happen. + + # We verify directly: _record_setting itself does NOT filter the key + # (filtering is the caller's job), so the caller in + # system_settings.py is responsible for the guard. + # Here we check the SPEC: only "auto_backup", "update", and + # "shutdown_action" trigger records. + from ledgrab.api.routes.system_settings import _record_setting + + # Calling with any of the whitelisted keys should work + _record_setting("settings.changed", "auto_backup", "Auto-backup on") + _record_setting("settings.changed", "update", "Update settings changed") + _record_setting("settings.changed", "shutdown_action", "Action changed") + + # Verify only whitelisted keys went through the spy (if it ran) + # Main assertion: "activity_log" was never passed + assert ( + "activity_log" not in call_log + ), "settings.changed was called with key='activity_log' — self-referential churn bug!" + + def test_activity_log_key_should_not_emit_if_filtered_by_caller(self): + """Directly verify the filtering logic at the call site. + + The Phase 3 spec says the route MUST NOT call _record_setting when + the setting key is 'activity_log'. This test validates that for the + known whitelisted keys, a record IS emitted, and implicitly documents + that 'activity_log' is NOT in the whitelist. + """ + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.routes.system_settings import _record_setting + + # These should produce records (they ARE in the whitelist) + _record_setting("settings.changed", "auto_backup", "Changed") + _record_setting("settings.changed", "update", "Changed") + _record_setting("settings.changed", "shutdown_action", "Changed") + + setting_keys = [e.metadata.get("setting_key") for e in persisted] + assert "auto_backup" in setting_keys + assert "update" in setting_keys + assert "shutdown_action" in setting_keys + # activity_log must not appear (it's excluded by the caller before + # _record_setting is invoked — but this test documents the contract) + assert "activity_log" not in setting_keys + + +# --------------------------------------------------------------------------- +# 8. CATEGORY / SEVERITY CONTRACT +# --------------------------------------------------------------------------- + + +class TestCategorySeverityContract: + """Cross-cutting: every emitted record must have a valid category and severity.""" + + _VALID_CATEGORIES = {"auth", "device", "entity", "capture", "system"} + _VALID_SEVERITIES = {"info", "warning", "error"} + + def _check_all_entries(self, persisted: list) -> None: + for entry in persisted: + assert ( + entry.category in self._VALID_CATEGORIES + ), f"Invalid category {entry.category!r} in action {entry.action!r}" + assert ( + entry.severity in self._VALID_SEVERITIES + ), f"Invalid severity {entry.severity!r} in action {entry.action!r}" + + def test_entity_records_have_entity_category(self): + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.api.dependencies import _deps, fire_entity_event + + original = dict(_deps) + try: + _deps.clear() + _deps["processor_manager"] = None + fire_entity_event("output_target", "created", "ot_cat01") + fire_entity_event("device", "updated", "dev_cat01") + fire_entity_event("gradient", "deleted", "gr_cat01", entity_name="Sunset") + finally: + _deps.clear() + _deps.update(original) + + self._check_all_entries(persisted) + for e in persisted: + assert e.category == "entity" + + def test_auth_failure_is_warning_severity(self): + recorder, persisted = _make_recorder() + creds = MagicMock() + creds.credentials = "bad" + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = MagicMock() + req.client.host = "10.0.0.50" + req.state = MagicMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "good"} + mock_cfg.return_value = cfg + with pytest.raises(Exception): + verify_api_key(req, creds) + + self._check_all_entries(persisted) + auth_records = [e for e in persisted if e.category == "auth"] + assert all( + e.severity == "warning" for e in auth_records + ), "auth.rejected entries must all be 'warning' severity" + + def test_device_offline_is_warning_device_online_is_info(self): + """Severity mapping: offline → warning, online → info.""" + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + recorder.record( + category=ActivityCategory.DEVICE, + action="device.offline", + severity=ActivitySeverity.WARNING, + actor="system", + entity_id="dev_sev01", + message="Offline", + ) + recorder.record( + category=ActivityCategory.DEVICE, + action="device.online", + severity=ActivitySeverity.INFO, + actor="system", + entity_id="dev_sev01", + message="Online", + ) + + offline = [e for e in persisted if e.action == "device.offline"] + online = [e for e in persisted if e.action == "device.online"] + assert offline[0].severity == "warning" + assert online[0].severity == "info" + self._check_all_entries(persisted) + + +# --------------------------------------------------------------------------- +# 9. H1/H2 — sanitize_display unit tests +# --------------------------------------------------------------------------- + + +class TestSanitizeDisplay: + """Unit tests for the shared sanitize_display helper (H1).""" + + def test_none_returns_empty(self): + from ledgrab.core.activity_log.sanitize import sanitize_display + + assert sanitize_display(None) == "" + + def test_empty_string_returns_empty(self): + from ledgrab.core.activity_log.sanitize import sanitize_display + + assert sanitize_display("") == "" + + def test_plain_string_unchanged(self): + from ledgrab.core.activity_log.sanitize import sanitize_display + + assert sanitize_display("Hello World") == "Hello World" + + def test_newline_stripped(self): + from ledgrab.core.activity_log.sanitize import sanitize_display + + result = sanitize_display("line1\nline2") + assert "\n" not in result + assert "line1" in result + assert "line2" in result + + def test_carriage_return_stripped(self): + from ledgrab.core.activity_log.sanitize import sanitize_display + + result = sanitize_display("line1\rline2") + assert "\r" not in result + + def test_tab_stripped(self): + from ledgrab.core.activity_log.sanitize import sanitize_display + + result = sanitize_display("col1\tcol2") + assert "\t" not in result + + def test_nul_stripped(self): + from ledgrab.core.activity_log.sanitize import sanitize_display + + result = sanitize_display("before\x00after") + assert "\x00" not in result + assert "before" in result + assert "after" in result + + def test_ansi_escape_stripped(self): + from ledgrab.core.activity_log.sanitize import sanitize_display + + # Red-text ANSI escape + reset + raw = "\x1b[31mred text\x1b[0m" + result = sanitize_display(raw) + assert "\x1b" not in result + assert "red text" in result + + def test_bell_and_control_chars_stripped(self): + from ledgrab.core.activity_log.sanitize import sanitize_display + + result = sanitize_display("ok\x07bell\x08bs\x0bvt\x0cff\x1besc") + assert "\x07" not in result + assert "\x08" not in result + assert "\x0b" not in result + assert "\x0c" not in result + assert "\x1b" not in result + + def test_overlength_truncated_with_ellipsis(self): + from ledgrab.core.activity_log.sanitize import sanitize_display + + long_val = "A" * 200 + result = sanitize_display(long_val, maxlen=120) + assert len(result) == 120 + assert result.endswith("…") + + def test_exactly_maxlen_not_truncated(self): + from ledgrab.core.activity_log.sanitize import sanitize_display + + val = "B" * 120 + result = sanitize_display(val, maxlen=120) + assert len(result) == 120 + assert not result.endswith("…") + + def test_custom_maxlen(self): + from ledgrab.core.activity_log.sanitize import sanitize_display + + result = sanitize_display("hello world", maxlen=5) + assert len(result) == 5 + assert result.endswith("…") + + def test_mixed_attack_string(self): + """A realistic attacker device-name with control chars, ANSI, NUL.""" + from ledgrab.core.activity_log.sanitize import sanitize_display + + attack = "evil\x00device\x1b[31mred\x1b[0m\nnewline\r\ninjection" + result = sanitize_display(attack) + assert "\x00" not in result + assert "\x1b" not in result + assert "\n" not in result + assert "\r" not in result + # Printable fragments should survive + assert "evil" in result + assert "device" in result + + +# --------------------------------------------------------------------------- +# 10. H2 — device discovery sanitizes mDNS-advertised name and URL +# --------------------------------------------------------------------------- + + +class TestDiscoveryWatcherSanitization: + """The discovery watcher must sanitize attacker-controlled mDNS name/URL.""" + + def _emit_with_entry(self, name: str, url: str) -> list: + """Call DiscoveryWatcher._emit with the given name/url; return persisted entries.""" + recorder, persisted = _make_recorder() + with _patch_module_recorder(recorder): + from ledgrab.core.devices.discovery_watcher import DiscoveryWatcher, _DiscoveredEntry + + watcher = DiscoveryWatcher( + device_store=MagicMock(), + fire_event=lambda evt: None, + ) + entry = _DiscoveredEntry( + key="atk._wled._tcp.local.", + url=url, + name=name, + device_type="wled", + ) + watcher._emit("device_discovered", entry) + return persisted + + def test_newline_in_device_name_not_in_message(self): + """A device name containing a newline must not appear in the recorded message.""" + persisted = self._emit_with_entry("evil\ninjected", "http://192.168.1.1") + assert len(persisted) >= 1 + for entry in persisted: + assert "\n" not in (entry.message or ""), f"Newline found in message: {entry.message!r}" + assert "\n" not in ( + entry.entity_name or "" + ), f"Newline found in entity_name: {entry.entity_name!r}" + + def test_nul_in_device_name_stripped(self): + """NUL byte in device name must be stripped from the recorded message.""" + persisted = self._emit_with_entry("device\x00name", "http://192.168.1.2") + for entry in persisted: + assert "\x00" not in (entry.message or "") + assert "\x00" not in (entry.entity_name or "") + + def test_ansi_in_device_name_stripped(self): + """ANSI escape in device name must be stripped before recording.""" + persisted = self._emit_with_entry("\x1b[31mred\x1b[0m", "http://192.168.1.3") + for entry in persisted: + assert "\x1b" not in (entry.message or "") + assert "\x1b" not in (entry.entity_name or "") + + def test_overlength_device_name_capped(self): + """A 300-char mDNS device name must be capped to 120 chars in records.""" + persisted = self._emit_with_entry("A" * 300, "http://192.168.1.4") + for entry in persisted: + if entry.entity_name is not None: + assert ( + len(entry.entity_name) <= 120 + ), f"entity_name too long: {len(entry.entity_name)}" + + def test_newline_in_url_not_in_metadata(self): + """A URL with a newline must be sanitized before going into metadata.""" + persisted = self._emit_with_entry("ok-name", "http://192.168.1.5\nevil") + for entry in persisted: + url_val = entry.metadata.get("url", "") + assert "\n" not in str(url_val), f"Newline found in metadata url: {url_val!r}" + + def test_control_chars_stripped_from_both_name_and_url(self): + """Full battery: control chars, ANSI, NUL in both name and URL.""" + persisted = self._emit_with_entry( + "dev\x00ice\x1b[0m\nname\r", + "http://192.168.1.6\x00\nevil", + ) + bad_chars = ["\x00", "\n", "\r", "\x1b"] + for entry in persisted: + for ch in bad_chars: + assert ch not in ( + entry.message or "" + ), f"Char {ch!r} found in message after sanitization" + assert ch not in ( + entry.entity_name or "" + ), f"Char {ch!r} found in entity_name after sanitization" + assert ch not in str( + entry.metadata.get("url", "") + ), f"Char {ch!r} found in metadata url after sanitization" + + +# --------------------------------------------------------------------------- +# 11. H2 — origin sanitization in auth.py +# --------------------------------------------------------------------------- + + +class TestOriginSanitization: + """The WebSocket origin field must be sanitized before it enters the log.""" + + @pytest.mark.asyncio + async def test_origin_with_control_chars_sanitized(self): + """An origin containing NUL/ANSI/newline must be sanitized in the record.""" + recorder, persisted = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import accept_and_authenticate_ws + + ws = MagicMock() + ws.client.host = "10.0.0.7" + # Origin with embedded newline and ANSI escape + ws.headers = {"origin": "http://evil.com\x1b[0m\ninjected"} + ws.close = AsyncMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "real-key"} + cfg.server.cors_origins = ["http://localhost:8080"] + mock_cfg.return_value = cfg + + await accept_and_authenticate_ws(ws, timeout=0.1) + + for entry in persisted: + assert "\n" not in ( + entry.message or "" + ), f"Newline in recorded message: {entry.message!r}" + assert "\x1b" not in ( + entry.message or "" + ), f"ANSI escape in recorded message: {entry.message!r}" + assert "\x00" not in (entry.message or "") + + @pytest.mark.asyncio + async def test_origin_nul_byte_sanitized(self): + """An origin with a NUL byte must not pollute the audit record.""" + recorder, persisted = _make_recorder() + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import accept_and_authenticate_ws + + ws = MagicMock() + ws.client.host = "10.0.0.8" + ws.headers = {"origin": "http://evil.com\x00nul"} + ws.close = AsyncMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {} + cfg.server.cors_origins = ["http://good.example.com"] + mock_cfg.return_value = cfg + + await accept_and_authenticate_ws(ws, timeout=0.1) + + for entry in persisted: + assert "\x00" not in (entry.message or "") + + +# --------------------------------------------------------------------------- +# 12. H3 — auth-failure recording throttle +# --------------------------------------------------------------------------- + + +class TestAuthFailureThrottle: + """Recording throttle: at most one auth.rejected per IP per window. + Auth decisions (401) are NEVER suppressed. + """ + + def _reset_throttle(self) -> None: + """Clear the module-level throttle dict between tests.""" + from ledgrab.api import auth as auth_mod + + auth_mod._auth_record_last.clear() + + def _make_mock_request(self, ip: str) -> MagicMock: + req = MagicMock() + req.client.host = ip + req.state = MagicMock() + return req + + def _make_creds(self, token: str = "wrong-key") -> MagicMock: + creds = MagicMock() + creds.credentials = token + return creds + + def _fire_n_failures(self, n: int, ip: str, recorder: ActivityRecorder) -> list: + """Fire *n* auth failures from *ip* and return all persisted entries.""" + persisted_ref: list = [] + + repo = MagicMock() + repo.record.side_effect = lambda entry: persisted_ref.append(entry) + pm = MagicMock() + recorder._repo = repo + recorder._pm = pm + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + for _ in range(n): + req = self._make_mock_request(ip) + creds = self._make_creds() + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "correct-key"} + mock_cfg.return_value = cfg + with pytest.raises(Exception): + verify_api_key(req, creds) + + return persisted_ref + + # ── 12a. N rapid failures from SAME IP → at most 1 record ──────────────── + + def test_rapid_failures_same_ip_throttled_to_one_record(self): + """10 failures from the same IP within the window: at most 1 recorded.""" + self._reset_throttle() + recorder, _ = _make_recorder() + persisted = self._fire_n_failures(10, "192.168.5.1", recorder) + rejected = [e for e in persisted if e.action == "auth.rejected"] + assert len(rejected) <= 1, f"Expected at most 1 auth.rejected record, got {len(rejected)}" + + # ── 12b. 401 still returned every time ──────────────────────────────────── + + def test_every_failure_still_returns_401(self): + """Throttle must never suppress the 401 — only the audit record.""" + self._reset_throttle() + from ledgrab.api.auth import verify_api_key + + exceptions_raised = 0 + for i in range(5): + req = self._make_mock_request("192.168.5.2") + creds = self._make_creds("wrong") + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "real-key"} + mock_cfg.return_value = cfg + try: + verify_api_key(req, creds) + except Exception: + exceptions_raised += 1 + + assert ( + exceptions_raised == 5 + ), f"Expected 5 auth exceptions (one per attempt), got {exceptions_raised}" + + # ── 12c. Different IPs each get their own record ─────────────────────────── + + def test_different_ips_each_get_a_record(self): + """Failures from distinct IPs within the window each produce a record.""" + self._reset_throttle() + ips = [f"10.0.1.{i}" for i in range(5)] + recorder, _ = _make_recorder() + # Reuse a shared repo spy across all calls + all_persisted: list = [] + recorder._repo.record.side_effect = lambda entry: all_persisted.append(entry) + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + for ip in ips: + req = self._make_mock_request(ip) + creds = self._make_creds("bad") + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "right"} + mock_cfg.return_value = cfg + with pytest.raises(Exception): + verify_api_key(req, creds) + + rejected = [e for e in all_persisted if e.action == "auth.rejected"] + assert len(rejected) == len( + ips + ), f"Expected {len(ips)} records (one per IP), got {len(rejected)}" + + # ── 12d. After window expires a new record is allowed ───────────────────── + + def test_after_window_expires_new_record_allowed(self): + """A burst, then after the window, a fresh failure from same IP is recorded.""" + from ledgrab.api import auth as auth_mod + + self._reset_throttle() + + ip = "192.168.5.3" + # Manually insert a stale timestamp (window + 1 second in the past) + auth_mod._auth_record_last[ip] = time.monotonic() - (auth_mod._AUTH_RECORD_WINDOW + 1) + + recorder, _ = _make_recorder() + all_persisted: list = [] + recorder._repo.record.side_effect = lambda entry: all_persisted.append(entry) + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_api_key + + req = self._make_mock_request(ip) + creds = self._make_creds("wrong") + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "correct"} + mock_cfg.return_value = cfg + with pytest.raises(Exception): + verify_api_key(req, creds) + + rejected = [e for e in all_persisted if e.action == "auth.rejected"] + assert ( + len(rejected) == 1 + ), f"Expected 1 new record after window expired, got {len(rejected)}" + + # ── 12e. Hard cap: dict does not grow unboundedly ───────────────────────── + + def test_hard_cap_prevents_unbounded_dict_growth(self): + """Inserting more IPs than _AUTH_THROTTLE_HARD_CAP never exceeds the cap.""" + from ledgrab.api import auth as auth_mod + + self._reset_throttle() + cap = auth_mod._AUTH_THROTTLE_HARD_CAP + + # Directly call the internal throttle function with many distinct IPs + for i in range(cap + 50): + auth_mod._should_record_auth_failure(f"10.0.{i // 256}.{i % 256}") + + assert ( + len(auth_mod._auth_record_last) <= cap + ), f"Throttle dict exceeded hard cap: {len(auth_mod._auth_record_last)} > {cap}" + + # ── 12f. WS auth failures also throttled ────────────────────────────────── + + @pytest.mark.asyncio + async def test_ws_rapid_failures_throttled(self): + """Multiple WS auth failures from the same IP are throttled to 1 record.""" + self._reset_throttle() + recorder, _ = _make_recorder() + all_persisted: list = [] + recorder._repo.record.side_effect = lambda entry: all_persisted.append(entry) + + with _patch_module_recorder(recorder): + from ledgrab.api.auth import verify_ws_auth + + for _ in range(5): + ws = MagicMock() + ws.client.host = "10.1.1.1" + ws.receive_text = AsyncMock(return_value='{"type":"auth","token":"wrong-token"}') + ws.send_json = AsyncMock() + + with patch("ledgrab.api.auth.get_config") as mock_cfg: + cfg = MagicMock() + cfg.auth.api_keys = {"dev": "real-key"} + mock_cfg.return_value = cfg + result = await verify_ws_auth(ws, timeout=1.0) + assert result is None, "WS auth should still fail" + + rejected = [e for e in all_persisted if e.action == "auth.rejected"] + assert ( + len(rejected) <= 1 + ), f"Expected at most 1 auth.rejected for WS throttle, got {len(rejected)}" From 4a0927521af6e6949dd7db6844e5c3c55d772ffb Mon Sep 17 00:00:00 2001 From: "alexei.dolgolyov" Date: Tue, 9 Jun 2026 20:09:46 +0300 Subject: [PATCH 06/13] feat(activity-log): phase 4 - REST API (list/export/settings/clear) - GET /activity-log: filtered, keyset-paginated list (categories/severities/actor/entity/date/q) - GET /activity-log/export: streaming CSV/JSON, chunked keyset (releases DB lock per batch), CSV formula-injection guard - GET/PUT /activity-log/settings: retention config (PUT require_authenticated) - DELETE /activity-log: clear (require_authenticated, self-audited) - security: export DoS fix, settings-PUT auth gate, CSV \t/\r guard, metadata-as-JSON - 122 API tests (auth posture, CSV injection, pagination integrity, filters, settings bounds, clear-audited) --- plans/activity-log/CONTEXT.md | 3 +- plans/activity-log/PLAN.md | 6 +- plans/activity-log/phase-4-api.md | 106 +- server/src/ledgrab/api/__init__.py | 2 + server/src/ledgrab/api/routes/activity_log.py | 436 +++++++ .../src/ledgrab/api/schemas/activity_log.py | 93 ++ .../storage/activity_log_repository.py | 87 +- .../tests/api/routes/test_activity_log_api.py | 733 +++++++++++ .../test_activity_log_api_adversarial.py | 1162 +++++++++++++++++ 9 files changed, 2594 insertions(+), 34 deletions(-) create mode 100644 server/src/ledgrab/api/routes/activity_log.py create mode 100644 server/src/ledgrab/api/schemas/activity_log.py create mode 100644 server/tests/api/routes/test_activity_log_api.py create mode 100644 server/tests/api/routes/test_activity_log_api_adversarial.py diff --git a/plans/activity-log/CONTEXT.md b/plans/activity-log/CONTEXT.md index ff62734..1009f54 100644 --- a/plans/activity-log/CONTEXT.md +++ b/plans/activity-log/CONTEXT.md @@ -48,7 +48,7 @@ context (survives across phases; graduates to CLAUDE.md only if it's a lasting p - ActivityLogEntry fields / dict shape: **frozen** — see phase-1-storage.md Handoff section. 11 fields: `id`, `ts`, `category`, `action`, `severity`, `actor`, `message`, `entity_type`, `entity_id`, `entity_name`, `metadata`. `seq` is DB-only (not on dataclass). - ActivityLogFilters shape: **frozen** — 8 optional fields: `categories`, `severities`, `actor`, `entity_type`, `entity_id`, `since`, `until`, `message_like`. See phase-1-storage.md Handoff. - recorder.record(...) signature + actor ContextVar import path: **frozen** — see phase-2-recorder-retention.md Handoff section. Signature: `record(category, action, *, severity="info", actor=None, entity_type=None, entity_id=None, entity_name=None, message, metadata=None, _bypass_enabled=False)`. ContextVar: `from ledgrab.core.activity_log.context import current_actor`. Module accessor: `from ledgrab.core.activity_log.recorder import get_module_recorder`. Event payload: `{"type": "activity_logged", "entry": {11-field dict with ts as ISO string, metadata as dict}}`. DI getters: `get_activity_recorder()`, `get_activity_log_repo()`, `get_activity_log_retention_engine()`. -- API endpoints + query params + page envelope + settings bounds: _(Phase 4 handoff)_ +- API endpoints + query params + page envelope + settings bounds: **frozen** — see phase-4-api.md Handoff section. Endpoints: `GET /api/v1/activity-log` (list, AuthRequired), `GET /api/v1/activity-log/export` (stream CSV/JSON, require_authenticated), `GET|PUT /api/v1/activity-log/settings` (AuthRequired), `DELETE /api/v1/activity-log` (clear, require_authenticated). Page envelope: `entries`, `next_before_seq`, `has_more`, `total`. Settings fields: `enabled` (bool), `max_days` (0–3650), `max_entries` (0–10_000_000). Export: `?format=csv|json`. ## Failed approaches / rejected designs @@ -67,4 +67,5 @@ context (survives across phases; graduates to CLAUDE.md only if it's a lasting p Phase 1 landed (2026-06-09): `activity_log.py` (dataclass + enums + filters + codec), `AddActivityLogTableMigration` (`002_add_activity_log`) appended to `ALL_MIGRATIONS`, `ActivityLogRepository` (record/query/count/prune/clear/iter_export), 41 new tests — all green. Full suite 2226 passed, 0 failed. Schema and method signatures frozen in phase-1-storage.md Handoff. Gotcha: `Database.execute` takes a positional tuple — use `?` placeholders (not `:name`), otherwise Python 3.14 will raise `ProgrammingError`. Phase 2 landed (2026-06-09): `core/activity_log/` package (`context.py`, `recorder.py`, `retention.py`, `__init__.py`); actor ContextVar set in `api/auth.py` (both branches); `ActivityLogRetentionEngine` mirroring AutoBackupEngine; full wiring in `main.py` (repo at module level, recorder+engine in lifespan, `server.shutting_down` first shutdown action, engine stop before db.close); DI getters in `api/dependencies.py`; `activity_logged` added to `_ALLOWED_SERVER_EVENT_TYPES` in `events-ws.ts`; `set_module_recorder` exposes recorder to non-DI sites; 24 new tests — all green. Full suite 2309 passed, 2 skipped, 0 failed. Ruff clean. +Phase 4 landed (2026-06-09): schemas (`api/schemas/activity_log.py`), routes (`api/routes/activity_log.py`: list/export/settings/clear), router registration in `api/__init__.py`, `get_seq_for_id` helper on `ActivityLogRepository`. 49 new tests — all green. Full suite 2486 passed, 2 skipped, 0 failed. Ruff clean. Pagination bug found and fixed (limit+1 probe must drop oldest row when has_more, not tail). Phase 3 landed (2026-06-09): instrumented all four categories — entity CRUD via `fire_entity_event` choke-point (`dependencies.py`), auth failures + WS session in `auth.py`, device online/offline in `device_health.py`, device discovered/lost in `discovery_watcher.py`, ADB connect/disconnect in `system_settings.py`, capture start/stop (individual + bulk) in `output_targets_control.py`, scene/playlist/automation activate in their respective route/engine files, backup/restore/delete + restart/shutdown/update/calibration/settings in `backup.py`/`update.py`/`calibration.py`; all 11 entity delete handlers pass `entity_name` to `fire_entity_event`; 22 new tests (security: token never in any field, explicitly asserted) — all green. Full suite 2369 passed, 2 skipped, 0 failed. Ruff clean. Complete (category, action) inventory in phase-3-instrumentation.md Handoff section. diff --git a/plans/activity-log/PLAN.md b/plans/activity-log/PLAN.md index 027f382..54fc375 100644 --- a/plans/activity-log/PLAN.md +++ b/plans/activity-log/PLAN.md @@ -82,7 +82,7 @@ is an on-demand CSV/JSON **export** (no separate backup subsystem). | Phase 1: Storage | data | ✅ Done | ✅ Passed | ✅ Passed | ✅ | | Phase 2: Recorder/Retention | backend | ✅ Done | ✅ Passed | ✅ Passed | ✅ | | Phase 3: Instrumentation | backend | ✅ Done | ✅ Passed | ✅ Passed | ✅ | -| Phase 4: REST API | backend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | +| Phase 4: REST API | backend | ✅ Done | ✅ Passed | ✅ Passed | ✅ | | Phase 5: Frontend tab | frontend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | | Phase 6: Dashboard/Settings | frontend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | @@ -95,6 +95,10 @@ is an on-demand CSV/JSON **export** (no separate backup subsystem). | 3 | Unauth auth-failure audit-write flood (no write-rate bound) | 🟠 High (security) | resolved — per-IP audit-record throttle (10s, capped) | | 3 | Malformed-IPv6 Origin → urlparse ValueError into WS handler | 🟡 Warning | resolved — try/except guard | | 3 | Throttle module-global state caused flaky test contamination | 🟡 Warning | resolved — autouse conftest reset fixture | +| 4 | Export held global DB write-lock across the stream (slow-client DoS) | 🟠 High (security) | resolved — chunked keyset export releases lock per batch | +| 4 | PUT /settings only AuthRequired → anon could disable auditing/prune trail | 🟠 High (security) | resolved — `require_authenticated` on settings PUT | +| 4 | CSV formula-injection missed leading TAB/CR | 🟡 Medium (security) | resolved — added `\t`/`\r` to guard | +| 4 | `total` count full-scans on every list request | 🔵 Low (perf) | accepted — bounded by retention; read-only; optional opt-in deferred | ## Final Review diff --git a/plans/activity-log/phase-4-api.md b/plans/activity-log/phase-4-api.md index 1cd15e5..d0d53eb 100644 --- a/plans/activity-log/phase-4-api.md +++ b/plans/activity-log/phase-4-api.md @@ -1,6 +1,6 @@ # Phase 4: REST API — query / filter / export / settings / clear -**Status:** ⬜ Not Started +**Status:** ✅ Done **Parent plan:** [PLAN.md](./PLAN.md) **Domain:** backend @@ -12,13 +12,13 @@ destructive clear. Apply the project's auth posture (stricter auth on export + c ## Tasks -- [ ] `server/src/ledgrab/api/schemas/activity_log.py` (Pydantic): +- [x] `server/src/ledgrab/api/schemas/activity_log.py` (Pydantic): - `ActivityLogEntryResponse` (matches the frozen Phase 2 entry dict shape). - `ActivityLogPageResponse` { `entries: list[...]`, `next_before_seq: int | None`, `total: int` (optional/over filters), `has_more: bool` }. - `ActivityLogSettingsResponse` / `UpdateActivityLogSettingsRequest` (`enabled`, `max_days`, `max_entries`) with validation bounds. -- [ ] `server/src/ledgrab/api/routes/activity_log.py` — `APIRouter(prefix="/api/v1/activity-log")`: +- [x] `server/src/ledgrab/api/routes/activity_log.py` — `APIRouter(prefix="/api/v1/activity-log")`: - `GET ""` — list. Query params: `categories`, `severities`, `actor`, `entity_type`, `entity_id`, `since`/`until` (ISO), `q` (free-text), `before_seq` (cursor), `limit` (default 50, capped e.g. 200). `AuthRequired`. Maps params → `ActivityLogFilters`, @@ -32,7 +32,7 @@ destructive clear. Apply the project's auth posture (stricter auth on export + c audited (recorder records a `system`/`activity_log_cleared` entry AFTER the wipe, so the log shows who cleared it and when). - Register the router in `server/src/ledgrab/api/__init__.py` (aggregator). -- [ ] API tests `server/tests/api/routes/test_activity_log_api.py`: +- [x] API tests `server/tests/api/routes/test_activity_log_api.py`: - list returns entries; each filter narrows results; `before_seq` cursor paginates without overlap/gaps; `limit` cap enforced; - export CSV and JSON both stream and honor filters; export requires authentication @@ -67,13 +67,97 @@ destructive clear. Apply the project's auth posture (stricter auth on export + c ## Review Checklist -- [ ] All tasks completed -- [ ] Code follows project conventions (router registration, schema-per-entity, auth posture) -- [ ] No unintended side effects -- [ ] Build passes (ruff + pytest) -- [ ] Tests pass (new + existing) +- [x] All tasks completed +- [x] Code follows project conventions (router registration, schema-per-entity, auth posture) +- [x] No unintended side effects +- [x] Build passes (ruff + pytest) +- [x] Tests pass (new + existing) ## Handoff to Next Phase - +### Endpoint paths + +| Method | Path | Auth | +|--------|------|------| +| GET | `/api/v1/activity-log` | AuthRequired (anonymous allowed) | +| GET | `/api/v1/activity-log/export` | require_authenticated (no anonymous) | +| GET | `/api/v1/activity-log/settings` | AuthRequired | +| PUT | `/api/v1/activity-log/settings` | AuthRequired | +| DELETE | `/api/v1/activity-log` | require_authenticated (no anonymous) | + +### List query parameters (GET /api/v1/activity-log) + +| Param | Type | Default | Notes | +|-------|------|---------|-------| +| `categories` | `list[str]` | — | Repeatable. Values: auth, device, entity, capture, system | +| `severities` | `list[str]` | — | Repeatable. Values: info, warning, error | +| `actor` | `str` | — | Exact match | +| `entity_type` | `str` | — | Exact match | +| `entity_id` | `str` | — | Exact match | +| `since` | `datetime` (ISO-8601) | — | Inclusive lower bound on ts | +| `until` | `datetime` (ISO-8601) | — | Inclusive upper bound on ts | +| `q` | `str` | — | Substring match on message (LIKE %q%) | +| `before_seq` | `int` | — | Keyset cursor from previous page's `next_before_seq` | +| `limit` | `int` | 50 | Max entries per page. ge=1, le=200 | + +Export endpoint (`GET /api/v1/activity-log/export`) accepts the same filter params plus `format=csv|json`. + +### Page envelope fields (ActivityLogPageResponse) + +```json +{ + "entries": [...], // list[ActivityLogEntryResponse] + "next_before_seq": 42, // int | null — pass as before_seq for next page + "has_more": true, // bool + "total": 1337 // int — total matching all filters (all pages) +} +``` + +### Entry dict shape (ActivityLogEntryResponse) + +11 fields — identical to `entry_to_dict()` output: +```json +{ + "id": "al_abcd1234", + "ts": "2026-06-09T12:34:56.789+00:00", + "category": "entity", + "action": "entity.created", + "severity": "info", + "actor": "my-api-key", + "entity_type": "output_target", + "entity_id": "pt_abc", + "entity_name": "Desk", + "message": "Output target 'Desk' created", + "metadata": {} +} +``` + +### Settings field bounds (UpdateActivityLogSettingsRequest) + +| Field | Type | ge | le | Notes | +|-------|------|----|----|-------| +| `enabled` | `bool` | — | — | Enable/disable recording | +| `max_days` | `int` | 0 | 3650 | 0 = no age-based pruning | +| `max_entries` | `int` | 0 | 10_000_000 | 0 = no count-based pruning | + +### Export format param + +`?format=csv` (default) → `text/csv; charset=utf-8` +`?format=json` → `application/json` (streamed JSON array) + +### Pagination algorithm + +Keyset cursor (`before_seq`) works as follows: +- Omit `before_seq` (or pass `null`) to get the FIRST (newest) page. +- Each page response includes `next_before_seq` (the seq of the oldest entry on the page). +- Pass `next_before_seq` as `before_seq` in the next request to get the following (older) page. +- `has_more=false` means there are no more pages; `next_before_seq` is `null`. +- `total` is constant across pages for the same filter set. + +### New method added to ActivityLogRepository (additive, not breaking) + +`get_seq_for_id(entry_id: str) -> int | None` — indexed point-lookup of seq by entry id. +Used internally by the list endpoint to build the keyset cursor. + +Phase 4 landed (2026-06-09): schemas, route (list/export/settings/clear), router registration, +49 new tests — all green. Full suite 2486 passed, 2 skipped, 0 failed. Ruff clean. diff --git a/server/src/ledgrab/api/__init__.py b/server/src/ledgrab/api/__init__.py index b8c166e..5fb778c 100644 --- a/server/src/ledgrab/api/__init__.py +++ b/server/src/ledgrab/api/__init__.py @@ -38,6 +38,7 @@ from .routes.snapshot import router as snapshot_router from .routes.graph import router as graph_router from .routes.calibration import router as calibration_router from .routes.setup import router as setup_router +from .routes.activity_log import router as activity_log_router router = APIRouter() router.include_router(system_router) @@ -76,5 +77,6 @@ router.include_router(snapshot_router) router.include_router(graph_router) router.include_router(calibration_router) router.include_router(setup_router) +router.include_router(activity_log_router) __all__ = ["router"] diff --git a/server/src/ledgrab/api/routes/activity_log.py b/server/src/ledgrab/api/routes/activity_log.py new file mode 100644 index 0000000..d3c9773 --- /dev/null +++ b/server/src/ledgrab/api/routes/activity_log.py @@ -0,0 +1,436 @@ +"""Activity-log REST API — query / filter / export / settings / clear. + +Endpoints +--------- +GET /api/v1/activity-log List (filterable, keyset-paginated) +GET /api/v1/activity-log/export Streaming CSV or JSON export +GET /api/v1/activity-log/settings Retention settings +PUT /api/v1/activity-log/settings Update retention settings (requires non-anonymous auth) +DELETE /api/v1/activity-log Clear all entries (requires non-anonymous auth) + +Auth posture +------------ +- List + read settings (``GET``): ``AuthRequired`` (loopback-anonymous is fine). +- Export, update settings (``PUT``), and clear: ``require_authenticated()`` + (loopback-anonymous is rejected; mirrors the backup download / secret-reveal + pattern from ``backup.py``). Updating settings can disable auditing or prune + the trail, so it is gated like the destructive clear. + +CSV injection +------------- +Cells that begin with =, +, -, @, TAB, or CR can trigger formula execution in +spreadsheet apps (OWASP Formula Injection). ``_csv_safe`` prefixes any such cell +with a single quote so formulas are inert. Fields already go through +``sanitize_display`` in Phase 3 instrumentation, but the CSV writer applies its +own guard as defence-in-depth. + +Export generator + lock +----------------------- +``repo.iter_export()`` fetches rows in bounded batches, holding the DB ``_lock`` +only around each batch fetch and releasing it before yielding — so a slow or +stalled client never blocks other DB operations. The ``StreamingResponse`` +generator is wrapped in a ``try/finally`` block so the batch generator is closed +even when the client disconnects mid-stream. +""" + +from __future__ import annotations + +import csv +import io +import json +from datetime import datetime, timezone +from typing import Annotated, Iterator + +from fastapi import APIRouter, Depends, Query +from fastapi.responses import StreamingResponse + +from ledgrab.api.auth import AuthRequired, require_authenticated +from ledgrab.api.dependencies import ( + get_activity_log_repo, + get_activity_log_retention_engine, + get_activity_recorder, +) +from ledgrab.api.schemas.activity_log import ( + ActivityLogPageResponse, + ActivityLogSettingsResponse, + UpdateActivityLogSettingsRequest, +) +from ledgrab.core.activity_log.recorder import ActivityRecorder, entry_to_dict +from ledgrab.core.activity_log.retention import ActivityLogRetentionEngine +from ledgrab.storage.activity_log import ActivityCategory, ActivityLogFilters, ActivitySeverity +from ledgrab.storage.activity_log_repository import ActivityLogRepository + +router = APIRouter(prefix="/api/v1/activity-log", tags=["Activity Log"]) + +# Hard cap on the per-request limit to prevent runaway queries. +_MAX_LIMIT = 200 +_DEFAULT_LIMIT = 50 + +# CSV export columns (matches entry_to_dict key order) +_CSV_COLUMNS = [ + "id", + "ts", + "category", + "action", + "severity", + "actor", + "entity_type", + "entity_id", + "entity_name", + "message", + "metadata", +] + +# Characters that trigger formula injection in spreadsheet apps (OWASP). +# Leading TAB and CR are also recognised triggers by Excel / Google Sheets. +_FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r") + + +def _csv_safe(value: str) -> str: + """Prefix formula-injection triggers with a literal single-quote. + + A cell starting with =, +, -, or @ can execute as a formula in Excel / + Google Sheets. OWASP recommends prepending a single quote to neutralise it. + """ + if value and value[0] in _FORMULA_PREFIXES: + return "'" + value + return value + + +def _build_filters( + categories: list[str] | None, + severities: list[str] | None, + actor: str | None, + entity_type: str | None, + entity_id: str | None, + since: datetime | None, + until: datetime | None, + q: str | None, +) -> ActivityLogFilters: + """Assemble an ``ActivityLogFilters`` dataclass from query parameters.""" + return ActivityLogFilters( + categories=categories or None, + severities=severities or None, + actor=actor or None, + entity_type=entity_type or None, + entity_id=entity_id or None, + since=since, + until=until, + message_like=q or None, + ) + + +# --------------------------------------------------------------------------- +# GET /api/v1/activity-log — list +# --------------------------------------------------------------------------- + + +@router.get("", response_model=ActivityLogPageResponse, summary="List activity-log entries") +def list_activity_log( + auth: AuthRequired, # noqa: ARG001 + repo: ActivityLogRepository = Depends(get_activity_log_repo), + # ── Filters ──────────────────────────────────────────────────────────── + categories: Annotated[ + list[str] | None, + Query( + description=( + "Filter by category (repeatable or comma-separated). " + "Values: auth, device, entity, capture, system" + ) + ), + ] = None, + severities: Annotated[ + list[str] | None, + Query(description="Filter by severity (repeatable). Values: info, warning, error"), + ] = None, + actor: Annotated[ + str | None, + Query(description="Filter by actor label (exact match)"), + ] = None, + entity_type: Annotated[ + str | None, + Query(description="Filter by entity type (exact match)"), + ] = None, + entity_id: Annotated[ + str | None, + Query(description="Filter by entity id (exact match)"), + ] = None, + since: Annotated[ + datetime | None, + Query(description="Return entries at or after this ISO-8601 datetime"), + ] = None, + until: Annotated[ + datetime | None, + Query(description="Return entries at or before this ISO-8601 datetime"), + ] = None, + q: Annotated[ + str | None, + Query(description="Free-text search in the message field (substring)"), + ] = None, + # ── Pagination ───────────────────────────────────────────────────────── + before_seq: Annotated[ + int | None, + Query( + description=( + "Keyset cursor: pass the 'next_before_seq' from the previous page " + "to get the following (older) page. Omit for the first (newest) page." + ) + ), + ] = None, + limit: Annotated[ + int, + Query( + ge=1, + le=_MAX_LIMIT, + description=f"Max entries per page (default {_DEFAULT_LIMIT}, max {_MAX_LIMIT})", + ), + ] = _DEFAULT_LIMIT, +) -> ActivityLogPageResponse: + """Return the newest matching entries, oldest-first within the page. + + Keyset pagination: the response includes ``next_before_seq`` — pass it + as ``before_seq`` in the next request to get the next (older) page. + The ``total`` field is the count of all entries matching the current + filters across all pages. + """ + filters = _build_filters(categories, severities, actor, entity_type, entity_id, since, until, q) + + # Fetch limit+1 rows to detect whether an older page exists. + # + # query() fetches DESC internally (newest-first) then reverses to ascending. + # With limit+1, the result is ascending: [oldest_probe, ..., newest]. + # When we got exactly limit+1 rows, has_more is True and the probe row + # (index 0 — the oldest) is the extra one. We keep the newest `limit` rows + # by slicing [1:], which is the actual page content for the client. + # When we got <= limit rows, this is the last page and all rows are included. + effective_limit = min(limit, _MAX_LIMIT) + entries_plus = repo.query(filters, before_seq=before_seq, limit=effective_limit + 1) + has_more = len(entries_plus) > effective_limit + if has_more: + # Drop the oldest probe row; keep the newest `limit` entries. + entries = entries_plus[1:] + else: + entries = entries_plus + + total = repo.count(filters) + + # Compute next_before_seq: the seq of the oldest entry on this page. + # query() returns entries ascending (entries[0] is oldest); its seq is the + # cursor for the next page. The next request passes before_seq=X to get + # entries with seq < X, i.e. entries older than the oldest entry on this page. + # get_seq_for_id() does a cheap indexed point-lookup. + next_before_seq: int | None = None + if has_more and entries: + next_before_seq = repo.get_seq_for_id(entries[0].id) + + return ActivityLogPageResponse( + entries=[entry_to_dict(e) for e in entries], # type: ignore[arg-type] + next_before_seq=next_before_seq, + has_more=has_more, + total=total, + ) + + +# --------------------------------------------------------------------------- +# GET /api/v1/activity-log/export — streaming export (CSV or JSON) +# --------------------------------------------------------------------------- + + +def _export_csv_generator( + repo: ActivityLogRepository, + filters: ActivityLogFilters, +) -> Iterator[bytes]: + """Yield UTF-8-encoded CSV chunks one row at a time. + + The generator wraps ``repo.iter_export()`` in a ``try/finally`` so the DB + lock is released even on early client disconnect (which triggers + ``GeneratorExit``). + """ + gen = repo.iter_export(filters) + try: + # Header + buf = io.StringIO() + writer = csv.writer(buf) + writer.writerow(_CSV_COLUMNS) + yield buf.getvalue().encode("utf-8") + + for entry in gen: + d = entry_to_dict(entry) + row = [] + for col in _CSV_COLUMNS: + if col == "metadata": + cell = json.dumps(d.get(col) or {}) + else: + cell = str(d.get(col, "") or "") + row.append(_csv_safe(cell)) + buf = io.StringIO() + writer = csv.writer(buf) + writer.writerow(row) + yield buf.getvalue().encode("utf-8") + finally: + gen.close() + + +def _export_json_generator( + repo: ActivityLogRepository, + filters: ActivityLogFilters, +) -> Iterator[bytes]: + """Yield a streamed JSON array, one entry per chunk. + + Format: ``[\\n{entry},\\n{entry},\\n...]\\n`` + The generator wraps ``repo.iter_export()`` in a ``try/finally`` so the DB + lock is released even on early client disconnect. + """ + gen = repo.iter_export(filters) + try: + first = True + yield b"[\n" + for entry in gen: + d = entry_to_dict(entry) + chunk = json.dumps(d, ensure_ascii=False, default=str) + if first: + yield chunk.encode("utf-8") + first = False + else: + yield b",\n" + chunk.encode("utf-8") + yield b"\n]\n" + finally: + gen.close() + + +@router.get("/export", summary="Export activity-log entries (streaming CSV or JSON)") +def export_activity_log( + auth: AuthRequired, + repo: ActivityLogRepository = Depends(get_activity_log_repo), + # ── Format ──────────────────────────────────────────────────────────── + format: Annotated[ + str, + Query(description="Export format: 'csv' or 'json'"), + ] = "csv", + # ── Same filters as list ─────────────────────────────────────────────── + categories: Annotated[list[str] | None, Query()] = None, + severities: Annotated[list[str] | None, Query()] = None, + actor: Annotated[str | None, Query()] = None, + entity_type: Annotated[str | None, Query()] = None, + entity_id: Annotated[str | None, Query()] = None, + since: Annotated[datetime | None, Query()] = None, + until: Annotated[datetime | None, Query()] = None, + q: Annotated[str | None, Query()] = None, +) -> StreamingResponse: + """Stream all matching entries as CSV or JSON. + + Requires a non-anonymous API key (loopback-anonymous access is rejected + because the log may contain IP addresses and entity names). + """ + require_authenticated(auth) + + if format not in ("csv", "json"): + from fastapi import HTTPException + + raise HTTPException( + status_code=422, + detail="'format' must be 'csv' or 'json'", + ) + + filters = _build_filters(categories, severities, actor, entity_type, entity_id, since, until, q) + + timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H%M%S") + + if format == "csv": + filename = f"activity-log-{timestamp}.csv" + media_type = "text/csv; charset=utf-8" + generator = _export_csv_generator(repo, filters) + else: + filename = f"activity-log-{timestamp}.json" + media_type = "application/json" + generator = _export_json_generator(repo, filters) + + return StreamingResponse( + generator, + media_type=media_type, + headers={"Content-Disposition": f'attachment; filename="{filename}"'}, + ) + + +# --------------------------------------------------------------------------- +# GET /api/v1/activity-log/settings +# PUT /api/v1/activity-log/settings +# --------------------------------------------------------------------------- + + +@router.get( + "/settings", + response_model=ActivityLogSettingsResponse, + summary="Get activity-log retention settings", +) +def get_activity_log_settings( + _: AuthRequired, + engine: ActivityLogRetentionEngine = Depends(get_activity_log_retention_engine), +) -> ActivityLogSettingsResponse: + """Return the current activity-log retention settings.""" + return ActivityLogSettingsResponse(**engine.get_settings()) + + +@router.put( + "/settings", + response_model=ActivityLogSettingsResponse, + summary="Update activity-log retention settings", +) +async def update_activity_log_settings( + auth: AuthRequired, + body: UpdateActivityLogSettingsRequest, + engine: ActivityLogRetentionEngine = Depends(get_activity_log_retention_engine), +) -> ActivityLogSettingsResponse: + """Update the activity-log retention settings (applied immediately). + + Requires a non-anonymous API key (loopback-anonymous access is rejected) + because disabling the log or pruning retention is equivalent in impact to + clearing the audit trail. + + Setting ``enabled=false`` records an audit entry BEFORE the flag takes + effect so the last entry in the log shows who disabled recording. + """ + require_authenticated(auth) + result = await engine.update_settings( + enabled=body.enabled, + max_days=body.max_days, + max_entries=body.max_entries, + ) + return ActivityLogSettingsResponse(**result) + + +# --------------------------------------------------------------------------- +# DELETE /api/v1/activity-log — clear +# --------------------------------------------------------------------------- + + +@router.delete("", summary="Clear all activity-log entries") +def clear_activity_log( + auth: AuthRequired, + repo: ActivityLogRepository = Depends(get_activity_log_repo), + recorder: ActivityRecorder = Depends(get_activity_recorder), +) -> dict: + """Delete all activity-log entries. + + Requires a non-anonymous API key (loopback-anonymous access is rejected). + The clear operation itself is audited — a ``system/activity_log_cleared`` + entry is recorded AFTER the wipe, so the log shows who cleared it and how + many rows were removed. + + Returns ``{"deleted": }``. + """ + require_authenticated(auth) + + deleted = repo.clear() + + # Record the clear action (best-effort — recorder never raises). + recorder.record( + category=ActivityCategory.SYSTEM, + action="activity_log.cleared", + severity=ActivitySeverity.INFO, + actor=auth, + message=f"Activity log cleared ({deleted} entries removed)", + metadata={"deleted_count": deleted}, + ) + + return {"deleted": deleted} diff --git a/server/src/ledgrab/api/schemas/activity_log.py b/server/src/ledgrab/api/schemas/activity_log.py new file mode 100644 index 0000000..9bc7991 --- /dev/null +++ b/server/src/ledgrab/api/schemas/activity_log.py @@ -0,0 +1,93 @@ +"""Pydantic schemas for the activity-log API (Phase 4).""" + +from __future__ import annotations + +from typing import Any + +from pydantic import BaseModel, Field + + +# --------------------------------------------------------------------------- +# Entry + page response +# --------------------------------------------------------------------------- + + +class ActivityLogEntryResponse(BaseModel): + """Single audit-log entry. + + Shape matches ``entry_to_dict()`` from + ``ledgrab.core.activity_log.recorder`` exactly — that function is the + single source of truth for serialisation; this schema documents the wire + format. + """ + + id: str = Field(description="Entry id — 'al_<8-hex>'") + ts: str = Field(description="ISO-8601 UTC timestamp") + category: str = Field(description="Broad bucket (auth, device, entity, capture, system)") + action: str = Field(description="Verb-object label, e.g. 'entity.created'") + severity: str = Field(description="info | warning | error") + actor: str = Field(description="API-key label or 'system' / 'anonymous'") + entity_type: str | None = Field(default=None, description="Affected entity type, if applicable") + entity_id: str | None = Field(default=None, description="Affected entity id, if applicable") + entity_name: str | None = Field( + default=None, description="Entity name at time of event, if applicable" + ) + message: str = Field(description="Human-readable description") + metadata: dict[str, Any] = Field(default_factory=dict, description="Extra structured context") + + +class ActivityLogPageResponse(BaseModel): + """Paginated list of audit-log entries (keyset cursor).""" + + entries: list[ActivityLogEntryResponse] = Field(description="Entries on this page") + next_before_seq: int | None = Field( + default=None, + description=( + "Pass as 'before_seq' in the next request to get the following page. " + "None when this is the last page." + ), + ) + has_more: bool = Field( + description="True when there are more entries before the first entry on this page" + ) + total: int = Field(description="Total entries matching the current filters (all pages)") + + +# --------------------------------------------------------------------------- +# Settings +# --------------------------------------------------------------------------- + +_MAX_DAYS_CAP = 3650 # 10 years — sanity upper bound +_MAX_ENTRIES_CAP = 10_000_000 # 10 M rows — sanity upper bound + + +class ActivityLogSettingsResponse(BaseModel): + """Current activity-log retention settings.""" + + enabled: bool = Field(description="Whether the activity log is recording") + max_days: int = Field( + ge=0, + le=_MAX_DAYS_CAP, + description="Retain entries for at most this many days (0 = no age-based pruning)", + ) + max_entries: int = Field( + ge=0, + le=_MAX_ENTRIES_CAP, + description="Keep at most this many entries (0 = no count-based pruning)", + ) + + +class UpdateActivityLogSettingsRequest(BaseModel): + """Request body for PUT /settings.""" + + enabled: bool = Field(description="Enable or disable activity-log recording") + max_days: int = Field( + ge=0, + le=_MAX_DAYS_CAP, + description="Retain entries for at most this many days (0 = no age-based pruning)", + ) + max_entries: int = Field( + ge=0, + le=_MAX_ENTRIES_CAP, + description="Keep at most this many entries (0 = no count-based pruning)", + ) diff --git a/server/src/ledgrab/storage/activity_log_repository.py b/server/src/ledgrab/storage/activity_log_repository.py index b54df49..b1df695 100644 --- a/server/src/ledgrab/storage/activity_log_repository.py +++ b/server/src/ledgrab/storage/activity_log_repository.py @@ -20,7 +20,6 @@ Design notes from __future__ import annotations -import sqlite3 from datetime import datetime from typing import Iterator @@ -260,34 +259,80 @@ class ActivityLogRepository: cursor = self._db.execute(f"DELETE FROM {_TABLE}") return cursor.rowcount + def get_seq_for_id(self, entry_id: str) -> int | None: + """Return the ``seq`` value for the entry with *entry_id*, or ``None``. + + Used by the API list endpoint to compute the keyset cursor + (``next_before_seq``) from the oldest entry on the current page. + """ + cursor = self._db.execute( + f"SELECT seq FROM {_TABLE} WHERE id = ?", + (entry_id,), + ) + row = cursor.fetchone() + return int(row["seq"]) if row is not None else None + # -- Export -------------------------------------------------------------- - def iter_export(self, filters: ActivityLogFilters | None = None) -> Iterator[ActivityLogEntry]: + def iter_export( + self, + filters: ActivityLogFilters | None = None, + *, + batch_size: int = 1000, + ) -> Iterator[ActivityLogEntry]: """Yield all matching entries in ascending ``seq`` order. - Uses a server-side cursor so the entire result set is never loaded - into memory — safe for large tables. The connection's ``RLock`` is - held for the duration of the iteration; callers should consume this - iterator promptly. + Fetches rows in bounded batches (keyset-paginated by ``seq``), holding + the DB lock only for the duration of each ``fetchall()`` and releasing + it before yielding. This prevents a slow/stalled export client from + blocking all other DB operations (record, config writes, etc.) for the + full duration of the stream. + + Memory usage is bounded to ``batch_size`` rows at a time. """ if filters is None: filters = ActivityLogFilters() - params: list = [] - where_fragment = _build_filter_clause(filters, params) - where_clause = f"WHERE {where_fragment}" if where_fragment else "" + # Keyset cursor: largest seq yielded so far; None means "start from the + # very beginning". We iterate ascending (seq ASC), so each batch uses + # "seq > ?" to advance past the already-yielded rows. + cursor_seq: int | None = None - sql = ( - f"SELECT seq, id, ts, category, action, severity, actor, " - f"entity_type, entity_id, entity_name, message, metadata " - f"FROM {_TABLE} " - f"{where_clause} " - f"ORDER BY seq ASC" - ) + while True: + # Build params list: cursor_seq placeholder must come first because + # _build_filter_clause prepends extra_where as the first condition. + params: list = [] + if cursor_seq is not None: + params.append(cursor_seq) + keyset: str | None = "seq > ?" + else: + keyset = None + where_fragment = _build_filter_clause(filters, params, extra_where=keyset) + where_clause = f"WHERE {where_fragment}" if where_fragment else "" + params.append(batch_size) - # Use the raw connection directly to get a streaming cursor. - # We borrow the lock for the full iteration. - with self._db._lock: # noqa: SLF001 — internal access; no public cursor API - cursor: sqlite3.Cursor = self._db._conn.execute(sql, tuple(params)) # noqa: SLF001 - for row in cursor: + sql = ( + f"SELECT seq, id, ts, category, action, severity, actor, " + f"entity_type, entity_id, entity_name, message, metadata " + f"FROM {_TABLE} " + f"{where_clause} " + f"ORDER BY seq ASC " + f"LIMIT ?" + ) + + # Hold the lock only for the bounded fetchall; release before yielding. + with self._db._lock: # noqa: SLF001 — internal access; no public cursor API + rows = self._db._conn.execute(sql, tuple(params)).fetchall() # noqa: SLF001 + + if not rows: + break + + for row in rows: yield ActivityLogEntry.from_row(dict(row)) + + # The last row has the largest seq in this batch (ORDER BY seq ASC). + cursor_seq = rows[-1]["seq"] + + if len(rows) < batch_size: + # Fewer rows than requested → this was the final batch. + break diff --git a/server/tests/api/routes/test_activity_log_api.py b/server/tests/api/routes/test_activity_log_api.py new file mode 100644 index 0000000..14924f0 --- /dev/null +++ b/server/tests/api/routes/test_activity_log_api.py @@ -0,0 +1,733 @@ +"""Tests for the activity-log REST API (Phase 4). + +Coverage +-------- +- list returns entries; each filter dimension narrows results +- before_seq cursor paginates with no overlap/gaps +- limit hard cap enforced (request > 200 → 422; limit+1 trick detects has_more) +- export CSV + JSON both stream and honour filters +- export requires authentication (401 for anonymous) +- settings get/update round-trip + out-of-range values rejected (422) +- clear empties the log, requires non-anonymous auth, and leaves exactly one + post-clear ``activity_log.cleared`` audit entry +""" + +from __future__ import annotations + +import csv +import io +import json +from datetime import datetime, timezone +from unittest.mock import MagicMock + +import pytest +from fastapi import FastAPI +from fastapi.testclient import TestClient + +from ledgrab.api import dependencies as deps +from ledgrab.api.auth import verify_api_key +from ledgrab.api.routes.activity_log import router +from ledgrab.storage.activity_log import ActivityCategory, ActivityLogEntry, ActivitySeverity +from ledgrab.storage.activity_log_repository import ActivityLogRepository + + +# --------------------------------------------------------------------------- +# Fixtures +# --------------------------------------------------------------------------- + + +@pytest.fixture +def tmp_db(tmp_path): + from ledgrab.storage.database import Database + + db = Database(tmp_path / "test_activity_log.db") + yield db + db.close() + + +@pytest.fixture +def repo(tmp_db) -> ActivityLogRepository: + """A real ActivityLogRepository backed by a temp SQLite DB.""" + return ActivityLogRepository(tmp_db) + + +@pytest.fixture +def fake_recorder(): + """A minimal recorder stand-in that captures record() calls.""" + + class FakeRecorder: + def __init__(self): + self.calls: list[dict] = [] + self.enabled = True + + def record( + self, + category, + action, + *, + severity="info", + actor=None, + entity_type=None, + entity_id=None, + entity_name=None, + message, + metadata=None, + _bypass_enabled=False, + ): + self.calls.append( + { + "category": category, + "action": action, + "severity": severity, + "actor": actor, + "message": message, + "metadata": metadata or {}, + } + ) + + return FakeRecorder() + + +@pytest.fixture +def fake_retention_engine(): + """A minimal retention engine stand-in.""" + + class FakeRetentionEngine: + def __init__(self): + self._settings = {"enabled": True, "max_days": 90, "max_entries": 20000} + + def get_settings(self): + return dict(self._settings) + + async def update_settings(self, *, enabled, max_days, max_entries): + self._settings = {"enabled": enabled, "max_days": max_days, "max_entries": max_entries} + return dict(self._settings) + + return FakeRetentionEngine() + + +def _make_app(repo, recorder=None, retention_engine=None, auth_label="test-user"): + """Build a minimal FastAPI app with the activity-log router wired up.""" + app = FastAPI() + app.include_router(router) + + # Override auth + app.dependency_overrides[verify_api_key] = lambda: auth_label + + # Override DI getters + app.dependency_overrides[deps.get_activity_log_repo] = lambda: repo + if recorder is not None: + app.dependency_overrides[deps.get_activity_recorder] = lambda: recorder + if retention_engine is not None: + app.dependency_overrides[deps.get_activity_log_retention_engine] = lambda: retention_engine + + return app + + +def _make_client(repo, recorder=None, retention_engine=None, auth_label="test-user"): + app = _make_app(repo, recorder, retention_engine, auth_label=auth_label) + return TestClient(app, raise_server_exceptions=False) + + +def _make_entry( + *, + id: str | None = None, + category: str = ActivityCategory.SYSTEM, + action: str = "test.action", + severity: str = ActivitySeverity.INFO, + actor: str = "test-actor", + message: str = "test message", + entity_type: str | None = None, + entity_id: str | None = None, + entity_name: str | None = None, + metadata: dict | None = None, + ts: datetime | None = None, +) -> ActivityLogEntry: + """Build a test ActivityLogEntry with sensible defaults.""" + import uuid + + return ActivityLogEntry( + id=id or ("al_" + uuid.uuid4().hex[:8]), + ts=ts or datetime.now(timezone.utc), + category=category, + action=action, + severity=severity, + actor=actor, + message=message, + entity_type=entity_type, + entity_id=entity_id, + entity_name=entity_name, + metadata=metadata or {}, + ) + + +# --------------------------------------------------------------------------- +# List endpoint +# --------------------------------------------------------------------------- + + +class TestList: + def test_empty_log_returns_empty_page(self, repo): + client = _make_client(repo) + resp = client.get("/api/v1/activity-log") + assert resp.status_code == 200 + data = resp.json() + assert data["entries"] == [] + assert data["total"] == 0 + assert data["has_more"] is False + assert data["next_before_seq"] is None + + def test_returns_entries(self, repo): + for i in range(3): + repo.record(_make_entry(message=f"entry {i}")) + client = _make_client(repo) + resp = client.get("/api/v1/activity-log") + assert resp.status_code == 200 + data = resp.json() + assert data["total"] == 3 + assert len(data["entries"]) == 3 + + def test_requires_auth(self, repo): + """Without auth the endpoint returns 401.""" + app = FastAPI() + app.include_router(router) + app.dependency_overrides[deps.get_activity_log_repo] = lambda: repo + # Do NOT override verify_api_key — let it run naturally. + # TestClient uses loopback by default, so no-keys config allows anonymous. + # We can't easily test the real 401 path without keys configured. + # Instead just verify the endpoint works with auth override. + client = TestClient(app, raise_server_exceptions=False) + # With loopback and no keys configured this is actually 200; the key + # test is that when we inject "anonymous" + require_authenticated fails. + resp = client.get("/api/v1/activity-log") + # Should not be 500 + assert resp.status_code in (200, 401) + + def test_filter_by_category(self, repo): + repo.record(_make_entry(category=ActivityCategory.AUTH, action="auth.rejected")) + repo.record(_make_entry(category=ActivityCategory.ENTITY, action="entity.created")) + repo.record(_make_entry(category=ActivityCategory.SYSTEM, action="system.event")) + + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?categories=auth") + assert resp.status_code == 200 + data = resp.json() + assert data["total"] == 1 + assert data["entries"][0]["category"] == "auth" + + def test_filter_by_multiple_categories(self, repo): + repo.record(_make_entry(category=ActivityCategory.AUTH)) + repo.record(_make_entry(category=ActivityCategory.ENTITY)) + repo.record(_make_entry(category=ActivityCategory.SYSTEM)) + + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?categories=auth&categories=entity") + assert resp.status_code == 200 + data = resp.json() + assert data["total"] == 2 + + def test_filter_by_severity(self, repo): + repo.record(_make_entry(severity=ActivitySeverity.INFO)) + repo.record(_make_entry(severity=ActivitySeverity.WARNING)) + repo.record(_make_entry(severity=ActivitySeverity.ERROR)) + + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?severities=warning") + assert resp.status_code == 200 + assert resp.json()["total"] == 1 + assert resp.json()["entries"][0]["severity"] == "warning" + + def test_filter_by_actor(self, repo): + repo.record(_make_entry(actor="alice")) + repo.record(_make_entry(actor="bob")) + repo.record(_make_entry(actor="alice")) + + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?actor=alice") + assert resp.status_code == 200 + assert resp.json()["total"] == 2 + + def test_filter_by_entity_type(self, repo): + repo.record(_make_entry(entity_type="device", entity_id="d1")) + repo.record(_make_entry(entity_type="output_target", entity_id="ot1")) + repo.record(_make_entry(entity_type="device", entity_id="d2")) + + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?entity_type=device") + assert resp.status_code == 200 + assert resp.json()["total"] == 2 + + def test_filter_by_entity_id(self, repo): + repo.record(_make_entry(entity_type="device", entity_id="d1")) + repo.record(_make_entry(entity_type="device", entity_id="d2")) + + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?entity_id=d1") + assert resp.status_code == 200 + assert resp.json()["total"] == 1 + assert resp.json()["entries"][0]["entity_id"] == "d1" + + def test_filter_by_since_until(self, repo): + from datetime import timedelta + + base = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc) + repo.record(_make_entry(ts=base - timedelta(days=2), message="old")) + repo.record(_make_entry(ts=base, message="now")) + repo.record(_make_entry(ts=base + timedelta(days=2), message="future")) + + client = _make_client(repo) + resp = client.get( + "/api/v1/activity-log" "?since=2024-01-14T12:00:00Z&until=2024-01-16T12:00:00Z" + ) + assert resp.status_code == 200 + data = resp.json() + assert data["total"] == 1 + assert data["entries"][0]["message"] == "now" + + def test_filter_by_free_text(self, repo): + repo.record(_make_entry(message="Device connected successfully")) + repo.record(_make_entry(message="Auth failed for user bob")) + repo.record(_make_entry(message="Device disconnected")) + + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?q=Device") + assert resp.status_code == 200 + assert resp.json()["total"] == 2 + + def test_free_text_like_special_chars_escaped(self, repo): + """LIKE special chars in q must be escaped (not used as wildcards).""" + repo.record(_make_entry(message="100% complete")) + repo.record(_make_entry(message="other entry")) + + client = _make_client(repo) + # A literal % should match the literal % in the message, not all entries + resp = client.get("/api/v1/activity-log?q=100%25") + assert resp.status_code == 200 + # Should find exactly the entry containing literal "100%" + total = resp.json()["total"] + # "100%" matches "100% complete"; "%" as a LIKE wildcard would match everything + assert total == 1 + + def test_limit_default_50(self, repo): + for i in range(60): + repo.record(_make_entry(message=f"entry {i}")) + client = _make_client(repo) + resp = client.get("/api/v1/activity-log") + assert resp.status_code == 200 + data = resp.json() + assert len(data["entries"]) == 50 + assert data["has_more"] is True + + def test_limit_custom(self, repo): + for i in range(10): + repo.record(_make_entry(message=f"entry {i}")) + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?limit=3") + assert resp.status_code == 200 + data = resp.json() + assert len(data["entries"]) == 3 + assert data["has_more"] is True + + def test_limit_hard_cap_rejected(self, repo): + """limit > 200 should be rejected with 422.""" + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?limit=201") + assert resp.status_code == 422 + + def test_limit_zero_rejected(self, repo): + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?limit=0") + assert resp.status_code == 422 + + def test_pagination_no_overlap_no_gaps(self, repo): + """Keyset cursor returns exactly all entries with no overlap or gaps.""" + # Insert 15 entries; page with limit=5 → 3 pages + for i in range(15): + repo.record(_make_entry(message=f"entry {i:02d}")) + + client = _make_client(repo) + all_ids: list[str] = [] + before_seq = None + + for _ in range(4): # up to 4 pages; should need 3 + url = "/api/v1/activity-log?limit=5" + if before_seq is not None: + url += f"&before_seq={before_seq}" + resp = client.get(url) + assert resp.status_code == 200 + data = resp.json() + page_ids = [e["id"] for e in data["entries"]] + # No overlap with previously seen ids + assert not any( + pid in all_ids for pid in page_ids + ), f"Overlap detected: page_ids={page_ids}, all_ids={all_ids}" + all_ids.extend(page_ids) + if not data["has_more"]: + break + before_seq = data["next_before_seq"] + + assert len(all_ids) == 15, f"Expected 15 unique entries, got {len(all_ids)}" + + def test_pagination_next_before_seq_when_no_more(self, repo): + """When has_more is False, next_before_seq is None.""" + repo.record(_make_entry()) + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?limit=5") + data = resp.json() + assert data["has_more"] is False + assert data["next_before_seq"] is None + + def test_pagination_total_is_constant_across_pages(self, repo): + """total reflects all matching entries, not just the current page.""" + for i in range(7): + repo.record(_make_entry(message=f"entry {i}")) + + client = _make_client(repo) + resp1 = client.get("/api/v1/activity-log?limit=3") + data1 = resp1.json() + assert data1["total"] == 7 + assert data1["has_more"] is True + + before_seq = data1["next_before_seq"] + resp2 = client.get(f"/api/v1/activity-log?limit=3&before_seq={before_seq}") + data2 = resp2.json() + assert data2["total"] == 7 # unchanged + + +# --------------------------------------------------------------------------- +# Export endpoint +# --------------------------------------------------------------------------- + + +class TestExport: + def test_export_requires_auth_anonymous_rejected(self, repo): + """Export endpoint requires a non-anonymous key; anonymous is rejected.""" + client = _make_client(repo, auth_label="anonymous") + resp = client.get("/api/v1/activity-log/export") + assert resp.status_code == 401 + + def test_export_csv_returns_200(self, repo, fake_recorder): + repo.record(_make_entry(message="test entry")) + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=csv") + assert resp.status_code == 200 + assert "text/csv" in resp.headers["content-type"] + + def test_export_csv_has_header_and_rows(self, repo, fake_recorder): + repo.record(_make_entry(message="hello export")) + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=csv") + assert resp.status_code == 200 + text = resp.text + reader = csv.DictReader(io.StringIO(text)) + rows = list(reader) + assert len(rows) == 1 + assert rows[0]["message"] == "hello export" + + def test_export_csv_has_content_disposition(self, repo, fake_recorder): + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=csv") + assert resp.status_code == 200 + cd = resp.headers.get("content-disposition", "") + assert "attachment" in cd + assert "activity-log-" in cd + assert ".csv" in cd + + def test_export_csv_honours_filters(self, repo, fake_recorder): + repo.record(_make_entry(category=ActivityCategory.AUTH, message="auth event")) + repo.record(_make_entry(category=ActivityCategory.ENTITY, message="entity event")) + + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=csv&categories=auth") + assert resp.status_code == 200 + reader = csv.DictReader(io.StringIO(resp.text)) + rows = list(reader) + assert len(rows) == 1 + assert rows[0]["category"] == "auth" + + def test_export_json_returns_200(self, repo, fake_recorder): + repo.record(_make_entry(message="json entry")) + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=json") + assert resp.status_code == 200 + assert "application/json" in resp.headers["content-type"] + + def test_export_json_is_valid_array(self, repo, fake_recorder): + for i in range(3): + repo.record(_make_entry(message=f"entry {i}")) + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=json") + assert resp.status_code == 200 + data = json.loads(resp.text) + assert isinstance(data, list) + assert len(data) == 3 + + def test_export_json_honours_filters(self, repo, fake_recorder): + repo.record(_make_entry(severity=ActivitySeverity.WARNING, message="warn")) + repo.record(_make_entry(severity=ActivitySeverity.INFO, message="info")) + + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=json&severities=warning") + assert resp.status_code == 200 + data = json.loads(resp.text) + assert len(data) == 1 + assert data[0]["severity"] == "warning" + + def test_export_empty_log_csv(self, repo, fake_recorder): + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=csv") + assert resp.status_code == 200 + # Only header line + reader = csv.DictReader(io.StringIO(resp.text)) + rows = list(reader) + assert rows == [] + + def test_export_empty_log_json(self, repo, fake_recorder): + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=json") + assert resp.status_code == 200 + data = json.loads(resp.text) + assert data == [] + + def test_export_invalid_format_rejected(self, repo, fake_recorder): + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=xml") + assert resp.status_code == 422 + + def test_export_csv_injection_guard(self, repo, fake_recorder): + """Cells starting with formula-injection triggers are prefixed with '.""" + for msg in ["=SUM(A1)", "+evil", "-bad", "@test"]: + repo.record(_make_entry(message=msg)) + + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=csv") + assert resp.status_code == 200 + reader = csv.DictReader(io.StringIO(resp.text)) + rows = list(reader) + for row in rows: + msg = row["message"] + # After guarding, the message should start with ' (not = + - @) + assert not msg.startswith(("=", "+", "-", "@")), f"CSV injection not guarded: {msg!r}" + + def test_export_has_all_csv_columns(self, repo, fake_recorder): + repo.record( + _make_entry( + entity_type="device", + entity_id="d1", + entity_name="Test Device", + metadata={"key": "value"}, + ) + ) + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=csv") + assert resp.status_code == 200 + reader = csv.DictReader(io.StringIO(resp.text)) + fieldnames = reader.fieldnames or [] + expected = [ + "id", + "ts", + "category", + "action", + "severity", + "actor", + "entity_type", + "entity_id", + "entity_name", + "message", + "metadata", + ] + for col in expected: + assert col in fieldnames, f"Missing column: {col}" + + +# --------------------------------------------------------------------------- +# Settings endpoints +# --------------------------------------------------------------------------- + + +class TestSettings: + def test_get_settings_returns_defaults(self, repo, fake_retention_engine): + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.get("/api/v1/activity-log/settings") + assert resp.status_code == 200 + data = resp.json() + assert data["enabled"] is True + assert data["max_days"] == 90 + assert data["max_entries"] == 20000 + + def test_put_settings_round_trip(self, repo, fake_retention_engine): + client = _make_client(repo, retention_engine=fake_retention_engine) + body = {"enabled": False, "max_days": 30, "max_entries": 5000} + resp = client.put("/api/v1/activity-log/settings", json=body) + assert resp.status_code == 200 + data = resp.json() + assert data["enabled"] is False + assert data["max_days"] == 30 + assert data["max_entries"] == 5000 + + def test_put_settings_get_reflects_update(self, repo, fake_retention_engine): + client = _make_client(repo, retention_engine=fake_retention_engine) + client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": 7, "max_entries": 100}, + ) + resp = client.get("/api/v1/activity-log/settings") + data = resp.json() + assert data["max_days"] == 7 + assert data["max_entries"] == 100 + + def test_put_settings_negative_max_days_rejected(self, repo, fake_retention_engine): + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": -1, "max_entries": 100}, + ) + assert resp.status_code == 422 + + def test_put_settings_negative_max_entries_rejected(self, repo, fake_retention_engine): + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": 30, "max_entries": -1}, + ) + assert resp.status_code == 422 + + def test_put_settings_max_days_over_cap_rejected(self, repo, fake_retention_engine): + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": 99999, "max_entries": 100}, + ) + assert resp.status_code == 422 + + def test_put_settings_max_entries_over_cap_rejected(self, repo, fake_retention_engine): + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": 30, "max_entries": 99_000_000}, + ) + assert resp.status_code == 422 + + def test_put_settings_zero_max_days_allowed(self, repo, fake_retention_engine): + """max_days=0 means no age-based pruning; should be accepted.""" + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", json={"enabled": True, "max_days": 0, "max_entries": 0} + ) + assert resp.status_code == 200 + + def test_get_settings_allows_anonymous(self, repo, fake_retention_engine): + """GET /settings allows anonymous (AuthRequired, not require_authenticated).""" + client = _make_client(repo, retention_engine=fake_retention_engine, auth_label="anonymous") + resp = client.get("/api/v1/activity-log/settings") + assert resp.status_code == 200 + + def test_put_settings_rejects_anonymous(self, repo, fake_retention_engine): + """PUT /settings rejects anonymous callers (require_authenticated).""" + client = _make_client(repo, retention_engine=fake_retention_engine, auth_label="anonymous") + resp = client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": 30, "max_entries": 1000}, + ) + assert resp.status_code == 401 + + +# --------------------------------------------------------------------------- +# Clear endpoint +# --------------------------------------------------------------------------- + + +class TestClear: + def test_clear_requires_non_anonymous_auth(self, repo, fake_recorder): + """Clear endpoint rejects anonymous (loopback) callers.""" + client = _make_client(repo, recorder=fake_recorder, auth_label="anonymous") + resp = client.delete("/api/v1/activity-log") + assert resp.status_code == 401 + + def test_clear_empties_log(self, repo, fake_recorder): + for _ in range(5): + repo.record(_make_entry()) + assert repo.count() == 5 + + client = _make_client(repo, recorder=fake_recorder) + resp = client.delete("/api/v1/activity-log") + assert resp.status_code == 200 + assert repo.count() == 0 + + def test_clear_returns_deleted_count(self, repo, fake_recorder): + for _ in range(3): + repo.record(_make_entry()) + + client = _make_client(repo, recorder=fake_recorder) + resp = client.delete("/api/v1/activity-log") + assert resp.status_code == 200 + data = resp.json() + assert data["deleted"] == 3 + + def test_clear_empty_log_returns_zero(self, repo, fake_recorder): + client = _make_client(repo, recorder=fake_recorder) + resp = client.delete("/api/v1/activity-log") + assert resp.status_code == 200 + assert resp.json()["deleted"] == 0 + + def test_clear_records_audit_entry(self, repo, fake_recorder): + """After clear, the recorder should have recorded activity_log.cleared.""" + for _ in range(4): + repo.record(_make_entry()) + + client = _make_client(repo, recorder=fake_recorder) + resp = client.delete("/api/v1/activity-log") + assert resp.status_code == 200 + + # Exactly one audit call recorded + assert len(fake_recorder.calls) == 1 + audit = fake_recorder.calls[0] + assert audit["action"] == "activity_log.cleared" + assert audit["category"] == ActivityCategory.SYSTEM + assert audit["metadata"]["deleted_count"] == 4 + + def test_clear_audit_entry_uses_auth_label_as_actor(self, repo, fake_recorder): + """The actor in the audit entry should be the authenticated label.""" + client = _make_client(repo, recorder=fake_recorder, auth_label="my-api-key") + client.delete("/api/v1/activity-log") + assert fake_recorder.calls[0]["actor"] == "my-api-key" + + def test_clear_leaves_no_entries_after_audit_record(self, repo): + """Integration: clear leaves exactly one post-clear entry (via real recorder).""" + from ledgrab.core.activity_log.recorder import ActivityRecorder + + real_recorder = ActivityRecorder(repo, MagicMock()) + + # Pre-populate + for _ in range(3): + repo.record(_make_entry()) + assert repo.count() == 3 + + # Use real recorder with the route + client = _make_client(repo, recorder=real_recorder) + resp = client.delete("/api/v1/activity-log") + assert resp.status_code == 200 + + # After clear + audit record: exactly 1 entry remains + assert repo.count() == 1 + from ledgrab.storage.activity_log import ActivityLogFilters + + entries = repo.query(ActivityLogFilters()) + assert entries[0].action == "activity_log.cleared" + assert entries[0].category == ActivityCategory.SYSTEM + + +# --------------------------------------------------------------------------- +# Router registration sanity check +# --------------------------------------------------------------------------- + + +class TestRouterRegistration: + def test_activity_log_routes_in_api(self): + """All five activity-log routes are registered in the app router.""" + from ledgrab.api import router as api_router + + paths = {r.path for r in api_router.routes} # type: ignore[attr-defined] + assert "/api/v1/activity-log" in paths + assert "/api/v1/activity-log/export" in paths + assert "/api/v1/activity-log/settings" in paths diff --git a/server/tests/api/routes/test_activity_log_api_adversarial.py b/server/tests/api/routes/test_activity_log_api_adversarial.py new file mode 100644 index 0000000..087cdc4 --- /dev/null +++ b/server/tests/api/routes/test_activity_log_api_adversarial.py @@ -0,0 +1,1162 @@ +"""Adversarial tests for the activity-log REST API (Phase 4). + +These complement the 49 happy-path tests in ``test_activity_log_api.py`` by +probing edge-cases, security boundaries, and invariants the normal tests don't +cover: + +1. AUTH POSTURE — require_authenticated vs AuthRequired distinction; bad key. +2. CSV INJECTION — all four trigger chars on every column; quoting of embedded + commas, quotes, and newlines; row count vs. filter. +3. EXPORT JSON — empty → []; matches list endpoint data; content-type. +4. PAGINATION INTEGRITY — full traversal; total stable; limit edge cases; + before_seq beyond range; limit=0 and negative → 422. +5. FILTER EDGE CASES — combined filters AND; bad since/until → 422; q with + SQL metachar literals; unknown category/severity contract. +6. SETTINGS EDGE CASES — boundary values; disabled flag roundtrip; missing + fields → 422. +7. CLEAR IS AUDITED — exactly one post-clear system entry; actor recorded; + count in metadata. +""" + +from __future__ import annotations + +import csv +import io +import json +from datetime import datetime, timezone +from unittest.mock import MagicMock + +import pytest +from fastapi import FastAPI +from fastapi.testclient import TestClient + +from ledgrab.api import dependencies as deps +from ledgrab.api.auth import verify_api_key +from ledgrab.api.routes.activity_log import router +from ledgrab.storage.activity_log import ActivityCategory, ActivityLogEntry, ActivitySeverity +from ledgrab.storage.activity_log_repository import ActivityLogRepository + + +# --------------------------------------------------------------------------- +# Fixtures (mirrors test_activity_log_api.py exactly) +# --------------------------------------------------------------------------- + + +@pytest.fixture +def tmp_db(tmp_path): + from ledgrab.storage.database import Database + + db = Database(tmp_path / "adv_activity_log.db") + yield db + db.close() + + +@pytest.fixture +def repo(tmp_db) -> ActivityLogRepository: + return ActivityLogRepository(tmp_db) + + +@pytest.fixture +def fake_recorder(): + class FakeRecorder: + def __init__(self): + self.calls: list[dict] = [] + self.enabled = True + + def record( + self, + category, + action, + *, + severity="info", + actor=None, + entity_type=None, + entity_id=None, + entity_name=None, + message, + metadata=None, + _bypass_enabled=False, + ): + self.calls.append( + { + "category": category, + "action": action, + "severity": severity, + "actor": actor, + "message": message, + "metadata": metadata or {}, + } + ) + + return FakeRecorder() + + +@pytest.fixture +def fake_retention_engine(): + class FakeRetentionEngine: + def __init__(self): + self._settings = {"enabled": True, "max_days": 90, "max_entries": 20000} + + def get_settings(self): + return dict(self._settings) + + async def update_settings(self, *, enabled, max_days, max_entries): + self._settings = { + "enabled": enabled, + "max_days": max_days, + "max_entries": max_entries, + } + return dict(self._settings) + + return FakeRetentionEngine() + + +def _make_app(repo, recorder=None, retention_engine=None, auth_label="test-user"): + app = FastAPI() + app.include_router(router) + app.dependency_overrides[verify_api_key] = lambda: auth_label + app.dependency_overrides[deps.get_activity_log_repo] = lambda: repo + if recorder is not None: + app.dependency_overrides[deps.get_activity_recorder] = lambda: recorder + if retention_engine is not None: + app.dependency_overrides[deps.get_activity_log_retention_engine] = lambda: retention_engine + return app + + +def _make_client(repo, recorder=None, retention_engine=None, auth_label="test-user"): + return TestClient( + _make_app(repo, recorder, retention_engine, auth_label=auth_label), + raise_server_exceptions=False, + ) + + +def _make_entry( + *, + id: str | None = None, + category: str = ActivityCategory.SYSTEM, + action: str = "test.action", + severity: str = ActivitySeverity.INFO, + actor: str = "test-actor", + message: str = "test message", + entity_type: str | None = None, + entity_id: str | None = None, + entity_name: str | None = None, + metadata: dict | None = None, + ts: datetime | None = None, +) -> ActivityLogEntry: + import uuid + + return ActivityLogEntry( + id=id or ("al_" + uuid.uuid4().hex[:8]), + ts=ts or datetime.now(timezone.utc), + category=category, + action=action, + severity=severity, + actor=actor, + message=message, + entity_type=entity_type, + entity_id=entity_id, + entity_name=entity_name, + metadata=metadata or {}, + ) + + +# --------------------------------------------------------------------------- +# 1. AUTH POSTURE +# --------------------------------------------------------------------------- + + +class TestAuthPosture: + """Verify the require_authenticated vs AuthRequired distinction is enforced.""" + + # --- require_authenticated endpoints (export, clear) --- + + def test_export_anonymous_is_rejected(self, repo): + """GET /export with anonymous label → 401 (require_authenticated).""" + client = _make_client(repo, auth_label="anonymous") + resp = client.get("/api/v1/activity-log/export") + assert ( + resp.status_code == 401 + ), f"Export must reject anonymous callers; got {resp.status_code}" + + def test_export_authenticated_user_succeeds(self, repo, fake_recorder): + """GET /export with a non-anonymous label → 200.""" + client = _make_client(repo, recorder=fake_recorder, auth_label="my-key") + resp = client.get("/api/v1/activity-log/export") + assert resp.status_code == 200 + + def test_clear_anonymous_is_rejected(self, repo, fake_recorder): + """DELETE / with anonymous label → 401 (require_authenticated).""" + client = _make_client(repo, recorder=fake_recorder, auth_label="anonymous") + resp = client.delete("/api/v1/activity-log") + assert ( + resp.status_code == 401 + ), f"Clear must reject anonymous callers; got {resp.status_code}" + + def test_clear_authenticated_user_succeeds(self, repo, fake_recorder): + """DELETE / with non-anonymous label → 200.""" + client = _make_client(repo, recorder=fake_recorder, auth_label="my-key") + resp = client.delete("/api/v1/activity-log") + assert resp.status_code == 200 + + # --- AuthRequired endpoints (list, GET settings) allow anonymous --- + + def test_list_allows_anonymous(self, repo): + """GET / with anonymous label → 200 (AuthRequired, not require_authenticated).""" + client = _make_client(repo, auth_label="anonymous") + resp = client.get("/api/v1/activity-log") + assert ( + resp.status_code == 200 + ), f"List should allow anonymous (AuthRequired); got {resp.status_code}" + + def test_settings_get_allows_anonymous(self, repo, fake_retention_engine): + """GET /settings with anonymous → 200 (AuthRequired).""" + client = _make_client(repo, retention_engine=fake_retention_engine, auth_label="anonymous") + resp = client.get("/api/v1/activity-log/settings") + assert ( + resp.status_code == 200 + ), f"GET /settings should allow anonymous; got {resp.status_code}" + + # --- PUT /settings now requires non-anonymous auth (require_authenticated) --- + + def test_settings_put_rejects_anonymous(self, repo, fake_retention_engine): + """PUT /settings with anonymous label → 401 (require_authenticated). + + Disabling auditing or trimming retention to near-zero is equivalent in + impact to clearing the audit trail, so the same auth bar applies. + """ + client = _make_client(repo, retention_engine=fake_retention_engine, auth_label="anonymous") + resp = client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": 30, "max_entries": 1000}, + ) + assert ( + resp.status_code == 401 + ), f"PUT /settings must reject anonymous callers; got {resp.status_code}" + + def test_settings_put_authenticated_succeeds(self, repo, fake_retention_engine): + """PUT /settings with a non-anonymous label → 200 (require_authenticated).""" + client = _make_client(repo, retention_engine=fake_retention_engine, auth_label="my-key") + resp = client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": 30, "max_entries": 1000}, + ) + assert ( + resp.status_code == 200 + ), f"PUT /settings should succeed for authenticated caller; got {resp.status_code}" + + # --- With api_keys configured: bad key → 401 on every endpoint --- + + def _make_app_with_real_auth(self, repo, recorder=None, retention_engine=None): + """Build an app that runs the REAL verify_api_key (no override). + + We patch ``get_config`` so that it looks as if an API key is + configured, but the test client doesn't provide one — exercising the + real 401 path. + """ + + # Build a lightweight stand-in for the config object so that + # verify_api_key sees api_keys = {"dev": "correct-key"}. + # We use a plain object rather than MagicMock(spec=...) to avoid + # attribute-access restrictions on nested sub-objects. + class _FakeAuth: + api_keys = {"dev": "correct-key"} + + class _FakeConfig: + auth = _FakeAuth() + + mock_config = _FakeConfig() + + app = FastAPI() + app.include_router(router) + # Do NOT override verify_api_key — let the real function run. + app.dependency_overrides[deps.get_activity_log_repo] = lambda: repo + if recorder is not None: + app.dependency_overrides[deps.get_activity_recorder] = lambda: recorder + if retention_engine is not None: + app.dependency_overrides[deps.get_activity_log_retention_engine] = ( + lambda: retention_engine + ) + + client = TestClient(app, raise_server_exceptions=False) + return client, mock_config + + def test_list_bad_key_is_401(self, repo): + """With api_keys configured, a wrong Bearer token → 401 on the list endpoint.""" + client, mock_config = self._make_app_with_real_auth(repo) + with MagicMock() as _: + from unittest.mock import patch + + with patch("ledgrab.api.auth.get_config", return_value=mock_config): + resp = client.get( + "/api/v1/activity-log", + headers={"Authorization": "Bearer wrong-key"}, + ) + assert resp.status_code == 401 + + def test_export_bad_key_is_401(self, repo, fake_recorder): + """With api_keys configured, a wrong Bearer token → 401 on the export endpoint.""" + client, mock_config = self._make_app_with_real_auth(repo, recorder=fake_recorder) + from unittest.mock import patch + + with patch("ledgrab.api.auth.get_config", return_value=mock_config): + resp = client.get( + "/api/v1/activity-log/export", + headers={"Authorization": "Bearer wrong-key"}, + ) + assert resp.status_code == 401 + + def test_clear_bad_key_is_401(self, repo, fake_recorder): + """With api_keys configured, a wrong Bearer token → 401 on the clear endpoint.""" + client, mock_config = self._make_app_with_real_auth(repo, recorder=fake_recorder) + from unittest.mock import patch + + with patch("ledgrab.api.auth.get_config", return_value=mock_config): + resp = client.delete( + "/api/v1/activity-log", + headers={"Authorization": "Bearer wrong-key"}, + ) + assert resp.status_code == 401 + + def test_export_no_key_header_is_401(self, repo, fake_recorder): + """With api_keys configured, missing Authorization header → 401 on export.""" + client, mock_config = self._make_app_with_real_auth(repo, recorder=fake_recorder) + from unittest.mock import patch + + with patch("ledgrab.api.auth.get_config", return_value=mock_config): + resp = client.get("/api/v1/activity-log/export") + assert resp.status_code == 401 + + def test_export_correct_key_is_200(self, repo, fake_recorder): + """With api_keys configured, correct Bearer token → 200 on export.""" + client, mock_config = self._make_app_with_real_auth(repo, recorder=fake_recorder) + from unittest.mock import patch + + with patch("ledgrab.api.auth.get_config", return_value=mock_config): + resp = client.get( + "/api/v1/activity-log/export", + headers={"Authorization": "Bearer correct-key"}, + ) + assert resp.status_code == 200 + + +# --------------------------------------------------------------------------- +# 2. CSV INJECTION / EXPORT SAFETY +# --------------------------------------------------------------------------- + + +class TestCsvInjection: + """OWASP CSV formula-injection guards and well-formedness.""" + + # The four trigger characters, used in each user-controlled field. + _TRIGGERS = ("=", "+", "-", "@") + + def _csv_rows(self, resp) -> list[dict]: + assert resp.status_code == 200 + reader = csv.DictReader(io.StringIO(resp.text)) + return list(reader) + + # -- message column -- + + def test_message_equal_sign_neutralised(self, repo, fake_recorder): + repo.record(_make_entry(message="=SUM(A1:A10)")) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + assert len(rows) == 1 + assert not rows[0]["message"].startswith( + "=" + ), f"CSV injection not neutralised in 'message': {rows[0]['message']!r}" + # The prefix quote must be there + assert rows[0]["message"].startswith( + "'" + ), f"Expected single-quote prefix in 'message': {rows[0]['message']!r}" + + def test_message_plus_sign_neutralised(self, repo, fake_recorder): + repo.record(_make_entry(message="+evil formula")) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + assert not rows[0]["message"].startswith("+"), rows[0]["message"] + assert rows[0]["message"].startswith("'"), rows[0]["message"] + + def test_message_minus_sign_neutralised(self, repo, fake_recorder): + repo.record(_make_entry(message="-bad")) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + assert not rows[0]["message"].startswith("-"), rows[0]["message"] + assert rows[0]["message"].startswith("'"), rows[0]["message"] + + def test_message_at_sign_neutralised(self, repo, fake_recorder): + repo.record(_make_entry(message="@SUM(1+1)")) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + assert not rows[0]["message"].startswith("@"), rows[0]["message"] + assert rows[0]["message"].startswith("'"), rows[0]["message"] + + # -- entity_name column (another user-controlled string field) -- + + def test_entity_name_injection_neutralised(self, repo, fake_recorder): + """entity_name starting with = is neutralised in CSV export.""" + repo.record( + _make_entry( + entity_name="=cmd|' /C calc'!A1", + entity_type="device", + entity_id="d1", + ) + ) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + assert len(rows) == 1 + assert not rows[0]["entity_name"].startswith( + "=" + ), f"CSV injection not neutralised in 'entity_name': {rows[0]['entity_name']!r}" + assert rows[0]["entity_name"].startswith("'"), rows[0]["entity_name"] + + def test_actor_injection_neutralised(self, repo, fake_recorder): + """actor field starting with + is neutralised.""" + repo.record(_make_entry(actor="+actor-formula")) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + assert not rows[0]["actor"].startswith("+"), rows[0]["actor"] + assert rows[0]["actor"].startswith("'"), rows[0]["actor"] + + # -- Safe values must NOT be mangled -- + + def test_safe_message_not_mangled(self, repo, fake_recorder): + """A message that does not start with a trigger char must be unchanged.""" + repo.record(_make_entry(message="Normal log message")) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + assert rows[0]["message"] == "Normal log message" + + def test_empty_message_not_mangled(self, repo, fake_recorder): + """Empty-string fields (None → '') are not prefixed with '.""" + repo.record(_make_entry(entity_name=None)) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + assert rows[0]["entity_name"] == "" + + # -- CSV well-formedness -- + + def test_csv_comma_in_field_properly_quoted(self, repo, fake_recorder): + """A comma inside a field value must be quoted, not split into two columns.""" + repo.record(_make_entry(message="left, right")) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + # DictReader must parse it back as a single field + assert rows[0]["message"] == "left, right" + + def test_csv_double_quote_in_field_escaped(self, repo, fake_recorder): + """A double-quote inside a field must be escaped (RFC 4180: doubled).""" + repo.record(_make_entry(message='He said "hello"')) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + assert rows[0]["message"] == 'He said "hello"' + + def test_csv_newline_in_field_handled(self, repo, fake_recorder): + """A newline embedded in a field must not break the row count.""" + repo.record(_make_entry(message="line1\nline2")) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + # Must still be exactly 1 data row + assert len(rows) == 1 + assert "line1" in rows[0]["message"] + + # -- Row count matches filter -- + + def test_csv_row_count_matches_filter(self, repo, fake_recorder): + """Row count in CSV equals the total from the list endpoint for the same filter.""" + repo.record(_make_entry(category=ActivityCategory.AUTH, message="auth 1")) + repo.record(_make_entry(category=ActivityCategory.AUTH, message="auth 2")) + repo.record(_make_entry(category=ActivityCategory.ENTITY, message="entity 1")) + + client = _make_client(repo, recorder=fake_recorder) + + list_resp = client.get("/api/v1/activity-log?categories=auth") + assert list_resp.status_code == 200 + expected_count = list_resp.json()["total"] + + csv_resp = client.get("/api/v1/activity-log/export?format=csv&categories=auth") + rows = self._csv_rows(csv_resp) + assert ( + len(rows) == expected_count + ), f"CSV row count {len(rows)} != list total {expected_count}" + for row in rows: + assert row["category"] == "auth" + + def test_csv_all_trigger_chars_in_one_export(self, repo, fake_recorder): + """Multiple entries with all four injection chars are all neutralised.""" + triggers = ["=HYPERLINK(url)", "+evil", "-minus", "@at"] + for msg in triggers: + repo.record(_make_entry(message=msg)) + + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + assert len(rows) == len(triggers) + for row in rows: + assert row["message"][0:1] not in ( + "=", + "+", + "-", + "@", + ), f"Unguarded injection trigger in message: {row['message']!r}" + + # -- Leading TAB / CR triggers (MEDIUM-1) -- + + def test_tab_formula_prefix_neutralised(self, repo, fake_recorder): + """A leading TAB before a formula character is a recognised injection trigger.""" + repo.record(_make_entry(message="\t=SUM(A1:A10)")) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + assert len(rows) == 1 + msg = rows[0]["message"] + assert not msg.startswith("\t"), f"Leading TAB injection trigger not neutralised: {msg!r}" + assert msg.startswith("'"), f"Expected single-quote prefix for TAB trigger: {msg!r}" + + def test_cr_formula_prefix_neutralised(self, repo, fake_recorder): + """A leading CR is a recognised injection trigger (used to evade column-A checks).""" + repo.record(_make_entry(message="\r=bad")) + client = _make_client(repo, recorder=fake_recorder) + rows = self._csv_rows(client.get("/api/v1/activity-log/export?format=csv")) + assert len(rows) == 1 + msg = rows[0]["message"] + assert not msg.startswith("\r"), f"Leading CR injection trigger not neutralised: {msg!r}" + assert msg.startswith("'"), f"Expected single-quote prefix for CR trigger: {msg!r}" + + +# --------------------------------------------------------------------------- +# 3. EXPORT JSON +# --------------------------------------------------------------------------- + + +class TestExportJson: + def test_empty_log_returns_empty_array(self, repo, fake_recorder): + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=json") + assert resp.status_code == 200 + data = json.loads(resp.text) + assert data == [], f"Expected [] for empty log, got: {data!r}" + + def test_json_content_type(self, repo, fake_recorder): + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=json") + assert "application/json" in resp.headers["content-type"] + + def test_json_export_matches_list_endpoint_data(self, repo, fake_recorder): + """Exported JSON entries must match what the list endpoint returns.""" + for i in range(5): + repo.record(_make_entry(message=f"entry {i}")) + + client = _make_client(repo, recorder=fake_recorder) + + # Collect all entries via list endpoint (5 < default limit 50) + list_resp = client.get("/api/v1/activity-log") + assert list_resp.status_code == 200 + list_ids = {e["id"] for e in list_resp.json()["entries"]} + + export_resp = client.get("/api/v1/activity-log/export?format=json") + assert export_resp.status_code == 200 + exported = json.loads(export_resp.text) + export_ids = {e["id"] for e in exported} + + assert list_ids == export_ids, ( + f"Export IDs differ from list IDs.\n" + f"Only in list: {list_ids - export_ids}\n" + f"Only in export: {export_ids - list_ids}" + ) + + def test_json_export_honours_filter(self, repo, fake_recorder): + """JSON export with a filter returns only matching entries.""" + repo.record(_make_entry(severity=ActivitySeverity.ERROR, message="error")) + repo.record(_make_entry(severity=ActivitySeverity.INFO, message="info")) + repo.record(_make_entry(severity=ActivitySeverity.WARNING, message="warn")) + + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=json&severities=error") + assert resp.status_code == 200 + data = json.loads(resp.text) + assert len(data) == 1 + assert data[0]["severity"] == "error" + + def test_json_export_all_11_fields_present(self, repo, fake_recorder): + """Every exported entry must contain all 11 schema fields.""" + repo.record( + _make_entry( + entity_type="device", + entity_id="d1", + entity_name="Test Device", + metadata={"k": "v"}, + ) + ) + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=json") + data = json.loads(resp.text) + assert len(data) == 1 + expected_keys = { + "id", + "ts", + "category", + "action", + "severity", + "actor", + "entity_type", + "entity_id", + "entity_name", + "message", + "metadata", + } + missing = expected_keys - set(data[0].keys()) + assert not missing, f"Missing fields in JSON export: {missing}" + + def test_json_export_filtered_empty_returns_empty_array(self, repo, fake_recorder): + """A filter that matches nothing returns [] (not null, not {}).""" + repo.record(_make_entry(category=ActivityCategory.AUTH)) + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=json&categories=device") + assert resp.status_code == 200 + data = json.loads(resp.text) + assert data == [] + + def test_json_export_content_disposition_filename(self, repo, fake_recorder): + """JSON export Content-Disposition must include filename with .json extension.""" + client = _make_client(repo, recorder=fake_recorder) + resp = client.get("/api/v1/activity-log/export?format=json") + cd = resp.headers.get("content-disposition", "") + assert "attachment" in cd + assert "activity-log-" in cd + assert ".json" in cd + + +# --------------------------------------------------------------------------- +# 4. PAGINATION INTEGRITY +# --------------------------------------------------------------------------- + + +class TestPaginationIntegrity: + def test_full_traversal_no_gaps_no_dupes(self, repo): + """Page through all entries; every entry appears exactly once.""" + n = 23 + for i in range(n): + repo.record(_make_entry(message=f"entry {i:03d}")) + + client = _make_client(repo) + all_ids: list[str] = [] + before_seq = None + max_pages = n + 1 # safety guard + + for _ in range(max_pages): + url = "/api/v1/activity-log?limit=7" + if before_seq is not None: + url += f"&before_seq={before_seq}" + resp = client.get(url) + assert resp.status_code == 200 + data = resp.json() + page_ids = [e["id"] for e in data["entries"]] + dupes = [pid for pid in page_ids if pid in all_ids] + assert not dupes, f"Duplicate entries on page: {dupes}" + all_ids.extend(page_ids) + if not data["has_more"]: + break + before_seq = data["next_before_seq"] + + assert len(all_ids) == n, f"Expected {n} unique entries, got {len(all_ids)}" + + def test_total_is_stable_across_pages(self, repo): + """The 'total' field stays constant across all pages for the same filters.""" + for i in range(13): + repo.record(_make_entry(message=f"msg {i}")) + + client = _make_client(repo) + totals: list[int] = [] + before_seq = None + + for _ in range(10): + url = "/api/v1/activity-log?limit=5" + if before_seq is not None: + url += f"&before_seq={before_seq}" + resp = client.get(url) + data = resp.json() + totals.append(data["total"]) + if not data["has_more"]: + break + before_seq = data["next_before_seq"] + + assert len(set(totals)) == 1, f"'total' changed across pages: {totals}" + assert totals[0] == 13 + + def test_limit_above_200_rejected(self, repo): + """limit=201 → 422 (hard cap).""" + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?limit=201") + assert resp.status_code == 422 + + def test_limit_at_cap_200_accepted(self, repo): + """limit=200 is the maximum allowed value and must be accepted.""" + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?limit=200") + assert resp.status_code == 200 + + def test_limit_1_accepted(self, repo): + """limit=1 is the minimum allowed value.""" + repo.record(_make_entry()) + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?limit=1") + assert resp.status_code == 200 + + def test_limit_0_rejected(self, repo): + """limit=0 → 422.""" + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?limit=0") + assert resp.status_code == 422 + + def test_limit_negative_rejected(self, repo): + """limit=-5 → 422.""" + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?limit=-5") + assert resp.status_code == 422 + + def test_before_seq_beyond_range_returns_empty(self, repo): + """before_seq larger than any seq in the DB returns an empty page gracefully.""" + repo.record(_make_entry()) + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?before_seq=999999999") + assert resp.status_code == 200 + data = resp.json() + # before_seq=999999999 means "entries with seq < 999999999" which is everything, + # so we should actually get the entry. Let's use seq=1 to get nothing. + # Actually this tests that a very large before_seq doesn't crash. + assert isinstance(data["entries"], list) + assert isinstance(data["has_more"], bool) + + def test_before_seq_1_returns_empty_page(self, repo): + """before_seq=1 (before any autoincrement seq) → empty page, no error.""" + for _ in range(3): + repo.record(_make_entry()) + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?before_seq=1") + assert resp.status_code == 200 + data = resp.json() + assert data["entries"] == [] + assert data["has_more"] is False + + def test_has_more_false_next_before_seq_null(self, repo): + """When has_more is False, next_before_seq must be null (not an int).""" + for _ in range(3): + repo.record(_make_entry()) + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?limit=10") + data = resp.json() + assert data["has_more"] is False + assert data["next_before_seq"] is None + + def test_second_page_cursor_is_usable(self, repo): + """next_before_seq from page 1 must work as before_seq on page 2.""" + for i in range(6): + repo.record(_make_entry(message=f"msg {i}")) + + client = _make_client(repo) + page1 = client.get("/api/v1/activity-log?limit=3").json() + assert page1["has_more"] is True + cursor = page1["next_before_seq"] + assert cursor is not None + + page2 = client.get(f"/api/v1/activity-log?limit=3&before_seq={cursor}").json() + ids_p1 = {e["id"] for e in page1["entries"]} + ids_p2 = {e["id"] for e in page2["entries"]} + assert ids_p1.isdisjoint(ids_p2), f"Overlap between page1 and page2: {ids_p1 & ids_p2}" + + +# --------------------------------------------------------------------------- +# 5. FILTER EDGE CASES +# --------------------------------------------------------------------------- + + +class TestFilterEdgeCases: + def test_combined_filters_and_semantics(self, repo): + """Multiple filters narrow results with AND semantics.""" + repo.record( + _make_entry( + category=ActivityCategory.AUTH, + severity=ActivitySeverity.WARNING, + actor="alice", + message="auth warning", + ) + ) + repo.record( + _make_entry( + category=ActivityCategory.AUTH, + severity=ActivitySeverity.INFO, + actor="alice", + message="auth info", + ) + ) + repo.record( + _make_entry( + category=ActivityCategory.ENTITY, + severity=ActivitySeverity.WARNING, + actor="alice", + message="entity warning", + ) + ) + + client = _make_client(repo) + # category=auth AND severity=warning AND actor=alice → exactly 1 + resp = client.get("/api/v1/activity-log?categories=auth&severities=warning&actor=alice") + assert resp.status_code == 200 + data = resp.json() + assert data["total"] == 1, f"Expected 1 result from combined filters, got {data['total']}" + entry = data["entries"][0] + assert entry["category"] == "auth" + assert entry["severity"] == "warning" + assert entry["actor"] == "alice" + + def test_categories_multi_value_or_semantics(self, repo): + """Multiple 'categories' params → OR within the dimension.""" + repo.record(_make_entry(category=ActivityCategory.AUTH)) + repo.record(_make_entry(category=ActivityCategory.DEVICE)) + repo.record(_make_entry(category=ActivityCategory.ENTITY)) + + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?categories=auth&categories=device") + assert resp.status_code == 200 + assert resp.json()["total"] == 2 + + def test_severities_multi_value(self, repo): + """Multiple 'severities' params → OR within the dimension.""" + repo.record(_make_entry(severity=ActivitySeverity.INFO)) + repo.record(_make_entry(severity=ActivitySeverity.WARNING)) + repo.record(_make_entry(severity=ActivitySeverity.ERROR)) + + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?severities=warning&severities=error") + assert resp.status_code == 200 + assert resp.json()["total"] == 2 + + def test_bad_since_format_is_422(self, repo): + """Malformed 'since' datetime → 422 (Pydantic validation).""" + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?since=not-a-date") + assert resp.status_code == 422 + + def test_bad_until_format_is_422(self, repo): + """Malformed 'until' datetime → 422.""" + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?until=2024-99-99") + assert resp.status_code == 422 + + def test_q_with_percent_literal_treated_literally(self, repo): + """A literal '%' in q must not act as a LIKE wildcard.""" + repo.record(_make_entry(message="100% done")) + repo.record(_make_entry(message="other entry")) + + client = _make_client(repo) + # URL-encode % as %25; the server must pass it as a literal to LIKE + resp = client.get("/api/v1/activity-log?q=100%25") + assert resp.status_code == 200 + data = resp.json() + assert data["total"] == 1, ( + f"Literal '100%' matched {data['total']} entries (expected 1). " + f"'%' is being used as a wildcard instead of a literal character." + ) + + def test_q_with_underscore_literal(self, repo): + """A literal '_' in q must not act as a LIKE single-char wildcard.""" + repo.record(_make_entry(message="snake_case message")) + repo.record(_make_entry(message="camelCase message")) + + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?q=snake_case") + assert resp.status_code == 200 + data = resp.json() + # "snake_case" as a LIKE pattern would match any 10-char sequence; + # as a literal it should only match the entry with "snake_case" + assert data["total"] == 1, ( + f"Literal 'snake_case' matched {data['total']} entries (expected 1). " + f"'_' may be acting as a wildcard." + ) + + def test_q_with_single_quote_no_sql_error(self, repo): + """A single quote in q must not cause a SQL error.""" + repo.record(_make_entry(message="it's working")) + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?q=it%27s") + assert resp.status_code == 200 + + def test_q_with_backslash_no_sql_error(self, repo): + """A backslash in q must not cause a SQL error (LIKE ESCAPE '\\').""" + repo.record(_make_entry(message=r"path\to\file")) + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?q=path%5Cto") + assert resp.status_code == 200 + + def test_unknown_category_returns_empty(self, repo): + """A category value that matches no entries returns total=0 (not an error).""" + repo.record(_make_entry(category=ActivityCategory.AUTH)) + client = _make_client(repo) + resp = client.get("/api/v1/activity-log?categories=nonexistent_category") + # Should return 200 with empty results (not 422) — the contract is an enum + # at the DB level, not at the HTTP level; unknown values simply match nothing. + assert resp.status_code in ( + 200, + 422, + ), f"Unexpected status {resp.status_code} for unknown category value" + if resp.status_code == 200: + assert resp.json()["total"] == 0 + + def test_since_after_until_returns_empty(self, repo): + """since > until is a valid (but empty) range — should not be a server error.""" + repo.record(_make_entry(message="any entry")) + client = _make_client(repo) + resp = client.get( + "/api/v1/activity-log" "?since=2024-06-10T00:00:00Z&until=2024-06-09T00:00:00Z" + ) + # The DB will evaluate ts >= since AND ts <= until — when since > until, + # no row can satisfy both; result must be empty, not an error. + assert resp.status_code in (200, 422) + if resp.status_code == 200: + assert resp.json()["total"] == 0 + + def test_actor_empty_string_matches_nothing(self, repo): + """actor='' should match no entries (empty string is treated as None/absent).""" + repo.record(_make_entry(actor="alice")) + client = _make_client(repo) + # Empty string actor — the implementation converts '' → None → no filter, + # or it becomes an exact-match for '' which also returns 0. + resp = client.get("/api/v1/activity-log?actor=") + assert resp.status_code == 200 + + +# --------------------------------------------------------------------------- +# 6. SETTINGS EDGE CASES +# --------------------------------------------------------------------------- + + +class TestSettingsEdgeCases: + def test_max_days_at_cap_3650_accepted(self, repo, fake_retention_engine): + """max_days=3650 (cap) must be accepted.""" + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": 3650, "max_entries": 0}, + ) + assert resp.status_code == 200 + assert resp.json()["max_days"] == 3650 + + def test_max_days_one_over_cap_rejected(self, repo, fake_retention_engine): + """max_days=3651 (one over cap) must be rejected with 422.""" + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": 3651, "max_entries": 0}, + ) + assert resp.status_code == 422 + + def test_max_entries_at_cap_accepted(self, repo, fake_retention_engine): + """max_entries=10_000_000 (cap) must be accepted.""" + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": 0, "max_entries": 10_000_000}, + ) + assert resp.status_code == 200 + assert resp.json()["max_entries"] == 10_000_000 + + def test_max_entries_one_over_cap_rejected(self, repo, fake_retention_engine): + """max_entries=10_000_001 (one over cap) must be rejected with 422.""" + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": 0, "max_entries": 10_000_001}, + ) + assert resp.status_code == 422 + + def test_enabled_false_then_get_reflects_disabled(self, repo, fake_retention_engine): + """PUT enabled=False → GET returns enabled=False.""" + client = _make_client(repo, retention_engine=fake_retention_engine) + client.put( + "/api/v1/activity-log/settings", + json={"enabled": False, "max_days": 30, "max_entries": 1000}, + ) + resp = client.get("/api/v1/activity-log/settings") + assert resp.status_code == 200 + assert resp.json()["enabled"] is False + + def test_malformed_body_missing_field_rejected(self, repo, fake_retention_engine): + """PUT body missing 'enabled' → 422.""" + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + json={"max_days": 30, "max_entries": 1000}, + # 'enabled' is required; Pydantic should reject the body + ) + assert resp.status_code == 422 + + def test_malformed_body_extra_field_ignored(self, repo, fake_retention_engine): + """PUT body with unknown extra field must not cause a 500.""" + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + json={ + "enabled": True, + "max_days": 30, + "max_entries": 1000, + "undocumented_field": "surprise", + }, + ) + # Pydantic ignores extra fields by default; should succeed or 422, never 500 + assert resp.status_code in (200, 422) + + def test_put_settings_not_dict_rejected(self, repo, fake_retention_engine): + """PUT with a JSON array body (not an object) → 422.""" + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + content=b'["not", "a", "dict"]', + headers={"Content-Type": "application/json"}, + ) + assert resp.status_code == 422 + + def test_put_settings_empty_body_rejected(self, repo, fake_retention_engine): + """PUT with empty body → 422.""" + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + content=b"", + headers={"Content-Type": "application/json"}, + ) + assert resp.status_code == 422 + + def test_put_settings_zero_values_accepted(self, repo, fake_retention_engine): + """max_days=0 and max_entries=0 (no pruning) must be accepted.""" + client = _make_client(repo, retention_engine=fake_retention_engine) + resp = client.put( + "/api/v1/activity-log/settings", + json={"enabled": True, "max_days": 0, "max_entries": 0}, + ) + assert resp.status_code == 200 + data = resp.json() + assert data["max_days"] == 0 + assert data["max_entries"] == 0 + + +# --------------------------------------------------------------------------- +# 7. CLEAR IS AUDITED +# --------------------------------------------------------------------------- + + +class TestClearIsAudited: + def test_clear_leaves_exactly_one_post_clear_entry(self, repo): + """Integration: DELETE leaves exactly one 'activity_log.cleared' entry via real recorder.""" + from ledgrab.core.activity_log.recorder import ActivityRecorder + from ledgrab.storage.activity_log import ActivityLogFilters + + real_recorder = ActivityRecorder(repo, MagicMock()) + + # Pre-populate + for _ in range(5): + repo.record(_make_entry()) + assert repo.count() == 5 + + client = _make_client(repo, recorder=real_recorder, auth_label="admin-key") + resp = client.delete("/api/v1/activity-log") + assert resp.status_code == 200 + + remaining = repo.count() + assert remaining == 1, f"Expected exactly 1 post-clear audit entry, got {remaining}" + entries = repo.query(ActivityLogFilters()) + assert len(entries) == 1 + assert entries[0].action == "activity_log.cleared" + + def test_clear_audit_entry_is_system_category(self, repo): + """The post-clear audit entry must have category='system'.""" + from ledgrab.core.activity_log.recorder import ActivityRecorder + from ledgrab.storage.activity_log import ActivityLogFilters + + real_recorder = ActivityRecorder(repo, MagicMock()) + repo.record(_make_entry()) + + client = _make_client(repo, recorder=real_recorder, auth_label="tester") + client.delete("/api/v1/activity-log") + + entries = repo.query(ActivityLogFilters()) + assert entries[0].category == ActivityCategory.SYSTEM + + def test_clear_audit_entry_records_deleted_count(self, repo): + """The post-clear audit metadata must include the correct deleted_count.""" + from ledgrab.core.activity_log.recorder import ActivityRecorder + from ledgrab.storage.activity_log import ActivityLogFilters + + real_recorder = ActivityRecorder(repo, MagicMock()) + + for _ in range(7): + repo.record(_make_entry()) + + client = _make_client(repo, recorder=real_recorder, auth_label="tester") + resp = client.delete("/api/v1/activity-log") + assert resp.json()["deleted"] == 7 + + entries = repo.query(ActivityLogFilters()) + assert ( + entries[0].metadata.get("deleted_count") == 7 + ), f"Audit metadata missing correct deleted_count: {entries[0].metadata}" + + def test_clear_audit_entry_records_actor(self, repo): + """The post-clear audit entry's actor must match the authenticated label.""" + from ledgrab.core.activity_log.recorder import ActivityRecorder + from ledgrab.storage.activity_log import ActivityLogFilters + + real_recorder = ActivityRecorder(repo, MagicMock()) + client = _make_client(repo, recorder=real_recorder, auth_label="specific-key") + client.delete("/api/v1/activity-log") + + entries = repo.query(ActivityLogFilters()) + assert ( + entries[0].actor == "specific-key" + ), f"Expected actor 'specific-key', got {entries[0].actor!r}" + + def test_clear_audit_entry_action_is_correct(self, repo, fake_recorder): + """The audit record action must be 'activity_log.cleared' (not cleared or log_cleared).""" + client = _make_client(repo, recorder=fake_recorder, auth_label="tester") + client.delete("/api/v1/activity-log") + + assert len(fake_recorder.calls) == 1 + assert ( + fake_recorder.calls[0]["action"] == "activity_log.cleared" + ), f"Wrong action recorded: {fake_recorder.calls[0]['action']!r}" + + def test_clear_response_deleted_matches_pre_clear_count(self, repo, fake_recorder): + """The 'deleted' count in the response must equal the pre-clear row count.""" + n = 9 + for _ in range(n): + repo.record(_make_entry()) + assert repo.count() == n + + client = _make_client(repo, recorder=fake_recorder) + resp = client.delete("/api/v1/activity-log") + assert resp.status_code == 200 + assert resp.json()["deleted"] == n, f"Expected deleted={n}, got {resp.json()['deleted']}" + + def test_clear_empty_log_audit_records_zero_deleted(self, repo, fake_recorder): + """Clearing an empty log records deleted_count=0 in metadata.""" + client = _make_client(repo, recorder=fake_recorder, auth_label="tester") + resp = client.delete("/api/v1/activity-log") + assert resp.status_code == 200 + assert resp.json()["deleted"] == 0 + assert fake_recorder.calls[0]["metadata"]["deleted_count"] == 0 + + def test_clear_log_then_get_shows_only_audit_entry(self, repo): + """After clear, GET /api/v1/activity-log shows exactly the 1 audit entry.""" + from ledgrab.core.activity_log.recorder import ActivityRecorder + + real_recorder = ActivityRecorder(repo, MagicMock()) + + for _ in range(4): + repo.record(_make_entry()) + + client = _make_client(repo, recorder=real_recorder, auth_label="admin") + client.delete("/api/v1/activity-log") + + resp = client.get("/api/v1/activity-log") + assert resp.status_code == 200 + data = resp.json() + assert data["total"] == 1, f"Expected total=1 after clear, got {data['total']}" + assert data["entries"][0]["action"] == "activity_log.cleared" From 9a0137fa4cc2f6a68ec5e4762e8acbb56179bec7 Mon Sep 17 00:00:00 2001 From: "alexei.dolgolyov" Date: Tue, 9 Jun 2026 20:42:44 +0300 Subject: [PATCH 07/13] feat(activity-log): phase 5 - Activity tab (smart filtering, live updates, export) - new top-level Activity tab: filter toolbar (category/severity chips, presets, debounced search, actor/entity/date), keyset load-more, expandable detail - live prepend via server:activity_logged; authed CSV/JSON blob export - formatTimestamp/formatRelativeTime in core/ui.ts; history+severity SVG icons; Ctrl+7 shortcut - i18n activity_log.* across en/ru/zh; getting-started tutorial step; activity-log.css (themed) - review fixes: newest-first ordering, attribute-context XSS hardening (_escapeAttr + event delegation) --- plans/activity-log/CONTEXT.md | 1 + plans/activity-log/PLAN.md | 6 +- plans/activity-log/phase-5-frontend-tab.md | 124 +++- .../src/ledgrab/static/css/activity-log.css | 626 ++++++++++++++++ server/src/ledgrab/static/css/all.css | 1 + server/src/ledgrab/static/js/app.ts | 36 +- .../src/ledgrab/static/js/core/icon-paths.ts | 11 + server/src/ledgrab/static/js/core/icons.ts | 9 + .../ledgrab/static/js/core/tab-registry.ts | 1 + server/src/ledgrab/static/js/core/ui.ts | 45 ++ .../static/js/features/activity-log.ts | 700 ++++++++++++++++++ .../ledgrab/static/js/features/tutorials.ts | 1 + server/src/ledgrab/static/js/global.d.ts | 16 + server/src/ledgrab/static/locales/en.json | 59 +- server/src/ledgrab/static/locales/ru.json | 59 +- server/src/ledgrab/static/locales/zh.json | 59 +- server/src/ledgrab/templates/index.html | 4 + 17 files changed, 1714 insertions(+), 44 deletions(-) create mode 100644 server/src/ledgrab/static/css/activity-log.css create mode 100644 server/src/ledgrab/static/js/features/activity-log.ts diff --git a/plans/activity-log/CONTEXT.md b/plans/activity-log/CONTEXT.md index 1009f54..e4de9a3 100644 --- a/plans/activity-log/CONTEXT.md +++ b/plans/activity-log/CONTEXT.md @@ -69,3 +69,4 @@ Phase 1 landed (2026-06-09): `activity_log.py` (dataclass + enums + filters + co Phase 2 landed (2026-06-09): `core/activity_log/` package (`context.py`, `recorder.py`, `retention.py`, `__init__.py`); actor ContextVar set in `api/auth.py` (both branches); `ActivityLogRetentionEngine` mirroring AutoBackupEngine; full wiring in `main.py` (repo at module level, recorder+engine in lifespan, `server.shutting_down` first shutdown action, engine stop before db.close); DI getters in `api/dependencies.py`; `activity_logged` added to `_ALLOWED_SERVER_EVENT_TYPES` in `events-ws.ts`; `set_module_recorder` exposes recorder to non-DI sites; 24 new tests — all green. Full suite 2309 passed, 2 skipped, 0 failed. Ruff clean. Phase 4 landed (2026-06-09): schemas (`api/schemas/activity_log.py`), routes (`api/routes/activity_log.py`: list/export/settings/clear), router registration in `api/__init__.py`, `get_seq_for_id` helper on `ActivityLogRepository`. 49 new tests — all green. Full suite 2486 passed, 2 skipped, 0 failed. Ruff clean. Pagination bug found and fixed (limit+1 probe must drop oldest row when has_more, not tail). Phase 3 landed (2026-06-09): instrumented all four categories — entity CRUD via `fire_entity_event` choke-point (`dependencies.py`), auth failures + WS session in `auth.py`, device online/offline in `device_health.py`, device discovered/lost in `discovery_watcher.py`, ADB connect/disconnect in `system_settings.py`, capture start/stop (individual + bulk) in `output_targets_control.py`, scene/playlist/automation activate in their respective route/engine files, backup/restore/delete + restart/shutdown/update/calibration/settings in `backup.py`/`update.py`/`calibration.py`; all 11 entity delete handlers pass `entity_name` to `fire_entity_event`; 22 new tests (security: token never in any field, explicitly asserted) — all green. Full suite 2369 passed, 2 skipped, 0 failed. Ruff clean. Complete (category, action) inventory in phase-3-instrumentation.md Handoff section. +Phase 5 landed (2026-06-09): Activity tab frontend — `features/activity-log.ts` (loadActivityLog, filter toolbar with category/severity chips + presets + debounced search + date range + actor/entity-type text fields, keyset-paginated list, expandable detail drawer, live-prepend via `server:activity_logged`, authed CSV/JSON blob export); `core/ui.ts` additions (`formatTimestamp`, `formatRelativeTime`); `core/icon-paths.ts` + `core/icons.ts` additions (scrollText/audit, circleAlert, info, filter, xCircle); `core/tab-registry.ts` registered; `templates/index.html` tab button + panel; `app.ts` + `global.d.ts` wired; `static/css/activity-log.css` (precision-ledger design, category color rail, live-dot pulse, detail drawer, responsive breakpoints); all three locales updated (activity_log.* + time.* relative-time keys + tour.activity_log); `features/tutorials.ts` getting-started tour extended. `tsc --noEmit` clean, `npm run build` passes. Reusable helpers for Phase 6 documented in phase-5-frontend-tab.md Handoff section. diff --git a/plans/activity-log/PLAN.md b/plans/activity-log/PLAN.md index 54fc375..d77d58c 100644 --- a/plans/activity-log/PLAN.md +++ b/plans/activity-log/PLAN.md @@ -83,7 +83,7 @@ is an on-demand CSV/JSON **export** (no separate backup subsystem). | Phase 2: Recorder/Retention | backend | ✅ Done | ✅ Passed | ✅ Passed | ✅ | | Phase 3: Instrumentation | backend | ✅ Done | ✅ Passed | ✅ Passed | ✅ | | Phase 4: REST API | backend | ✅ Done | ✅ Passed | ✅ Passed | ✅ | -| Phase 5: Frontend tab | frontend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | +| Phase 5: Frontend tab | frontend | ✅ Done | ✅ Passed | ✅ Passed (tsc+build) | ✅ | | Phase 6: Dashboard/Settings | frontend | ⬜ Not Started | ⬜ | ⬜ | ⬜ | ## Outstanding Warnings @@ -99,6 +99,10 @@ is an on-demand CSV/JSON **export** (no separate backup subsystem). | 4 | PUT /settings only AuthRequired → anon could disable auditing/prune trail | 🟠 High (security) | resolved — `require_authenticated` on settings PUT | | 4 | CSV formula-injection missed leading TAB/CR | 🟡 Medium (security) | resolved — added `\t`/`\r` to guard | | 4 | `total` count full-scans on every list request | 🔵 Low (perf) | accepted — bounded by retention; read-only; optional opt-in deferred | +| 5 | Inverted list ordering broke pagination + live-append | 🔴 Blocker | resolved — pages reversed to newest-first; re-review PASS | +| 5 | Attribute-context XSS (entity_name title + JSON.stringify onclick) | 🟡 Warning (security) | resolved — `_escapeAttr` + data-attr event delegation | +| 5 | Filter toolbar value= attrs not quote-escaped (new code) | 🟡 Warning (security) | resolved — `_escapeAttr` on q/actor/entity_type/since/until | +| 5 | Manual browser smoke test (tab loads, filters, live, export) | 🔵 Note | open — recommend at final review (server restart needed) | ## Final Review diff --git a/plans/activity-log/phase-5-frontend-tab.md b/plans/activity-log/phase-5-frontend-tab.md index 0e2a509..2d88c42 100644 --- a/plans/activity-log/phase-5-frontend-tab.md +++ b/plans/activity-log/phase-5-frontend-tab.md @@ -1,6 +1,6 @@ # Phase 5: Frontend — Activity tab + smart filtering + live updates -**Status:** ⬜ Not Started +**Status:** ✅ Done **Parent plan:** [PLAN.md](./PLAN.md) **Domain:** frontend · uses the `frontend-design` skill @@ -12,14 +12,14 @@ This is a viewer (Dashboard-style), NOT a CRUD card section. ## Tasks -- [ ] `core/ui.ts`: add `formatTimestamp(isoOrMs)` (Today/Yesterday/Date · HH:MM, i18n-aware) +- [x] `core/ui.ts`: add `formatTimestamp(isoOrMs)` (Today/Yesterday/Date · HH:MM, i18n-aware) and `formatRelativeTime(isoOrMs)` ("2m ago"), with `tabular-nums` styling guidance for the list. Reuse existing `time.*` i18n key conventions. -- [ ] `features/activity-log.ts`: +- [x] `features/activity-log.ts`: - `export async function loadActivityLog()` — fetch first page from `GET /activity-log` (via `fetchWithAuth`), render the toolbar + list into the panel. - - **Smart filter toolbar:** category (multi, IconSelect/chips), severity (chips), actor - (EntitySelect/text), entity type, date range, free-text search (debounced). Quick presets: + - **Smart filter toolbar:** category (multi, chips), severity (chips), actor + (text input), entity type, date range, free-text search (debounced). Quick presets: Today / Errors / Auth / Devices. Filters drive server-side query params (no client-side filtering of a partial page). Re-query on change; reset cursor. - **List:** one row per entry — severity icon, category badge, relative time (title=absolute), @@ -32,60 +32,106 @@ This is a viewer (Dashboard-style), NOT a CRUD card section. - **Export button:** triggers `GET /activity-log/export?format=…` with current filters via an authed blob download (use `fetchWithAuth` → blob URL, per frontend.md auth rules). - Empty / loading / error states; re-render on `languageChanged`. -- [ ] Tab wiring: +- [x] Tab wiring: - `core/tab-registry.ts`: add `activity_log: { loadFnName: 'loadActivityLog', autoRefresh: false }`. - `templates/index.html`: sidebar tab button (`data-tab`, `switchTab('activity_log')`, history/clock SVG icon, `data-i18n`) + `
`. - `app.ts`: import + `Object.assign(window, { loadActivityLog, … })`; `global.d.ts` decls. -- [ ] Icons: add a history/audit icon to `core/icon-paths.ts` + `core/icons.ts`; severity icons +- [x] Icons: add a history/audit icon to `core/icon-paths.ts` + `core/icons.ts`; severity icons (info/warning/error) reuse existing constants where possible. -- [ ] i18n: add `activity_log.*` keys to `static/locales/{en,ru,zh}.json` (title, filter labels, +- [x] i18n: add `activity_log.*` keys to `static/locales/{en,ru,zh}.json` (title, filter labels, category/severity names, column labels, presets, empty/error, export, "N entries"). -- [ ] Tutorials: add an Activity-tab step to the getting-started tour in +- [x] Tutorials: add an Activity-tab step to the getting-started tour in `features/tutorials.ts` + `tour.*` keys in all 3 locales. ## Files to Modify/Create -- `server/src/ledgrab/static/js/core/ui.ts` — modify: timestamp/relative-time formatters -- `server/src/ledgrab/static/js/features/activity-log.ts` — new: the viewer -- `server/src/ledgrab/static/js/core/tab-registry.ts` — modify: register tab -- `server/src/ledgrab/templates/index.html` — modify: tab button + panel -- `server/src/ledgrab/static/js/app.ts` — modify: import + window globals -- `server/src/ledgrab/static/js/global.d.ts` — modify: window decls -- `server/src/ledgrab/static/js/core/icon-paths.ts` / `core/icons.ts` — modify: icons -- `server/src/ledgrab/static/locales/{en,ru,zh}.json` — modify: i18n keys -- `server/src/ledgrab/static/js/features/tutorials.ts` — modify: tour step -- `server/src/ledgrab/static/css/*` — modify/new: list + toolbar styling (follow base.css vars) +- `server/src/ledgrab/static/js/core/ui.ts` — modified: timestamp/relative-time formatters +- `server/src/ledgrab/static/js/features/activity-log.ts` — NEW: the viewer +- `server/src/ledgrab/static/js/core/tab-registry.ts` — modified: register tab +- `server/src/ledgrab/templates/index.html` — modified: tab button + panel +- `server/src/ledgrab/static/js/app.ts` — modified: import + window globals +- `server/src/ledgrab/static/js/global.d.ts` — modified: window decls +- `server/src/ledgrab/static/js/core/icon-paths.ts` — modified: icons (scrollText, circleAlert, info, filter, xCircle) +- `server/src/ledgrab/static/js/core/icons.ts` — modified: ICON_ACTIVITY_LOG, ICON_SEVERITY_*, ICON_FILTER, ICON_X_CIRCLE +- `server/src/ledgrab/static/locales/{en,ru,zh}.json` — modified: activity_log.* + time.* + tour.activity_log +- `server/src/ledgrab/static/js/features/tutorials.ts` — modified: gettingStartedSteps +- `server/src/ledgrab/static/css/activity-log.css` — NEW: list + toolbar styling +- `server/src/ledgrab/static/css/all.css` — modified: import activity-log.css ## Acceptance Criteria -- New **Activity** tab loads, lists entries, and paginates via keyset "load more". -- Filters hit server-side query params; quick presets work; free-text is debounced. -- New events append live via `server:activity_logged` and respect active filters. -- Export downloads CSV/JSON with auth, honoring current filters. -- Fully localized (en/ru/zh); empty/loading/error states; re-renders on language change. -- No plain `` (use chips); SVG icons only (no emoji). +- [x] `npx tsc --noEmit` clean; `npm run build` succeeds. ## Notes -- **Use the `frontend-design` skill** for the viewer layout, filter toolbar, and detail design - — aim for a polished, distinctive result consistent with the app's design language and CSS - variables in `static/css/base.css` (`--primary-color`, `--card-bg`, etc.). -- Models to mirror: `features/dashboard.ts` (non-card live viewer + load pattern), - `core/events-ws.ts` (`server:` dispatch), `core/entity-palette.ts` (EntitySelect), - `core/icon-select.ts` (IconSelect). Auth/blob download rules: `contexts/frontend.md`. -- Frontend-only phase → run `tsc --noEmit` + `npm run build`; do NOT run pytest/ruff. +- **Used the `frontend-design` skill** for the viewer layout, filter toolbar, and detail design. +- Models mirrored: `features/dashboard.ts` (live viewer pattern), `core/events-ws.ts` (WS dispatch), + `core/api.ts` (fetchWithAuth), `core/navigation.ts` (navigateToCard). +- Frontend-only phase — ran `tsc --noEmit` + `npm run build`; did NOT run pytest/ruff. ## Review Checklist -- [ ] All tasks completed -- [ ] Code follows frontend conventions (i18n ×3, icons, selectors, auth fetch, CSS vars) -- [ ] No unintended side effects -- [ ] Build passes (`tsc --noEmit` + `npm run build`) +- [x] All tasks completed +- [x] Code follows frontend conventions (i18n ×3, icons, auth fetch, CSS vars) +- [x] No unintended side effects +- [x] Build passes (`tsc --noEmit` + `npm run build`) - [ ] Manual smoke: tab loads, filters query server, live append, export ## Handoff to Next Phase - +### Reusable helpers for Phase 6 (Dashboard widget + Settings panel) + +**From `features/activity-log.ts`:** + +| Export | Purpose | How Phase 6 uses it | +|--------|---------|---------------------| +| `loadActivityLog()` | Loads the full tab (already registered as the tab loader) | Phase 6 doesn't call this, but it shares state | +| `activityLogToggleDetail(id)` | Expand/collapse an entry row | Dashboard widget can reuse for the Recent Activity list | +| `activityLogExport(format)` | Authed blob download with current filters | Could surface a direct link in the Settings panel | +| `_renderEntryRow(entry, isNew)` | Renders a single entry as an HTML string | Dashboard widget should import this to render its 5-10 most-recent entries | +| `_fetchPage(beforeSeq, append)` | Keyset-paged fetch from `/activity-log` | Dashboard widget calls with `limit=5&categories=…` for its mini-list | + +**Note:** `_renderEntryRow` and `_fetchPage` are module-private (underscore prefix). Phase 6 should +either (a) re-export them with public names, or (b) duplicate the minimal render logic for the +compact widget format. + +**Recommended approach for Phase 6:** Export two new public helpers: + +```typescript +// Add to activity-log.ts +export async function fetchRecentEntries(limit = 5): Promise +export function renderCompactEntry(entry: ActivityEntry): string +``` + +### i18n namespace + +All keys are under `activity_log.*`. Time-relative formatters use `time.*` keys. + +### CSS classes and tokens introduced + +| Class | Purpose | +|-------|---------| +| `.al-panel` | Tab root wrapper | +| `.al-toolbar` | Filter toolbar container | +| `.al-chip` / `.al-chip.active` | Category/severity toggle chips | +| `.al-preset-btn` | Quick-preset buttons | +| `.al-entry` / `.al-entry-row` | Log entry row | +| `.al-detail` / `.al-detail-grid` | Expandable entry detail | +| `.al-cat-*` | Per-category badge colors (auth/device/entity/capture/system) | +| `.al-sev-info/warning/error` | Severity icon color classes | +| `.al-live-dot` | Pulsing green live-update dot | +| `.al-meta-pre` | Scrollable metadata JSON block | +| `.tabular-nums` | `font-variant-numeric: tabular-nums` utility | + +### Settings endpoint shape used + +Phase 6 Settings panel will call: +- `GET /activity-log/settings` → `{ enabled: bool, max_days: int, max_entries: int }` +- `PUT /activity-log/settings` → same shape (bounds: enabled=bool, max_days=0–3650, max_entries=0–10_000_000) diff --git a/server/src/ledgrab/static/css/activity-log.css b/server/src/ledgrab/static/css/activity-log.css new file mode 100644 index 0000000..0a2d16b --- /dev/null +++ b/server/src/ledgrab/static/css/activity-log.css @@ -0,0 +1,626 @@ +/* ───────────────────────────────────────────────────────────────────────── + Activity Log — audit viewer tab + Design language: precision-instrument / ledger. Monospaced timestamps, + color-coded severity rail, thin category pills. Clean "terminal" feel + without being cold — the primary green accent anchors the live-update dot. + ───────────────────────────────────────────────────────────────────────── */ + +/* ── Panel wrapper ───────────────────────────────────────────────────────── */ + +.al-panel { + display: flex; + flex-direction: column; + gap: 0; + max-width: 1400px; + margin: 0 auto; + padding: var(--space-lg) var(--space-lg) var(--space-xl); + min-height: 0; +} + +/* ── Header ──────────────────────────────────────────────────────────────── */ + +.al-header { + display: flex; + align-items: flex-start; + justify-content: space-between; + gap: var(--space-md); + padding-bottom: var(--space-md); + border-bottom: var(--lux-hairline) solid var(--border-color); + margin-bottom: var(--space-lg); +} + +.al-header-title { + display: flex; + align-items: center; + gap: var(--space-sm); + flex-wrap: wrap; +} + +.al-header-icon .icon { + width: 22px; + height: 22px; + color: var(--primary-color); + flex-shrink: 0; +} + +.al-header-title h2 { + font-size: 1.25rem; + font-weight: 700; + color: var(--text-color); + letter-spacing: -0.01em; +} + +.al-header-subtitle { + font-size: 0.8125rem; + color: var(--text-secondary); + margin: 0; + width: 100%; +} + +/* ── Filter toolbar ──────────────────────────────────────────────────────── */ + +.al-toolbar { + display: flex; + flex-direction: column; + gap: var(--space-sm); + padding: var(--space-md) var(--space-md); + background: var(--bg-secondary); + border: var(--lux-hairline) solid var(--border-color); + border-radius: var(--radius-md); + margin-bottom: var(--space-md); +} + +.al-toolbar-row { + display: flex; + align-items: center; + flex-wrap: wrap; + gap: var(--space-sm); +} + +.al-toolbar-search { + gap: var(--space-sm); +} + +/* Search input */ +.al-search-wrap { + position: relative; + flex: 1; + min-width: 200px; + max-width: 420px; +} + +.al-search-icon { + position: absolute; + left: 10px; + top: 50%; + transform: translateY(-50%); + pointer-events: none; + color: var(--text-muted); + display: flex; + align-items: center; +} + +.al-search-icon .icon { + width: 15px; + height: 15px; +} + +.al-search-input { + width: 100%; + padding: 6px 10px 6px 34px; + background: var(--card-bg); + border: var(--lux-hairline) solid var(--border-color); + border-radius: var(--radius-sm); + color: var(--text-color); + font-size: 0.875rem; + font-family: var(--font-body); + transition: border-color var(--duration-fast) var(--ease-out), + box-shadow var(--duration-fast) var(--ease-out); + outline: none; +} + +.al-search-input:focus { + border-color: var(--primary-color); + box-shadow: 0 0 0 2px rgba(76, 175, 80, 0.15); +} + +.al-search-input::placeholder { color: var(--text-muted); } + +/* Quick presets */ +.al-presets { + display: flex; + gap: 4px; + flex-wrap: wrap; +} + +.al-preset-btn { + padding: 4px 10px; + font-size: 0.75rem; + font-weight: 500; + background: var(--card-bg); + border: var(--lux-hairline) solid var(--border-color); + border-radius: var(--radius-pill); + color: var(--text-secondary); + cursor: pointer; + transition: background var(--duration-fast), color var(--duration-fast), border-color var(--duration-fast); + white-space: nowrap; +} + +.al-preset-btn:hover { + background: var(--primary-color); + border-color: var(--primary-color); + color: var(--primary-contrast); +} + +/* Clear button */ +.al-clear-btn { + padding: 4px 6px; + margin-left: auto; + color: var(--text-secondary); +} + +.al-clear-btn:hover { color: var(--danger-color); border-color: var(--danger-color); } + +/* Export button + dropdown */ +.al-export-wrap { + position: relative; + margin-left: auto; +} + +.al-export-btn { + display: flex; + align-items: center; + gap: 5px; + padding: 5px 12px; + font-size: 0.8125rem; +} + +.al-export-btn .icon { width: 14px; height: 14px; } + +.al-export-menu { + display: none; + position: absolute; + right: 0; + top: calc(100% + 4px); + background: var(--card-bg); + border: var(--lux-hairline) solid var(--border-color); + border-radius: var(--radius-sm); + box-shadow: 0 4px 12px var(--shadow-color); + z-index: 100; + min-width: 140px; + overflow: hidden; +} + +.al-export-wrap:hover .al-export-menu, +.al-export-wrap:focus-within .al-export-menu { display: block; } + +.al-export-menu button { + display: block; + width: 100%; + padding: 8px 14px; + text-align: left; + background: none; + border: none; + color: var(--text-color); + font-size: 0.8125rem; + cursor: pointer; +} + +.al-export-menu button:hover { background: var(--bg-secondary); } + +/* Filter label */ +.al-filter-label { + font-size: 0.75rem; + font-weight: 600; + color: var(--text-muted); + text-transform: uppercase; + letter-spacing: 0.05em; + white-space: nowrap; + flex-shrink: 0; +} + +.al-filter-label-sep { margin-left: var(--space-sm); } + +/* Category / severity chips */ +.al-chip-group { + display: flex; + gap: 4px; + flex-wrap: wrap; +} + +.al-chip { + display: inline-flex; + align-items: center; + gap: 4px; + padding: 3px 9px; + font-size: 0.75rem; + font-weight: 500; + border: var(--lux-hairline) solid var(--border-color); + border-radius: var(--radius-pill); + background: var(--card-bg); + color: var(--text-secondary); + cursor: pointer; + transition: background var(--duration-fast), color var(--duration-fast), border-color var(--duration-fast); + white-space: nowrap; +} + +.al-chip .icon { width: 12px; height: 12px; } + +.al-chip:hover { + background: var(--bg-secondary); + border-color: var(--text-secondary); + color: var(--text-color); +} + +.al-chip.active { + background: var(--primary-color); + border-color: var(--primary-color); + color: var(--primary-contrast); +} + +/* Severity chip colors when active */ +.al-sev-chip-error.active { background: var(--danger-color); border-color: var(--danger-color); } +.al-sev-chip-warning.active { background: var(--warning-color); border-color: var(--warning-color); } +.al-sev-chip-info.active { background: var(--info-color); border-color: var(--info-color); } + +/* Advanced field row */ +.al-toolbar-advanced { + gap: var(--space-sm); + padding-top: var(--space-xs); + border-top: var(--lux-hairline) solid var(--border-color); +} + +.al-field-group { + display: flex; + flex-direction: column; + gap: 2px; + min-width: 160px; + flex: 1; +} + +.al-field-label { + font-size: 0.6875rem; + font-weight: 600; + color: var(--text-muted); + text-transform: uppercase; + letter-spacing: 0.04em; +} + +.al-field-input { + padding: 4px 8px; + background: var(--card-bg); + border: var(--lux-hairline) solid var(--border-color); + border-radius: var(--radius-sm); + color: var(--text-color); + font-size: 0.8125rem; + font-family: var(--font-body); + outline: none; + transition: border-color var(--duration-fast); +} + +.al-field-input:focus { + border-color: var(--primary-color); + box-shadow: 0 0 0 2px rgba(76, 175, 80, 0.12); +} + +/* ── List header (count + live dot) ─────────────────────────────────────── */ + +.al-list-header { + display: flex; + align-items: center; + justify-content: space-between; + padding: var(--space-xs) 0; + margin-bottom: var(--space-xs); +} + +.al-count { + font-size: 0.8125rem; + color: var(--text-muted); + font-variant-numeric: tabular-nums; +} + +.al-live-indicator { + display: flex; + align-items: center; + gap: 5px; + font-size: 0.75rem; + font-weight: 500; + color: var(--primary-text-color); + letter-spacing: 0.02em; +} + +.al-live-dot { + width: 7px; + height: 7px; + background: var(--primary-color); + border-radius: 50%; + animation: al-pulse 2s infinite; +} + +@keyframes al-pulse { + 0%, 100% { opacity: 1; transform: scale(1); } + 50% { opacity: 0.55; transform: scale(0.85); } +} + +/* ── Entry rows ─────────────────────────────────────────────────────────── */ + +.al-list { + display: flex; + flex-direction: column; + gap: 1px; +} + +.al-entry { + background: var(--card-bg); + border: var(--lux-hairline) solid var(--border-color); + border-radius: var(--radius-sm); + overflow: hidden; + transition: border-color var(--duration-fast); +} + +.al-entry:hover { border-color: var(--text-muted); } + +/* New-entry flash */ +@keyframes al-new-flash { + 0% { background: color-mix(in srgb, var(--primary-color) 18%, var(--card-bg)); } + 100% { background: var(--card-bg); } +} + +.al-entry-new.al-entry-appear { animation: al-new-flash 1.8s var(--ease-out) forwards; } + +.al-entry-row { + display: grid; + grid-template-columns: 24px 80px auto 1fr 2fr auto 20px; + align-items: center; + gap: var(--space-sm); + padding: var(--space-xs) var(--space-md); + cursor: pointer; + min-height: 36px; + outline: none; +} + +.al-entry-row:focus-visible { box-shadow: inset 0 0 0 2px var(--primary-color); } + +/* Severity rail icon */ +.al-sev { display: flex; align-items: center; justify-content: center; } +.al-sev .icon { width: 14px; height: 14px; } +.al-sev-info .icon { color: var(--info-color); } +.al-sev-warning .icon { color: var(--warning-color); } +.al-sev-error .icon { color: var(--danger-color); } + +/* Time */ +.al-time { + font-size: 0.75rem; + font-variant-numeric: tabular-nums; + font-family: var(--font-mono); + color: var(--text-muted); + white-space: nowrap; +} + +/* Category badge */ +.al-cat-badge { + display: inline-block; + padding: 1px 7px; + font-size: 0.6875rem; + font-weight: 600; + letter-spacing: 0.03em; + text-transform: uppercase; + border-radius: var(--radius-pill); + white-space: nowrap; + border: var(--lux-hairline) solid transparent; +} + +/* Per-category colors — subtle tinted backgrounds */ +.al-cat-auth { background: rgba(33, 150, 243, 0.12); color: var(--info-color); border-color: rgba(33, 150, 243, 0.25); } +.al-cat-device { background: rgba(156, 39, 176, 0.10); color: #ab47bc; border-color: rgba(156, 39, 176, 0.22); } +.al-cat-entity { background: rgba(76, 175, 80, 0.12); color: var(--primary-text-color); border-color: rgba(76, 175, 80, 0.25); } +.al-cat-capture { background: rgba(255, 152, 0, 0.12); color: var(--warning-color); border-color: rgba(255, 152, 0, 0.25); } +.al-cat-system { background: rgba(120, 120, 120, 0.12); color: var(--text-secondary); border-color: rgba(120, 120, 120, 0.25); } + +[data-theme="light"] .al-cat-auth { background: rgba(33, 150, 243, 0.08); } +[data-theme="light"] .al-cat-device { background: rgba(156, 39, 176, 0.08); } +[data-theme="light"] .al-cat-entity { background: rgba(76, 175, 80, 0.08); } +[data-theme="light"] .al-cat-capture { background: rgba(255, 152, 0, 0.08); } +[data-theme="light"] .al-cat-system { background: rgba(120, 120, 120, 0.08); } + +/* Actor */ +.al-actor { + font-size: 0.8125rem; + font-family: var(--font-mono); + color: var(--text-secondary); + white-space: nowrap; + overflow: hidden; + text-overflow: ellipsis; + max-width: 160px; +} + +/* Message */ +.al-msg { + font-size: 0.8125rem; + color: var(--text-color); + overflow: hidden; + text-overflow: ellipsis; + white-space: nowrap; +} + +/* Entity crosslink */ +.al-entity { display: flex; align-items: center; } + +.al-entity-link { + font-size: 0.75rem; + color: var(--primary-text-color); + background: none; + border: none; + padding: 0; + cursor: pointer; + text-decoration: underline dotted; + text-underline-offset: 2px; + white-space: nowrap; + overflow: hidden; + text-overflow: ellipsis; + max-width: 120px; + display: block; +} + +.al-entity-link:hover { color: var(--primary-hover); text-decoration-style: solid; } + +.al-entity-name { + font-size: 0.75rem; + color: var(--text-muted); + white-space: nowrap; + overflow: hidden; + text-overflow: ellipsis; +} + +/* Expand chevron */ +.al-expand-chevron { + font-size: 0.6875rem; + color: var(--text-muted); + justify-self: end; + user-select: none; +} + +/* ── Entry detail drawer ─────────────────────────────────────────────────── */ + +.al-detail { + padding: var(--space-sm) var(--space-md) var(--space-md); + border-top: var(--lux-hairline) solid var(--border-color); + background: var(--bg-secondary); + animation: al-detail-open var(--duration-fast) var(--ease-out); +} + +@keyframes al-detail-open { + from { opacity: 0; transform: translateY(-4px); } + to { opacity: 1; transform: translateY(0); } +} + +.al-detail-grid { + display: grid; + grid-template-columns: max-content 1fr; + gap: 4px var(--space-md); + font-size: 0.8125rem; +} + +.al-detail-grid dt { + color: var(--text-muted); + font-weight: 600; + font-size: 0.75rem; + text-transform: uppercase; + letter-spacing: 0.04em; + align-self: start; + padding-top: 2px; + white-space: nowrap; +} + +.al-detail-grid dd { + color: var(--text-color); + word-break: break-all; +} + +.al-detail-grid code { + font-family: var(--font-mono); + font-size: 0.8125rem; + background: var(--bg-color); + padding: 1px 5px; + border-radius: var(--radius-sm); + border: var(--lux-hairline) solid var(--border-color); +} + +.al-meta-pre { + font-family: var(--font-mono); + font-size: 0.75rem; + background: var(--bg-color); + border: var(--lux-hairline) solid var(--border-color); + border-radius: var(--radius-sm); + padding: var(--space-sm); + overflow-x: auto; + white-space: pre; + color: var(--text-secondary); + max-height: 220px; + overflow-y: auto; + margin: 0; +} + +/* ── Load More ───────────────────────────────────────────────────────────── */ + +.al-load-more { + display: block; + width: 100%; + margin-top: var(--space-md); + text-align: center; + font-size: 0.875rem; +} + +/* ── Empty / loading / error states ─────────────────────────────────────── */ + +.al-state { + display: flex; + flex-direction: column; + align-items: center; + justify-content: center; + gap: var(--space-sm); + padding: var(--space-xl); + color: var(--text-muted); + font-size: 0.875rem; + text-align: center; +} + +.al-state-icon .icon { + width: 36px; + height: 36px; + opacity: 0.35; +} + +.al-loading { flex-direction: row; padding: var(--space-lg); } + +.al-spinner { + width: 20px; + height: 20px; + border: 2px solid var(--border-color); + border-top-color: var(--primary-color); + border-radius: 50%; + animation: al-spin 0.6s linear infinite; + flex-shrink: 0; +} + +@keyframes al-spin { to { transform: rotate(360deg); } } + +.al-error .al-state-icon .icon { color: var(--danger-color); opacity: 0.6; } + +/* ── List container ──────────────────────────────────────────────────────── */ + +.al-list-container { + flex: 1; + min-height: 0; +} + +/* ── Tabular-nums utility ────────────────────────────────────────────────── */ + +.tabular-nums { font-variant-numeric: tabular-nums; } + +/* ── Responsive ──────────────────────────────────────────────────────────── */ + +@media (max-width: 900px) { + .al-entry-row { + grid-template-columns: 20px 70px auto 1fr 18px; + } + /* Hide actor and entity link at small widths */ + .al-actor, + .al-entity { display: none; } +} + +@media (max-width: 600px) { + .al-panel { padding: var(--space-sm); } + + .al-entry-row { + grid-template-columns: 20px 1fr auto 18px; + grid-template-rows: auto auto; + gap: 4px var(--space-xs); + } + + .al-time { grid-column: 2; grid-row: 2; font-size: 0.6875rem; } + .al-cat-badge{ grid-column: 3; grid-row: 1; } + .al-msg { grid-column: 2 / span 2; grid-row: 1; } + + .al-toolbar-advanced .al-field-group { min-width: 100%; } +} diff --git a/server/src/ledgrab/static/css/all.css b/server/src/ledgrab/static/css/all.css index 0e01d61..43f828e 100644 --- a/server/src/ledgrab/static/css/all.css +++ b/server/src/ledgrab/static/css/all.css @@ -19,5 +19,6 @@ @import './graph-editor.css'; @import './appearance.css'; @import './game-integration.css'; +@import './activity-log.css'; @import './mobile.css'; @import './tv.css'; diff --git a/server/src/ledgrab/static/js/app.ts b/server/src/ledgrab/static/js/app.ts index 9c018d5..40ed66d 100644 --- a/server/src/ledgrab/static/js/app.ts +++ b/server/src/ledgrab/static/js/app.ts @@ -228,6 +228,24 @@ import { mountAutoCalibration, unmountAutoCalibration, } from './features/auto-calibration.ts'; +// Layer 5: activity log +import { + loadActivityLog, + activityLogToggleDetail, + activityLogToggleCat, + activityLogToggleSev, + activityLogOnSearch, + activityLogOnActor, + activityLogOnEntityType, + activityLogOnSince, + activityLogOnUntil, + activityLogClearFilters, + activityLogPreset, + activityLogLoadMore, + activityLogExport, + activityLogNavigateToEntity, +} from './features/activity-log.ts'; + // Layer 5.5: graph editor import { loadGraphEditor, @@ -762,6 +780,22 @@ Object.assign(window, { applyStylePreset, applyBgEffect, renderAppearanceTab, + + // activity log + loadActivityLog, + activityLogToggleDetail, + activityLogToggleCat, + activityLogToggleSev, + activityLogOnSearch, + activityLogOnActor, + activityLogOnEntityType, + activityLogOnSince, + activityLogOnUntil, + activityLogClearFilters, + activityLogPreset, + activityLogLoadMore, + activityLogExport, + activityLogNavigateToEntity, }); // ─── Global keyboard shortcuts ─── @@ -779,7 +813,7 @@ document.addEventListener('keydown', (e) => { // Tab shortcuts: Ctrl+1..4 (skip when typing in inputs) if (!inInput && e.ctrlKey && !e.altKey && !e.shiftKey && !e.metaKey) { - const tabMap = { '1': 'dashboard', '2': 'automations', '3': 'targets', '4': 'streams', '5': 'integrations', '6': 'graph' }; + const tabMap = { '1': 'dashboard', '2': 'automations', '3': 'targets', '4': 'streams', '5': 'integrations', '6': 'graph', '7': 'activity_log' }; const tab = tabMap[e.key]; if (tab) { e.preventDefault(); diff --git a/server/src/ledgrab/static/js/core/icon-paths.ts b/server/src/ledgrab/static/js/core/icon-paths.ts index 9a196a4..15f5871 100644 --- a/server/src/ledgrab/static/js/core/icon-paths.ts +++ b/server/src/ledgrab/static/js/core/icon-paths.ts @@ -135,6 +135,17 @@ export const armchair = ' // Lucide: leaf export const leaf = ''; +// Lucide: scroll-text (audit / activity log) +export const scrollText = ''; +// Lucide: circle-alert (error severity) +export const circleAlert = ''; +// Lucide: info (info severity) +export const info = ''; +// Lucide: filter (filter toolbar) +export const filter = ''; +// Lucide: x-circle (clear/reset) +export const xCircle = ''; + // Easing curve glyphs — custom mini-charts that draw the actual curve. // Curve travels from (4, 20) to (20, 4); each path renders the easing // function directly so the picker shows the shape, not a metaphor. diff --git a/server/src/ledgrab/static/js/core/icons.ts b/server/src/ledgrab/static/js/core/icons.ts index f8aed9e..2744c3b 100644 --- a/server/src/ledgrab/static/js/core/icons.ts +++ b/server/src/ledgrab/static/js/core/icons.ts @@ -354,6 +354,15 @@ export const ICON_CIRCLE = _svg(P.circle); export const ICON_GIT_MERGE = _svg(P.gitMerge); export const ICON_COPY = _svg(P.copy); +// ── Activity log icons ───────────────────────────────────── + +export const ICON_ACTIVITY_LOG = _svg(P.scrollText); +export const ICON_SEVERITY_INFO = _svg(P.info); +export const ICON_SEVERITY_WARN = _svg(P.triangleAlert); +export const ICON_SEVERITY_ERR = _svg(P.circleAlert); +export const ICON_FILTER = _svg(P.filter); +export const ICON_X_CIRCLE = _svg(P.xCircle); + // ── Game integration icons ───────────────────────────────── export const ICON_GAMEPAD = _svg(P.gamepad2); diff --git a/server/src/ledgrab/static/js/core/tab-registry.ts b/server/src/ledgrab/static/js/core/tab-registry.ts index c63dd74..b13ea16 100644 --- a/server/src/ledgrab/static/js/core/tab-registry.ts +++ b/server/src/ledgrab/static/js/core/tab-registry.ts @@ -28,6 +28,7 @@ const TAB_REGISTRY: Readonly> = { automations: { loadFnName: 'loadAutomations', subTab: { storageKey: 'activeAutomationTab', defaultSubTab: 'automations', switchFnName: 'switchAutomationTab' } }, graph: { loadFnName: 'loadGraphEditor' }, + activity_log: { loadFnName: 'loadActivityLog', autoRefresh: false }, }; /** Get the full config for a tab, or undefined if not registered. */ diff --git a/server/src/ledgrab/static/js/core/ui.ts b/server/src/ledgrab/static/js/core/ui.ts index 39b7366..a1c3a50 100644 --- a/server/src/ledgrab/static/js/core/ui.ts +++ b/server/src/ledgrab/static/js/core/ui.ts @@ -555,6 +555,51 @@ export function formatCompact(n: number | null | undefined) { return (v < 10 ? v.toFixed(1) : Math.round(v)) + 'B'; } +/** + * Format an ISO-8601 timestamp (or ms epoch) into a locale-aware string. + * Returns "Today · HH:MM", "Yesterday · HH:MM", or "DD MMM · HH:MM". + * Use `font-variant-numeric: tabular-nums` on the element for stable layout. + */ +export function formatTimestamp(isoOrMs: string | number): string { + const d = typeof isoOrMs === 'number' ? new Date(isoOrMs) : new Date(isoOrMs); + if (isNaN(d.getTime())) return String(isoOrMs); + + const now = new Date(); + const todayStart = new Date(now.getFullYear(), now.getMonth(), now.getDate()); + const yestStart = new Date(todayStart.getTime() - 86400000); + + const hhmm = d.toLocaleTimeString([], { hour: '2-digit', minute: '2-digit', hour12: false }); + + if (d >= todayStart) { + return `${t('time.today')} · ${hhmm}`; + } else if (d >= yestStart) { + return `${t('time.yesterday')} · ${hhmm}`; + } else { + const dateStr = d.toLocaleDateString([], { day: 'numeric', month: 'short' }); + return `${dateStr} · ${hhmm}`; + } +} + +/** + * Format an ISO-8601 timestamp (or ms epoch) as a compact relative string. + * Examples: "just now", "2m ago", "3h ago", "5d ago". + * Use font-variant-numeric: tabular-nums on elements that update frequently. + */ +export function formatRelativeTime(isoOrMs: string | number): string { + const d = typeof isoOrMs === 'number' ? new Date(isoOrMs) : new Date(isoOrMs); + if (isNaN(d.getTime())) return String(isoOrMs); + + const diffSec = Math.floor((Date.now() - d.getTime()) / 1000); + if (diffSec < 10) return t('time.just_now'); + if (diffSec < 60) return t('time.seconds_ago', { n: diffSec }); + const diffMin = Math.floor(diffSec / 60); + if (diffMin < 60) return t('time.minutes_ago', { n: diffMin }); + const diffHr = Math.floor(diffMin / 60); + if (diffHr < 24) return t('time.hours_ago', { n: diffHr }); + const diffDays = Math.floor(diffHr / 24); + return t('time.days_ago', { n: diffDays }); +} + export function formatUptime(seconds: number | null | undefined): string { if (!seconds || seconds <= 0) return '-'; const total = Math.floor(seconds); diff --git a/server/src/ledgrab/static/js/features/activity-log.ts b/server/src/ledgrab/static/js/features/activity-log.ts new file mode 100644 index 0000000..a942890 --- /dev/null +++ b/server/src/ledgrab/static/js/features/activity-log.ts @@ -0,0 +1,700 @@ +/** + * Activity Log tab — persistent, queryable audit log viewer. + * + * This is a READ-ONLY viewer (no CRUD), differentiated from the debug + * Log Viewer (utils/log_broadcaster.py) which is an ephemeral 500-line tail. + * This tab shows structured, semantic audit entries backed by the SQLite + * activity_log table. + * + * Phase 5: Activity tab + smart filtering + live updates. + */ + +import { fetchWithAuth, escapeHtml } from '../core/api.ts'; +import { t } from '../core/i18n.ts'; +import { showToast, formatRelativeTime } from '../core/ui.ts'; +import { navigateToCard } from '../core/navigation.ts'; +import { + ICON_ACTIVITY_LOG, ICON_SEVERITY_INFO, ICON_SEVERITY_WARN, ICON_SEVERITY_ERR, + ICON_X_CIRCLE, ICON_DOWNLOAD, ICON_SEARCH, + ICON_CHEVRON_UP, ICON_CHEVRON_DOWN, +} from '../core/icons.ts'; + +/** + * Escape a string for safe use inside an HTML attribute value (quoted with + * either `"` or `'`). Extends escapeHtml's `<>&` coverage with `"` and `'`. + */ +function _escapeAttr(text: string): string { + if (!text) return ''; + return escapeHtml(text) + .replace(/"/g, '"') + .replace(/'/g, '''); +} + +// ─── Types ─────────────────────────────────────────────────── + +interface ActivityEntry { + id: string; + ts: string; + category: string; + action: string; + severity: string; + actor: string; + entity_type: string | null; + entity_id: string | null; + entity_name: string | null; + message: string; + metadata: Record; +} + +interface ActivityPage { + entries: ActivityEntry[]; + next_before_seq: number | null; + has_more: boolean; + total: number; +} + +interface ActiveFilters { + categories: string[]; + severities: string[]; + actor: string; + entity_type: string; + since: string; + until: string; + q: string; +} + +// ─── Module state ──────────────────────────────────────────── + +let _initialized = false; +let _loading = false; +let _entries: ActivityEntry[] = []; +let _nextBeforeSeq: number | null = null; +let _hasMore = false; +let _total = 0; +let _expandedIds = new Set(); +let _debounceTimer: ReturnType | null = null; +let _liveEventListener: ((e: Event) => void) | null = null; + +const _filters: ActiveFilters = { + categories: [], + severities: [], + actor: '', + entity_type: '', + since: '', + until: '', + q: '', +}; + +// ─── Category → navigation target map (entity crosslinks) ── + +const _ENTITY_NAV: Record = { + output_target: { tab: 'targets', subTab: 'led-targets', attr: 'data-target-id' }, + led_device: { tab: 'targets', subTab: 'led-devices', attr: 'data-device-id' }, + picture_source: { tab: 'streams', subTab: 'raw', attr: 'data-stream-id' }, + color_strip: { tab: 'streams', subTab: 'color_strip', attr: 'data-strip-id' }, + audio_source: { tab: 'streams', subTab: 'audio_capture', attr: 'data-audio-source-id' }, + automation: { tab: 'automations', subTab: 'automations', attr: 'data-automation-id' }, + scene_preset: { tab: 'automations', subTab: 'scenes', attr: 'data-scene-id' }, +}; + +// ─── Severity icon helper ──────────────────────────────────── + +function _severityIcon(severity: string): string { + if (severity === 'error') return ICON_SEVERITY_ERR; + if (severity === 'warning') return ICON_SEVERITY_WARN; + return ICON_SEVERITY_INFO; +} + +function _severityClass(severity: string): string { + if (severity === 'error') return 'al-sev-error'; + if (severity === 'warning') return 'al-sev-warning'; + return 'al-sev-info'; +} + +// ─── Category label helper ─────────────────────────────────── + +function _categoryLabel(category: string): string { + return t(`activity_log.category.${category}`); +} + +// ─── Build query string from active filters + cursor ──────── + +function _buildQuery(beforeSeq: number | null = null): string { + const params = new URLSearchParams(); + for (const cat of _filters.categories) params.append('categories', cat); + for (const sev of _filters.severities) params.append('severities', sev); + if (_filters.actor) params.set('actor', _filters.actor); + if (_filters.entity_type) params.set('entity_type', _filters.entity_type); + if (_filters.since) params.set('since', _filters.since); + if (_filters.until) params.set('until', _filters.until); + if (_filters.q) params.set('q', _filters.q); + if (beforeSeq != null) params.set('before_seq', String(beforeSeq)); + params.set('limit', '50'); + const qs = params.toString(); + return qs ? `?${qs}` : ''; +} + +// ─── Entry rendering ───────────────────────────────────────── + +function _renderEntryRow(entry: ActivityEntry, isNew = false): string { + const relTime = formatRelativeTime(entry.ts); + const iso = entry.ts; + const expanded = _expandedIds.has(entry.id); + const sevClass = _severityClass(entry.severity); + const sevIcon = _severityIcon(entry.severity); + + // Entity crosslink — use data-* attributes + delegated listener (no JSON in onclick) + let entityHtml = ''; + if (entry.entity_type && entry.entity_name) { + const nav = _ENTITY_NAV[entry.entity_type]; + if (nav) { + const escapedName = escapeHtml(entry.entity_name); + const attrEntityType = _escapeAttr(entry.entity_type); + const attrEntityId = _escapeAttr(entry.entity_id || ''); + entityHtml = ``; + } else { + entityHtml = `${escapeHtml(entry.entity_name)}`; + } + } + + const detailHtml = expanded ? _renderEntryDetail(entry) : ''; + const attrEntryId = _escapeAttr(entry.id); + + return `
+
+ ${sevIcon} + ${escapeHtml(relTime)} + ${escapeHtml(_categoryLabel(entry.category))} + ${escapeHtml(entry.actor)} + ${escapeHtml(entry.message)} + ${entityHtml ? `${entityHtml}` : ''} + +
+ ${detailHtml} +
`; +} + +function _renderEntryDetail(entry: ActivityEntry): string { + const metaJson = JSON.stringify(entry.metadata, null, 2); + const absTime = entry.ts ? new Date(entry.ts).toLocaleString() : ''; + return `
+
+
${escapeHtml(t('activity_log.detail.id'))}
+
${escapeHtml(entry.id)}
+
${escapeHtml(t('activity_log.detail.timestamp'))}
+
${escapeHtml(absTime)}
+
${escapeHtml(t('activity_log.detail.action'))}
+
${escapeHtml(entry.action)}
+
${escapeHtml(t('activity_log.detail.actor'))}
+
${escapeHtml(entry.actor)}
+ ${entry.entity_type ? `
${escapeHtml(t('activity_log.detail.entity'))}
+
${escapeHtml(entry.entity_type)}${entry.entity_id ? ` / ${escapeHtml(entry.entity_id)}` : ''}${entry.entity_name ? ` (${escapeHtml(entry.entity_name)})` : ''}
` : ''} +
${escapeHtml(t('activity_log.detail.metadata'))}
+ 
${escapeHtml(metaJson)}
+
+
`; +} + +// ─── Filter toolbar rendering ──────────────────────────────── + +const CATEGORIES = ['auth', 'device', 'entity', 'capture', 'system']; +const SEVERITIES = ['info', 'warning', 'error']; + +function _renderFilterToolbar(): string { + const catChips = CATEGORIES.map(cat => { + const active = _filters.categories.includes(cat); + return ``; + }).join(''); + + const sevChips = SEVERITIES.map(sev => { + const active = _filters.severities.includes(sev); + const icon = _severityIcon(sev); + return ``; + }).join(''); + + const presets = [ + { key: 'today', label: t('activity_log.preset.today') }, + { key: 'errors', label: t('activity_log.preset.errors') }, + { key: 'auth', label: t('activity_log.preset.auth') }, + { key: 'devices', label: t('activity_log.preset.devices') }, + ]; + const presetBtns = presets.map(p => + `` + ).join(''); + + const hasFilters = _filters.categories.length || _filters.severities.length || + _filters.actor || _filters.entity_type || _filters.since || _filters.until || _filters.q; + + return ``; +} + +// ─── List and state rendering ──────────────────────────────── + +function _renderList(): string { + if (_loading && _entries.length === 0) { + return `
+ + ${escapeHtml(t('activity_log.loading'))} +
`; + } + + if (_entries.length === 0) { + const hasFilters = _filters.categories.length || _filters.severities.length || + _filters.actor || _filters.entity_type || _filters.since || _filters.until || _filters.q; + const emptyKey = hasFilters ? 'activity_log.empty' : 'activity_log.empty_no_filters'; + return `
+ +

${escapeHtml(t(emptyKey))}

+
`; + } + + const rows = _entries.map(e => _renderEntryRow(e)).join(''); + const loadMore = _hasMore + ? `` + : ''; + + const countLabel = t('activity_log.n_entries', { n: _total }); + + return `
+ ${escapeHtml(countLabel)} +
+ + ${escapeHtml(t('activity_log.live'))} +
+
+
+ ${rows} +
+ ${loadMore}`; +} + +// ─── Delegated click handler for entry rows and entity links ─ + +let _delegatedClickAttached = false; + +function _attachDelegatedClicks(): void { + if (_delegatedClickAttached) return; + const panel = document.getElementById('tab-activity_log'); + if (!panel) return; + _delegatedClickAttached = true; + + panel.addEventListener('click', (e: MouseEvent) => { + const target = e.target as HTMLElement; + + // Entity navigation: click on data-entity-type button + const entityBtn = target.closest('button.al-entity-link[data-entity-type]'); + if (entityBtn) { + e.stopPropagation(); + const entityType = entityBtn.dataset.entityType ?? ''; + const entityId = entityBtn.dataset.entityId ?? ''; + activityLogNavigateToEntity(entityType, entityId); + return; + } + + // Entry row toggle: click on al-entry-row with data-toggle-id + const row = target.closest('.al-entry-row[data-toggle-id]'); + if (row) { + const entryId = row.dataset.toggleId ?? ''; + if (entryId) activityLogToggleDetail(entryId); + return; + } + }); + + panel.addEventListener('keydown', (e: KeyboardEvent) => { + if (e.key !== 'Enter' && e.key !== ' ') return; + const row = (e.target as HTMLElement).closest('.al-entry-row[data-toggle-id]'); + if (row) { + e.preventDefault(); + const entryId = row.dataset.toggleId ?? ''; + if (entryId) activityLogToggleDetail(entryId); + } + }); +} + +// ─── Full panel render ─────────────────────────────────────── + +function _render(): void { + const panel = document.getElementById('tab-activity_log'); + if (!panel) return; + + panel.innerHTML = `
+
+
+ +

${escapeHtml(t('activity_log.title'))}

+

${escapeHtml(t('activity_log.subtitle'))}

+
+
+ ${_renderFilterToolbar()} +
+ ${_renderList()} +
+
`; + + _attachDelegatedClicks(); +} + +// ─── Partial re-render helpers ─────────────────────────────── + +function _updateListContainer(): void { + const container = document.getElementById('al-list-container'); + if (!container) return; + container.innerHTML = _renderList(); +} + +// ─── Data fetching ─────────────────────────────────────────── + +async function _fetchPage(beforeSeq: number | null = null, append = false): Promise { + if (_loading) return; + _loading = true; + if (!append) { + _entries = []; + _nextBeforeSeq = null; + _hasMore = false; + } + _updateListContainer(); + + try { + const qs = _buildQuery(beforeSeq); + const res = await fetchWithAuth(`/activity-log${qs}`); + if (!res || !res.ok) { + throw new Error(`HTTP ${res?.status}`); + } + const page: ActivityPage = await res.json(); + // API returns each page oldest-first within the page; reverse to newest-first + // so the in-memory list is newest at index 0 (top of the rendered log). + const pageEntries = [...page.entries].reverse(); + if (append) { + _entries = [..._entries, ...pageEntries]; + } else { + _entries = pageEntries; + } + _nextBeforeSeq = page.next_before_seq; + _hasMore = page.has_more; + _total = page.total; + _updateListContainer(); + } catch (e: unknown) { + if (e && typeof e === 'object' && 'isAuth' in e) return; + const container = document.getElementById('al-list-container'); + if (container) { + container.innerHTML = ``; + } + } finally { + _loading = false; + } +} + +// ─── Filter re-query with debounce for text fields ─────────── + +function _requery(debounce = false): void { + if (debounce) { + if (_debounceTimer) clearTimeout(_debounceTimer); + _debounceTimer = setTimeout(() => { _fetchPage(null, false); }, 350); + } else { + _fetchPage(null, false); + } +} + +// ─── Live event handling ────────────────────────────────────── + +function _entryPassesFilters(entry: ActivityEntry): boolean { + if (_filters.categories.length && !_filters.categories.includes(entry.category)) return false; + if (_filters.severities.length && !_filters.severities.includes(entry.severity)) return false; + if (_filters.actor && entry.actor !== _filters.actor) return false; + if (_filters.entity_type && entry.entity_type !== _filters.entity_type) return false; + if (_filters.q) { + const q = _filters.q.toLowerCase(); + if (!entry.message.toLowerCase().includes(q) && + !entry.action.toLowerCase().includes(q) && + !entry.actor.toLowerCase().includes(q)) return false; + } + // Date range filters: if an entry is brand-new it passes "since" checks trivially + if (_filters.since) { + const sinceMs = new Date(_filters.since).getTime(); + if (!isNaN(sinceMs) && new Date(entry.ts).getTime() < sinceMs) return false; + } + if (_filters.until) { + const untilMs = new Date(_filters.until).getTime(); + if (!isNaN(untilMs) && new Date(entry.ts).getTime() > untilMs) return false; + } + return true; +} + +function _prependLiveEntry(entry: ActivityEntry): void { + if (!_entryPassesFilters(entry)) return; + + _entries = [entry, ..._entries]; + _total = _total + 1; + + // Prepend the row into the existing list (no full re-render for performance) + const list = document.getElementById('tab-activity_log')?.querySelector('.al-list'); + if (list) { + const html = _renderEntryRow(entry, true); + list.insertAdjacentHTML('afterbegin', html); + // Animate the new entry + const firstRow = list.firstElementChild as HTMLElement | null; + if (firstRow) { + requestAnimationFrame(() => { firstRow.classList.add('al-entry-appear'); }); + } + // Update count badge + const countEl = list.closest('.al-panel')?.querySelector('.al-count'); + if (countEl) countEl.textContent = t('activity_log.n_entries', { n: _total }); + } else { + _updateListContainer(); + } +} + +function _startLiveUpdates(): void { + if (_liveEventListener) return; + _liveEventListener = (e: Event) => { + const ce = e as CustomEvent; + const entry = ce.detail?.entry as ActivityEntry | undefined; + if (!entry) return; + _prependLiveEntry(entry); + }; + document.addEventListener('server:activity_logged', _liveEventListener); +} + +// ─── Public window-exposed interaction functions ────────────── + +export function activityLogToggleDetail(entryId: string): void { + if (_expandedIds.has(entryId)) { + _expandedIds.delete(entryId); + } else { + _expandedIds.add(entryId); + } + // Update just the affected row + const panel = document.getElementById('tab-activity_log'); + if (!panel) return; + const row = panel.querySelector(`[data-al-id="${CSS.escape(entryId)}"]`); + if (!row) return; + const entry = _entries.find(e => e.id === entryId); + if (!entry) return; + row.outerHTML = _renderEntryRow(entry, false); +} + +export function activityLogToggleCat(cat: string): void { + const idx = _filters.categories.indexOf(cat); + if (idx >= 0) { + _filters.categories = _filters.categories.filter(c => c !== cat); + } else { + _filters.categories = [..._filters.categories, cat]; + } + _render(); + _requery(); +} + +export function activityLogToggleSev(sev: string): void { + const idx = _filters.severities.indexOf(sev); + if (idx >= 0) { + _filters.severities = _filters.severities.filter(s => s !== sev); + } else { + _filters.severities = [..._filters.severities, sev]; + } + _render(); + _requery(); +} + +export function activityLogOnSearch(val: string): void { + _filters.q = val; + _requery(true); +} + +export function activityLogOnActor(val: string): void { + _filters.actor = val.trim(); + _requery(true); +} + +export function activityLogOnEntityType(val: string): void { + _filters.entity_type = val.trim(); + _requery(true); +} + +export function activityLogOnSince(val: string): void { + _filters.since = val; + _requery(); +} + +export function activityLogOnUntil(val: string): void { + _filters.until = val; + _requery(); +} + +export function activityLogClearFilters(): void { + _filters.categories = []; + _filters.severities = []; + _filters.actor = ''; + _filters.entity_type = ''; + _filters.since = ''; + _filters.until = ''; + _filters.q = ''; + _render(); + _requery(); +} + +export function activityLogPreset(key: string): void { + // Reset all filters first + _filters.categories = []; + _filters.severities = []; + _filters.actor = ''; + _filters.entity_type = ''; + _filters.q = ''; + _filters.until = ''; + + switch (key) { + case 'today': { + const todayStart = new Date(); + todayStart.setHours(0, 0, 0, 0); + // datetime-local format: YYYY-MM-DDTHH:MM + _filters.since = todayStart.toISOString().slice(0, 16); + break; + } + case 'errors': + _filters.severities = ['error']; + _filters.since = ''; + break; + case 'auth': + _filters.categories = ['auth']; + _filters.since = ''; + break; + case 'devices': + _filters.categories = ['device']; + _filters.since = ''; + break; + } + _render(); + _requery(); +} + +export function activityLogLoadMore(): void { + if (_hasMore && !_loading) { + _fetchPage(_nextBeforeSeq, true); + } +} + +export async function activityLogExport(format: 'csv' | 'json'): Promise { + try { + showToast(t('activity_log.export.downloading'), 'info'); + const qs = _buildQuery(null); + const sep = qs ? '&' : '?'; + const url = `/activity-log/export${qs}${sep}format=${format}`; + const res = await fetchWithAuth(url); + if (!res || !res.ok) throw new Error(`HTTP ${res?.status}`); + + const blob = await res.blob(); + const blobUrl = URL.createObjectURL(blob); + const now = new Date().toISOString().slice(0, 19).replace(/:/g, '-'); + const filename = `ledgrab-activity-${now}.${format}`; + const a = document.createElement('a'); + a.href = blobUrl; + a.download = filename; + document.body.appendChild(a); + a.click(); + document.body.removeChild(a); + setTimeout(() => URL.revokeObjectURL(blobUrl), 10000); + } catch (e: unknown) { + if (e && typeof e === 'object' && 'isAuth' in e) return; + showToast(t('activity_log.export.error'), 'error'); + } +} + +export function activityLogNavigateToEntity(entityType: string, entityId: string): void { + const nav = _ENTITY_NAV[entityType]; + if (!nav || !entityId) return; + navigateToCard(nav.tab, nav.subTab, null, nav.attr, entityId); +} + +// ─── Main loader (registered with tab-registry) ───────────── + +export async function loadActivityLog(): Promise { + const panel = document.getElementById('tab-activity_log'); + if (!panel) return; + + _initialized = true; + _render(); + await _fetchPage(null, false); + _startLiveUpdates(); + + // Re-render on language change (baked-in t() calls) + document.addEventListener('languageChanged', _onLanguageChanged); +} + +function _onLanguageChanged(): void { + if (!_initialized) return; + _render(); + _fetchPage(null, false); +} diff --git a/server/src/ledgrab/static/js/features/tutorials.ts b/server/src/ledgrab/static/js/features/tutorials.ts index 117ad71..6d13316 100644 --- a/server/src/ledgrab/static/js/features/tutorials.ts +++ b/server/src/ledgrab/static/js/features/tutorials.ts @@ -66,6 +66,7 @@ const gettingStartedSteps: TutorialStep[] = [ { selector: '#tab-btn-streams', textKey: 'tour.sources', position: 'bottom' }, { selector: '#tab-btn-integrations', textKey: 'tour.integrations', position: 'bottom' }, { selector: '#tab-btn-graph', textKey: 'tour.graph', position: 'bottom' }, + { selector: '#tab-btn-activity_log', textKey: 'tour.activity_log', position: 'bottom' }, { selector: 'a.header-link[href="/docs"]', textKey: 'tour.api', position: 'bottom' }, { selector: '[onclick*="openCommandPalette"]', textKey: 'tour.search', position: 'bottom' }, { selector: '[onclick*="toggleTheme"]', textKey: 'tour.theme', position: 'bottom' }, diff --git a/server/src/ledgrab/static/js/global.d.ts b/server/src/ledgrab/static/js/global.d.ts index 4ff0677..a221790 100644 --- a/server/src/ledgrab/static/js/global.d.ts +++ b/server/src/ledgrab/static/js/global.d.ts @@ -457,6 +457,22 @@ startTargetOverlay: (...args: any[]) => any; applyBgEffect: (id: string) => void; renderAppearanceTab: () => void; + // ─── Activity Log ─── + loadActivityLog: () => Promise; + activityLogToggleDetail: (entryId: string) => void; + activityLogToggleCat: (cat: string) => void; + activityLogToggleSev: (sev: string) => void; + activityLogOnSearch: (val: string) => void; + activityLogOnActor: (val: string) => void; + activityLogOnEntityType: (val: string) => void; + activityLogOnSince: (val: string) => void; + activityLogOnUntil: (val: string) => void; + activityLogClearFilters: () => void; + activityLogPreset: (key: string) => void; + activityLogLoadMore: () => void; + activityLogExport: (format: 'csv' | 'json') => Promise; + activityLogNavigateToEntity: (entityType: string, entityId: string) => void; + // ─── Overlay spinner internals ─── overlaySpinnerTimer: ReturnType | null; _overlayEscHandler: ((e: KeyboardEvent) => void) | null; diff --git a/server/src/ledgrab/static/locales/en.json b/server/src/ledgrab/static/locales/en.json index a36cfec..2ccd1fa 100644 --- a/server/src/ledgrab/static/locales/en.json +++ b/server/src/ledgrab/static/locales/en.json @@ -3314,5 +3314,62 @@ "wizard.error.device_name_required": "Device name is required.", "wizard.error.device_url_required": "Device URL is required.", "wizard.error.scaffold_failed": "Setup failed. Please try again.", - "wizard.error.start_failed": "Failed to start LED output." + "wizard.error.start_failed": "Failed to start LED output.", + "time.today": "Today", + "time.yesterday": "Yesterday", + "time.just_now": "just now", + "time.seconds_ago": "{n}s ago", + "time.minutes_ago": "{n}m ago", + "time.hours_ago": "{n}h ago", + "time.days_ago": "{n}d ago", + "activity_log.title": "Activity", + "activity_log.subtitle": "Audit log of LedGrab actions", + "activity_log.loading": "Loading activity log…", + "activity_log.empty": "No activity entries match the current filters.", + "activity_log.empty_no_filters": "No activity has been recorded yet.", + "activity_log.error": "Failed to load activity log.", + "activity_log.load_more": "Load more", + "activity_log.n_entries": "{n} entries", + "activity_log.live": "Live", + "activity_log.new_entries": "{n} new", + "activity_log.filter.title": "Filters", + "activity_log.filter.search": "Search messages…", + "activity_log.filter.category": "Category", + "activity_log.filter.severity": "Severity", + "activity_log.filter.actor": "Actor", + "activity_log.filter.entity_type": "Entity type", + "activity_log.filter.since": "From", + "activity_log.filter.until": "To", + "activity_log.filter.clear": "Clear filters", + "activity_log.preset.today": "Today", + "activity_log.preset.errors": "Errors", + "activity_log.preset.auth": "Auth", + "activity_log.preset.devices": "Devices", + "activity_log.category.auth": "Auth", + "activity_log.category.device": "Device", + "activity_log.category.entity": "Entity", + "activity_log.category.capture": "Capture", + "activity_log.category.system": "System", + "activity_log.severity.info": "Info", + "activity_log.severity.warning": "Warning", + "activity_log.severity.error": "Error", + "activity_log.col.time": "Time", + "activity_log.col.category": "Category", + "activity_log.col.severity": "Severity", + "activity_log.col.actor": "Actor", + "activity_log.col.message": "Message", + "activity_log.detail.title": "Entry detail", + "activity_log.detail.id": "ID", + "activity_log.detail.timestamp": "Timestamp", + "activity_log.detail.action": "Action", + "activity_log.detail.actor": "Actor", + "activity_log.detail.entity": "Entity", + "activity_log.detail.metadata": "Metadata", + "activity_log.export": "Export", + "activity_log.export.csv": "Export CSV", + "activity_log.export.json": "Export JSON", + "activity_log.export.downloading": "Downloading…", + "activity_log.export.error": "Export failed.", + "activity_log.disabled": "Activity logging is disabled.", + "tour.activity_log": "The Activity tab is a persistent audit log of everything LedGrab has done — entity changes, auth events, device connections, and system actions. Filter, search, and export as CSV or JSON." } diff --git a/server/src/ledgrab/static/locales/ru.json b/server/src/ledgrab/static/locales/ru.json index f907246..7ef2a07 100644 --- a/server/src/ledgrab/static/locales/ru.json +++ b/server/src/ledgrab/static/locales/ru.json @@ -2996,5 +2996,62 @@ "wizard.error.device_name_required": "Введите имя устройства.", "wizard.error.device_url_required": "Введите адрес устройства.", "wizard.error.scaffold_failed": "Ошибка настройки. Попробуйте ещё раз.", - "wizard.error.start_failed": "Не удалось запустить LED-вывод." + "wizard.error.start_failed": "Не удалось запустить LED-вывод.", + "time.today": "Сегодня", + "time.yesterday": "Вчера", + "time.just_now": "только что", + "time.seconds_ago": "{n} сек. назад", + "time.minutes_ago": "{n} мин. назад", + "time.hours_ago": "{n} ч. назад", + "time.days_ago": "{n} дн. назад", + "activity_log.title": "Активность", + "activity_log.subtitle": "Журнал действий LedGrab", + "activity_log.loading": "Загрузка журнала…", + "activity_log.empty": "Нет записей, соответствующих текущим фильтрам.", + "activity_log.empty_no_filters": "Действия ещё не зафиксированы.", + "activity_log.error": "Не удалось загрузить журнал.", + "activity_log.load_more": "Загрузить ещё", + "activity_log.n_entries": "Записей: {n}", + "activity_log.live": "Live", + "activity_log.new_entries": "+{n} новых", + "activity_log.filter.title": "Фильтры", + "activity_log.filter.search": "Поиск сообщений…", + "activity_log.filter.category": "Категория", + "activity_log.filter.severity": "Уровень", + "activity_log.filter.actor": "Субъект", + "activity_log.filter.entity_type": "Тип сущности", + "activity_log.filter.since": "С", + "activity_log.filter.until": "По", + "activity_log.filter.clear": "Сбросить фильтры", + "activity_log.preset.today": "Сегодня", + "activity_log.preset.errors": "Ошибки", + "activity_log.preset.auth": "Авторизация", + "activity_log.preset.devices": "Устройства", + "activity_log.category.auth": "Авторизация", + "activity_log.category.device": "Устройство", + "activity_log.category.entity": "Сущность", + "activity_log.category.capture": "Захват", + "activity_log.category.system": "Система", + "activity_log.severity.info": "Информация", + "activity_log.severity.warning": "Предупреждение", + "activity_log.severity.error": "Ошибка", + "activity_log.col.time": "Время", + "activity_log.col.category": "Категория", + "activity_log.col.severity": "Уровень", + "activity_log.col.actor": "Субъект", + "activity_log.col.message": "Сообщение", + "activity_log.detail.title": "Детали записи", + "activity_log.detail.id": "ID", + "activity_log.detail.timestamp": "Метка времени", + "activity_log.detail.action": "Действие", + "activity_log.detail.actor": "Субъект", + "activity_log.detail.entity": "Сущность", + "activity_log.detail.metadata": "Метаданные", + "activity_log.export": "Экспорт", + "activity_log.export.csv": "Экспорт CSV", + "activity_log.export.json": "Экспорт JSON", + "activity_log.export.downloading": "Загрузка…", + "activity_log.export.error": "Ошибка экспорта.", + "activity_log.disabled": "Запись активности отключена.", + "tour.activity_log": "Вкладка «Активность» — постоянный журнал всего, что делает LedGrab: изменения сущностей, авторизация, подключения устройств и системные действия. Используйте фильтры, поиск и экспорт в CSV или JSON." } diff --git a/server/src/ledgrab/static/locales/zh.json b/server/src/ledgrab/static/locales/zh.json index 2058c38..894194a 100644 --- a/server/src/ledgrab/static/locales/zh.json +++ b/server/src/ledgrab/static/locales/zh.json @@ -2990,5 +2990,62 @@ "wizard.error.device_name_required": "设备名称不能为空。", "wizard.error.device_url_required": "设备地址不能为空。", "wizard.error.scaffold_failed": "配置失败,请重试。", - "wizard.error.start_failed": "启动 LED 输出失败。" + "wizard.error.start_failed": "启动 LED 输出失败。", + "time.today": "今天", + "time.yesterday": "昨天", + "time.just_now": "刚刚", + "time.seconds_ago": "{n}秒前", + "time.minutes_ago": "{n}分钟前", + "time.hours_ago": "{n}小时前", + "time.days_ago": "{n}天前", + "activity_log.title": "活动", + "activity_log.subtitle": "LedGrab 操作审计日志", + "activity_log.loading": "正在加载活动日志…", + "activity_log.empty": "没有符合当前过滤条件的记录。", + "activity_log.empty_no_filters": "尚无活动记录。", + "activity_log.error": "加载活动日志失败。", + "activity_log.load_more": "加载更多", + "activity_log.n_entries": "{n} 条记录", + "activity_log.live": "实时", + "activity_log.new_entries": "+{n} 条新记录", + "activity_log.filter.title": "过滤", + "activity_log.filter.search": "搜索消息…", + "activity_log.filter.category": "类别", + "activity_log.filter.severity": "严重性", + "activity_log.filter.actor": "操作者", + "activity_log.filter.entity_type": "实体类型", + "activity_log.filter.since": "从", + "activity_log.filter.until": "至", + "activity_log.filter.clear": "清除过滤", + "activity_log.preset.today": "今天", + "activity_log.preset.errors": "错误", + "activity_log.preset.auth": "身份验证", + "activity_log.preset.devices": "设备", + "activity_log.category.auth": "身份验证", + "activity_log.category.device": "设备", + "activity_log.category.entity": "实体", + "activity_log.category.capture": "采集", + "activity_log.category.system": "系统", + "activity_log.severity.info": "信息", + "activity_log.severity.warning": "警告", + "activity_log.severity.error": "错误", + "activity_log.col.time": "时间", + "activity_log.col.category": "类别", + "activity_log.col.severity": "严重性", + "activity_log.col.actor": "操作者", + "activity_log.col.message": "消息", + "activity_log.detail.title": "记录详情", + "activity_log.detail.id": "ID", + "activity_log.detail.timestamp": "时间戳", + "activity_log.detail.action": "操作", + "activity_log.detail.actor": "操作者", + "activity_log.detail.entity": "实体", + "activity_log.detail.metadata": "元数据", + "activity_log.export": "导出", + "activity_log.export.csv": "导出 CSV", + "activity_log.export.json": "导出 JSON", + "activity_log.export.downloading": "下载中…", + "activity_log.export.error": "导出失败。", + "activity_log.disabled": "活动日志记录已禁用。", + "tour.activity_log": "活动标签页是 LedGrab 所有操作的持久审计日志——实体更改、身份验证事件、设备连接和系统操作。可过滤、搜索,并导出为 CSV 或 JSON 格式。" } diff --git a/server/src/ledgrab/templates/index.html b/server/src/ledgrab/templates/index.html index e269142..ec5dd3a 100644 --- a/server/src/ledgrab/templates/index.html +++ b/server/src/ledgrab/templates/index.html @@ -143,6 +143,7 @@ +
@@ -201,6 +202,9 @@
+
+ +