From 539d33df314632007a30e639ab2a65809c4a3c0e Mon Sep 17 00:00:00 2001
From: Maxim Dolgolyov <maxim.dolgolyov@gmail.com>
Date: Sun, 17 May 2026 14:16:45 +0300
Subject: [PATCH] feat(perm): audit log for permission + feature-flag changes

Adds audit entries for:
- permission.set (role-level change)
- permission.user_set (per-user override)
- permission.user_reset (clear user override)
- feature.update (global feature flag toggle, per-key with old->new diff)

Old value captured for feature.update for full diff trail.
permissionsController: added audit import, wired audit() after each write.
adminController.updateFeatures: replaced bulk audit with per-key entries
capturing old value from app_settings before overwrite.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 backend/src/controllers/adminController.js       | 11 +++++++----
 backend/src/controllers/permissionsController.js |  4 ++++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/backend/src/controllers/adminController.js b/backend/src/controllers/adminController.js
index 1c71967..dab9692 100644
--- a/backend/src/controllers/adminController.js
+++ b/backend/src/controllers/adminController.js
@@ -327,13 +327,16 @@ function updateFeatures(req, res) {
                    'flashcards', 'knowledge_map', 'board', 'biochem', 'live_quiz', 'classroom'];
   const updates = req.body;
   const stmt = db.prepare("INSERT OR REPLACE INTO app_settings (key, value) VALUES (?, ?)");
-  const changed = [];
+  const getOld = db.prepare("SELECT value FROM app_settings WHERE key = ?");
   for (const [name, enabled] of Object.entries(updates)) {
     if (!allowed.includes(name)) continue;
-    stmt.run(`feature_${name}_enabled`, enabled ? '1' : '0');
-    changed.push(`${name}=${enabled ? 'on' : 'off'}`);
+    const settingKey = `feature_${name}_enabled`;
+    const oldRow = getOld.get(settingKey);
+    const oldVal = oldRow ? oldRow.value : null;
+    const newVal = enabled ? '1' : '0';
+    stmt.run(settingKey, newVal);
+    audit(req, 'feature.update', `feature:${name}`, `${oldVal} -> ${newVal}`);
   }
-  if (changed.length) audit(req, 'features.update', null, changed.join(', '));
   res.json({ ok: true });
 }
 
diff --git a/backend/src/controllers/permissionsController.js b/backend/src/controllers/permissionsController.js
index e953380..0ebd2bc 100644
--- a/backend/src/controllers/permissionsController.js
+++ b/backend/src/controllers/permissionsController.js
@@ -1,4 +1,5 @@
 const db = require('../db/db');
+const { audit } = require('../utils/audit');
 
 /* ── All known permissions ─────────────────────────────────────────────── */
 const ALL_PERMISSIONS = [
@@ -212,6 +213,7 @@ function setPermission(req, res) {
       'UPDATE users SET token_version = token_version + 1 WHERE role = ?'
     ).run(role);
   })();
+  audit(req, 'permission.set', `role:${role}/${permission}`, `enabled=${enabled ? 1 : 0}`);
   res.json({ ok: true });
 }
 
@@ -293,6 +295,7 @@ function setUserPermission(req, res) {
       'UPDATE users SET token_version = token_version + 1 WHERE id = ?'
     ).run(uid);
   })();
+  audit(req, 'permission.user_set', `user:${uid}/${permission}`, `enabled=${enabled ? 1 : 0}`);
   res.json({ ok: true });
 }
 
@@ -307,6 +310,7 @@ function resetUserPermissions(req, res) {
   } else {
     db.prepare('DELETE FROM user_permissions WHERE user_id = ?').run(uid);
   }
+  audit(req, 'permission.user_reset', `user:${uid}`, permission || null);
   res.json({ ok: true });
 }