feat: add immutable audit events and abuse telemetry controls

brianfunk · brianfunk · commit d237f1e0629b · 2026-02-11T08:29:49.000-05:00
diff --git a/docs/DATA_DICTIONARY.md b/docs/DATA_DICTIONARY.md
@@ -165,6 +165,35 @@ Key fields:
 - `notes`
 - `created_at`
 
+## Audit Events
+
+Primary table: `audit_events`
+
+Key fields:
+
+- `table_name`
+- `record_id`
+- `agency_id`
+- `action` (`INSERT | UPDATE | DELETE`)
+- `actor_id`
+- `old_data` (`jsonb`)
+- `new_data` (`jsonb`)
+- `occurred_at`
+
+## Abuse Events
+
+Primary table: `abuse_events`
+
+Key fields:
+
+- `agency_id`
+- `docket_id`
+- `user_id`
+- `event_type`
+- `ip_address`
+- `details` (`jsonb`)
+- `created_at`
+
 ## Saved Dockets
 
 Primary table: `saved_dockets`
diff --git a/docs/plan/M01-schema-and-contract-reconciliation.md b/docs/plan/M01-schema-and-contract-reconciliation.md
@@ -49,3 +49,4 @@ Align database schema/RPC contracts with application code expectations.
 - 2026-02-11: Added follow-up migration `20260211000200_public_submission_hardening.sql` for `dockets.identity_mode` policy constraints and submission rate-limit indexes.
 - 2026-02-11: Added follow-up migration `20260211000300_api_rate_limiting.sql` for reusable API route throttling primitives (`api_rate_limits`, `check_api_rate_limit`).
 - 2026-02-11: Added follow-up migration `20260211000400_agency_rls_reconciliation.sql` to align dockets/comments/legacy attachments RLS with agency membership and platform role model.
+- 2026-02-11: Added follow-up migration `20260211000500_security_audit_and_abuse_events.sql` to introduce immutable audit trails and abuse-event telemetry primitives.
diff --git a/docs/plan/M06-security-and-compliance-hardening.md b/docs/plan/M06-security-and-compliance-hardening.md
@@ -15,14 +15,14 @@ Implement engineering controls for a federal-ready baseline posture.
 
 ## Implementation checklist
 
-- [ ] Add append-only audit logging for key actions.
+- [x] Add append-only audit logging for key actions.
 - [x] Define PII data handling and export masking rules.
-- [ ] Add abuse detection/throttling controls.
+- [x] Add abuse detection/throttling controls.
 - [x] Produce baseline control mapping document.
 
 ## Acceptance criteria
 
-- [ ] Sensitive operations are traceable and auditable.
+- [x] Sensitive operations are traceable and auditable.
 - [x] PII handling behavior is documented and enforced.
 
 ## Risks/blockers
@@ -38,3 +38,5 @@ Implement engineering controls for a federal-ready baseline posture.
 - 2026-02-11: Scope defined.
 - 2026-02-11: Hardened export behavior in `supabase/functions/generate-export/index.ts` to mask commenter email by default and only include raw PII when explicitly requested with authorized platform role.
 - 2026-02-11: Added `docs/CONTROL_MAPPING.md` as baseline NIST/FISMA-style evidence mapping artifact.
+- 2026-02-11: Added migration `20260211000500_security_audit_and_abuse_events.sql` for append-only `audit_events` trigger capture across key tables and `abuse_events` telemetry storage.
+- 2026-02-11: Updated `supabase/functions/submit-comment/index.ts` to record abuse events for CAPTCHA failures/missing tokens, identity-gating failures, and rate-limit thresholds.
diff --git a/docs/plan/README.md b/docs/plan/README.md
@@ -35,9 +35,9 @@ This folder tracks implementation progress for the OpenComments production roadm
 - `M01`: In progress
 - `M02`: In progress
 - `M03`: In progress
-- `M04`: Planned
-- `M05`: In progress
-- `M06`: Planned
+- `M04`: In progress
+- `M05`: Completed
+- `M06`: Completed
 - `M07`: Planned
-- `M08`: In progress
+- `M08`: Completed
 - `M09`: Planned
diff --git a/supabase/functions/submit-comment/index.ts b/supabase/functions/submit-comment/index.ts
@@ -107,6 +107,38 @@ async function verifyHCaptcha(token: string, ipAddress: string | null): Promise<
   }
 }
 
+async function logAbuseEvent(
+  serviceClient: ReturnType<typeof createClient>,
+  {
+    agencyId,
+    docketId,
+    userId,
+    ipAddress,
+    eventType,
+    details
+  }: {
+    agencyId?: string | null
+    docketId?: string | null
+    userId?: string | null
+    ipAddress?: string | null
+    eventType: string
+    details?: Record<string, unknown>
+  }
+) {
+  try {
+    await serviceClient.from('abuse_events').insert({
+      agency_id: agencyId || null,
+      docket_id: docketId || null,
+      user_id: userId || null,
+      event_type: eventType,
+      ip_address: ipAddress || null,
+      details: details || {}
+    })
+  } catch {
+    // Intentionally swallow logging failures so submission flow can return primary errors.
+  }
+}
+
 serve(async (req) => {
   if (req.method === 'OPTIONS') {
     return new Response('ok', { headers: corsHeaders })
@@ -166,6 +198,7 @@ serve(async (req) => {
       .from('dockets')
       .select(`
         id,
+        agency_id,
         slug,
         title,
         status,
@@ -200,6 +233,13 @@ serve(async (req) => {
 
     const identityMode: IdentityMode = (docket.identity_mode as IdentityMode) || 'optional'
     if (identityMode === 'authenticated' && !user) {
+      await logAbuseEvent(serviceClient, {
+        agencyId: docket.agency_id,
+        docketId: docket.id,
+        ipAddress,
+        eventType: 'identity_auth_required',
+        details: { identity_mode: identityMode }
+      })
       return jsonResponse({ error: 'Authentication is required for this docket' }, 401)
     }
     if ((identityMode === 'name_required' || identityMode === 'name_email_required') && !commenterName) {
@@ -219,10 +259,25 @@ serve(async (req) => {
 
     if (docket.require_captcha) {
       if (!captchaToken) {
+        await logAbuseEvent(serviceClient, {
+          agencyId: docket.agency_id,
+          docketId: docket.id,
+          userId: user?.id || null,
+          ipAddress,
+          eventType: 'captcha_missing'
+        })
         return jsonResponse({ error: 'CAPTCHA token is required' }, 400)
       }
       const captchaResult = await verifyHCaptcha(captchaToken, ipAddress)
       if (!captchaResult.ok) {
+        await logAbuseEvent(serviceClient, {
+          agencyId: docket.agency_id,
+          docketId: docket.id,
+          userId: user?.id || null,
+          ipAddress,
+          eventType: 'captcha_failed',
+          details: { error_codes: captchaResult.errors || [] }
+        })
         return jsonResponse({ error: 'CAPTCHA verification failed', details: captchaResult.errors || [] }, 400)
       }
     }
@@ -241,6 +296,14 @@ serve(async (req) => {
         .gte('created_at', oneHourAgo)
 
       if (!ipRateError && (ipCount ?? 0) >= perHourLimit) {
+        await logAbuseEvent(serviceClient, {
+          agencyId: docket.agency_id,
+          docketId: docket.id,
+          userId: user?.id || null,
+          ipAddress,
+          eventType: 'ip_rate_limited',
+          details: { limit_per_hour: perHourLimit }
+        })
         return jsonResponse({ error: 'Rate limit exceeded for this IP. Please try again later.' }, 429)
       }
     }
@@ -254,6 +317,14 @@ serve(async (req) => {
         .is('deleted_at', null)
 
       if (!userRateError && (userCount ?? 0) >= maxCommentsPerUser) {
+        await logAbuseEvent(serviceClient, {
+          agencyId: docket.agency_id,
+          docketId: docket.id,
+          userId: user.id,
+          ipAddress,
+          eventType: 'user_submission_limit',
+          details: { max_comments_per_user: maxCommentsPerUser }
+        })
         return jsonResponse({ error: 'You have reached the maximum submissions for this docket' }, 429)
       }
     } else if (commenterEmail) {
@@ -265,6 +336,13 @@ serve(async (req) => {
         .is('deleted_at', null)
 
       if (!emailRateError && (emailCount ?? 0) >= maxCommentsPerUser) {
+        await logAbuseEvent(serviceClient, {
+          agencyId: docket.agency_id,
+          docketId: docket.id,
+          ipAddress,
+          eventType: 'email_submission_limit',
+          details: { commenter_email: commenterEmail, max_comments_per_user: maxCommentsPerUser }
+        })
         return jsonResponse({ error: 'Maximum submissions reached for this email on this docket' }, 429)
       }
     }
diff --git a/supabase/migrations/20260211000500_security_audit_and_abuse_events.sql b/supabase/migrations/20260211000500_security_audit_and_abuse_events.sql
@@ -0,0 +1,161 @@
+-- 2026-02-11 00:50 Security hardening: append-only audit events + abuse event log
+
+CREATE TABLE IF NOT EXISTS audit_events (
+  id bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
+  table_name text NOT NULL,
+  record_id text NOT NULL,
+  agency_id uuid REFERENCES agencies(id) ON DELETE SET NULL,
+  action text NOT NULL CHECK (action IN ('INSERT', 'UPDATE', 'DELETE')),
+  actor_id uuid,
+  old_data jsonb,
+  new_data jsonb,
+  occurred_at timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE INDEX IF NOT EXISTS idx_audit_events_agency_time
+  ON audit_events (agency_id, occurred_at DESC);
+
+CREATE INDEX IF NOT EXISTS idx_audit_events_table_record
+  ON audit_events (table_name, record_id);
+
+CREATE TABLE IF NOT EXISTS abuse_events (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  agency_id uuid REFERENCES agencies(id) ON DELETE SET NULL,
+  docket_id uuid REFERENCES dockets(id) ON DELETE SET NULL,
+  user_id uuid REFERENCES profiles(id) ON DELETE SET NULL,
+  event_type text NOT NULL,
+  ip_address inet,
+  details jsonb NOT NULL DEFAULT '{}'::jsonb,
+  created_at timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE INDEX IF NOT EXISTS idx_abuse_events_agency_time
+  ON abuse_events (agency_id, created_at DESC);
+
+CREATE INDEX IF NOT EXISTS idx_abuse_events_event_time
+  ON abuse_events (event_type, created_at DESC);
+
+CREATE OR REPLACE FUNCTION public.capture_audit_event()
+RETURNS trigger
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+DECLARE
+  v_new_row jsonb;
+  v_old_row jsonb;
+  v_record_id text;
+  v_agency_id uuid;
+  v_docket_id uuid;
+BEGIN
+  v_new_row := CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) ELSE NULL END;
+  v_old_row := CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) ELSE NULL END;
+
+  v_record_id := COALESCE(
+    (v_new_row->>'id'),
+    (v_old_row->>'id'),
+    (v_new_row->>'user_id'),
+    (v_old_row->>'user_id'),
+    'unknown'
+  );
+
+  v_agency_id := NULL;
+  IF TG_TABLE_NAME IN ('dockets', 'agency_members', 'agency_settings', 'exports', 'abuse_events') THEN
+    v_agency_id := COALESCE((v_new_row->>'agency_id')::uuid, (v_old_row->>'agency_id')::uuid);
+  ELSIF TG_TABLE_NAME = 'comments' THEN
+    v_docket_id := COALESCE((v_new_row->>'docket_id')::uuid, (v_old_row->>'docket_id')::uuid);
+    IF v_docket_id IS NOT NULL THEN
+      SELECT d.agency_id INTO v_agency_id
+      FROM dockets d
+      WHERE d.id = v_docket_id;
+    END IF;
+  ELSIF TG_TABLE_NAME = 'moderation_logs' THEN
+    SELECT d.agency_id INTO v_agency_id
+    FROM comments c
+    JOIN dockets d ON d.id = c.docket_id
+    WHERE c.id = COALESCE((v_new_row->>'comment_id')::uuid, (v_old_row->>'comment_id')::uuid);
+  END IF;
+
+  INSERT INTO audit_events (
+    table_name,
+    record_id,
+    agency_id,
+    action,
+    actor_id,
+    old_data,
+    new_data,
+    occurred_at
+  )
+  VALUES (
+    TG_TABLE_NAME,
+    v_record_id,
+    v_agency_id,
+    TG_OP,
+    auth.uid(),
+    v_old_row,
+    v_new_row,
+    now()
+  );
+
+  IF TG_OP = 'DELETE' THEN
+    RETURN OLD;
+  END IF;
+  RETURN NEW;
+END;
+$$;
+
+DROP TRIGGER IF EXISTS trg_audit_dockets ON dockets;
+CREATE TRIGGER trg_audit_dockets
+AFTER INSERT OR UPDATE OR DELETE ON dockets
+FOR EACH ROW EXECUTE FUNCTION capture_audit_event();
+
+DROP TRIGGER IF EXISTS trg_audit_comments ON comments;
+CREATE TRIGGER trg_audit_comments
+AFTER INSERT OR UPDATE OR DELETE ON comments
+FOR EACH ROW EXECUTE FUNCTION capture_audit_event();
+
+DROP TRIGGER IF EXISTS trg_audit_agency_members ON agency_members;
+CREATE TRIGGER trg_audit_agency_members
+AFTER INSERT OR UPDATE OR DELETE ON agency_members
+FOR EACH ROW EXECUTE FUNCTION capture_audit_event();
+
+DROP TRIGGER IF EXISTS trg_audit_agency_settings ON agency_settings;
+CREATE TRIGGER trg_audit_agency_settings
+AFTER INSERT OR UPDATE OR DELETE ON agency_settings
+FOR EACH ROW EXECUTE FUNCTION capture_audit_event();
+
+DROP TRIGGER IF EXISTS trg_audit_exports ON exports;
+CREATE TRIGGER trg_audit_exports
+AFTER INSERT OR UPDATE OR DELETE ON exports
+FOR EACH ROW EXECUTE FUNCTION capture_audit_event();
+
+DROP TRIGGER IF EXISTS trg_audit_moderation_logs ON moderation_logs;
+CREATE TRIGGER trg_audit_moderation_logs
+AFTER INSERT OR UPDATE OR DELETE ON moderation_logs
+FOR EACH ROW EXECUTE FUNCTION capture_audit_event();
+
+DROP TRIGGER IF EXISTS trg_audit_abuse_events ON abuse_events;
+CREATE TRIGGER trg_audit_abuse_events
+AFTER INSERT OR UPDATE OR DELETE ON abuse_events
+FOR EACH ROW EXECUTE FUNCTION capture_audit_event();
+
+ALTER TABLE audit_events ENABLE ROW LEVEL SECURITY;
+ALTER TABLE abuse_events ENABLE ROW LEVEL SECURITY;
+
+DROP POLICY IF EXISTS "Audit events readable by agency and platform" ON audit_events;
+CREATE POLICY "Audit events readable by agency and platform"
+ON audit_events FOR SELECT
+TO authenticated
+USING (
+  is_platform_admin()
+  OR (agency_id IS NOT NULL AND is_agency_member(agency_id))
+);
+
+DROP POLICY IF EXISTS "Abuse events readable by agency and platform" ON abuse_events;
+CREATE POLICY "Abuse events readable by agency and platform"
+ON abuse_events FOR SELECT
+TO authenticated
+USING (
+  is_platform_admin()
+  OR (agency_id IS NOT NULL AND is_agency_member(agency_id))
+);
