M: audit-log uniformity + renderBodyHTML helper for issues/PRs/reviews

Status	File	+	-
M	`internal/auth/audit/audit.go`	9	2
M	`internal/issues/issues.go`	39	2
M	`internal/pulls/pulls.go`	24	18
M	`internal/pulls/review/comment.go`	2	3
M	`internal/pulls/review/review.go`	16	0
M	`internal/pulls/review/submit.go`	1	2
M	`internal/pulls/state.go`	10	1

internal/auth/audit/audit.gomodified

  	ActionRepoTransferDeclined   Action = "repo_transfer_declined"
  	ActionRepoTransferCanceled   Action = "repo_transfer_canceled"
  	ActionRepoTransferExpired    Action = "repo_transfer_expired"
++	ActionIssueStateChanged      Action = "issue_state_changed"
++	ActionIssueLockChanged       Action = "issue_lock_changed"
++	ActionIssueCommentCreated    Action = "issue_comment_created"
++	ActionPullStateChanged       Action = "pull_state_changed"
++	ActionPullMerged             Action = "pull_merged"
+ )
  // Target is a typed target-type constant.
  type Target string
  const (
--	TargetUser Target = "user"
++	TargetUser  Target = "user"
--	TargetRepo Target = "repo"
++	TargetRepo  Target = "repo"
++	TargetIssue Target = "issue"
++	TargetPull  Target = "pull"
+ )
  // Recorder writes audit rows. Bound to the sqlc queries handle.

internal/issues/issues.gomodified

  	"github.com/jackc/pgx/v5/pgtype"
  	"github.com/jackc/pgx/v5/pgxpool"
++	"github.com/tenseleyFlow/shithub/internal/auth/audit"
  	"github.com/tenseleyFlow/shithub/internal/auth/throttle"
  	issuesdb "github.com/tenseleyFlow/shithub/internal/issues/sqlc"
  	mdrender "github.com/tenseleyFlow/shithub/internal/markdown"
  	Pool    *pgxpool.Pool
  	Limiter *throttle.Limiter
  	Logger  *slog.Logger
++	// Audit is optional; when non-nil, state-changing orchestrator
++	// calls (SetState, SetLock, AddComment) record an audit row. The
++	// repo lifecycle package writes audit rows directly via deps.Audit;
++	// this field ensures issues/PR mutations are equally traceable
++	// (S00-S25 audit, M).
++	Audit *audit.Recorder
+ }
  // Errors returned by the orchestrator. Handlers map these to status
+ 	}
  	// Render markdown for the cached body html.
--	html, _ := mdrender.RenderHTML([]byte(p.Body))
++	html := renderBodyHTML(ctx, deps, p.Body)
  	row.BodyHtmlCached = pgtype.Text{String: html, Valid: html != ""}
  	if err := q.UpdateIssueTitleBody(ctx, tx, issuesdb.UpdateIssueTitleBodyParams{
  		return issuesdb.IssueComment{}, ErrIssueLocked
+ 	}
--	html, _ := mdrender.RenderHTML([]byte(body))
++	html := renderBodyHTML(ctx, deps, body)
  	tx, err := deps.Pool.Begin(ctx)
  	if err != nil {
  		return issuesdb.IssueComment{}, err
+ 	}
  	committed = true
++	if deps.Audit != nil {
++		_ = deps.Audit.Record(ctx, deps.Pool, p.AuthorUserID,
++			audit.ActionIssueCommentCreated, audit.TargetIssue, p.IssueID,
++			map[string]any{"comment_id": c.ID})
++	}
  	return c, nil
+ }
  		return err
+ 	}
  	committed = true
++	if deps.Audit != nil {
++		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,
++			audit.ActionIssueStateChanged, audit.TargetIssue, issueID,
++			map[string]any{"state": newState, "reason": reason})
++	}
  	return nil
+ }
  		return err
+ 	}
  	committed = true
++	if deps.Audit != nil {
++		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,
++			audit.ActionIssueLockChanged, audit.TargetIssue, issueID,
++			map[string]any{"locked": locked, "reason": reason})
++	}
  	return nil
+ }
++
++// renderBodyHTML wraps markdown.RenderHTML with a logger-aware error
++// path. Body length is bounded upstream (orchestrator validation +
++// DB CHECK at 65535), so ErrInputTooLarge is structurally impossible
++// here — but if it ever fires, log loudly: it means a precondition
++// somewhere upstream regressed. The audit (S00-S25, M) flagged the
++// `_`-discard pattern as the kind of slop where a real bug could hide.
++func renderBodyHTML(ctx context.Context, deps Deps, body string) string {
++	html, err := mdrender.RenderHTML([]byte(body))
++	if err != nil && deps.Logger != nil {
++		deps.Logger.WarnContext(ctx, "issues: markdown render failed",
++			"error", err, "body_bytes", len(body))
++	}
++	return html
++}

internal/pulls/pulls.gomodified

  	"errors"
  	"fmt"
  	"log/slog"
--	"path/filepath"
  	"strings"
  	"github.com/jackc/pgx/v5"
  	"github.com/jackc/pgx/v5/pgtype"
  	"github.com/jackc/pgx/v5/pgxpool"
++	"github.com/tenseleyFlow/shithub/internal/auth/audit"
  	"github.com/tenseleyFlow/shithub/internal/checks"
  	"github.com/tenseleyFlow/shithub/internal/issues"
  	issuesdb "github.com/tenseleyFlow/shithub/internal/issues/sqlc"
++	mdrender "github.com/tenseleyFlow/shithub/internal/markdown"
  	"github.com/tenseleyFlow/shithub/internal/pulls/review"
  	pullsdb "github.com/tenseleyFlow/shithub/internal/pulls/sqlc"
  	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"
--	mdrender "github.com/tenseleyFlow/shithub/internal/markdown"
++	"github.com/tenseleyFlow/shithub/internal/repos/protection"
  	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
+ )
  type Deps struct {
  	Pool   *pgxpool.Pool
  	Logger *slog.Logger
++	// Audit is optional; when non-nil, Merge and SetState write audit
++	// rows. Mirrors the issues orchestrator's contract so PR-side
++	// state changes are equally traceable (S00-S25 audit, M).
++	Audit *audit.Recorder
+ }
  // Errors surfaced to handlers.
  	if err != nil {
  		return nil, err
+ 	}
--	var best reposdb.BranchProtectionRule
++	rule, ok := protection.MatchLongestRule(rules, baseRef)
--	bestLen := -1
++	if !ok {
--	for _, r := range rules {
--		ok, _ := filepath.Match(r.Pattern, baseRef)
--		if !ok {
--			continue
--		}
--		if len(r.Pattern) > bestLen ||
--			(len(r.Pattern) == bestLen && r.Pattern < best.Pattern) {
--			best = r
--			bestLen = len(r.Pattern)
--		}
--	}
--	if bestLen < 0 {
  		return []string{}, nil
+ 	}
--	return best.StatusChecksRequired, nil
++	return rule.StatusChecksRequired, nil
+ }
  // int64FromPg unwraps a pgtype.Int8; returns 0 when invalid.
  	if len(body) > 65535 {
  		return issues.ErrBodyTooLong
+ 	}
--	html, _ := mdrender.RenderHTML([]byte(body))
++	html := renderBodyHTML(ctx, deps, body)
  	q := issuesdb.New()
  	return q.UpdateIssueTitleBody(ctx, deps.Pool, issuesdb.UpdateIssueTitleBodyParams{
  		ID:             prID,
+ 	}
  	return false
+ }
++
++// renderBodyHTML wraps markdown.RenderHTML with a logger-aware error
++// path. PR body length is bounded upstream at 65535 chars by the
++// orchestrator; markdown caps at 1 MiB. ErrInputTooLarge here means
++// a precondition regressed — log loudly. (S00-S25 audit, M.)
++func renderBodyHTML(ctx context.Context, deps Deps, body string) string {
++	html, err := mdrender.RenderHTML([]byte(body))
++	if err != nil && deps.Logger != nil {
++		deps.Logger.WarnContext(ctx, "pulls: markdown render failed",
++			"error", err, "body_bytes", len(body))
++	}
++	return html
++}

internal/pulls/review/comment.gomodified

  	"github.com/jackc/pgx/v5/pgtype"
  	pullsdb "github.com/tenseleyFlow/shithub/internal/pulls/sqlc"
--	mdrender "github.com/tenseleyFlow/shithub/internal/markdown"
  )
  // CommentParams describes a single inline comment on a PR. When
  		}
  	}
--	html, _ := mdrender.RenderHTML([]byte(body))
++	html := renderBodyHTML(ctx, deps, body)
  	cur := pgtype.Int4{}
  	if p.CurrentPosition >= 0 {
  	if len(body) > 65535 {
  		return ErrBodyTooLong
  	}
--	html, _ := mdrender.RenderHTML([]byte(body))
++	html := renderBodyHTML(ctx, deps, body)
  	return pullsdb.New().UpdatePRReviewCommentBody(ctx, deps.Pool, pullsdb.UpdatePRReviewCommentBodyParams{
  		ID: commentID, Body: body, BodyHtmlCached: pgtype.Text{String: html, Valid: html != ""},
  	})

internal/pulls/review/review.gomodified

  package review
  import (
++	"context"
  	"errors"
  	"log/slog"
  	"github.com/jackc/pgx/v5/pgxpool"
++
++	mdrender "github.com/tenseleyFlow/shithub/internal/markdown"
+ )
  // Deps wires this package into the runtime.
  // MaxReviewersPerPR caps active review requests per PR. Matches the
  // spec pitfall section.
  const MaxReviewersPerPR = 20
++
++// renderBodyHTML wraps markdown.RenderHTML with a logger-aware error
++// path. Review/comment body length is bounded upstream at 65535 chars
++// by the orchestrator. ErrInputTooLarge here means a precondition
++// regressed — log loudly. (S00-S25 audit, M.)
++func renderBodyHTML(ctx context.Context, deps Deps, body string) string {
++	html, err := mdrender.RenderHTML([]byte(body))
++	if err != nil && deps.Logger != nil {
++		deps.Logger.WarnContext(ctx, "review: markdown render failed",
++			"error", err, "body_bytes", len(body))
++	}
++	return html
++}

internal/pulls/review/submit.gomodified

  	issuesdb "github.com/tenseleyFlow/shithub/internal/issues/sqlc"
  	pullsdb "github.com/tenseleyFlow/shithub/internal/pulls/sqlc"
--	mdrender "github.com/tenseleyFlow/shithub/internal/markdown"
  )
  // SubmitParams describes the submit-a-review action.
  	if len(body) > 65535 {
  		return pullsdb.PrReview{}, ErrBodyTooLong
  	}
--	html, _ := mdrender.RenderHTML([]byte(body))
++	html := renderBodyHTML(ctx, deps, body)
  	tx, err := deps.Pool.Begin(ctx)
  	if err != nil {

internal/pulls/state.gomodified

  	"context"
  	"errors"
++	"github.com/tenseleyFlow/shithub/internal/auth/audit"
  	"github.com/tenseleyFlow/shithub/internal/issues"
  	pullsdb "github.com/tenseleyFlow/shithub/internal/pulls/sqlc"
  	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"
  			return err
+ 		}
+ 	}
--	return issues.SetState(ctx, issues.Deps{Pool: deps.Pool, Logger: deps.Logger}, actorUserID, prID, newState, "")
++	if err := issues.SetState(ctx, issues.Deps{Pool: deps.Pool, Logger: deps.Logger}, actorUserID, prID, newState, ""); err != nil {
++		return err
++	}
++	if deps.Audit != nil {
++		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,
++			audit.ActionPullStateChanged, audit.TargetPull, prID,
++			map[string]any{"state": newState})
++	}
++	return nil
+ }

tenseleyflow/shithub / `ad6dfd8`

7 changed files