feat: PAT principal in audit records and auth context

[AmanGIT07]

Summary

• Add PAT actor enrichment in audit record service — resolves PAT title and owner user metadata from DB when actor type is app/pat
• GetPrincipalNameAndTitle to return PAT title for PAT principals (takes precedence over user)
• mapPrincipalTypeToAuditType maps PATPrincipal → PATType
• Add PAT user info to audit actor context in authentication interceptor
• Fix log labels from "user_id" → "principal_id" where principal.ID is logged

Test plan

• TestService_Create_PATActorEnrichment — 5 cases (happy path, existing metadata, nil metadata, PAT not found, user not found)
• TestSetAuditRecordActorContext — 3 cases (metadata type conversion, nil, empty)
• TestGetPrincipalNameAndTitle — 6 cases (nil, user, serviceuser, PAT, PAT precedence, empty)

Sample AuditRecord with PAT:

{
  "id": "019d6c68-e4df-705f-a7d5-f88ee6dde50d",
  "actor": {
    "id": "b1ebf24e-cd86-46e5-af8d-dcb1d4faf9d6",
    "type": "app/pat",
    "metadata": {
      "context": {
        "Browser": "Other",
        "IpAddress": "",
        "Location": {
          "City": "",
          "Country": "",
          "Latitude": "",
          "Longitude": ""
        },
        "OperatingSystem": "Other"
      },
      "user": {
        "email": "aman@test.pixxel.co.in",
        "id": "083624b6-dcf5-4564-b5a6-1e23bbdd1c23",
        "name": "aman_test_pixxel_co_in",
        "title": ""
      }
    },
    "title": "all-access"
  },
  "event": "organization.update",
  "resource": {
    "id": "eefb7622-fd9a-4bf1-9ef6-2c0ca2cde683",
    "type": "organization",
    "name": "Aman test org",
    "metadata": {}
  },
  "occurredAt": "2026-04-08T09:25:06.895085Z",
  "orgId": "eefb7622-fd9a-4bf1-9ef6-2c0ca2cde683",
  "metadata": {},
  "createdAt": "2026-04-08T09:25:06.895085Z",
  "orgName": "Aman test org"
}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
frontier	Ready	Preview, Comment	Apr 9, 2026 6:29am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4badcb21-24a0-4c9c-8b86-a31cb0336679

📥 Commits

Reviewing files that changed from the base of the PR and between fcf6d35 and 381d52e.

📒 Files selected for processing (2)

• core/auditrecord/service.go
• core/auditrecord/service_test.go

---

📝 Walkthrough

Summary by CodeRabbit

• New Features

  • PAT principals are now first-class in audit handling: PAT title is used as actor display name and audit records include enriched user metadata when available. API actor validation accepts PAT principals.

• Tests

  • Added PAT-focused mocks and comprehensive tests for PAT actor enrichment and metadata handling.

• Refactor

  • Logging field keys renamed from user_id to principal_id for clearer authentication logs.

Walkthrough

Adds Personal Access Token (PAT) support across audit/auth flows: new UserPATService interface and mocks, wiring userPATService into auditrecord service initialization, PAT-based actor enrichment and metadata handling, updates to principal name/title resolution, and corresponding tests and logging key changes.

Changes

Cohort / File(s)	Summary
Service wiring cmd/serve.go	Delay creation of auditRecordService until after userPATService exists and pass userPATService into auditrecord.NewService.
Audit record core & tests core/auditrecord/service.go, core/auditrecord/service_test.go	Add UserPATService interface; accept it in NewService; implement PAT principal enrichment in Create; adjust context metadata handling; add extensive tests for PAT enrichment and SetAuditRecordActorContext.
Auditrecord mocks core/auditrecord/mocks/repository.go, core/auditrecord/mocks/session_service.go, core/auditrecord/mocks/user_pat_service.go	Switch repository mock signatures to models.* types; reorder imports; add new autogenerated UserPATService mock with GetByID and testify/expecter helpers.
Authenticate principal handling & tests core/authenticate/context.go, core/authenticate/context_test.go	Return PAT title when principal.PAT is present in GetPrincipalNameAndTitle; add table-driven tests covering PAT precedence and other principal types.
Authenticate mocks core/authenticate/mocks/user_pat_service.go	Add GetByID mock method and expecter/call helpers for authenticate package mocks.
Organization service core/organization/service.go	Treat PAT principals as first-class for audit display name and audit type mapping (use PAT title and PATType); merge user metadata only when principal.User exists.
API handlers (logging / validation) internal/api/v1beta1connect/audit_record.go, internal/api/v1beta1connect/preferences.go, internal/api/v1beta1connect/session.go, internal/api/v1beta1connect/user.go	Allow schema.PATPrincipal where applicable; replace user_id log key with principal_id in multiple handlers' error logs.
Server interceptors pkg/server/connect_interceptors/authentication.go	Populate audit actor metadata user object (id, name, title, email) when principal includes PAT with user details and pass actorMetadata into audit context.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• feat: CreateCurrentUserPAT RPC implementation #1401: Directly overlaps on adding/instantiating UserPATService and wiring it into auditrecord service.
• feat: add PAT identity to JWT claims  #1509: Adds/uses UserPATService.GetByID and introduces PAT-aware principal handling used in authentication/audit paths.
• feat: implement RegenerateCurrentUserPAT RPC #1468: Modifies PAT services and mocks; relates to mock/interface changes and PAT audit events.

Suggested reviewers

• whoAbhishekSah
• rohilsurana

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 245fb3f0-904a-46a2-8959-02fa116eea99

📥 Commits

Reviewing files that changed from the base of the PR and between e704f68 and fcf6d35.

📒 Files selected for processing (15)

• cmd/serve.go
• core/auditrecord/mocks/repository.go
• core/auditrecord/mocks/session_service.go
• core/auditrecord/mocks/user_pat_service.go
• core/auditrecord/service.go
• core/auditrecord/service_test.go
• core/authenticate/context.go
• core/authenticate/context_test.go
• core/authenticate/mocks/user_pat_service.go
• core/organization/service.go
• internal/api/v1beta1connect/audit_record.go
• internal/api/v1beta1connect/preferences.go
• internal/api/v1beta1connect/session.go
• internal/api/v1beta1connect/user.go
• pkg/server/connect_interceptors/authentication.go

[coveralls]

Coverage Report for CI Build 24175974524

Coverage increased (+0.09%) to 41.282%

Details

• Coverage increased (+0.09%) from the base build.
• Patch coverage: 26 uncovered changes across 4 files (50 of 76 lines covered, 65.79%).
• No coverage regressions found.

Uncovered Changes

File	Changed	Covered	%
core/organization/service.go	13	2	15.38%
pkg/server/connect_interceptors/authentication.go	10	0	0.0%
internal/api/v1beta1connect/user.go	10	6	60.0%
cmd/serve.go	1	0	0.0%

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	36389
Covered Lines:	15022
Line Coverage:	41.28%
Coverage Strength:	11.88 hits per line

---

💛 - Coveralls