refactor(audit): direct-DB audit-cleanup CronJob (#3270)

Author: Viczei

.claude/rules/audit-logging.md

@@ -144,9 +144,17 @@ Notes:
 
 ### 5. New cron-triggered / system action
 
-Use `logAction` directly with category `system` inside the route handler or
-helper that the cron calls. See `/api/audit/cleanup/route.ts` for the canonical
-pattern (success + failure self-audit with metadata).
+Two patterns are in use, depending on whether the cron runs **inside** the app
+(a tRPC procedure or Next.js route called by a CronJob container) or **out of
+band** (a standalone `.mjs` script invoked by the CronJob with direct DB
+access — see `packages/app/scripts/audit-cleanup.mjs` for the canonical
+example, issue #3268).
+
+- **In-app trigger**: use `logAction` directly with category `system` inside
+  the route handler / helper that the cron calls.
+- **Out-of-band script**: self-audit via a raw `INSERT INTO audit.action_log`
+  statement at the end of the script (success) and in a try/catch arm
+  (failure, outside the rolled-back transaction so the row survives).
 
 ---
 
@@ -196,10 +204,10 @@ the caller is responsible for sanitisation:
 | `export` | 365 days | Data exports and third-party API consumers. |
 | `system` | 365 days | Cron-triggered / admin actions. |
 
-The cleanup cron (`/api/audit/cleanup` → `cleanupAuditLogs`) drops
-`read_sensitive` rows after 180 days and everything else after 365 days. This
-is enforced at the DB level; the category you choose **defines** the retention
-window.
+The cleanup cron (`packages/app/scripts/audit-cleanup.mjs`, wired up in
+`.kontinuous/templates/audit-cleanup-cron.yaml`) drops `read_sensitive` rows
+after 180 days and everything else after 365 days. This is enforced at the DB
+level; the category you choose **defines** the retention window.
 
 ---
 

.claude/rules/automation.md

@@ -114,7 +114,7 @@ Apply these rules **as you write code**, before any agent runs:
 - New auth event / cron → direct `logAction` call; `logger.error` must stay synchronous (`void (async () => {...})()`)
 - Every new action requires **3 wire-up points**: `AUDIT_ACTIONS.*` constant, `AUDIT_ACTION_CATEGORIES` mapping, and the surface-specific wire (tRPC map / wrapper / direct call)
 - `metadata` jsonb must not contain secrets (auto-stripped keys: `password`, `token`, `refresh_token`, `secret`, `client_secret`, `authorization`, `apikey`, `api_key`, `accesskey`, `access_key`, `private_key`)
-- DB-layer changes in `~/server/audit/cleanup.ts` → add an integration test (`*.integration.test.ts`, runs via `pnpm test:integration`) — unit tests mock drizzle and miss driver bugs
+- DB-layer changes in `packages/app/scripts/audit-cleanup.mjs` (or any file that touches `audit.action_log` via non-trivial SQL) → add an integration test (`*.integration.test.ts`, runs via `pnpm test:integration`) — unit tests mock the DB driver and miss driver bugs
 
 ### E2E tests (when relevant)
 

.github/workflows/e2e.yaml

@@ -32,10 +32,6 @@ jobs:
       CLAMAV_HOST: localhost
       CLAMAV_PORT: 3310
       ADMIN_EMAILS: test@fia1.fr
-      # Required by env.js but never exercised by E2E tests (the audit
-      # cleanup route is only called by the K8s CronJob). A dummy value
-      # that satisfies the `.min(32)` Zod check is enough.
-      EGAPRO_AUDIT_CLEANUP_TOKEN: e2e-dummy-audit-cleanup-token-not-used-1234567890
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.kontinuous/env/dev/templates/audit-cleanup.sealed-secret.yaml

@@ -10,51 +10,75 @@ spec:
   failedJobsHistoryLimit: 3
   jobTemplate:
     spec:
-      # Fail fast: a failure here is either a transient 5xx (next daily run
-      # will retry naturally) or a permanent auth error (retry is pointless
-      # and noisy). Either way a single attempt is enough.
+      # Fail fast: a failure here is either a transient DB error (next daily
+      # run will retry naturally) or a permanent schema / driver error (retry
+      # is pointless and noisy). Either way a single attempt is enough.
       backoffLimit: 0
       template:
         metadata:
           labels:
             app: audit-cleanup-daily
         spec:
-          restartPolicy: OnFailure
+          # `Never` is consistent with `backoffLimit: 0`: the kubelet does not
+          # restart the failed container and the Job does not re-queue a new
+          # pod. A failed cleanup waits for the next daily cron run.
+          restartPolicy: Never
           securityContext:
-            runAsUser: 100
+            runAsUser: 1000
             runAsNonRoot: true
           containers:
-            - name: trigger
-              image: curlimages/curl:8.12.1
+            - name: audit-cleanup
+              # `app` matches `.Values.app.imagePackage` in `values.yaml` — but
+              # that lookup lands in the `app` subchart's scope, not the
+              # project-level templates, so the literal is inlined here.
+              image: "{{ .Values.global.registry }}/{{ .Values.global.imageProject }}/{{ .Values.global.imageRepository }}/app:{{ .Values.global.imageTag }}"
               securityContext:
                 allowPrivilegeEscalation: false
               env:
-                - name: EGAPRO_AUDIT_CLEANUP_TOKEN
+                - name: POSTGRES_HOST
                   valueFrom:
                     secretKeyRef:
-                      name: audit-cleanup
-                      key: EGAPRO_AUDIT_CLEANUP_TOKEN
+                      name: "{{ .Values.global.pgSecretName }}"
+                      key: PGHOST
+                - name: POSTGRES_DB
+                  valueFrom:
+                    secretKeyRef:
+                      name: "{{ .Values.global.pgSecretName }}"
+                      key: PGDATABASE
+                - name: POSTGRES_PORT
+                  valueFrom:
+                    secretKeyRef:
+                      name: "{{ .Values.global.pgSecretName }}"
+                      key: PGPORT
+                - name: POSTGRES_USER
+                  valueFrom:
+                    secretKeyRef:
+                      name: "{{ .Values.global.pgSecretName }}"
+                      key: PGUSER
+                - name: POSTGRES_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: "{{ .Values.global.pgSecretName }}"
+                      key: PGPASSWORD
+                - name: POSTGRES_SSLMODE
+                  valueFrom:
+                    secretKeyRef:
+                      name: "{{ .Values.global.pgSecretName }}"
+                      key: PGSSLMODE
+              # Retention windows (days) — optional. The script defaults to
+              # the CNIL thresholds (180 / 365) when these are absent, so an
+              # unset `audit-retention` configmap is a no-op.
+              envFrom:
+                - configMapRef:
+                    name: "audit-retention"
+                    optional: true
               command:
-                - /bin/sh
-                - -c
-                - |
-                  # Capture the HTTP status explicitly so the failure reason
-                  # (auth vs. server vs. network) lands in stderr for
-                  # observability instead of the opaque "curl: exit 22".
-                  HTTP_STATUS=$(curl -s -o /dev/stderr \
-                    -w "%{http_code}" \
-                    -X POST "http://app:3000/api/audit/cleanup" \
-                    -H "Authorization: Bearer ${EGAPRO_AUDIT_CLEANUP_TOKEN}" \
-                    --connect-timeout 10 \
-                    --max-time 300)
-                  if [ "$HTTP_STATUS" -lt 200 ] || [ "$HTTP_STATUS" -ge 300 ]; then
-                    echo "Cleanup request failed with HTTP $HTTP_STATUS" >&2
-                    exit 1
-                  fi
+                - node
+                - packages/app/scripts/audit-cleanup.mjs
               resources:
                 requests:
                   cpu: 50m
-                  memory: 32Mi
-                limits:
-                  cpu: 100m
                   memory: 64Mi
+                limits:
+                  cpu: 200m
+                  memory: 256Mi

.kontinuous/env/preprod/templates/audit-cleanup.sealed-secret.yaml

@@ -44,9 +44,6 @@ app:
     - secretRef:
         name: "admin"
         optional: true
-    - secretRef:
-        name: "audit-cleanup"
-        optional: true
     - configMapRef:
         name: "valkey"
         optional: true

.kontinuous/env/prod/templates/audit-cleanup.sealed-secret.yaml

@@ -23,7 +23,6 @@ S3_BUCKET_NAME="egapro-dev-app"
 CLAMAV_HOST="localhost"
 CLAMAV_PORT="3310"
 ADMIN_EMAILS="test@fia1.fr"
-EGAPRO_AUDIT_CLEANUP_TOKEN="change-me-to-a-32-chars-minimum-token"
 MAIL_ENABLED="true"
 SMTP_HOST="localhost"
 SMTP_PORT="1025"

.kontinuous/templates/audit-cleanup-cron.yaml

@@ -315,7 +315,7 @@ Every new action needs **3 wire-up points**:
 
 The `metadata` jsonb must **never** contain secrets. The recursive sanitizer auto-strips `password`, `token`, `refresh_token`, `secret`, `client_secret`, `authorization`, `apikey`, `api_key`, `accesskey`, `access_key`, `private_key` at any depth — but when calling `logAction` directly (outside tRPC), the caller is responsible for staying clean. Never put IP addresses in `metadata` — there is a dedicated `ip_address` column.
 
-DB-layer changes in `~/server/audit/cleanup.ts` (or any file that touches `audit.action_log` via non-trivial SQL) **must** come with an integration test `*.integration.test.ts` — unit tests mock drizzle and will miss driver-level bugs. Run locally with `pnpm test:integration` (requires Docker).
+DB-layer changes in `packages/app/scripts/audit-cleanup.mjs` (or any file that touches `audit.action_log` via non-trivial SQL) **must** come with an integration test `*.integration.test.ts` — unit tests mock the DB driver and will miss driver-level bugs. Run locally with `pnpm test:integration` (requires Docker).
 
 > Full playbook with code snippets and a PR checklist → [`.claude/rules/audit-logging.md`](../../.claude/rules/audit-logging.md)