feature: global approvals v1

[x032205]

global approvals system V1

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR implements a comprehensive global approvals system V1 that adds multi-step approval workflows for PAM (Privileged Access Management) account access. The implementation introduces approval policies, requests, and grants as reusable abstractions.

Key Changes:

• Added new database tables for approval policies, policy steps, approval requests, request steps, and grants with proper foreign key constraints and cascading deletes
• Implemented policy matching logic using picomatch for path-based access control in PAM resources
• Created approval workflow engine with multi-step approval process, eligible approvers (users/groups), and required approval counts
• Integrated approval checks into PAM account access flow - checks for active grants first, then policy requirements, then falls back to permission checks
• Added comprehensive audit logging for all approval operations (create, update, delete, approve, reject, cancel, revoke)
• Implemented resource cleanup jobs for expired approval requests and grants
• Added new permission subjects and actions: ApprovalRequests (read, create) and ApprovalRequestGrants (read, revoke)
• Notification system alerts eligible approvers when approval steps become active

Code Quality:

• Clean query patterns with no unsafe OR conditions detected
• Proper transaction handling for multi-step operations
• Admin role gets full access to approval policies; regular users can create requests and see requests where they're requester or approver
• Simple regex pattern (/\*/g) used for wildcard counting is safe from ReDoS attacks

Minor Observations:

• Import reordering in app-connection-types.ts (non-functional change)
• New permission actions are appropriately specific to their subjects

Confidence Score: 4/5

• This PR is safe to merge with proper testing of the approval workflows
• The implementation shows solid engineering practices with proper permission checks, transaction handling, comprehensive audit logging, and clean database schema design. The approval logic integrates well with existing PAM access control. Security patterns are generally sound with no major vulnerabilities detected. Deducted one point because the approval workflow is complex and should be thoroughly tested in staging before production deployment.
• Pay close attention to backend/src/services/approval-policy/approval-policy-service.ts and backend/src/ee/services/pam-account/pam-account-service.ts to ensure the approval workflow logic behaves correctly under various edge cases (expired requests, concurrent approvals, revoked grants)

Important Files Changed

File Analysis

Filename	Score	Overview
backend/src/services/approval-policy/pam-access/pam-access-policy-factory.ts	3/5	PAM access policy factory with regex usage that should be reviewed for ReDoS safety
backend/src/services/approval-policy/approval-policy-service.ts	4/5	Core approval policy service with proper permission checks and transaction handling
backend/src/db/migrations/20251203002657_global-approvals.ts	5/5	Clean database migration creating approval policy tables with proper foreign keys and constraints
backend/src/services/approval-policy/approval-policy-dal.ts	5/5	Data access layer with clean query patterns, no unsafe OR conditions detected
backend/src/server/routes/v1/approval-policy-routers/approval-policy-endpoints.ts	5/5	API endpoints with comprehensive audit logging for all approval operations
backend/src/ee/services/pam-account/pam-account-service.ts	4/5	PAM account service integrates approval policy checks before granting access

[greptile-apps]

_{87 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}