HQD-134: Improve safety checks in AuditController and update audit …

[tafid]

…asset scripts

• Added null checks for user.id and request.trace_id in AuditController to prevent potential errors.
• Renamed prod script to build in audit/package.json for better clarity.
• Updated main.js.map with the latest build mapping.

Summary by CodeRabbit

• Bug Fixes

  • Audit UI now shows "Restricted" for missing user/table/entity/trace values and only displays user/trace links when the underlying data exists.

• Chores

  • Build configuration updated (source maps disabled), production script renamed, asset cache-busting ID refreshed for main.js, and generated build artifacts added to ignore rules.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5a22dc70-8367-4032-a2e3-d5eef31af0fa

📥 Commits

Reviewing files that changed from the base of the PR and between 7cc4da1 and 151b407.

⛔ Files ignored due to path filters (1)

• src/assets/audit/build/main.js.map is excluded by !**/*.map

📒 Files selected for processing (6)

• src/assets/audit/.gitignore
• src/assets/audit/build/main.js
• src/assets/audit/build/mix-manifest.json
• src/assets/audit/src/app/App.tsx
• src/assets/audit/webpack.mix.js
• src/controllers/AuditController.php

---

📝 Walkthrough

Walkthrough

Frontend and backend were hardened to tolerate missing audit fields (optional request, guarded renderers, conditional link generation). Build artifacts and scripts were updated: mix-manifest cache id changed, production script key renamed to build, source maps disabled, and audit asset .gitignore extended.

Changes

Audit data defensive handling

Layer / File(s)	Summary
Build artifact, script and ignore updates src/assets/audit/build/mix-manifest.json, src/assets/audit/package.json, src/assets/audit/.gitignore, src/assets/audit/webpack.mix.js	Updates /main.js cache-bust id in manifest; renames scripts.prod → scripts.build; adds node_modules and build/*.txt/build/*.map to .gitignore; disables webpack source maps via .sourceMaps(false).
Frontend audit table defensive rendering src/assets/audit/src/app/App.tsx	Makes request optional; adds Restricted UI placeholder; guards "User", "Table", "Entity", and "Trace ID" renderers to show links/values only when data present; uses record.request ?? {} for expanded rows; adds centered Desc + Flex layout for diff headers.
Backend defensive link generation src/controllers/AuditController.php	prepareData() sets user['link'] and request['link'] only when required ids/trace_id exist; constructs trace route via Url::toRoute() with the provided route string.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• hiqdev/hipanel-core#307: Initial AuditController implementation that generates navigation links now guarded in this PR.
• hiqdev/hipanel-core#325: Overlapping frontend changes to src/assets/audit/src/app/App.tsx affecting column render/link logic.

Suggested reviewers

• SilverFire

Poem

🐰 I hopped through audit rows at night,
Found gaps where links would lose their light,
I stitched a guard, a banner: "RESTRICTED" — neat,
Now front and back walk safely down the street.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title references improving safety checks in AuditController, which aligns with the main changes adding null checks for user.id and request.trace_id, along with updating audit-related files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Adds defensive null/missing-field checks when rendering audit data, both server-side (PHP controller) and client-side (React table columns), so that restricted or absent fields no longer break link generation. Also renames the npm prod script to build and refreshes the mix manifest.

Changes:

• Guard user.id and request.trace_id access in AuditController::prepareData() before building URLs.
• Render a RESTRICTED placeholder in the React audit table when user.link, table, entity_id, or request is missing; add a "Before / After" header above the diff viewer.
• Rename the prod npm script to build and update the mix-manifest hash.

Reviewed changes

Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.

File	Description
src/controllers/AuditController.php	Adds null checks for user id and trace_id before building route URLs.
src/assets/audit/src/app/App.tsx	Adds Restricted placeholder for missing fields and a Before/After header via a new Desc component.
src/assets/audit/package.json	Renames prod script to build.
src/assets/audit/build/mix-manifest.json	Updates main.js bundle hash.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/assets/audit/src/app/App.tsx (2)

122-130: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Table filter predicate is unsafe for missing table values.

Line 130 explicitly handles missing table, but Line 122 still does record.table.indexOf(...). Using filters with restricted rows can throw.

Suggested fix

-      onFilter: (value, record) => record.table.indexOf(value as string) === 0,
+      onFilter: (value, record) => (record.table ?? "").indexOf(value as string) === 0,

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/assets/audit/src/app/App.tsx` around lines 122 - 130, The filter
predicate onFilter currently calls record.table.indexOf(...) which will throw
when record.table is null/undefined; update the onFilter implementation (the
onFilter callback used in the column definition) to first verify record.table is
a string (e.g., typeof record.table === 'string' or Boolean(record.table))
before calling indexOf (or use startsWith) so it safely returns false for
missing table values; ensure the change aligns with the existing render(table:
string) handling for empty/missing table.

---

223-229: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Expanded row can crash when request is missing.

Line 223 calls Object.entries(record.request) unguarded. If request is absent (the case this PR is defending), this throws at runtime.

Suggested fix

-          const items: DescriptionsProps["items"] = Object.entries(record.request)
+          const items: DescriptionsProps["items"] = Object.entries(record.request ?? {})
             .filter(([key]) => ["app", "log_id", "ip"].includes(key))
             .map(([key, value]) => ({

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/assets/audit/src/app/App.tsx` around lines 223 - 229, The code calls
Object.entries(record.request) unguarded which will throw when record.request is
undefined; update the items construction (the const items:
DescriptionsProps["items"] block) to safely handle a missing request by using a
fallback empty object (e.g., record.request || {}) or optional chaining so
Object.entries never receives undefined, preserving the same filter/map logic
and types.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/assets/audit/src/app/App.tsx`:
- Line 188: The render callback in App.tsx currently only checks for request and
can render an empty <a> when request.link or request.trace_id is missing; update
the render function (the renderer for that column) to verify both request.link
and request.trace_id are truthy before returning the anchor, and return
<Restricted/> if either is missing (i.e., replace the single request check with
a presence check of request.link && request.trace_id to avoid broken links).

In `@src/controllers/AuditController.php`:
- Around line 91-95: The loop is reusing a previous row's $traceId because it
uses the null-coalescing assignment operator ($traceId ??=) — change the logic
to assign/reset $traceId for each $datum instead of preserving prior value: for
each iteration set $traceId explicitly from $datum['request']['trace_id'] (or
null when absent) and then compute $datum['request']['link'] from that per-row
$traceId; update the AuditController.php block that currently checks $trace and
uses $traceId ??= to perform a direct per-row assignment and link creation.

---

Outside diff comments:
In `@src/assets/audit/src/app/App.tsx`:
- Around line 122-130: The filter predicate onFilter currently calls
record.table.indexOf(...) which will throw when record.table is null/undefined;
update the onFilter implementation (the onFilter callback used in the column
definition) to first verify record.table is a string (e.g., typeof record.table
=== 'string' or Boolean(record.table)) before calling indexOf (or use
startsWith) so it safely returns false for missing table values; ensure the
change aligns with the existing render(table: string) handling for empty/missing
table.
- Around line 223-229: The code calls Object.entries(record.request) unguarded
which will throw when record.request is undefined; update the items construction
(the const items: DescriptionsProps["items"] block) to safely handle a missing
request by using a fallback empty object (e.g., record.request || {}) or
optional chaining so Object.entries never receives undefined, preserving the
same filter/map logic and types.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a450418e-54a8-4441-b457-10030e8ebe96

📥 Commits

Reviewing files that changed from the base of the PR and between 7429014 and 7cc4da1.

⛔ Files ignored due to path filters (1)

• src/assets/audit/build/main.js.map is excluded by !**/*.map

📒 Files selected for processing (5)

• src/assets/audit/build/main.js
• src/assets/audit/build/mix-manifest.json
• src/assets/audit/package.json
• src/assets/audit/src/app/App.tsx
• src/controllers/AuditController.php

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Trace ID fallback is incomplete; this still renders broken links.

Line 188 only checks request, not request.link/request.trace_id. Records with partial request data will render an empty anchor instead of Restricted.

Suggested fix

-      render: (_, { request }) => request ? <a href={request.link}>{request.trace_id}</a> : <Restricted/>,
+      render: (_, { request }) =>
+        request?.link && request?.trace_id
+          ? <a href={request.link}>{request.trace_id}</a>
+          : <Restricted/>,

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	render: (_, { request }) => request ? <a href={request.link}>{request.trace_id}</a> : <Restricted/>,
	render: (_, { request }) =>
	request?.link && request?.trace_id
	? <a href={request.link}>{request.trace_id}</a>
	: <Restricted/>,

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/assets/audit/src/app/App.tsx` at line 188, The render callback in App.tsx
currently only checks for request and can render an empty <a> when request.link
or request.trace_id is missing; update the render function (the renderer for
that column) to verify both request.link and request.trace_id are truthy before
returning the anchor, and return <Restricted/> if either is missing (i.e.,
replace the single request check with a presence check of request.link &&
request.trace_id to avoid broken links).