feat(audit): record user action events across gateway and channels

src/gateway/handlers/agent.test.ts

@@ -4,6 +4,7 @@ import { LaneQueue, LaneQueueRejectedError } from '../lane-queue.js';
 import { createAgentHandlers } from './agent.js';
 import type { AgentHandlerDeps } from './agent.js';
 import { CommandRegistry, registerBuiltinCommands } from '../../commands/index.js';
+import { initAuditLogger } from '../../audit/index.js';
 
 describe('createAgentHandlers command fast-path', () => {
   const mockAgent = {
@@ -35,6 +36,9 @@ describe('createAgentHandlers command fast-path', () => {
 
   const commandRegistry = new CommandRegistry();
   registerBuiltinCommands(commandRegistry);
+  const mockAuditLogger = {
+    userAction: vi.fn(),
+  };
 
   const handlers = createAgentHandlers({
     sessionBridge: sessionBridge as unknown as AgentHandlerDeps['sessionBridge'],
@@ -45,6 +49,7 @@ describe('createAgentHandlers command fast-path', () => {
 
   beforeEach(() => {
     vi.clearAllMocks();
+    initAuditLogger(mockAuditLogger as any);
     mockAgent.process.mockResolvedValue('agent response');
     mockAgent.compact.mockResolvedValue(null);
   });
@@ -125,6 +130,26 @@ describe('createAgentHandlers command fast-path', () => {
     expect(((sent[0] as GatewayEvent).data as { content: string }).content).toBe('agent response');
   });
 
+  it('emits user.action audit events for gateway requests', async () => {
+    const sent: OutboundMessage[] = [];
+    const send = vi.fn((msg: OutboundMessage) => sent.push(msg));
+    const req: GatewayRequest = {
+      id: 7,
+      method: 'agent.send',
+      params: { message: 'hello there', connectionId: 'conn-1' },
+    };
+
+    await handlers['agent.send'](req, send);
+
+    expect(mockAuditLogger.userAction).toHaveBeenCalledWith(
+      expect.objectContaining({
+        source: 'gateway',
+        action_type: 'message',
+        sender: 'conn-1',
+      }),
+    );
+  });
+
   it('handles /queue command via fast-path and persists queue session config', async () => {
     const sent: OutboundMessage[] = [];
     const send = vi.fn((msg: OutboundMessage) => sent.push(msg));

src/gateway/handlers/agent.ts

@@ -72,6 +72,20 @@ export function createAgentHandlers(deps: AgentHandlerDeps) {
           ? `/${safeParams.metadata.command}${safeParams.metadata.commandArgs ? ` ${safeParams.metadata.commandArgs}` : ''}`
           : (safeParams.message ?? '');
 
+        const parsedCommand = safeParams.metadata?.isCommand
+          ? safeParams.metadata.command
+          : commandInput.startsWith('/') ? commandInput.slice(1).split(/\s+/, 1)[0] : undefined;
+        auditLogger?.userAction({
+          session_id: sessionId ?? `ws:${connectionId}`,
+          channel: 'ws',
+          sender: connectionId,
+          source: 'gateway',
+          action_type: parsedCommand ? 'command' : 'message',
+          content_length: commandInput.length,
+          attachments_count: safeParams.attachments?.length ?? 0,
+          command: parsedCommand,
+        });
+
         if (commandInput && deps.commandRegistry?.isCommand(commandInput)) {
           const sessionId = deps.sessionBridge.getSessionId(connectionId);
           const commandResult = await deps.commandRegistry.execute(commandInput, {