feat(pam): real-time session log sync via incremental batch uploads#5965
Replaces end-of-session bulk upload with incremental 10-second batch uploads from the gateway to enable live monitoring and session intervention.
- Add pam_session_event_batches table with (sessionId, startOffset) unique constraint for idempotent upserts
- Add pamSessionEventBatchDAL with findBySessionId and upsertBatch methods
- Add POST /v1/pam/sessions/:sessionId/event-batches route (identity-only)
- Update getById to read logs from batches first, falling back to legacy encryptedLogsBlob for older sessions
- Add PAM_SESSION_EVENT_BATCH_UPLOAD audit log event type
- Poll session page every 5s while session is active/starting
✅ Snyk checks have passed. No issues have been found so far.
Greptile Summary: This PR introduces incremental batch uploads of PAM session events: the gateway uploads event blobs every 10 seconds, the backend stores them in a new
Confidence Score: 3/5. Not safe to merge — the new batch-upload endpoint lacks org-level authorization, allowing any identity token to pollute session logs. One P1 security finding: uploadEventBatch omits the org/gateway permission check present in all other gateway-only write operations. Two additional P2s (unhandled JSON.parse in decryptBatches, audit log flooding on polled endpoint) lower confidence further. backend/src/ee/services/pam-session/pam-session-service.ts — requires the org-level permission check in uploadEventBatch before merging.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 705acde1ff
Review comment thread on frontend/src/pages/pam/PamSessionsByIDPage/PamSessionByIDPage.tsx (outdated, resolved).
Note: The "Check API for Breaking Changes" check is throwing a false positive.
Replaces the all-at-once batch fetch in getById with a dedicated GET /:sessionId/logs?offset&limit endpoint (max 100 batches/page). Legacy blob-based sessions are unaffected and returned in full on the first page. The frontend uses useInfiniteQuery with a load-more button and polls every 5s for active sessions.
…GET audit log Polling the session endpoint every 5s would decrypt all loaded batches on each interval — expensive under load. Removing live refresh from both the session query and the logs infinite query. Also restores the PAM_SESSION_GET audit log entry that was dropped by d890840.
Parses the raw buffer as JSON and validates against the event union schema so malformed batches are rejected at the API boundary rather than failing silently at read time.
Uses Postgres xmax to detect whether the upsert was a fresh insert or a re-upload of an existing offset. Only creates a PAM_SESSION_EVENT_BATCH_UPLOAD audit log entry on first insert, not on retry overwrites.
Force-pushed from 635f34e to 8c15154.
Force-pushed from 97282ed to 05b16f3.
@claude review this
Code review is billed via overage credits. To resume reviews, an organization admin can raise the monthly limit at claude.ai/admin-settings/claude-code.
Once credits are available, comment @claude review on this pull request to trigger a review.
Initial load auto-paginates all existing batches. Active sessions poll every 5s using a batch cursor so only new batches are fetched — no re-decryption of existing logs. Load more button removed.
Active sessions poll every 5s advancing a batch cursor — bounded per tick, catches up then tracks new batches. Completed sessions get a single initial fetch with a manual load more button for history.
…g-sync feat(pam): real-time session log sync via incremental batch uploads
Context
Instead of uploading session logs in a single bulk request at the end of a session, the gateway now uploads events incrementally every 10 seconds. This unblocks live session monitoring and intervention in the UI, which previously had to wait until the session ended to show any activity.
On the backend, a new `pam_session_event_batches` table stores encrypted event batches keyed by session ID and byte offset. The session detail page polls every 5 seconds while a session is active. Re-uploads of the same byte range are idempotent via an upsert on `(sessionId, startOffset)`. The existing `encryptedLogsBlob` read path is preserved for legacy sessions. The corresponding gateway changes are in a separate CLI repo PR and must be merged after this one.
Screenshots
Steps to verify the change
- `SELECT * FROM pam_session_event_batches WHERE "sessionId" = '<id>' ORDER BY "startOffset"` — rows should appear every ~10 seconds
- `encryptedLogsBlob` still returns logs correctly (legacy read path)
Type
Checklist
type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).