fix(tracking): align root user-path fallbacks

SantiagoDePolonia · SantiagoDePolonia · commit f5ab9ffc873b · 2026-03-31T12:33:17.000+02:00
diff --git a/internal/admin/handler.go b/internal/admin/handler.go
@@ -161,7 +161,7 @@ func parseUsageParams(c *echo.Context) (usage.UsageQueryParams, error) {
 		params.Interval = "daily"
 	}
 
-	userPath, err := normalizeUserPathQueryParam(c.QueryParam("user_path"))
+	userPath, err := normalizeUserPathQueryParam("user_path", c.QueryParam("user_path"))
 	if err != nil {
 		return params, err
 	}
@@ -170,10 +170,10 @@ func parseUsageParams(c *echo.Context) (usage.UsageQueryParams, error) {
 	return params, nil
 }
 
-func normalizeUserPathQueryParam(raw string) (string, error) {
+func normalizeUserPathQueryParam(fieldName, raw string) (string, error) {
 	userPath, err := core.NormalizeUserPath(raw)
 	if err != nil {
-		return "", core.NewInvalidRequestError("invalid user_path: "+err.Error(), err)
+		return "", core.NewInvalidRequestError("invalid "+fieldName+": "+err.Error(), err)
 	}
 	return userPath, nil
 }
@@ -454,7 +454,7 @@ func (h *Handler) AuditLog(c *echo.Context) error {
 	if err != nil {
 		return handleError(c, err)
 	}
-	userPath, err := normalizeUserPathQueryParam(c.QueryParam("user_path"))
+	userPath, err := normalizeUserPathQueryParam("user_path", c.QueryParam("user_path"))
 	if err != nil {
 		return handleError(c, err)
 	}
@@ -911,7 +911,7 @@ func (h *Handler) CreateExecutionPlan(c *echo.Context) error {
 		return handleError(c, core.NewInvalidRequestError("invalid request body: "+err.Error(), err))
 	}
 
-	scopeUserPath, err := normalizeUserPathQueryParam(req.ScopeUserPath)
+	scopeUserPath, err := normalizeUserPathQueryParam("scope_user_path", req.ScopeUserPath)
 	if err != nil {
 		return handleError(c, err)
 	}
diff --git a/internal/admin/handler_executionplans_test.go b/internal/admin/handler_executionplans_test.go
@@ -792,6 +792,56 @@ func TestCreateExecutionPlanRejectsUnknownProviderOrModelScope(t *testing.T) {
 	}
 }
 
+func TestCreateExecutionPlan_UsesScopeUserPathInValidationErrors(t *testing.T) {
+	store := &executionPlanTestStore{
+		versions: []executionplans.Version{
+			{
+				ID:       "global-plan",
+				Scope:    executionplans.Scope{},
+				ScopeKey: "global",
+				Version:  1,
+				Active:   true,
+				Name:     "global",
+				Payload: executionplans.Payload{
+					SchemaVersion: 1,
+					Features:      executionplans.FeatureFlags{Cache: true, Audit: true, Usage: true, Guardrails: false},
+				},
+				PlanHash: "hash-global",
+			},
+		},
+	}
+	h := newExecutionPlanHandler(t, store, nil)
+	e := echo.New()
+
+	req := httptest.NewRequest(http.MethodPost, "/admin/api/v1/execution-plans", bytes.NewBufferString(`{
+		"scope_user_path":"/team/../alpha",
+		"name":"invalid path",
+		"plan_payload":{
+			"schema_version":1,
+			"features":{"cache":true,"audit":true,"usage":true,"guardrails":false},
+			"guardrails":[]
+		}
+	}`))
+	req.Header.Set("Content-Type", "application/json")
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	if err := h.CreateExecutionPlan(c); err != nil {
+		t.Fatalf("CreateExecutionPlan() error = %v", err)
+	}
+	if rec.Code != http.StatusBadRequest {
+		t.Fatalf("status = %d, want 400", rec.Code)
+	}
+
+	body := decodeExecutionPlanErrorEnvelope(t, rec.Body.Bytes())
+	if body.Error.Type != "invalid_request_error" {
+		t.Fatalf("error type = %q, want invalid_request_error", body.Error.Type)
+	}
+	if body.Error.Message != `invalid scope_user_path: user path cannot contain '.' or '..' segments` {
+		t.Fatalf("error message = %q, want invalid scope_user_path message", body.Error.Message)
+	}
+}
+
 func TestExecutionPlanViewReflectsFeatureCaps(t *testing.T) {
 	store := &executionPlanTestStore{
 		versions: []executionplans.Version{
diff --git a/internal/admin/handler_test.go b/internal/admin/handler_test.go
@@ -1457,6 +1457,25 @@ func TestParseUsageParams_InvalidEndDate(t *testing.T) {
 	}
 }
 
+func TestParseUsageParams_InvalidUserPath(t *testing.T) {
+	c := newContext("user_path=/team/../alpha")
+	_, err := parseUsageParams(c)
+	if err == nil {
+		t.Fatal("expected error for invalid user_path, got nil")
+	}
+
+	var gatewayErr *core.GatewayError
+	if !errors.As(err, &gatewayErr) {
+		t.Fatalf("expected GatewayError, got %T", err)
+	}
+	if gatewayErr.Message != `invalid user_path: user path cannot contain '.' or '..' segments` {
+		t.Fatalf("message = %q, want invalid user_path message", gatewayErr.Message)
+	}
+	if gatewayErr.HTTPStatusCode() != http.StatusBadRequest {
+		t.Errorf("expected status 400, got %d", gatewayErr.HTTPStatusCode())
+	}
+}
+
 func TestParseUsageParams_IntervalWeekly(t *testing.T) {
 	c := newContext("interval=weekly")
 	params, err := parseUsageParams(c)
diff --git a/internal/auditlog/auditlog_test.go b/internal/auditlog/auditlog_test.go
@@ -699,6 +699,31 @@ func TestMiddleware_StoresAuthKeyIDFromContext(t *testing.T) {
 	}
 }
 
+func TestMiddleware_DefaultsMissingUserPathToRoot(t *testing.T) {
+	logger := &capturingLogger{cfg: Config{Enabled: true}}
+	middleware := Middleware(logger)
+	e := echo.New()
+
+	req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", strings.NewReader(`{"model":"gpt-4o-mini"}`))
+	req.Header.Set("Content-Type", "application/json")
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	handler := middleware(func(c *echo.Context) error {
+		return c.NoContent(http.StatusOK)
+	})
+
+	if err := handler(c); err != nil {
+		t.Fatalf("handler() error = %v", err)
+	}
+	if len(logger.entries) != 1 {
+		t.Fatalf("logger.entries len = %d, want 1", len(logger.entries))
+	}
+	if got := logger.entries[0].UserPath; got != "/" {
+		t.Fatalf("UserPath = %q, want /", got)
+	}
+}
+
 func TestMiddleware_SkipsWriteWhenExecutionPlanDisablesAudit(t *testing.T) {
 	e := echo.New()
 	logger := &capturingLogger{
diff --git a/internal/auditlog/middleware.go b/internal/auditlog/middleware.go
@@ -57,6 +57,10 @@ func Middleware(logger LoggerInterface) echo.MiddlewareFunc {
 
 			// Read request ID (always set by the request ID middleware in http.go)
 			requestID := req.Header.Get("X-Request-ID")
+			userPath := core.UserPathFromContext(req.Context())
+			if userPath == "" {
+				userPath = "/"
+			}
 
 			// Create initial log entry
 			entry := &LogEntry{
@@ -66,7 +70,7 @@ func Middleware(logger LoggerInterface) echo.MiddlewareFunc {
 				ClientIP:  c.RealIP(),
 				Method:    req.Method,
 				Path:      req.URL.Path,
-				UserPath:  core.UserPathFromContext(req.Context()),
+				UserPath:  userPath,
 				Data: &LogData{
 					UserAgent: req.UserAgent(),
 				},
diff --git a/internal/auditlog/reader_mongodb.go b/internal/auditlog/reader_mongodb.go
@@ -6,6 +6,8 @@ import (
 	"regexp"
 	"time"
 
+	"gomodel/internal/core"
+
 	"go.mongodb.org/mongo-driver/v2/bson"
 	"go.mongodb.org/mongo-driver/v2/mongo"
 	"go.mongodb.org/mongo-driver/v2/mongo/options"
@@ -120,7 +122,7 @@ func (r *MongoDBReader) GetLogs(ctx context.Context, params LogQueryParams) (*Lo
 		})
 	}
 	if userPath, err := normalizeAuditUserPathFilter(params.UserPath); err != nil {
-		return nil, err
+		return nil, core.NewInvalidRequestError(err.Error(), err)
 	} else if userPath != "" {
 		matchFilters = append(matchFilters, bson.E{
 			Key: "user_path",
diff --git a/internal/auditlog/reader_mongodb_test.go b/internal/auditlog/reader_mongodb_test.go
@@ -1,6 +1,12 @@
 package auditlog
 
-import "testing"
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"gomodel/internal/core"
+)
 
 func TestSanitizeLogDataRedactsHeaders(t *testing.T) {
 	original := &LogData{
@@ -64,3 +70,20 @@ func TestMongoLogRowToLogEntryPreservesCacheType(t *testing.T) {
 		t.Fatalf("CacheType = %q, want %q", entry.CacheType, CacheTypeSemantic)
 	}
 }
+
+func TestMongoDBReader_GetLogsInvalidUserPathReturnsGatewayError(t *testing.T) {
+	reader := &MongoDBReader{}
+
+	_, err := reader.GetLogs(context.Background(), LogQueryParams{UserPath: "/team/../alpha"})
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+
+	var gatewayErr *core.GatewayError
+	if !errors.As(err, &gatewayErr) {
+		t.Fatalf("expected GatewayError, got %T", err)
+	}
+	if gatewayErr.Type != core.ErrorTypeInvalidRequest {
+		t.Fatalf("gatewayErr.Type = %q, want %q", gatewayErr.Type, core.ErrorTypeInvalidRequest)
+	}
+}
diff --git a/internal/auditlog/reader_postgresql.go b/internal/auditlog/reader_postgresql.go
@@ -53,7 +53,11 @@ func (r *PostgreSQLReader) GetLogs(ctx context.Context, params LogQueryParams) (
 		argIdx++
 	}
 	if userPath != "" {
-		conditions = append(conditions, fmt.Sprintf("(user_path = $%d OR user_path LIKE $%d ESCAPE '\\')", argIdx, argIdx+1))
+		conditions = append(conditions, auditUserPathSQLPredicate(
+			userPath,
+			fmt.Sprintf("user_path = $%d", argIdx),
+			fmt.Sprintf("user_path LIKE $%d ESCAPE '\\'", argIdx+1),
+		))
 		args = append(args, userPath, auditUserPathSubtreePattern(userPath))
 		argIdx += 2
 	}
diff --git a/internal/auditlog/reader_sqlite.go b/internal/auditlog/reader_sqlite.go
@@ -52,7 +52,7 @@ func (r *SQLiteReader) GetLogs(ctx context.Context, params LogQueryParams) (*Log
 		args = append(args, "%"+escapeLikeWildcards(params.Path)+"%")
 	}
 	if userPath != "" {
-		conditions = append(conditions, "(user_path = ? OR user_path LIKE ? ESCAPE '\\')")
+		conditions = append(conditions, auditUserPathSQLPredicate(userPath, "user_path = ?", "user_path LIKE ? ESCAPE '\\'"))
 		args = append(args, userPath, auditUserPathSubtreePattern(userPath))
 	}
 	if params.ErrorType != "" {
diff --git a/internal/auditlog/store_sqlite_test.go b/internal/auditlog/store_sqlite_test.go
@@ -415,6 +415,78 @@ func TestSQLiteReader_GetLogsFiltersByUserPathSubtree(t *testing.T) {
 	}
 }
 
+func TestSQLiteReader_GetLogsRootUserPathIncludesLegacyNullRows(t *testing.T) {
+	db := createTestDB(t)
+	defer db.Close()
+
+	store, err := NewSQLiteStore(db, 0)
+	if err != nil {
+		t.Fatalf("failed to create store: %v", err)
+	}
+	defer store.Close()
+
+	now := time.Now().UTC().Format(time.RFC3339Nano)
+	_, err = db.Exec(`
+		INSERT INTO audit_logs (
+			id, timestamp, duration_ns, model, resolved_model, provider, alias_used, execution_plan_version_id,
+			status_code, request_id, client_ip, method, path, user_path, stream, error_type, data
+		) VALUES
+			(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?),
+			(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+	`,
+		"legacy-null",
+		now,
+		0,
+		"gpt-4",
+		"",
+		"openai",
+		0,
+		nil,
+		200,
+		"req-legacy",
+		"127.0.0.1",
+		"POST",
+		"/v1/chat/completions",
+		nil,
+		0,
+		"",
+		nil,
+		"root-explicit",
+		now,
+		0,
+		"gpt-4",
+		"",
+		"openai",
+		0,
+		nil,
+		200,
+		"req-root",
+		"127.0.0.1",
+		"POST",
+		"/v1/chat/completions",
+		"/",
+		0,
+		"",
+		nil,
+	)
+	if err != nil {
+		t.Fatalf("failed to insert audit log rows: %v", err)
+	}
+
+	reader, err := NewSQLiteReader(db)
+	if err != nil {
+		t.Fatalf("failed to create reader: %v", err)
+	}
+
+	logs, err := reader.GetLogs(context.Background(), LogQueryParams{UserPath: "/", Limit: 10})
+	if err != nil {
+		t.Fatalf("GetLogs failed: %v", err)
+	}
+	if len(logs.Entries) != 2 {
+		t.Fatalf("len(entries) = %d, want 2", len(logs.Entries))
+	}
+}
+
 func TestSQLiteStoreAndReader_PreserveCacheType(t *testing.T) {
 	db := createTestDB(t)
 	defer db.Close()
diff --git a/internal/auditlog/user_path_filter.go b/internal/auditlog/user_path_filter.go
@@ -22,6 +22,14 @@ func auditUserPathSubtreePattern(userPath string) string {
 	return escapeLikeWildcards(userPath) + "/%"
 }
 
+func auditUserPathSQLPredicate(userPath, exactExpr, subtreeExpr string) string {
+	predicate := "(" + exactExpr + " OR " + subtreeExpr
+	if userPath == "/" {
+		predicate += " OR user_path IS NULL"
+	}
+	return predicate + ")"
+}
+
 func auditUserPathSubtreeRegex(userPath string) string {
 	if userPath == "/" {
 		return "^/"
diff --git a/internal/auditlog/user_path_filter_test.go b/internal/auditlog/user_path_filter_test.go
@@ -28,3 +28,30 @@ func TestAuditUserPathSubtreePattern(t *testing.T) {
 		})
 	}
 }
+
+func TestAuditUserPathSQLPredicate(t *testing.T) {
+	tests := []struct {
+		name     string
+		userPath string
+		want     string
+	}{
+		{
+			name:     "root includes legacy null rows",
+			userPath: "/",
+			want:     "(user_path = ? OR user_path LIKE ? ESCAPE '\\' OR user_path IS NULL)",
+		},
+		{
+			name:     "non-root excludes legacy null rows",
+			userPath: "/team",
+			want:     "(user_path = ? OR user_path LIKE ? ESCAPE '\\')",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := auditUserPathSQLPredicate(tt.userPath, "user_path = ?", "user_path LIKE ? ESCAPE '\\'"); got != tt.want {
+				t.Fatalf("auditUserPathSQLPredicate(%q) = %q, want %q", tt.userPath, got, tt.want)
+			}
+		})
+	}
+}
diff --git a/internal/executionplans/store_helpers.go b/internal/executionplans/store_helpers.go
diff --git a/internal/executionplans/store_helpers_test.go b/internal/executionplans/store_helpers_test.go
diff --git a/internal/executionplans/store_postgresql.go b/internal/executionplans/store_postgresql.go
diff --git a/internal/executionplans/store_sqlite.go b/internal/executionplans/store_sqlite.go
diff --git a/internal/usage/stream_observer_test.go b/internal/usage/stream_observer_test.go
diff --git a/tests/integration/dbassert/auditlog.go b/tests/integration/dbassert/auditlog.go

Original file line number	Diff line number	Diff line change
`@@ -161,7 +161,7 @@ func parseUsageParams(c *echo.Context) (usage.UsageQueryParams, error) {`
`161`	`161`	`params.Interval = "daily"`
`162`	`162`	`}`
`163`	`163`
`164`		`- userPath, err := normalizeUserPathQueryParam(c.QueryParam("user_path"))`
	`164`	`+ userPath, err := normalizeUserPathQueryParam("user_path", c.QueryParam("user_path"))`
`165`	`165`	`if err != nil {`
`166`	`166`	`return params, err`
`167`	`167`	`}`
`@@ -170,10 +170,10 @@ func parseUsageParams(c *echo.Context) (usage.UsageQueryParams, error) {`
`170`	`170`	`return params, nil`
`171`	`171`	`}`
`172`	`172`
`173`		`-func normalizeUserPathQueryParam(raw string) (string, error) {`
	`173`	`+func normalizeUserPathQueryParam(fieldName, raw string) (string, error) {`
`174`	`174`	`userPath, err := core.NormalizeUserPath(raw)`
`175`	`175`	`if err != nil {`
`176`		`- return "", core.NewInvalidRequestError("invalid user_path: "+err.Error(), err)`
	`176`	`+ return "", core.NewInvalidRequestError("invalid "+fieldName+": "+err.Error(), err)`
`177`	`177`	`}`
`178`	`178`	`return userPath, nil`
`179`	`179`	`}`
`@@ -454,7 +454,7 @@ func (h Handler) AuditLog(c echo.Context) error {`
`454`	`454`	`if err != nil {`
`455`	`455`	`return handleError(c, err)`
`456`	`456`	`}`
`457`		`- userPath, err := normalizeUserPathQueryParam(c.QueryParam("user_path"))`
	`457`	`+ userPath, err := normalizeUserPathQueryParam("user_path", c.QueryParam("user_path"))`
`458`	`458`	`if err != nil {`
`459`	`459`	`return handleError(c, err)`
`460`	`460`	`}`
`@@ -911,7 +911,7 @@ func (h Handler) CreateExecutionPlan(c echo.Context) error {`
`911`	`911`	`return handleError(c, core.NewInvalidRequestError("invalid request body: "+err.Error(), err))`
`912`	`912`	`}`
`913`	`913`
`914`		`- scopeUserPath, err := normalizeUserPathQueryParam(req.ScopeUserPath)`
	`914`	`+ scopeUserPath, err := normalizeUserPathQueryParam("scope_user_path", req.ScopeUserPath)`
`915`	`915`	`if err != nil {`
`916`	`916`	`return handleError(c, err)`
`917`	`917`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,11 @@ func (r *PostgreSQLReader) GetLogs(ctx context.Context, params LogQueryParams) (`
`53`	`53`	`argIdx++`
`54`	`54`	`}`
`55`	`55`	`if userPath != "" {`
`56`		`- conditions = append(conditions, fmt.Sprintf("(user_path = $%d OR user_path LIKE $%d ESCAPE '\\')", argIdx, argIdx+1))`
	`56`	`+ conditions = append(conditions, auditUserPathSQLPredicate(`
	`57`	`+ userPath,`
	`58`	`+ fmt.Sprintf("user_path = $%d", argIdx),`
	`59`	`+ fmt.Sprintf("user_path LIKE $%d ESCAPE '\\'", argIdx+1),`
	`60`	`+ ))`
`57`	`61`	`args = append(args, userPath, auditUserPathSubtreePattern(userPath))`
`58`	`62`	`argIdx += 2`
`59`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ func (r SQLiteReader) GetLogs(ctx context.Context, params LogQueryParams) (Log`
`52`	`52`	`args = append(args, "%"+escapeLikeWildcards(params.Path)+"%")`
`53`	`53`	`}`
`54`	`54`	`if userPath != "" {`
`55`		`- conditions = append(conditions, "(user_path = ? OR user_path LIKE ? ESCAPE '\\')")`
	`55`	`+ conditions = append(conditions, auditUserPathSQLPredicate(userPath, "user_path = ?", "user_path LIKE ? ESCAPE '\\'"))`
`56`	`56`	`args = append(args, userPath, auditUserPathSubtreePattern(userPath))`
`57`	`57`	`}`
`58`	`58`	`if params.ErrorType != "" {`