feat(events): event dispatch backbone, audit log, webhooks & notifications

[melihsunbul]

What

The eventing backbone: a structured event dispatch layer, an append-only audit log, webhook delivery, and in-app notifications. This is the substrate that tickets, integrations and email notifications publish to.

Concepts

• Domain event — a typed record of something that happened (for example ticket.created, ticket.status_changed, comment.created). Features emit events rather than calling subscribers directly.
• Delivery target — a durable subscriber to an event (webhook, integration, email, in-app notification, audit). Targets are resolved per event so delivery is decoupled from the feature that raised it.
• Audit event — an append-only entry capturing actor, resource and a before/after diff. It is the system of record for "who changed what".
• Webhook delivery — a persisted attempt with status/redelivery, so failures are inspectable rather than silent.

How it works

• Event dispatch (server/events/) — expanded dispatch.ts, a full types.ts taxonomy, sample-payloads.ts, ticket-targets.ts (durable per-event targets) and integrations/webhook/constants.ts, with dispatch-wrappers.test.ts.
• Audit (domains/audit/, server/audit/) — actor/resource/diff writes; admin views with unified workspace/security pagination, CSV export and filters (/admin/settings/audit, /admin/settings/security/audit-log).
• Webhooks (domains/webhooks/) — webhook-deliveries, /api/v1/webhooks CRUD plus test, delivery inspection and redelivery, and sample-payloads; admin dialogs and an event picker.
• Notifications (domains/notifications/) — in-app notifications plus components/notifications/ and use-notifications-queries.

How to use

• Add a webhook: Settings → Webhooks — create an endpoint, pick the events to subscribe to, and send a test delivery. Inspect and redeliver past deliveries from the same screen.
• Review the audit log: Settings → Audit (/admin/settings/audit) and Security → Audit log (/admin/settings/security/audit-log); filter by actor/resource/date and export to CSV.
• Notifications: in-app notifications appear under /admin/notifications.
• For developers: raise events through the dispatch layer; subscribers (webhooks/integrations/email/notifications/audit) are resolved from the event's targets — no per-feature wiring.

Safety

• Audit writes are append-only and capture actor identity; sensitive fields are redacted before persistence.
• Webhook delivery uses the existing SSRF-guarded fetch path; payloads carry identifiers, not secrets.

Verification

• bun run typecheck, bun run lint; unit tests for dispatch wrappers, audit CSV/diff, webhook dialogs/event-picker defaults and notifications queries (included).

Depends on 02-rbac-authz-teams.

---

📚 This is a stacked series — please review & merge in order

These 10 PRs are split by concern and ordered by dependency. Each is opened against main, so until the PRs before it have merged, a PR's diff is cumulative (it also contains the earlier batches). As the earlier PRs merge and we rebase the next branch onto main, each diff reduces to just its own batch. Merging all 10 in order reproduces our integrated branch exactly (verified: the cumulative tip of the series is byte-identical to it).

Order (by branch):

1. 01-data-model-foundation — data model, TypeIDs, migrations
2. 02-rbac-authz-teams — RBAC, teams, organisation & auth surfaces
3. 03-events-audit-webhooks — event dispatch, audit log, webhooks, notifications
4. 04-ticketing-crm-core — ticketing / CRM core
5. 05-sla-inboxes-routing — SLA policies, inboxes, business hours, routing
6. 06-github-sync-and-ticket-email — GitHub ticket sync, ticket email, integration platform
7. 07-widget-profiles — scoped widget profiles + ticket submission
8. 08-api-openapi-mcp — OpenAPI surface, MCP tools, conversation actions, API keys
9. 09-content-visibility — changelog/help-centre visibility, segments, portal tabs
10. 10-test-coverage — broad unit/integration test suite + supporting infra

Part of the roadmap: #283

[CLAassistant]

All committers have signed the CLA.