feat: remote audit storage backend#22
Open
math280h wants to merge 1 commit into
Open
Conversation
Coverage Report
Per-file coverage (top 40 by missed lines)
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a pluggable audit logging abstraction (AuditSink) so audit records can be persisted either to the existing local file log or to a remote HTTP endpoint, configured via new [audit] config keys.
Changes:
- Introduces
AuditSinkwithFileAuditSink(existing behavior) and a newHttpAuditSinkthat POSTs audit records as JSON. - Adds
[audit]config (backend,endpoint,token_env) with overlay merging and validation for the HTTP backend. - Updates the service decision-logging path to be async and adds wiremock-backed tests for the HTTP sink.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
src/audit_log.rs |
Adds AuditSink, implements file + HTTP backends, and provides build_audit_sink factory. |
src/service.rs |
Switches service to hold an AuditSink and makes decision logging async. |
src/config/overlay.rs |
Adds overlay parsing support for the new [audit] config table. |
src/config/mod.rs |
Adds AuditConfig/AuditBackend, validation, defaults, and overlay merge behavior. |
src/tests/audit_log.rs |
Updates file backend test for rename/async and adds HTTP sink test using wiremock. |
docs/configuration-spec.md |
Documents new [audit] config keys and provides an example. |
README.md |
Marks “remote audit storage backends” as completed in the roadmap list. |
Cargo.toml |
Adds reqwest as a workspace dependency for the HTTP sink. |
Cargo.lock |
Updates lockfile for the added dependency. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
math280h
force-pushed
the
feat/remote-audit-storage
branch
from
6c9b3ec to
40feafc
Compare
math280h
force-pushed
the
feat/remote-audit-storage
branch
from
40feafc to
3ef2d47
Compare
Abstract the audit log behind an async AuditSink trait with selectable backends. Keep the local file backend (default, renamed to FileAuditSink) and add an HttpAuditSink that POSTs each JSON record to a configured endpoint with optional bearer auth. Add an [audit] config section (backend, endpoint, token_env) with overlay merging and validation, build the sink in the service, and make the decision logging path async.
math280h
force-pushed
the
feat/remote-audit-storage
branch
from
3ef2d47 to
9048624
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Abstracts the audit log behind an async
AuditSinktrait with selectable backends.AuditLoggertoFileAuditSink(default, unchanged behavior) and implementsAuditSinkfor it.HttpAuditSinkthat POSTs each audit record as JSON to a configured endpoint, with optional bearer auth.[audit]config section (backend,endpoint,token_env) with overlay merging plus validation requiringendpointwhenbackend = http.build_audit_sinkin the service and makes the decision-logging path async; the token is resolved fromtoken_envat construction.