feat: add structured audit event system (#1027)

Add a complete audit event pipeline that emits structured, machine-
parseable events for every gateway request and IAM decision.

Schema and publisher:
- AuditEvent dataclass and notify-class queue (audit_events_queue)
- AuditPublisher utility: fire-and-forget emission with envelope
  (schema_version, event_id, event_type, timestamp, producer)
- New request_id and client_ip fields on IamRequest for correlation

Gateway (gateway.request events):
- aiohttp middleware assigns request_id, captures timing/status/sizes
  and emits an event after every HTTP request completes
- IamAuth.authenticate annotates the request with identity
- Main endpoint handlers annotate capability and workspace
- request_id and client_ip forwarded to IAM on authenticate/authorise

IAM service (iam.authenticate, iam.authorise, iam.management events):
- Emits iam.authenticate for resolve-api-key, login, anonymous auth
- Emits iam.authorise for authorise and authorise-many decisions
- Emits iam.management for user/workspace/key mutations
- All events include request_id for correlation with gateway events

Design: events land on a pub/sub notify topic — non-persistent,
per-subscriber delivery. If no audit consumer is deployed, events
are silently discarded. Storage, retention, and alerting are
consumer-side concerns outside this boundary.

Added unit tests for the publisher and gateway middleware, unit
tests for IAM audit emission, and a contract test for the AuditEvent
schema.

Tech spec: docs/tech-specs/audit-events.md
This commit is contained in:
cybermaggedon 2026-07-06 10:47:49 +01:00 committed by GitHub
parent 12ea6d46bc
commit d5f3b6d9f6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
19 changed files with 1426 additions and 18 deletions

View file

@ -24,6 +24,8 @@ from trustgraph.schema import (
EntityContext,
EntityEmbeddings,
ChunkEmbeddings,
AuditEvent,
IamRequest,
)
@ -72,3 +74,21 @@ class TestSchemaFieldContracts:
"context",
"chunk_id",
}
def test_audit_event_fields(self):
assert _field_names(AuditEvent) == {
"schema_version",
"event_id",
"event_type",
"timestamp",
"producer",
"payload_json",
}
def test_iam_request_has_audit_fields(self):
"""IamRequest must carry request_id and client_ip for audit
correlation. Removing these breaks the gatewayIAM audit
chain."""
names = _field_names(IamRequest)
assert "request_id" in names
assert "client_ip" in names