mirror of
https://github.com/trustgraph-ai/trustgraph.git
synced 2026-07-09 21:32:10 +02:00
feat: add structured audit event system (#1027)
Add a complete audit event pipeline that emits structured, machine- parseable events for every gateway request and IAM decision. Schema and publisher: - AuditEvent dataclass and notify-class queue (audit_events_queue) - AuditPublisher utility: fire-and-forget emission with envelope (schema_version, event_id, event_type, timestamp, producer) - New request_id and client_ip fields on IamRequest for correlation Gateway (gateway.request events): - aiohttp middleware assigns request_id, captures timing/status/sizes and emits an event after every HTTP request completes - IamAuth.authenticate annotates the request with identity - Main endpoint handlers annotate capability and workspace - request_id and client_ip forwarded to IAM on authenticate/authorise IAM service (iam.authenticate, iam.authorise, iam.management events): - Emits iam.authenticate for resolve-api-key, login, anonymous auth - Emits iam.authorise for authorise and authorise-many decisions - Emits iam.management for user/workspace/key mutations - All events include request_id for correlation with gateway events Design: events land on a pub/sub notify topic — non-persistent, per-subscriber delivery. If no audit consumer is deployed, events are silently discarded. Storage, retention, and alerting are consumer-side concerns outside this boundary. Added unit tests for the publisher and gateway middleware, unit tests for IAM audit emission, and a contract test for the AuditEvent schema. Tech spec: docs/tech-specs/audit-events.md
This commit is contained in:
parent
12ea6d46bc
commit
d5f3b6d9f6
19 changed files with 1426 additions and 18 deletions
|
|
@ -24,6 +24,8 @@ from trustgraph.schema import (
|
|||
EntityContext,
|
||||
EntityEmbeddings,
|
||||
ChunkEmbeddings,
|
||||
AuditEvent,
|
||||
IamRequest,
|
||||
)
|
||||
|
||||
|
||||
|
|
@ -72,3 +74,21 @@ class TestSchemaFieldContracts:
|
|||
"context",
|
||||
"chunk_id",
|
||||
}
|
||||
|
||||
def test_audit_event_fields(self):
|
||||
assert _field_names(AuditEvent) == {
|
||||
"schema_version",
|
||||
"event_id",
|
||||
"event_type",
|
||||
"timestamp",
|
||||
"producer",
|
||||
"payload_json",
|
||||
}
|
||||
|
||||
def test_iam_request_has_audit_fields(self):
|
||||
"""IamRequest must carry request_id and client_ip for audit
|
||||
correlation. Removing these breaks the gateway→IAM audit
|
||||
chain."""
|
||||
names = _field_names(IamRequest)
|
||||
assert "request_id" in names
|
||||
assert "client_ip" in names
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue