Expand description
Compliance-grade audit trail.
Answers the regulator’s question — who did what, to which resource, when, from where, and did it succeed — for every annotated mutation, on a tamper-evident (hash-chained) append-only stream.
§Hot-path contract
AuditPipeline::record is a single try_send onto a bounded MPSC
channel: O(1), lock-free, never blocks the request. A background worker
(spawned once at construction) batches records, computes the hash chain,
and flushes to the app-provided AuditSink (Postgres append-only table,
Kafka, S3 WORM bucket, …). If the channel is full the record is dropped
and audit_dropped_total is incremented — alert on it; silently blocking
requests on a slow sink would be the worse failure mode.
§Usage
ⓘ
// boot:
ctx.provide(AuditPipeline::new(Arc::new(PgAuditSink::new(pool)), 8192, 64));
// handler — declarative:
#[Delete("/:id", status(204), security("bearer"))]
#[AuditLog(action = "user.delete", resource = "user")]
async fn delete_user(ctx: RequestContext, #[Param("id")] id: u64) -> Result<Json<Value>, HttpException> { /* ... */ }Structs§
- Audit
Pipeline - Lock-free front door for audit records.
- Audit
Record - One immutable audit entry.
prev_hashchains each record to its predecessor (SHA-256), so post-hoc tampering breaks the chain visibly.
Enums§
Traits§
- Audit
Sink - Durable destination, implemented by the app. Must be append-only in production deployments — the framework never updates or deletes records.