Module audit

Structured per-call audit events + pluggable sinks.

AuditSink is the observation hook called at dispatch return points. It sits OUTSIDE Middleware (which is a result-rewriter, success-only) because audit needs to observe every outcome including failures.

JsonLinesAuditSink is the default sink shipped in v1: one JSON object per line. SP-concurrency-baseline §5.4: an internal bounded tokio::sync::mpsc + dedicated drain task decouple the dispatch hot path from synchronous file I/O, eliminating the §1.3 secondary cliff (mutex-blocked reactor stall at ~50 concurrent dispatches per second). Construction requires a tokio runtime context.

Structs

CallEvent
One per-call audit event. Emitted at every Request::RunTool return point (success, invalid_args, execution_failed, cap_denied, rate_limited, tool_not_found). Ping / Hello / ToolList / ToolSchema do NOT emit events in v1.
JsonLinesAuditSink
SP-concurrency-baseline §5.4. Writes one JSON object per line to the wrapped writer via a dedicated tokio task. on_call is non-blocking (try_send); if the bounded channel is full the event is dropped and the audit_drops counter increments — log loss >> dispatch stall.

Enums

Outcome
Outcome variants cover the full dispatch-return space for RunTool.

Constants

DEFAULT_AUDIT_QUEUE_CAPACITY
Default channel capacity. 1024 events × ~500 bytes ≈ 512 KB peak buffer; drains at the rate the wrapped writer can absorb (typical disk write rate: 10k events/s sustained, transient bursts much higher).
SCHEMA_VERSION
Audit schema version. Consumers should branch on this if future breaking changes land.

Traits

AuditSink
Observer hook. on_call must be non-blocking: the trait itself does no queuing, so each implementation is responsible for its own backpressure policy. Must not panic.

Functions

now_rfc3339
Produce an RFC 3339 UTC timestamp string suitable for CallEvent::ts. Dispatch sites use this rather than calling chrono directly so the format stays consistent.