
auths_telemetry/
event.rs

1use schemars::JsonSchema;
2use serde::Serialize;
3
// NOTE(review): the `///` text below is kept word-for-word. schemars' derive is
// documented to copy an item's doc comment into the generated schema's
// description, so rewording it (or adding `///` to the fields) would alter the
// published schema; confirm against the schemars version in use. Reviewer
// notes are therefore plain `//` comments, which the derive does not see.
//
// This type only carries data. Nothing visible here validates the DID, limits
// `status` to a fixed set of values, or checks the trace id format, so those
// guarantees have to come from the code that builds the event.
/// Represents a standardized security event for SIEM ingestion.
///
/// Args:
/// * `timestamp` - Unix epoch seconds when the event was recorded.
/// * `actor_did` - The KERI decentralized identifier initiating the action.
/// * `action` - The specific capability or operation attempted.
/// * `status` - The resolution of the event (e.g., "Success", "Denied").
/// * `trace_id` - Optional W3C traceparent-compatible trace identifier.
///
/// Usage:
/// ```rust
/// use auths_telemetry::build_audit_event;
/// let event = build_audit_event("did:keri:abc...", "assume_role", "Denied", 0);
/// ```
#[derive(Serialize, JsonSchema)]
pub struct AuditEvent<'a> {
    // Stored exactly as supplied; the type is signed, so zero and negative
    // values are representable and are not rejected here.
    pub timestamp: i64,
    // The three string fields borrow from the caller for `'a` and are emitted
    // verbatim; escaping is left to whichever serde serializer is used.
    pub actor_did: &'a str,
    pub action: &'a str,
    // Free-form text: detection rules that match on exact values depend on
    // every caller spelling them the same way.
    pub status: &'a str,
    // Left out of the serialized output entirely when `None`. Unlike the other
    // text fields this one is an owned `String`.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub trace_id: Option<String>,
}
27
/// Assembles an [`AuditEvent`] from borrowed, caller-supplied fields.
///
/// The arguments are placed into the event as given: this function does not
/// validate the DID, restrict `status` to a fixed vocabulary, or read a clock.
/// The returned event always has `trace_id` set to `None`; a caller that holds
/// a trace identifier assigns the public field afterwards.
///
/// Args:
/// * `actor_did` - Identifier of the actor the event is attributed to.
/// * `action` - Capability or operation the event describes.
/// * `status` - Outcome text recorded for the event (the examples use "Success" and "Denied").
/// * `timestamp` - Unix epoch seconds, taken from the caller unchanged.
///
/// Usage:
/// ```rust
/// use auths_telemetry::build_audit_event;
/// let event = build_audit_event("did:keri:abc...", "session_verification", "Success", 0);
/// ```
pub fn build_audit_event<'a>(
    actor_did: &'a str,
    action: &'a str,
    status: &'a str,
    timestamp: i64,
) -> AuditEvent<'a> {
    // No trace identifier is accepted by this constructor, so the event starts
    // without one and the field is skipped on serialization.
    let trace_id = None;

    AuditEvent {
        timestamp,
        actor_did,
        action,
        status,
        trace_id,
    }
}