Doctrine-compliant audit record shape.
AuditRecord is the typed primitive for answering five doctrine
questions about every privileged operation:
- Who acted — AuditRecord::actor_json.
- What happened — AuditRecord::operation + AuditRecord::target_ref.
- When — AuditRecord::created_at in UTC.
- Outcome — AuditRecord::outcome (success vs failure with code + reason).
- Correlation — optional AuditRecord::correlation_id joining related causal chains across traces.
These are the doctrine-minimum fields per
.doctrine/principles/audit-logging.md §1. Additional fields (before/after
hashes, reason, source refs) are persisted alongside an AuditRecord by
cortex-store (see BUILD_SPEC §10 audit_records table) but the typed
shape on this layer is intentionally minimal so the doctrine invariant is
impossible to violate at construction time.
§Construction invariant
There is no Default impl, no public field-init shorthand, and
no builder that tolerates missing required fields. The single public
constructor is AuditRecord::new, which takes every doctrine-required
field as a positional argument. Construction with any required field
missing fails to compile. This is the doctrine-shape gate enforced by the
type system, not by runtime validation.
§Anti-criterion: no secret values
AuditRecord MUST NOT carry secret values or decryptable sensitive
payloads. All fields are either:
- typed identifiers (IDs, refs),
- free-form low-entropy strings (operation name, target ref, error code),
- or a serde_json::Value for the actor (intentionally opaque at this layer, but conventions forbid passwords / tokens / keys — see the doctrine doc).
The probe test audit_record_has_no_secret_named_keys walks the serialized
fixture and fails if any key matches the secret-name allowlist
(password, secret, token, api_key, private_key, etc.).
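The key walk such a probe performs, as an added example that is not the crate's own test code. `Json` is a std-only stand-in for serde_json::Value; `SECRET_NAMES`, `secret_key_paths`, `probe` and the fixture values are hypothetical, and the case-insensitive substring match is an assumption.

```rust
// Std-only stand-in for serde_json::Value so the example needs no crates.
enum Json { Str(String), Arr(Vec<Json>), Obj(Vec<(String, Json)>) }

// Names listed in the text above; the page's "etc." is not expanded here.
const SECRET_NAMES: [&str; 5] = ["password", "secret", "token", "api_key", "private_key"];

// Assumption: a key matches when its lowercased form contains a listed name.
fn is_secret_name(key: &str) -> bool {
    let k = key.to_ascii_lowercase();
    SECRET_NAMES.iter().any(|n| k.contains(*n))
}

// Visit objects at every depth; record the dotted path of each offending key.
fn secret_key_paths(value: &Json, path: &str, hits: &mut Vec<String>) {
    match value {
        Json::Str(_) => {}
        Json::Arr(items) => {
            for (i, item) in items.iter().enumerate() {
                secret_key_paths(item, &format!("{}[{}]", path, i), hits);
            }
        }
        Json::Obj(fields) => {
            for (key, child) in fields {
                let here = if path.is_empty() { key.clone() } else { format!("{}.{}", path, key) };
                if is_secret_name(key) { hits.push(here.clone()); }
                secret_key_paths(child, &here, hits);
            }
        }
    }
}

// Constructed fixture: keys follow the accessors named above, values are made up.
fn probe(actor: Json) -> Vec<String> {
    let record = Json::Obj(vec![
        ("actor_json".into(), actor),
        ("operation".into(), Json::Str("memory.delete".into())),
        ("target_ref".into(), Json::Str("mem_01".into())),
    ]);
    let mut hits = Vec::new();
    secret_key_paths(&record, "", &mut hits);
    hits
}

fn main() {
    let nested = Json::Obj(vec![("token".into(), Json::Str("redacted".into()))]);
    let actor = Json::Obj(vec![("sessions".into(), Json::Arr(vec![nested]))]);
    println!("{:?}", probe(actor));
}
```

Reporting the path of each hit, rather than a bare pass/fail, shows which nested actor field introduced the offending key.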
Structs§
- AuditRecord
- Doctrine-compliant audit record.
Enums§
- Outcome
- Outcome of the audited operation.