Skip to main content

systemprompt_security/authz/audit/
mod.rs

1//! Audit sink for authorization decisions.
2//!
3//! Every decision made *inside core* (webhook fault, default deny,
4//! unrestricted allow) flows through an [`AuthzAuditSink`] so it lands in the
5//! same `governance_decisions` table the extension's `POST /govern/authz`
6//! handler writes to. Successful webhook round-trips are audited by the
7//! extension itself (single writer per code path); core's sink only records
8//! decisions the extension never sees.
9//!
10//! [`NullAuditSink`] is the bootstrap default — it exists so unit tests and
11//! pre-database bootstrap stages can install hooks without a `DbPool`.
12//! Production replaces it with [`DbAuditSink`] once the database is available.
13
14mod db_sink;
15mod repository;
16
17use async_trait::async_trait;
18
19use super::types::{AuthzDecision, AuthzRequest};
20
21pub use db_sink::DbAuditSink;
22pub use repository::{
23    AUDIT_WRITE_FAILED_TOTAL, GovernanceDecisionRecord, GovernanceDecisionRepository,
24    insert_governance_decision,
25};
26
27#[derive(Debug, Clone, Copy, PartialEq, Eq)]
28pub enum AuthzSource {
29    WebhookFault,
30    DenyAllDefault,
31    AllowAllUnrestricted,
32    ExtensionHook,
33    RuleBased,
34}
35
36impl AuthzSource {
37    pub const fn policy(self) -> &'static str {
38        match self {
39            Self::WebhookFault => "authz_hook_fault",
40            Self::DenyAllDefault => "authz_default_deny",
41            Self::AllowAllUnrestricted => "authz_unrestricted",
42            Self::ExtensionHook => "authz_extension_hook",
43            Self::RuleBased => "authz_rule_based",
44        }
45    }
46}
47
48/// `#[async_trait]`: this trait is consumed as `Arc<dyn AuthzAuditSink>` by
49/// every hook implementation, so it must be `dyn`-compatible — native
50/// `async fn` in traits is not yet object-safe.
51#[async_trait]
52pub trait AuthzAuditSink: Send + Sync + std::fmt::Debug {
53    async fn record(&self, req: &AuthzRequest, decision: &AuthzDecision, source: AuthzSource);
54}
55
56#[derive(Debug, Default, Clone, Copy)]
57pub struct NullAuditSink;
58
59#[async_trait]
60impl AuthzAuditSink for NullAuditSink {
61    async fn record(&self, _req: &AuthzRequest, _decision: &AuthzDecision, _source: AuthzSource) {}
62}