pub async fn audit_log_middleware(req: Request, next: Next) -> ResponseExpand description
Axum middleware that synthesises one AuditRecord per state-mutating
HTTP call and dispatches it to the configured AuditSink.
Wiring contract:
- The router must layer
axum::Extension(AuditConfig)so this middleware can recover the sink. - Run this middleware after
bearer_authandtenant_scopeso theAuthContextandExtension<TenantId>are populated by the time the audit record is built. - The route-shape filter (
AuditAction::classify) suppresses emission for read-only routes (GET /healthz,GET /metrics,GET /jobs/{id}); those calls flow through with zero serialisation cost.
On entry the middleware stamps the request extensions with a fresh
Uuid so handlers can correlate their own logs against the audit
trail (recovered via Extension<Uuid> or directly from request
extensions). The same id appears in AuditRecord::request_id.