jesus/Vapora
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Vapora/docs/adrs/0020-audit-trail.html

541 lines
22 KiB
HTML
Raw Normal View History

chore: extend doc: adr, tutorials, operations, etc
2026-01-12 03:32:47 +00:00
<!DOCTYPE HTML>
<html lang="en" class="light sidebar-visible" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>0020: Audit Trail - VAPORA Platform Documentation</title>
<!-- Custom HTML head -->
<meta name="description" content="Comprehensive documentation for VAPORA, an intelligent development orchestration platform built entirely in Rust.">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">
<link rel="icon" href="../favicon.svg">
<link rel="shortcut icon" href="../favicon.png">
<link rel="stylesheet" href="../css/variables.css">
<link rel="stylesheet" href="../css/general.css">
<link rel="stylesheet" href="../css/chrome.css">
<link rel="stylesheet" href="../css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" id="highlight-css" href="../highlight.css">
<link rel="stylesheet" id="tomorrow-night-css" href="../tomorrow-night.css">
<link rel="stylesheet" id="ayu-highlight-css" href="../ayu-highlight.css">
<!-- Custom theme stylesheets -->
<!-- Provide site root and default themes to javascript -->
<script>
const path_to_root = "../";
const default_light_theme = "light";
const default_dark_theme = "dark";
</script>
<!-- Start loading toc.js asap -->
<script src="../toc.js"></script>
</head>
<body>
<div id="mdbook-help-container">
<div id="mdbook-help-popup">
<h2 class="mdbook-help-title">Keyboard shortcuts</h2>
<div>
<p>Press <kbd></kbd> or <kbd></kbd> to navigate between chapters</p>
<p>Press <kbd>S</kbd> or <kbd>/</kbd> to search in the book</p>
<p>Press <kbd>?</kbd> to show this help</p>
<p>Press <kbd>Esc</kbd> to hide this help</p>
</div>
</div>
</div>
<div id="body-container">
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
try {
let theme = localStorage.getItem('mdbook-theme');
let sidebar = localStorage.getItem('mdbook-sidebar');
if (theme.startsWith('"') && theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script>
const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? default_dark_theme : default_light_theme;
let theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
const html = document.documentElement;
html.classList.remove('light')
html.classList.add(theme);
html.classList.add("js");
</script>
<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">
<!-- Hide / unhide sidebar before it is displayed -->
<script>
let sidebar = null;
const sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
} else {
sidebar = 'hidden';
}
sidebar_toggle.checked = sidebar === 'visible';
html.classList.remove('sidebar-visible');
html.classList.add("sidebar-" + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<!-- populated by js -->
<mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
<noscript>
<iframe class="sidebar-iframe-outer" src="../toc.html"></iframe>
</noscript>
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
<div class="sidebar-resize-indicator"></div>
</div>
</nav>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky">
<div class="left-buttons">
<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</label>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="default_theme">Auto</button></li>
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search (`/`)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="/ s" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">VAPORA Platform Documentation</h1>
<div class="right-buttons">
<a href="../print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
<a href="https://github.com/vapora-platform/vapora" title="Git repository" aria-label="Git repository">
<i id="git-repository-button" class="fa fa-github"></i>
</a>
<a href="https://github.com/vapora-platform/vapora/edit/main/docs/src/../adrs/0020-audit-trail.md" title="Suggest an edit" aria-label="Suggest an edit">
<i id="git-edit-button" class="fa fa-edit"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script>
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
});
</script>
<div id="content" class="content">
<main>
<h1 id="adr-020-audit-trail-para-compliance"><a class="header" href="#adr-020-audit-trail-para-compliance">ADR-020: Audit Trail para Compliance</a></h1>
<p><strong>Status</strong>: Accepted | Implemented
<strong>Date</strong>: 2024-11-01
<strong>Deciders</strong>: Security &amp; Compliance Team
<strong>Technical Story</strong>: Logging all significant workflow events for compliance and incident investigation</p>
<hr />
<h2 id="decision"><a class="header" href="#decision">Decision</a></h2>
<p>Implementar <strong>comprehensive audit trail</strong> con logging de todos los workflow events, queryable por workflow/actor/tipo.</p>
<hr />
<h2 id="rationale"><a class="header" href="#rationale">Rationale</a></h2>
<ol>
<li><strong>Compliance</strong>: Regulaciones requieren audit trail (HIPAA, SOC2, etc.)</li>
<li><strong>Incident Investigation</strong>: Reconstruir qué pasó cuando</li>
<li><strong>Event Sourcing Ready</strong>: Audit trail puede ser base para event sourcing architecture</li>
<li><strong>User Accountability</strong>: Track quién hizo qué cuándo</li>
</ol>
<hr />
<h2 id="alternatives-considered"><a class="header" href="#alternatives-considered">Alternatives Considered</a></h2>
<h3 id="-logs-only-no-structured-audit"><a class="header" href="#-logs-only-no-structured-audit">❌ Logs Only (No Structured Audit)</a></h3>
<ul>
<li><strong>Pros</strong>: Simple</li>
<li><strong>Cons</strong>: Hard to query, no compliance value</li>
</ul>
<h3 id="-application-embedded-logging"><a class="header" href="#-application-embedded-logging">❌ Application-Embedded Logging</a></h3>
<ul>
<li><strong>Pros</strong>: Close to business logic</li>
<li><strong>Cons</strong>: Fragmented, easy to miss events</li>
</ul>
<h3 id="-centralized-audit-trail-chosen"><a class="header" href="#-centralized-audit-trail-chosen">✅ Centralized Audit Trail (CHOSEN)</a></h3>
<ul>
<li>Queryable, compliant, comprehensive</li>
</ul>
<hr />
<h2 id="trade-offs"><a class="header" href="#trade-offs">Trade-offs</a></h2>
<p><strong>Pros</strong>:</p>
<ul>
<li>✅ Queryable by workflow, actor, event type</li>
<li>✅ Compliance-ready</li>
<li>✅ Incident investigation support</li>
<li>✅ Event sourcing ready</li>
</ul>
<p><strong>Cons</strong>:</p>
<ul>
<li>⚠️ Storage overhead (every event logged)</li>
<li>⚠️ Query performance depends on indexing</li>
<li>⚠️ Retention policy tradeoff</li>
</ul>
<hr />
<h2 id="implementation"><a class="header" href="#implementation">Implementation</a></h2>
<p><strong>Audit Event Model</strong>:</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>// crates/vapora-backend/src/audit.rs
pub struct AuditEvent {
pub id: String,
pub timestamp: DateTime&lt;Utc&gt;,
pub actor: String, // User ID or service name
pub action: AuditAction, // Create, Update, Delete, Execute
pub resource_type: String, // Project, Task, Agent, Workflow
pub resource_id: String,
pub details: serde_json::Value, // Action-specific details
pub outcome: AuditOutcome, // Success, Failure, PartialSuccess
pub error: Option&lt;String&gt;, // Error message if failed
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum AuditAction {
Create,
Update,
Delete,
Execute,
Assign,
Complete,
Override,
QuerySecret,
ViewAudit,
}
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AuditOutcome {
Success,
Failure,
PartialSuccess,
}
<span class="boring">}</span></code></pre></pre>
<p><strong>Logging Events</strong>:</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>pub async fn log_event(
db: &amp;Surreal&lt;Ws&gt;,
actor: &amp;str,
action: AuditAction,
resource_type: &amp;str,
resource_id: &amp;str,
details: serde_json::Value,
outcome: AuditOutcome,
) -&gt; Result&lt;String&gt; {
let event = AuditEvent {
id: uuid::Uuid::new_v4().to_string(),
timestamp: Utc::now(),
actor: actor.to_string(),
action,
resource_type: resource_type.to_string(),
resource_id: resource_id.to_string(),
details,
outcome,
error: None,
};
let id = db
.create("audit_events")
.content(&amp;event)
.await?
.id
.unwrap();
Ok(id)
}
pub async fn log_event_with_error(
db: &amp;Surreal&lt;Ws&gt;,
actor: &amp;str,
action: AuditAction,
resource_type: &amp;str,
resource_id: &amp;str,
error: String,
) -&gt; Result&lt;String&gt; {
let event = AuditEvent {
id: uuid::Uuid::new_v4().to_string(),
timestamp: Utc::now(),
actor: actor.to_string(),
action,
resource_type: resource_type.to_string(),
resource_id: resource_id.to_string(),
details: json!({}),
outcome: AuditOutcome::Failure,
error: Some(error),
};
let id = db
.create("audit_events")
.content(&amp;event)
.await?
.id
.unwrap();
Ok(id)
}
<span class="boring">}</span></code></pre></pre>
<p><strong>Audit Integration in Handlers</strong>:</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>// In task creation handler
pub async fn create_task(
State(app_state): State&lt;AppState&gt;,
Path(project_id): Path&lt;String&gt;,
Json(req): Json&lt;CreateTaskRequest&gt;,
) -&gt; Result&lt;Json&lt;Task&gt;, ApiError&gt; {
let user = get_current_user()?;
// Create task
let task = app_state
.task_service
.create_task(&amp;user.tenant_id, &amp;project_id, &amp;req)
.await?;
// Log audit event
app_state.audit_log(
&amp;user.id,
AuditAction::Create,
"task",
&amp;task.id,
json!({
"project_id": &amp;project_id,
"title": &amp;task.title,
"priority": &amp;task.priority,
}),
AuditOutcome::Success,
).await.ok(); // Don't fail if audit logging fails
Ok(Json(task))
}
<span class="boring">}</span></code></pre></pre>
<p><strong>Querying Audit Trail</strong>:</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>pub async fn query_audit_trail(
db: &amp;Surreal&lt;Ws&gt;,
filters: AuditQuery,
) -&gt; Result&lt;Vec&lt;AuditEvent&gt;&gt; {
let mut query = String::from(
"SELECT * FROM audit_events WHERE 1=1"
);
if let Some(workflow_id) = filters.workflow_id {
query.push_str(&amp;format!(" AND resource_id = '{}'", workflow_id));
}
if let Some(actor) = filters.actor {
query.push_str(&amp;format!(" AND actor = '{}'", actor));
}
if let Some(action) = filters.action {
query.push_str(&amp;format!(" AND action = '{:?}'", action));
}
if let Some(since) = filters.since {
query.push_str(&amp;format!(" AND timestamp &gt; '{}'", since));
}
query.push_str(" ORDER BY timestamp DESC LIMIT 1000");
let events = db.query(&amp;query).await?
.take::&lt;Vec&lt;AuditEvent&gt;&gt;(0)?
.unwrap_or_default();
Ok(events)
}
<span class="boring">}</span></code></pre></pre>
<p><strong>Compliance Report</strong>:</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>pub async fn generate_compliance_report(
db: &amp;Surreal&lt;Ws&gt;,
start_date: Date,
end_date: Date,
) -&gt; Result&lt;ComplianceReport&gt; {
// Query all events in date range
let events = db.query(
"SELECT COUNT() as event_count, actor, action \
FROM audit_events \
WHERE timestamp &gt;= $1 AND timestamp &lt; $2 \
GROUP BY actor, action"
)
.bind((start_date, end_date))
.await?;
// Generate report with statistics
Ok(ComplianceReport {
period: (start_date, end_date),
total_events: events.len(),
unique_actors: /* count unique */,
actions_by_type: /* aggregate */,
failures: /* filter failures */,
})
}
<span class="boring">}</span></code></pre></pre>
<p><strong>Key Files</strong>:</p>
<ul>
<li><code>/crates/vapora-backend/src/audit.rs</code> (audit implementation)</li>
<li><code>/crates/vapora-backend/src/api/</code> (audit logging in handlers)</li>
<li><code>/crates/vapora-backend/src/services/</code> (audit logging in services)</li>
</ul>
<hr />
<h2 id="verification"><a class="header" href="#verification">Verification</a></h2>
<pre><code class="language-bash"># Test audit event creation
cargo test -p vapora-backend test_audit_event_logging
# Test audit trail querying
cargo test -p vapora-backend test_query_audit_trail
# Test filtering by actor/action/resource
cargo test -p vapora-backend test_audit_filtering
# Test error logging
cargo test -p vapora-backend test_audit_error_logging
# Integration: full workflow with audit
cargo test -p vapora-backend test_audit_full_workflow
# Compliance report generation
cargo test -p vapora-backend test_compliance_report_generation
</code></pre>
<p><strong>Expected Output</strong>:</p>
<ul>
<li>All significant events logged</li>
<li>Queryable by workflow/actor/action</li>
<li>Timestamps accurate</li>
<li>Errors captured with messages</li>
<li>Compliance reports generated correctly</li>
</ul>
<hr />
<h2 id="consequences"><a class="header" href="#consequences">Consequences</a></h2>
<h3 id="data-management"><a class="header" href="#data-management">Data Management</a></h3>
<ul>
<li>Audit events retained per compliance policy</li>
<li>Separate archive for long-term retention</li>
<li>Immutable logs (append-only)</li>
</ul>
<h3 id="performance"><a class="header" href="#performance">Performance</a></h3>
<ul>
<li>Audit logging should not block main operation</li>
<li>Async logging to avoid latency impact</li>
<li>Indexes on (resource_id, timestamp) for queries</li>
</ul>
<h3 id="privacy"><a class="header" href="#privacy">Privacy</a></h3>
<ul>
<li>Sensitive data (passwords, keys) not logged</li>
<li>PII handled per data protection regulations</li>
<li>Access to audit trail restricted</li>
</ul>
<h3 id="compliance"><a class="header" href="#compliance">Compliance</a></h3>
<ul>
<li>Supports HIPAA, SOC2, GDPR requirements</li>
<li>Incident investigation support</li>
<li>Regulatory audit trail available</li>
</ul>
<hr />
<h2 id="references"><a class="header" href="#references">References</a></h2>
<ul>
<li><code>/crates/vapora-backend/src/audit.rs</code> (implementation)</li>
<li>ADR-011 (SecretumVault - secrets management)</li>
<li>ADR-025 (Multi-Tenancy - tenant isolation)</li>
</ul>
<hr />
<p><strong>Related ADRs</strong>: ADR-011 (Secrets), ADR-025 (Multi-Tenancy), ADR-009 (Istio)</p>
</main>
<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<a rel="prev" href="../../adrs/0019-temporal-execution-history.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../../adrs/0021-websocket-updates.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
<div style="clear: both"></div>
</nav>
</div>
</div>
<nav class="nav-wide-wrapper" aria-label="Page navigation">
<a rel="prev" href="../../adrs/0019-temporal-execution-history.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../../adrs/0021-websocket-updates.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
</nav>
</div>
<script>
window.playground_copyable = true;
</script>
<script src="../elasticlunr.min.js"></script>
<script src="../mark.min.js"></script>
<script src="../searcher.js"></script>
<script src="../clipboard.min.js"></script>
<script src="../highlight.js"></script>
<script src="../book.js"></script>
<!-- Custom JS scripts -->
</div>
</body>
</html>
Reference in New Issue Copy Permalink