
Slice 000 - Audit Platform (Foundational)

Date: 2026-02-07

Goal

Provide a centralized audit platform that ingests audit events from all services, supports tenant/workspace filtering, enables SIEM streaming configuration, and exposes canonical/discovered action inventories for UI filtering across tenant-isolated data planes.

See ADR 0005 for the accepted decision and rationale.

Scope

  • Audit Service (API + storage)
  • Outbox pattern in producer services (reliable delivery)
  • Action inventory (discovered vs canonical)
  • SIEM sink configuration (workspace-scoped in v0; tenant-wide optional in future)
  • Metrics for audit health and inventory drift

Functional Requirements

MUST:

  • Ingest audit events via API and persist append-only records
  • Support tenant-isolated data-plane boundaries and workspace isolation
  • Accept any action name (do not drop events)
  • Inventory action names that match the naming convention
  • Provide canonical vs discovered action lists
  • Allow workspace admins to configure workspace-scoped sinks
  • Provide audit metrics (counts, invalid action count, sink status, last delivery time)
  • Audit ingestion should be resilient via producer outbox

SHOULD:

  • Provide action tags/categories for UI grouping
  • Auto-suggest/promote canonical actions based on frequency + age thresholds
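The outbox pattern named under Scope and relied on by the "resilient via producer outbox" requirement, as an added example that is not code from this project: a producer commits its business row and the audit event in one local transaction, and a relay later pushes undelivered rows to the audit API. sqlite3 stands in for the producer's database, the `deliver` callable for POST /v1/audit/events, and the table and column names are assumptions.

```python
"""Added example (not the project's own code): producer-side audit outbox.
The business write and the audit event are committed together; a relay
delivers the outbox rows at-least-once and the audit service deduplicates
on event_id. Schema and field names are assumptions for the demo."""
import json
import sqlite3
import uuid
from typing import Callable

SCHEMA = """
CREATE TABLE connections (
    id TEXT PRIMARY KEY, tenant_id TEXT NOT NULL, workspace_id TEXT NOT NULL, name TEXT
);
CREATE TABLE audit_outbox (
    event_id  TEXT PRIMARY KEY,            -- idempotency key for the audit service
    payload   TEXT NOT NULL,               -- JSON body for POST /v1/audit/events
    attempts  INTEGER NOT NULL DEFAULT 0,  -- surfaced as a health metric
    delivered INTEGER NOT NULL DEFAULT 0
);
"""


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def create_connection(db: sqlite3.Connection, tenant_id: str, workspace_id: str, name: str) -> str:
    """Business write and audit event in ONE transaction: either both land or neither."""
    conn_id = str(uuid.uuid4())
    event = {
        "event_id": str(uuid.uuid4()),
        "tenant_id": tenant_id,            # required on every event
        "workspace_id": workspace_id,      # required on workspace-scoped events
        "action": "connection_created",
        "resource_id": conn_id,
    }
    with db:  # commits on success, rolls back if either insert fails
        db.execute("INSERT INTO connections VALUES (?, ?, ?, ?)",
                   (conn_id, tenant_id, workspace_id, name))
        db.execute("INSERT INTO audit_outbox (event_id, payload) VALUES (?, ?)",
                   (event["event_id"], json.dumps(event)))
    return conn_id


def relay_outbox(db: sqlite3.Connection, deliver: Callable[[dict], None], batch: int = 100) -> dict:
    """Push undelivered rows in commit order; failures stay queued for the next run."""
    rows = db.execute(
        "SELECT event_id, payload FROM audit_outbox WHERE delivered = 0 ORDER BY rowid LIMIT ?",
        (batch,),
    ).fetchall()
    delivered = failed = 0
    for event_id, payload in rows:
        try:
            deliver(json.loads(payload))
        except Exception:
            db.execute("UPDATE audit_outbox SET attempts = attempts + 1 WHERE event_id = ?", (event_id,))
            failed += 1
            continue
        db.execute("UPDATE audit_outbox SET delivered = 1, attempts = attempts + 1 WHERE event_id = ?",
                   (event_id,))
        delivered += 1
    db.commit()
    return {"delivered": delivered, "failed": failed}


class FlakySink:
    """Constructed stand-in for the audit API: rejects the first N calls, then accepts.
    Stores by event_id, so a redelivered event is still one record."""

    def __init__(self, fail_first: int = 1):
        self.fail_remaining = fail_first
        self.received = {}

    def __call__(self, event: dict) -> None:
        if self.fail_remaining > 0:
            self.fail_remaining -= 1
            raise ConnectionError("audit service unavailable")
        self.received[event["event_id"]] = event


def pending(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM audit_outbox WHERE delivered = 0").fetchone()[0]
```

If the relay crashes after `deliver` succeeds but before the row is marked, the next run resends the same event; that is why the audit service must treat `event_id` as an idempotency key rather than appending blindly. A row whose `attempts` keeps climbing without `delivered` flipping is the signal to alert on.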

RBAC

  • Tenant Admin: approve explicit admin operations (including workspace owner transfer workflows)
  • Admin / Connector Builder: manage workspace sinks
  • Viewer/Auditor: read-only access

Tenancy & Isolation Requirements

  • All audit events must include tenant_id; workspace-scoped events must include workspace_id.
  • Query endpoints must enforce tenant isolation and workspace visibility rules from caller context.
  • Cross-tenant event queries are out of scope for v0 product flows.
  • Cross-workspace views are explicit and audited admin operations only.
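The isolation rules above, as an added example that is not code from this project: the query scope for GET /v1/audit/events is derived from the caller's context, a cross-tenant request is refused outright, a workspace the caller cannot see is refused, and a cross-workspace view is only granted to a tenant admin and returns the audit record that view must itself emit. The `Caller` shape, the role names, the `audit.cross_workspace_view` action and the sample events are assumptions.

```python
"""Added example (not the project's own code): derive the audit query scope
from the caller's context so tenant isolation and workspace visibility are
enforced server-side rather than trusted from request parameters.
Role names, the Caller shape and the sample events are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample of persisted audit events (tenant_id / workspace_id are
# the fields the slice requires; ids and actions are made up for the demo).
EVENTS = [
    {"id": 1, "tenant_id": "t1", "workspace_id": "w1", "action": "connection_created"},
    {"id": 2, "tenant_id": "t1", "workspace_id": "w2", "action": "discovery.run_started"},
    {"id": 3, "tenant_id": "t2", "workspace_id": "w9", "action": "connection_created"},
]


class IsolationError(PermissionError):
    """Raised when a query would cross a tenancy or visibility boundary."""


@dataclass(frozen=True)
class Caller:
    tenant_id: str
    role: str                                    # assumed: "tenant_admin", "admin", "viewer"
    workspace_ids: FrozenSet[str] = frozenset()  # workspaces the caller may see


def query_scope(caller: Caller, requested_tenant: str,
                requested_workspace: Optional[str] = None,
                cross_workspace: bool = False) -> dict:
    """Return the filter the storage layer must apply, or refuse the query."""
    if requested_tenant != caller.tenant_id:
        raise IsolationError("cross-tenant queries are out of scope in v0")
    if cross_workspace:
        # Cross-workspace views are explicit admin operations and are audited.
        if caller.role != "tenant_admin":
            raise IsolationError("cross-workspace views are tenant-admin only")
        return {"tenant_id": caller.tenant_id, "workspace_ids": None, "audited": True}
    if requested_workspace is None:
        # No workspace named: default to the caller's own workspaces, never "all".
        return {"tenant_id": caller.tenant_id, "workspace_ids": caller.workspace_ids, "audited": False}
    if requested_workspace not in caller.workspace_ids:
        raise IsolationError("workspace not visible to caller")
    return {"tenant_id": caller.tenant_id, "workspace_ids": frozenset({requested_workspace}),
            "audited": False}


def list_events(caller: Caller, requested_tenant: str,
                requested_workspace: Optional[str] = None,
                cross_workspace: bool = False, events=EVENTS):
    """Core of GET /v1/audit/events: returns (rows, audit record to emit or None)."""
    scope = query_scope(caller, requested_tenant, requested_workspace, cross_workspace)
    rows = [
        e for e in events
        if e["tenant_id"] == scope["tenant_id"]
        and (scope["workspace_ids"] is None or e["workspace_id"] in scope["workspace_ids"])
    ]
    audit_record = None
    if scope["audited"]:
        # The admin's cross-workspace read is itself an audit event (assumed action name).
        audit_record = {"tenant_id": caller.tenant_id, "workspace_id": None,
                        "action": "audit.cross_workspace_view", "actor_role": caller.role}
    return rows, audit_record
```

The tenant filter is taken from the authenticated caller, never from a query parameter, so a mismatched `tenant_id` in the request is a refusal rather than a redirect; the workspace filter likewise defaults to the caller's own set instead of to "everything in the tenant".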

API (summary)

  • POST /v1/audit/events
  • GET /v1/audit/events (cursor pagination)
  • GET /v1/audit/actions (canonical vs discovered)
  • PATCH /v1/audit/actions/:action (canonical toggle)
  • PATCH /v1/audit/actions/:action/tags (set tags)
  • GET /v1/audit/actions/canonical (dropdown list)
  • GET /v1/audit/sinks
  • POST /v1/audit/sinks
  • PATCH /v1/audit/sinks/:sinkId
  • DELETE /v1/audit/sinks/:sinkId
  • GET /v1/audit/metrics

Naming Convention

Audit action names follow:

  • snake_case (e.g., connection_created)
  • Optional service prefix: service.action (e.g., discovery.run_started)

Invalid names are accepted but not inventoried.
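The naming convention above together with the canonical/discovered inventory and the SHOULD item on promoting canonical actions by frequency and age, as one added example that is not code from this project: a validator for action names, an inventory that accepts every event but only counts convention-matching names (feeding the invalid-action metric), the canonical toggle and tag setters behind the PATCH endpoints, and a promotion-candidate query. The promotion thresholds, the rule that the service prefix is itself snake_case, and the class and method names are assumptions.

```python
"""Added example (not the project's own code): validate audit action names
against the naming convention and keep the canonical/discovered inventory.
Every event is accepted; only convention-matching names are inventoried.
The promotion thresholds and the rule that the service prefix is itself
snake_case are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# One snake_case segment: lowercase alphanumeric words joined by single underscores.
SEGMENT = r"[a-z][a-z0-9]*(?:_[a-z0-9]+)*"
# Optional "service." prefix followed by the action (assumption: the prefix
# follows the same snake_case rule; more than one dot is rejected).
ACTION_RE = re.compile(rf"^(?:{SEGMENT}\.)?{SEGMENT}$")


def is_valid_action(name: str) -> bool:
    return ACTION_RE.fullmatch(name) is not None


@dataclass
class ActionStats:
    count: int = 0
    first_seen: Optional[datetime] = None
    canonical: bool = False
    tags: Set[str] = field(default_factory=set)


class ActionInventory:
    def __init__(self, canonical=()):
        self.actions: Dict[str, ActionStats] = {n: ActionStats(canonical=True) for n in canonical}
        self.invalid_count = 0  # exposed via GET /v1/audit/metrics

    def record(self, action: str, now: datetime) -> bool:
        """Update the inventory for one ingested event.
        The event itself is persisted by the caller regardless of the result."""
        if not is_valid_action(action):
            self.invalid_count += 1
            return False
        stats = self.actions.setdefault(action, ActionStats())
        stats.count += 1
        if stats.first_seen is None:
            stats.first_seen = now
        return True

    def lists(self) -> Tuple[List[str], List[str]]:
        """(canonical, discovered) as served by GET /v1/audit/actions."""
        canonical = sorted(n for n, s in self.actions.items() if s.canonical)
        discovered = sorted(n for n, s in self.actions.items() if not s.canonical)
        return canonical, discovered

    def set_canonical(self, action: str, flag: bool) -> None:   # PATCH .../actions/:action
        self.actions[action].canonical = flag

    def set_tags(self, action: str, tags) -> None:              # PATCH .../actions/:action/tags
        self.actions[action].tags = set(tags)

    def promotion_candidates(self, now: datetime, min_count: int = 100,
                             min_age: timedelta = timedelta(days=7)) -> List[str]:
        """Discovered actions seen often enough, for long enough, to suggest as canonical."""
        return sorted(
            n for n, s in self.actions.items()
            if not s.canonical and s.count >= min_count
            and s.first_seen is not None and now - s.first_seen >= min_age
        )
```

Keeping the regex anchored and the segment grammar strict matters here: the inventory is what the UI filter dropdown is built from, so an accepted-but-uninventoried name is the safe failure, while a permissive pattern would let producers pollute the canonical list with near-duplicates.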

Delivery Semantics

  • Syslog (UDP 514): best-effort streaming, no ACK
  • HTTP/S3: job tracking with delivery history
  • Console logging from audit service for centralized AWS logging (v0)

Definition of Done

  • Audit events ingested and queryable
  • Outbox delivery working for producer services
  • SIEM sinks configurable and discoverable
  • Action inventory supports canonical + discovered and tags
  • Metrics expose invalid action count