This repository was archived by the owner on Apr 16, 2026. It is now read-only.

Add durable audit pipeline with guaranteed delivery #22

@haasonsaas

Summary

Audit events are emitted to an in-memory sink. If the process crashes, audit history is lost. For a security broker, audit durability is a hard requirement.

Current state

  • internal/audit/memory/sink.go — in-memory audit sink (append to a slice)
  • internal/app/service.go — emits audit events for session creation, grant issuance, revocations, proxy execution
  • Postgres schema has an audit_events table but the service layer writes to the in-memory sink, not Postgres
  • No guarantee that audit events survive a process restart
  • No external audit export (SIEM, log aggregator, object storage)

Required work

  • Implement a Postgres audit sink that writes events transactionally alongside the state change they describe (e.g., grant issuance + audit event in the same transaction)
  • Add an async export pipeline: buffer events in Postgres, export to external systems (S3, ClickHouse, SIEM webhook) with at-least-once delivery
  • Add audit event schema versioning so consumers can handle format changes
  • Add retention policy: keep N days in Postgres, archive older events to cold storage
  • Ensure audit events include: timestamp, event type, tenant, session, grant, actor, outcome, and request metadata (source IP, request ID)
  • Add tamper evidence: hash-chain or Merkle tree over sequential audit events so gaps or modifications are detectable

Files

  • internal/audit/ — new Postgres sink, export pipeline
  • internal/app/service.go — ensure audit events are written in the same transaction as state changes
  • db/migrations/ — audit event indexes and partitioning

Priority

Low-medium — critical for compliance but the current in-memory sink works for development.

🤖 Generated with Claude Code
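As an added illustration of the tamper-evidence item above (example code, not part of this repository), a minimal hash chain over audit events in Go: each event's SHA-256 covers its own fields plus the previous event's hash, so Verify reports the first gap, broken link or edited event. The field names, the zero-byte genesis link and the canonical-JSON digest are assumptions made for the example.

```go
package main
import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)
// AuditEvent carries the fields the issue lists plus the two chain fields.
type AuditEvent struct {
	Seq                                                     uint64
	Timestamp, Type, Tenant, Session, Grant, Actor, Outcome string
	SourceIP, RequestID                                     string // request metadata
	PrevHash, Hash                                          string // Hash is set by Append, cleared before hashing
}
var genesis = hex.EncodeToString(make([]byte, 32)) // PrevHash of the first event: 32 zero bytes (assumed)

// digest hashes the event's canonical JSON (struct field order, Hash cleared); PrevHash is inside that JSON.
func digest(e AuditEvent) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // strings and an integer cannot fail to marshal
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append assigns the next sequence number, links e to the tail and hashes it.
func Append(chain []AuditEvent, e AuditEvent) []AuditEvent {
	e.Seq, e.PrevHash = uint64(len(chain))+1, genesis
	if n := len(chain); n > 0 {
		e.PrevHash = chain[n-1].Hash
	}
	e.Hash = digest(e)
	return append(chain, e)
}

// Verify walks the chain and reports the first gap, broken link or edited event.
func Verify(chain []AuditEvent) error {
	prev := genesis
	for i, e := range chain {
		switch {
		case e.Seq != uint64(i)+1:
			return fmt.Errorf("gap: expected seq %d, got %d", i+1, e.Seq)
		case e.PrevHash != prev:
			return fmt.Errorf("seq %d: link to previous event broken", e.Seq)
		case e.Hash != digest(e):
			return fmt.Errorf("seq %d: event modified after hashing", e.Seq)
		}
		prev = e.Hash
	}
	return nil
}
```

The chain only proves integrity relative to a trusted head: a writer who can rewrite the table can recompute every hash, and truncating the tail leaves no gap to find, so the latest Hash should be anchored somewhere the writer cannot overwrite (the external export target, for instance) and compared on verification.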
