fix(audit): M5.3 review I-1 — use the request-start options snapshot for header redaction (no mid-request reload split)

2026-06-16 21:49:43 -04:00
parent 20760014c2
commit de2968b03d
1 changed files with 8 additions and 3 deletions
@@ -234,6 +234,7 @@ public sealed class AuditWriteMiddleware

            EmitInboundAudit(
                ctx,
+                opts,
                sw.ElapsedMilliseconds,
                thrown,
                requestBody,
@@ -251,6 +252,7 @@ public sealed class AuditWriteMiddleware
    /// </summary>
    private void EmitInboundAudit(
        HttpContext ctx,
+        AuditLogOptions opts,
        long durationMs,
        Exception? thrown,
        string? requestBody,
@@ -289,10 +291,13 @@ public sealed class AuditWriteMiddleware
            // collection is run through the SAME header-redaction list
            // (AuditLogOptions.HeaderRedactList) that the ScadaBridgeAuditRedactor
            // applies to RequestSummary / ResponseSummary — auth/sensitive
-            // headers are redacted before they land in the row.
-            var currentOpts = _options.CurrentValue;
+            // headers are redacted before they land in the row. Uses the SAME
+            // options snapshot captured at request start (passed in as opts) as
+            // the SkipBodyCapture / PerTargetOverrides decisions, so a mid-request
+            // live-reload can't split the body-capture and header-redaction
+            // verdicts across two different snapshots.
            var redactSet = new HashSet<string>(
-                currentOpts.HeaderRedactList,
+                opts.HeaderRedactList,
                StringComparer.OrdinalIgnoreCase);

            var headerDict = new Dictionary<string, string>(StringComparer.Ordinal);