feat(health): surface AuditRedactionFailure in central snapshot (#23 M6)

2026-05-20 19:13:19 -04:00
parent 70ed8d4557
commit 2744011ce9
3 changed files with 166 additions and 6 deletions
--- a/src/ScadaLink.AuditLog/Central/CentralAuditRedactionFailureCounter.cs
+++ b/src/ScadaLink.AuditLog/Central/CentralAuditRedactionFailureCounter.cs
@@ -0,0 +1,57 @@
+using ScadaLink.AuditLog.Payload;
+
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Audit Log (#23) M6 Bundle E (T9) — bridges
+/// <see cref="IAuditRedactionFailureCounter"/> (incremented by
+/// <see cref="DefaultAuditPayloadFilter"/> every time a header / body / SQL
+/// parameter redactor stage throws and the filter has to over-redact the
+/// offending field) into <see cref="AuditCentralHealthSnapshot"/> so the
+/// failure surfaces on the central health surface as
+/// <c>AuditCentralHealthSnapshot.AuditRedactionFailure</c>.
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Site vs central.</b> M5 Bundle C wired the SITE-side bridge
+/// (<see cref="ScadaLink.AuditLog.Site.HealthMetricsAuditRedactionFailureCounter"/>),
+/// which routes increments into the site health report payload's
+/// <c>AuditRedactionFailure</c> field. That handles redactor failures on the
+/// site SQLite hot-path (FallbackAuditWriter). M6 Bundle E (T9) adds the
+/// MIRROR bridge here so the same payload filter — when it runs on the
+/// central <see cref="CentralAuditWriter"/> /
+/// <see cref="AuditLogIngestActor"/> paths — surfaces its failures on the
+/// central dashboard rather than disappearing into a NoOp.
+/// </para>
+/// <para>
+/// <b>Registration shape.</b> Site composition roots call
+/// <see cref="ServiceCollectionExtensions.AddAuditLogHealthMetricsBridge"/>,
+/// which overrides the binding with the site bridge. Central composition
+/// roots call <see cref="ServiceCollectionExtensions.AddAuditLogCentralMaintenance"/>,
+/// which overrides with this central bridge. A node never wears both hats —
+/// site and central are distinct host roles — so the two bridges never
+/// fight over the same binding at runtime.
+/// </para>
+/// <para>
+/// <b>Why not a thin wrapper around the snapshot directly?</b> The snapshot
+/// itself <i>could</i> be the bound implementation (it already implements
+/// <see cref="IAuditRedactionFailureCounter"/>), but a dedicated class makes
+/// the central-vs-site asymmetry explicit at the DI boundary — readers of
+/// <see cref="ServiceCollectionExtensions.AddAuditLogCentralMaintenance"/>
+/// see "site → site bridge, central → central bridge", matching the
+/// <see cref="ScadaLink.AuditLog.Site.HealthMetricsAuditRedactionFailureCounter"/>
+/// shape one-for-one.
+/// </para>
+/// </remarks>
+public sealed class CentralAuditRedactionFailureCounter : IAuditRedactionFailureCounter
+{
+    private readonly AuditCentralHealthSnapshot _snapshot;
+
+    public CentralAuditRedactionFailureCounter(AuditCentralHealthSnapshot snapshot)
+    {
+        _snapshot = snapshot ?? throw new ArgumentNullException(nameof(snapshot));
+    }
+
+    /// <inheritdoc/>
+    public void Increment() => ((IAuditRedactionFailureCounter)_snapshot).Increment();
+}
--- a/src/ScadaLink.AuditLog/ServiceCollectionExtensions.cs
+++ b/src/ScadaLink.AuditLog/ServiceCollectionExtensions.cs
@@ -295,14 +295,18 @@ public static class ServiceCollectionExtensions
        services.Replace(ServiceDescriptor.Singleton<ICentralAuditWriteFailureCounter>(
            sp => sp.GetRequiredService<AuditCentralHealthSnapshot>()));
        // M6 Bundle E (T9): override the NoOp IAuditRedactionFailureCounter
-        // (registered by AddAuditLog) with the central snapshot binding so
-        // payload-filter throws on CentralAuditWriter / AuditLogIngestActor
-        // paths surface on the central dashboard. The site composition root
+        // (registered by AddAuditLog) with the CentralAuditRedactionFailureCounter
+        // bridge so payload-filter throws on CentralAuditWriter /
+        // AuditLogIngestActor paths surface on the central dashboard. The
+        // bridge is a thin wrapper around the AuditCentralHealthSnapshot
+        // singleton so all central redactor failures route into the same
+        // counter as CentralAuditWriteFailures. The site composition root
        // overrides this binding AGAIN via AddAuditLogHealthMetricsBridge —
        // central nodes do not call that bridge, so this is the final
-        // binding on a central host.
-        services.Replace(ServiceDescriptor.Singleton<IAuditRedactionFailureCounter>(
-            sp => sp.GetRequiredService<AuditCentralHealthSnapshot>()));
+        // binding on a central host. Mirrors the M5 Bundle C
+        // HealthMetricsAuditRedactionFailureCounter shape one-for-one.
+        services.Replace(ServiceDescriptor.Singleton<IAuditRedactionFailureCounter,
+            CentralAuditRedactionFailureCounter>());

        return services;
    }