feat(health): CentralAuditWriteFailures + AuditCentralHealthSnapshot (#23 M6)

2026-05-20 19:11:52 -04:00
parent 42333a72ed
commit 70ed8d4557
8 changed files with 398 additions and 2 deletions
--- a/src/ScadaLink.AuditLog/Central/CentralAuditWriter.cs
+++ b/src/ScadaLink.AuditLog/Central/CentralAuditWriter.cs
@@ -42,6 +42,7 @@ public sealed class CentralAuditWriter : ICentralAuditWriter
    private readonly IServiceProvider _services;
    private readonly ILogger<CentralAuditWriter> _logger;
    private readonly IAuditPayloadFilter? _filter;
+    private readonly ICentralAuditWriteFailureCounter _failureCounter;

    /// <summary>
    /// Bundle C (M5-T6) — the central direct-write path used by the
@@ -50,15 +51,23 @@ public sealed class CentralAuditWriter : ICentralAuditWriter
    /// optional so the M4 test composition roots that don't pass one keep
    /// working (they only ever write small payloads); production DI registers
    /// the real filter via <see cref="ServiceCollectionExtensions.AddAuditLog"/>.
+    /// M6 Bundle E (T8) — adds the optional
+    /// <see cref="ICentralAuditWriteFailureCounter"/> so a swallowed repository
+    /// throw bumps the central health surface's
+    /// <c>CentralAuditWriteFailures</c> counter. Defaults to a NoOp so test
+    /// composition roots that don't wire the counter keep their current
+    /// behaviour.
    /// </summary>
    public CentralAuditWriter(
        IServiceProvider services,
        ILogger<CentralAuditWriter> logger,
-        IAuditPayloadFilter? filter = null)
+        IAuditPayloadFilter? filter = null,
+        ICentralAuditWriteFailureCounter? failureCounter = null)
    {
        _services = services ?? throw new ArgumentNullException(nameof(services));
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
        _filter = filter;
+        _failureCounter = failureCounter ?? new NoOpCentralAuditWriteFailureCounter();
    }

    /// <summary>
@@ -92,6 +101,19 @@ public sealed class CentralAuditWriter : ICentralAuditWriter
        catch (Exception ex)
        {
            // Audit failure NEVER aborts the user-facing action — swallow and log.
+            // M6 Bundle E (T8): also surface the failure on the central health
+            // counter so a sustained audit-write outage is visible on the
+            // health dashboard rather than disappearing into the log file.
+            try
+            {
+                _failureCounter.Increment();
+            }
+            catch
+            {
+                // Counter must NEVER throw — defence in depth. Even if a
+                // misbehaving custom counter does, swallowing here keeps the
+                // best-effort contract intact.
+            }
            _logger.LogWarning(
                ex,
                "CentralAuditWriter failed for EventId {EventId} (Kind={Kind}, Status={Status})",