docs(auditlog): mark follow-ups complete in roadmap; refresh stale comments

2026-05-21 06:39:49 -04:00
parent c503df4c4c
commit 7a386a80ce
5 changed files with 44 additions and 18 deletions
--- a/docs/plans/2026-05-20-audit-log-code-roadmap.md
+++ b/docs/plans/2026-05-20-audit-log-code-roadmap.md
@@ -11,12 +11,17 @@
 >
 > **Deferred to v1.x (out of scope, intentionally not implemented):** hash-chain tamper
 > evidence (`audit verify-chain` ships as a no-op stub), Parquet export (`format=parquet`
-> returns HTTP 501), per-channel retention overrides. **Deferred follow-ups noted during
-> implementation:** the real site→central gRPC push client (M6 wired the pull RPC + a mockable
-> push seam; `NoOpSiteStreamAuditClient` remains the production binding); consolidation of the
-> 4 DTO mapper copies; Site Calls UI page + its Audit drill-in; multi-value filter dimensions
-> (`AuditLogQueryFilter` is single-value per dimension, so UI chips / CLI flags collapse to the
-> first value); audit-results-grid drag resize/reorder UX.
+> returns HTTP 501), per-channel retention overrides. **Follow-ups noted during
+> implementation — now complete:** the five follow-ups deferred above (the real
+> site→central push client; consolidation of the 4 DTO mapper copies; the Site Calls UI
+> page + its Audit drill-in; multi-value filter dimensions; audit-results-grid drag
+> resize/reorder UX) were all implemented on the `feature/audit-log-followups` branch
+> per `docs/plans/2026-05-21-audit-log-followups.md`. The site→central transport shipped
+> as a **ClusterClient-based push** (`ClusterClientSiteAuditClient`, reusing the same
+> ClusterClient command/control transport notifications use) rather than the gRPC push
+> originally sketched here — `ClusterClientSiteAuditClient` is now the production binding
+> for site roles, with `NoOpSiteStreamAuditClient` retained only for central/test
+> composition roots; and `AuditLogQueryFilter` is now multi-value per dimension.
 >
 > **For Claude:** REQUIRED SUB-SKILL FLOW per milestone: `brainstorming` → `writing-plans` → `subagent-driven-development`. Use `docs/requirements/Component-AuditLog.md` + `alog.md` as the spec; this document is the roadmap that sequences milestones and locks acceptance criteria for each. **M1 carries full TDD-level task detail; M2–M8 are milestone-shape detail and will be expanded into bite-sized plans by their own writing-plans pass when their turn comes.**

--- a/src/ScadaLink.AuditLog/Site/Telemetry/CachedCallTelemetryForwarder.cs
+++ b/src/ScadaLink.AuditLog/Site/Telemetry/CachedCallTelemetryForwarder.cs
@@ -34,15 +34,17 @@ namespace ScadaLink.AuditLog.Site.Telemetry;
 /// returns normally.
 /// </para>
 /// <para>
-/// <b>Wire push deferred to M6.</b> M3 keeps this forwarder synchronous
-/// against the local stores: there is no site→central gRPC channel yet, so
-/// the <see cref="ISiteStreamAuditClient.IngestCachedTelemetryAsync"/> RPC
-/// is registered on the interface (Bundle E1) but the production binding
-/// remains <c>NoOpSiteStreamAuditClient</c>. Once M6 wires a real client the
-/// drain pattern from <c>SiteAuditTelemetryActor</c> can be reused — the
-/// <c>AuditEvent</c> rows already live in SQLite tagged
-/// <see cref="AuditForwardState.Pending"/>, so a single drain loop sweeps
-/// both M2 and M3 emissions.
+/// <b>Local-write only — the wire push is the drain actor's job.</b> This
+/// forwarder is deliberately synchronous against the two site-local SQLite
+/// stores and never pushes to central itself. The site→central transport is
+/// now live: <c>ClusterClientSiteAuditClient</c> is the production binding of
+/// <see cref="ISiteStreamAuditClient"/> on site roles (with
+/// <c>NoOpSiteStreamAuditClient</c> retained only for central/test composition
+/// roots). The push happens out-of-band: <see cref="SiteAuditTelemetryActor"/>
+/// sweeps the <c>AuditEvent</c> rows this forwarder wrote — they live in SQLite
+/// tagged <see cref="AuditForwardState.Pending"/> — and drains them to central
+/// via that client. A single drain loop therefore covers both the audit-only
+/// emissions and the cached-call emissions this forwarder produces.
 /// </para>
 /// </remarks>
 public sealed class CachedCallTelemetryForwarder : ICachedCallTelemetryForwarder
--- a/src/ScadaLink.Communication/CommunicationService.cs
+++ b/src/ScadaLink.Communication/CommunicationService.cs
@@ -355,6 +355,14 @@ public class CommunicationService
    /// owning site and replies a <see cref="RetrySiteCallResponse"/> carrying a
    /// distinct site-unreachable outcome. Central never mutates the central
    /// <c>SiteCalls</c> mirror row.
+    /// <para>
+    /// This outer Ask uses <see cref="CommunicationOptions.QueryTimeout"/>
+    /// (default 30s), which must outlive the inner site relay Ask the
+    /// <c>SiteCallAuditActor</c> issues with <c>SiteCallAuditOptions.RelayTimeout</c>
+    /// (default 10s). The inner relay must time out first so its distinct
+    /// <c>SiteUnreachable</c> outcome reaches us; were this outer Ask to expire
+    /// first, that outcome would be lost to a generic Ask-timeout exception.
+    /// </para>
    /// </summary>
    public async Task<RetrySiteCallResponse> RetrySiteCallAsync(
        RetrySiteCallRequest request, CancellationToken cancellationToken = default)
--- a/src/ScadaLink.Host/Actors/AkkaHostedService.cs
+++ b/src/ScadaLink.Host/Actors/AkkaHostedService.cs
@@ -681,9 +681,10 @@ akka {{
        // Per Bundle E's brief: the SiteAuditTelemetryActor takes its
        // collaborators through its constructor, so we resolve them from DI
        // and pass them in via Props.Create rather than relying on a future
-        // FactoryProvider. This also lets the M6 follow-up swap the
-        // NoOpSiteStreamAuditClient registration for the real gRPC client
-        // without touching this site wiring.
+        // FactoryProvider. The real site→central client is constructed and
+        // wired immediately below: a ClusterClientSiteAuditClient (ClusterClient
+        // transport, not gRPC) replaces the DI-default NoOpSiteStreamAuditClient
+        // for site roles, without disturbing the rest of this wiring.
        var siteAuditOptions = _serviceProvider
            .GetRequiredService<IOptions<ScadaLink.AuditLog.Site.Telemetry.SiteAuditTelemetryOptions>>();
        var siteAuditQueue = _serviceProvider
--- a/src/ScadaLink.SiteCallAudit/SiteCallAuditOptions.cs
+++ b/src/ScadaLink.SiteCallAudit/SiteCallAuditOptions.cs
@@ -32,6 +32,16 @@ public class SiteCallAuditOptions
    /// reports a <c>SiteUnreachable</c> outcome. Default 10 seconds: long enough
    /// to absorb a healthy cross-cluster round-trip, short enough that an
    /// operator clicking Retry on an offline site gets a fast, honest answer.
+    /// <para>
+    /// <b>Ordering invariant:</b> <c>RelayTimeout</c> must stay below
+    /// <c>CommunicationOptions.QueryTimeout</c> (default 30s), the timeout the
+    /// outer <c>CommunicationService.RetrySiteCallAsync</c>/<c>DiscardSiteCallAsync</c>
+    /// Ask of the <c>SiteCallAuditActor</c> uses. The outer Ask must outlive this
+    /// inner site relay Ask so the inner relay times out first and yields the
+    /// distinct <c>SiteUnreachable</c> outcome; if the outer Ask expired first,
+    /// that outcome would be lost to a generic Ask-timeout exception. The
+    /// defaults (10s &lt; 30s) satisfy this — keep the gap when tuning either.
+    /// </para>
    /// </summary>
    public TimeSpan RelayTimeout { get; set; } = TimeSpan.FromSeconds(10);
 }