feat(notif): NotificationOutboxActor + CentralAuditWriter wired (#23 M4)

M4 Bundle B (B1) — add the central-only ICentralAuditWriter implementation and inject it into NotificationOutboxActor so subsequent tasks (B2/B3) can route attempt + terminal lifecycle events through the direct-write audit path. - CentralAuditWriter: thin wrapper around IAuditLogRepository.InsertIfNotExistsAsync; scope-per-call (matches AuditLogIngestActor / NotificationOutboxActor pattern); stamps IngestedAtUtc; swallows all internal failures (alog.md §13). - Registered as a singleton in AddAuditLog. - NotificationOutboxActor ctor takes ICentralAuditWriter (validated non-null). - Host wiring resolves the writer once from the root provider and passes it into the singleton's Props.Create call. - Existing TestKit fixtures updated with a NoOpCentralAuditWriter helper so tests that don't exercise audit emission still compile and pass.
2026-05-20 16:04:01 -04:00
parent e4d902753b
commit b31747a632
13 changed files with 383 additions and 4 deletions
--- a/src/ScadaLink.AuditLog/Central/CentralAuditWriter.cs
+++ b/src/ScadaLink.AuditLog/Central/CentralAuditWriter.cs
@@ -0,0 +1,82 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces.Repositories;
+using ScadaLink.Commons.Interfaces.Services;
+
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Central-only direct-write implementation of <see cref="ICentralAuditWriter"/>.
+/// Wraps <see cref="IAuditLogRepository.InsertIfNotExistsAsync"/> as a best-effort
+/// audit emission path for components that originate audit events ON the central
+/// node (Notification Outbox dispatch, Inbound API) — NOT for site telemetry
+/// ingest (that path is the SiteAudit → AuditLogIngestActor batched flow).
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Best-effort contract.</b> Audit-write failures NEVER abort the user-facing
+/// action (alog.md §13). The writer catches every exception thrown by repository
+/// resolution or the insert call, logs at warning, and returns successfully.
+/// Callers may still wrap the call in their own try/catch (defensive — the writer
+/// is supposed to swallow).
+/// </para>
+/// <para>
+/// <b>Scope-per-call resolution.</b> <see cref="IAuditLogRepository"/> is a SCOPED
+/// EF Core service (registered by <c>ScadaLink.ConfigurationDatabase</c>). The
+/// writer itself is registered as a singleton (so all callers share one instance),
+/// so it cannot hold a scope across calls — it opens a fresh
+/// <see cref="IServiceScope"/> per <see cref="WriteAsync"/> invocation, mirroring
+/// the per-message scope pattern used by <c>AuditLogIngestActor</c> and
+/// <c>NotificationOutboxActor</c>.
+/// </para>
+/// <para>
+/// <b>Idempotency.</b> Persistence is via <c>InsertIfNotExistsAsync</c>, so a
+/// double-emitted event (same <see cref="AuditEvent.EventId"/>) is a silent
+/// no-op — the writer is safe to call from any number of dispatch paths.
+/// </para>
+/// </remarks>
+public sealed class CentralAuditWriter : ICentralAuditWriter
+{
+    private readonly IServiceProvider _services;
+    private readonly ILogger<CentralAuditWriter> _logger;
+
+    public CentralAuditWriter(IServiceProvider services, ILogger<CentralAuditWriter> logger)
+    {
+        _services = services ?? throw new ArgumentNullException(nameof(services));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    /// <summary>
+    /// Persists <paramref name="evt"/> into the central <c>AuditLog</c> table
+    /// idempotently on <see cref="AuditEvent.EventId"/>. Stamps
+    /// <see cref="AuditEvent.IngestedAtUtc"/> from the central-side clock.
+    /// Internal failures are logged and swallowed — never thrown.
+    /// </summary>
+    public async Task WriteAsync(AuditEvent evt, CancellationToken ct = default)
+    {
+        if (evt is null)
+        {
+            // Defensive — a null event is a programming bug at the caller and
+            // produces no meaningful audit row. Log and return.
+            _logger.LogWarning("CentralAuditWriter.WriteAsync received null event; ignoring.");
+            return;
+        }
+
+        try
+        {
+            await using var scope = _services.CreateAsyncScope();
+            var repo = scope.ServiceProvider.GetRequiredService<IAuditLogRepository>();
+            var stamped = evt with { IngestedAtUtc = DateTime.UtcNow };
+            await repo.InsertIfNotExistsAsync(stamped, ct).ConfigureAwait(false);
+        }
+        catch (Exception ex)
+        {
+            // Audit failure NEVER aborts the user-facing action — swallow and log.
+            _logger.LogWarning(
+                ex,
+                "CentralAuditWriter failed for EventId {EventId} (Kind={Kind}, Status={Status})",
+                evt.EventId, evt.Kind, evt.Status);
+        }
+    }
+}
--- a/src/ScadaLink.AuditLog/ServiceCollectionExtensions.cs
+++ b/src/ScadaLink.AuditLog/ServiceCollectionExtensions.cs
@@ -3,6 +3,7 @@ using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using ScadaLink.AuditLog.Central;
 using ScadaLink.AuditLog.Configuration;
 using ScadaLink.AuditLog.Site;
 using ScadaLink.AuditLog.Site.Telemetry;
@@ -129,6 +130,17 @@ public static class ServiceCollectionExtensions
        services.AddSingleton<ICachedCallLifecycleObserver>(
            sp => sp.GetRequiredService<CachedCallLifecycleBridge>());

+        // M4 Bundle B: central direct-write audit writer used by
+        // NotificationOutboxActor (Bundle B) and Inbound API (Bundle C/D) to
+        // emit AuditLog rows that originate ON central, not via site telemetry.
+        // Singleton — the writer is stateless; its per-call scope opens a fresh
+        // IAuditLogRepository (a SCOPED EF Core service registered by
+        // ScadaLink.ConfigurationDatabase). The interface (ICentralAuditWriter)
+        // is intentionally distinct from IAuditWriter so site composition roots
+        // do not accidentally bind it; central composition roots that include
+        // AddConfigurationDatabase get a working implementation transparently.
+        services.AddSingleton<ICentralAuditWriter, CentralAuditWriter>();
+
        return services;
    }

--- a/src/ScadaLink.Host/Actors/AkkaHostedService.cs
+++ b/src/ScadaLink.Host/Actors/AkkaHostedService.cs
@@ -275,11 +275,18 @@ akka {{
            .GetRequiredService<IOptions<ScadaLink.NotificationOutbox.NotificationOutboxOptions>>().Value;
        var outboxLogger = _serviceProvider.GetRequiredService<ILoggerFactory>()
            .CreateLogger<ScadaLink.NotificationOutbox.NotificationOutboxActor>();
+        // M4 Bundle B: central direct-write audit writer for dispatcher attempt
+        // + terminal events. Resolved once from the root provider — the writer
+        // is a singleton and stateless, opening per-call DI scopes internally
+        // to resolve the scoped IAuditLogRepository.
+        var outboxAuditWriter = _serviceProvider
+            .GetRequiredService<ScadaLink.Commons.Interfaces.Services.ICentralAuditWriter>();

        var outboxSingletonProps = ClusterSingletonManager.Props(
            singletonProps: Props.Create(() => new ScadaLink.NotificationOutbox.NotificationOutboxActor(
                _serviceProvider,
                outboxOptions,
+                outboxAuditWriter,
                outboxLogger)),
            terminationMessage: PoisonPill.Instance,
            settings: ClusterSingletonManagerSettings.Create(_actorSystem!)
--- a/src/ScadaLink.NotificationOutbox/NotificationOutboxActor.cs
+++ b/src/ScadaLink.NotificationOutbox/NotificationOutboxActor.cs
@@ -1,8 +1,10 @@
 using Akka.Actor;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
+using ScadaLink.Commons.Entities.Audit;
 using ScadaLink.Commons.Entities.Notifications;
 using ScadaLink.Commons.Interfaces.Repositories;
+using ScadaLink.Commons.Interfaces.Services;
 using ScadaLink.Commons.Messages.Notification;
 using ScadaLink.Commons.Types.Enums;
 using ScadaLink.Commons.Types.Notifications;
@@ -30,6 +32,7 @@ public class NotificationOutboxActor : ReceiveActor, IWithTimers

    private readonly IServiceProvider _serviceProvider;
    private readonly NotificationOutboxOptions _options;
+    private readonly ICentralAuditWriter _auditWriter;
    private readonly ILogger<NotificationOutboxActor> _logger;

    /// <summary>
@@ -45,11 +48,13 @@ public class NotificationOutboxActor : ReceiveActor, IWithTimers
    public NotificationOutboxActor(
        IServiceProvider serviceProvider,
        NotificationOutboxOptions options,
+        ICentralAuditWriter auditWriter,
        ILogger<NotificationOutboxActor> logger)
    {
-        _serviceProvider = serviceProvider;
-        _options = options;
-        _logger = logger;
+        _serviceProvider = serviceProvider ?? throw new ArgumentNullException(nameof(serviceProvider));
+        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _auditWriter = auditWriter ?? throw new ArgumentNullException(nameof(auditWriter));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));

        Receive<NotificationSubmit>(HandleSubmit);
        Receive<InternalMessages.IngestPersisted>(HandleIngestPersisted);