lex-audit 0.1.0 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 678a76434f7d1af470a6c1302b6079dbe86f4096f5e64fff11ffe3bc80d6ab92
-  data.tar.gz: e873a54a8b05dee40f5d078f9f5c80e99a332b6479a98ee7a26f4faae6f983d8
+  metadata.gz: e06daee7efba7ee9c8f7883c2e59922baaa602e22094f28d94d05335dfa5a42d
+  data.tar.gz: 1deb7352830d90b9a2df09a73e514e5bd7149ae6b4122d3156c531db0e47e9a1
 SHA512:
-  metadata.gz: e0783cc5cc4634ad85ae9d350d05c2d40f350a180689457f2285ace36ef3f227e5a722ffb2bb5ef5596d99d03b6d015e82c3a99728d80de46ff9d0c8074bfcae
-  data.tar.gz: f45707d4627e116e12dd303bb26b85abc984a8cb9b342f9c836e89a33d2cd73839e15c2990fa1630ca4956fd01e42c260e892a224ed91b44d80a1c6d586b72c1
+  metadata.gz: 51b37ec39294af491b19f7c2ed2049b07586c5290cb37949bf435e23dd323e12a86f28c7e8996aa44c86d22c33ab6d3484b192d1b814feb9813648d1ce992a5b
+  data.tar.gz: a638436adb02bcb28da8cfc113d761c32ec157eb4759f61c50feafaa02ee630aff6b92620079d639ab7dc5f4861e7bd5d870f64a58b0dc306ee0ab1d347b8c70

data/.gitignore

@@ -0,0 +1 @@
+Gemfile.lock

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [0.1.2] - 2026-03-21
+
+### Added
+- context_snapshot field for working memory state capture in audit entries
+- context_snapshot included in SHA-256 hash chain for tamper evidence
+- Backward-compatible verify with mixed snapshot/non-snapshot records
+
+## [0.1.1] - 2026-03-20
+
+### Added
+- `Runners::ApprovalQueue` with submit, approve, reject, list_pending, and show_approval methods
+- Lazy Sequel model definition to avoid schema introspection at require time
+- Audit event publishing via transport messages when available
+
 ## [0.1.0] - 2026-03-16
 
 ### Added

data/CLAUDE.md

@@ -61,7 +61,7 @@ Legion::Extensions::Audit
 
 ```bash
 bundle install
-bundle exec rspec     # 29 examples, 0 failures
+bundle exec rspec     # 26 examples, 0 failures
 bundle exec rubocop   # 0 offenses
 ```
 

data/lib/legion/extensions/audit/runners/approval_queue.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Audit
+      module Runners
+        module ApprovalQueue
+          extend self
+
+          def submit(approval_type:, payload:, requester_id:, tenant_id: nil, **)
+            define_approval_queue_model
+            json_payload = if defined?(Legion::JSON)
+                             Legion::JSON.dump({ data: payload })
+                           else
+                             require 'json'
+                             ::JSON.dump({ data: payload })
+                           end
+
+            record = Legion::Extensions::Audit::Runners::ApprovalQueue::ApprovalQueue.create(
+              approval_type: approval_type,
+              payload:       json_payload,
+              requester_id:  requester_id,
+              status:        'pending',
+              tenant_id:     tenant_id,
+              created_at:    Time.now.utc
+            )
+            publish_event('approval_needed', record)
+            { success: true, approval_id: record.id, status: 'pending' }
+          end
+
+          def approve(id:, reviewer_id:, **)
+            define_approval_queue_model
+            record = Legion::Extensions::Audit::Runners::ApprovalQueue::ApprovalQueue[id]
+            return { success: false, reason: :not_found } unless record
+            return { success: false, reason: :already_decided } unless record.status == 'pending'
+
+            record.update(status: 'approved', reviewer_id: reviewer_id, reviewed_at: Time.now.utc)
+            publish_event('approval_decided', record)
+            { success: true, approval_id: id, status: 'approved' }
+          end
+
+          def reject(id:, reviewer_id:, **)
+            define_approval_queue_model
+            record = Legion::Extensions::Audit::Runners::ApprovalQueue::ApprovalQueue[id]
+            return { success: false, reason: :not_found } unless record
+            return { success: false, reason: :already_decided } unless record.status == 'pending'
+
+            record.update(status: 'rejected', reviewer_id: reviewer_id, reviewed_at: Time.now.utc)
+            publish_event('approval_decided', record)
+            { success: true, approval_id: id, status: 'rejected' }
+          end
+
+          def list_pending(tenant_id: nil, limit: 50, **)
+            define_approval_queue_model
+            dataset = Legion::Extensions::Audit::Runners::ApprovalQueue::ApprovalQueue.where(status: 'pending').order(Sequel.desc(:created_at))
+            dataset = dataset.where(tenant_id: tenant_id) if tenant_id
+            dataset = dataset.limit(limit)
+            { success: true, approvals: dataset.all.map(&:values), count: dataset.count }
+          end
+
+          def show_approval(id:, **)
+            define_approval_queue_model
+            record = Legion::Extensions::Audit::Runners::ApprovalQueue::ApprovalQueue[id]
+            return { success: false, reason: :not_found } unless record
+
+            { success: true, approval: record.values }
+          end
+
+          private
+
+          def define_approval_queue_model
+            return if Legion::Extensions::Audit::Runners::ApprovalQueue.const_defined?(:ApprovalQueue, false)
+
+            db = Legion::Data::Connection.sequel
+            return unless db&.table_exists?(:approval_queue)
+
+            Legion::Extensions::Audit::Runners::ApprovalQueue.const_set(
+              :ApprovalQueue,
+              Class.new(Sequel::Model(db[:approval_queue])) do
+                set_primary_key :id
+              end
+            )
+          end
+
+          def publish_event(event_type, record)
+            return unless defined?(Legion::Extensions::Audit::Transport::Messages::Audit)
+
+            Legion::Extensions::Audit::Transport::Messages::Audit.new(
+              event_type:   event_type,
+              principal_id: record.respond_to?(:requester_id) ? record.requester_id : record[:requester_id],
+              action:       event_type == 'approval_needed' ? 'submit' : record.status,
+              resource:     "approval_queue:#{record.id}",
+              detail:       { approval_type: record.approval_type, approval_id: record.id }
+            ).publish
+          rescue StandardError => e
+            Legion::Logging.warn "[audit] failed to publish #{event_type}: #{e.message}" if defined?(Legion::Logging)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/audit/runners/audit.rb

@@ -16,25 +16,29 @@ module Legion
             prev_hash = prev ? prev.record_hash : GENESIS_HASH
 
             created_at = opts[:created_at] ? Time.parse(opts[:created_at].to_s) : Time.now.utc
+            snapshot_json = opts[:context_snapshot] ? Legion::JSON.dump(opts[:context_snapshot]) : nil
+
             content = "#{prev_hash}|#{event_type}|#{principal_id}|#{action}|#{resource}|#{created_at.utc.iso8601}"
+            content = "#{content}|#{snapshot_json}" if snapshot_json
             record_hash = Digest::SHA256.hexdigest(content)
 
             detail_json = opts[:detail] ? Legion::JSON.dump(opts[:detail]) : nil
 
             record = Legion::Data::Model::AuditLog.create(
-              event_type:     event_type,
-              principal_id:   principal_id,
-              principal_type: opts[:principal_type] || 'system',
-              action:         action,
-              resource:       resource,
-              source:         opts[:source] || 'unknown',
-              node:           opts[:node] || 'unknown',
-              status:         opts[:status] || 'success',
-              duration_ms:    opts[:duration_ms],
-              detail:         detail_json,
-              record_hash:    record_hash,
-              prev_hash:      prev_hash,
-              created_at:     created_at
+              event_type:       event_type,
+              principal_id:     principal_id,
+              principal_type:   opts[:principal_type] || 'system',
+              action:           action,
+              resource:         resource,
+              source:           opts[:source] || 'unknown',
+              node:             opts[:node] || 'unknown',
+              status:           opts[:status] || 'success',
+              duration_ms:      opts[:duration_ms],
+              detail:           detail_json,
+              context_snapshot: snapshot_json,
+              record_hash:      record_hash,
+              prev_hash:        prev_hash,
+              created_at:       created_at
             )
 
             { success: true, audit_id: record.id, record_hash: record_hash }
@@ -50,6 +54,7 @@ module Legion
 
             dataset.each do |record|
               content = "#{prev_hash}|#{record.event_type}|#{record.principal_id}|#{record.action}|#{record.resource}|#{record.created_at.utc.iso8601}"
+              content = "#{content}|#{record.context_snapshot}" if record.respond_to?(:context_snapshot) && record.context_snapshot
               expected = Digest::SHA256.hexdigest(content)
               unless record.record_hash == expected
                 broken_at = record.id

data/lib/legion/extensions/audit/version.rb

@@ -3,7 +3,7 @@
 module Legion
   module Extensions
     module Audit
-      VERSION = '0.1.0'
+      VERSION = '0.1.2'
     end
   end
 end

data/lib/legion/extensions/audit.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'legion/extensions/audit/version'
+require 'legion/extensions/audit/runners/approval_queue'
 
 module Legion
   module Extensions

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lex-audit
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.2
 platform: ruby
 authors:
 - Esity
@@ -102,16 +102,17 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".github/workflows/ci.yml"
+- ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
 - CHANGELOG.md
 - CLAUDE.md
 - Gemfile
-- Gemfile.lock
 - README.md
 - lex-audit.gemspec
 - lib/legion/extensions/audit.rb
 - lib/legion/extensions/audit/actors/audit_writer.rb
+- lib/legion/extensions/audit/runners/approval_queue.rb
 - lib/legion/extensions/audit/runners/audit.rb
 - lib/legion/extensions/audit/transport/exchanges/audit.rb
 - lib/legion/extensions/audit/transport/messages/audit.rb

data/Gemfile.lock

@@ -1,86 +0,0 @@
-PATH
-  remote: .
-  specs:
-    lex-audit (0.1.0)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    addressable (2.8.9)
-      public_suffix (>= 2.0.2, < 8.0)
-    ast (2.4.3)
-    bigdecimal (4.0.1)
-    diff-lcs (1.6.2)
-    json (2.19.1)
-    json-schema (6.2.0)
-      addressable (~> 2.8)
-      bigdecimal (>= 3.1, < 5)
-    language_server-protocol (3.17.0.5)
-    lint_roller (1.1.0)
-    mcp (0.8.0)
-      json-schema (>= 4.1)
-    parallel (1.27.0)
-    parser (3.3.10.2)
-      ast (~> 2.4.1)
-      racc
-    prism (1.9.0)
-    public_suffix (7.0.5)
-    racc (1.8.1)
-    rainbow (3.1.1)
-    rake (13.3.1)
-    regexp_parser (2.11.3)
-    rspec (3.13.2)
-      rspec-core (~> 3.13.0)
-      rspec-expectations (~> 3.13.0)
-      rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.6)
-      rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.5)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.8)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.13.0)
-    rspec-support (3.13.7)
-    rubocop (1.85.1)
-      json (~> 2.3)
-      language_server-protocol (~> 3.17.0.2)
-      lint_roller (~> 1.1.0)
-      mcp (~> 0.6)
-      parallel (~> 1.10)
-      parser (>= 3.3.0.2)
-      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.49.0, < 2.0)
-      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.49.1)
-      parser (>= 3.3.7.2)
-      prism (~> 1.7)
-    rubocop-rspec (3.9.0)
-      lint_roller (~> 1.1)
-      rubocop (~> 1.81)
-    ruby-progressbar (1.13.0)
-    sequel (5.102.0)
-      bigdecimal
-    sqlite3 (2.9.2-arm64-darwin)
-    sqlite3 (2.9.2-x86_64-linux-gnu)
-    unicode-display_width (3.2.0)
-      unicode-emoji (~> 4.1)
-    unicode-emoji (4.2.0)
-
-PLATFORMS
-  arm64-darwin-25
-  x86_64-linux
-
-DEPENDENCIES
-  lex-audit!
-  rake
-  rspec
-  rubocop
-  rubocop-rspec
-  sequel
-  sqlite3
-
-BUNDLED WITH
-   2.6.9