rails_audit_log 1.1.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 26fdf8335990094a7278cbcf9921e123fbf44f6ec464b974b1c73e1f41047691
-  data.tar.gz: 9700fef384bb8f23eb929b0c62cb82880ba8217a44f64660f97823c4ffe6f1c0
+  metadata.gz: fb6120f7ce9f0f2a2fb19553a77ff4c6bf5c24a1945270e2e6393403b9ffc3a0
+  data.tar.gz: a978f7082c30a68c37344e0b819af1e70d077b3092337c5ea31c4e35473ffef6
 SHA512:
-  metadata.gz: 8c0450b8f9228ec6ea98e7e026e0554d73004accf1a284433fa6260b5acd941d8314fd33b9bf873156e214f65f8bcd1d687613077f60c310dacd2a2b4e1f98e8
-  data.tar.gz: 733c560b234f96900a760cc76b74a18bd39303179e36ae8272c0f150560139272eb3fb0de9ee435883fbd2c128bd408b373601f407818ff9e5c72cb9c465e503
+  metadata.gz: 8670a4ceb147508b45d03679eb3765c6984393c144434f4ad90b40bf69c64478ff8b92b0ab3bdb0b054cb0f64d2794f05044d546f81fa2fde17496ff65fde4de
+  data.tar.gz: 5ba060114539abc8555a5873aa7671c226cdc2c19a3bd66a4549595f68ea170372a968de324485dc0bf2eabb0bd253fa14e5c14c98b7b4ad9fe691bc15973fbb

data/README.md

@@ -25,6 +25,8 @@ Audit logging for Rails. Tracks `create`, `update`, and `destroy` events as stru
   - [Capping history per record](#capping-history-per-record)
   - [Time-based retention](#time-based-retention)
   - [Scheduled and manual pruning](#scheduled-and-manual-pruning)
+  - [Encrypting audit data](#encrypting-audit-data)
+  - [Multi-tenancy](#multi-tenancy)
   - [Selective tracking](#selective-tracking)
   - [Disabling auditing](#disabling-auditing)
   - [Object reconstruction](#object-reconstruction)
@@ -369,6 +371,112 @@ Or run it once manually via the rake task:
 bin/rails rails_audit_log:prune
 ```
 
+### Encrypting audit data
+
+Encrypt `object_changes` and `object` at write time using `ActiveRecord::Encryption` (Rails 7.1+). Pass `encrypt: true` to `audit_log` in the model:
+
+```ruby
+class Payment < ApplicationRecord
+  include RailsAuditLog::Auditable
+  audit_log encrypt: true
+end
+```
+
+The host app must configure `ActiveRecord::Encryption` with primary, deterministic, and key-derivation-salt keys — typically in `config/initializers/rails_audit_log.rb` or `config/application.rb`:
+
+```ruby
+config.active_record.encryption.primary_key        = Rails.application.credentials.ral_primary_key
+config.active_record.encryption.deterministic_key  = Rails.application.credentials.ral_deterministic_key
+config.active_record.encryption.key_derivation_salt = Rails.application.credentials.ral_kdf_salt
+```
+
+Enable encryption globally so every audited model encrypts by default:
+
+```ruby
+# config/initializers/rails_audit_log.rb
+RailsAuditLog.encrypt = true
+```
+
+Opt a specific model out when the global default is on:
+
+```ruby
+class PublicLog < ApplicationRecord
+  include RailsAuditLog::Auditable
+  audit_log encrypt: false   # plain JSON even when RailsAuditLog.encrypt = true
+end
+```
+
+Decryption is transparent — `#diff`, `#reify`, `#changed_attributes`, and all other instance methods work without any changes.
+
+> **Note:** The `touching` scope uses database-level JSON extraction (`json_extract` / `->>`) and will not match encrypted entries. All Ruby-side query methods work normally.
+
+#### Setting up encryption keys
+
+Run the Rails built-in task to generate keys and store them in `config/credentials.yml.enc`:
+
+```bash
+bin/rails db:encryption:init
+```
+
+Then run the encryption generator to produce a wired-up initializer and a re-encryption migration for existing entries:
+
+```bash
+bin/rails generate rails_audit_log:encryption
+```
+
+The generator creates:
+- `config/initializers/rails_audit_log_encryption.rb` — reads the generated keys from credentials and passes them to `ActiveRecord::Encryption`
+- `db/migrate/TIMESTAMP_encrypt_rails_audit_log_entries.rb` — re-encrypts existing plain-text audit entries; edit `ENCRYPTED_MODELS` to list your model class names, then run `bin/rails db:migrate`
+
+### Multi-tenancy
+
+Store the current tenant on every audit entry so queries are naturally isolated per tenant.
+
+Run the generator to add the `tenant_id` column:
+
+```bash
+bin/rails generate rails_audit_log:tenant
+bin/rails db:migrate
+```
+
+Set a global resolver in your initializer — the block is called at write time:
+
+```ruby
+# config/initializers/rails_audit_log.rb
+RailsAuditLog.current_tenant { Current.tenant_id }
+```
+
+Or override per model:
+
+```ruby
+class Order < ApplicationRecord
+  include RailsAuditLog::Auditable
+  audit_log tenant: -> { Current.tenant_id }
+end
+```
+
+The per-model lambda takes precedence over the global resolver. Both accept zero-argument lambdas and store whatever the block returns in the `tenant_id` string column.
+
+Scope queries to a single tenant with `for_tenant`:
+
+```ruby
+AuditLogEntry.for_tenant("acme")
+AuditLogEntry.for_tenant(Current.tenant_id).updated_events.since(1.week.ago)
+```
+
+The web dashboard (`/audit`) automatically applies `for_tenant` when `current_tenant` is configured, so entries from other tenants are never exposed.
+
+#### Acts As Tenant integration
+
+Wire the resolver to `ActsAsTenant` in one line:
+
+```ruby
+# config/initializers/rails_audit_log.rb
+RailsAuditLog.acts_as_tenant!
+```
+
+This is equivalent to `RailsAuditLog.current_tenant { ActsAsTenant.current_tenant&.id }`.
+
 ### Selective tracking
 
 Track only specific attributes, or exclude noisy ones:
@@ -754,7 +862,7 @@ bundle exec rake benchmark
 
 [↑ Table of contents](#table-of-contents)
 
-Bug reports and pull requests are welcome on [GitHub](https://github.com/eclectic-coding/rails_audit_log).
+Bug reports and pull requests are welcome on [GitHub](https://github.com/eclectic-coding/rails_audit_log). See [CONTRIBUTING.md](CONTRIBUTING.md) for setup instructions, branch workflow, and CHANGELOG conventions.
 
 ## License
 

data/app/concerns/rails_audit_log/auditable.rb

@@ -30,6 +30,8 @@ module RailsAuditLog
       class_attribute :_audit_log_version_limit,  default: nil
       class_attribute :_audit_log_retain_for,     default: nil
       class_attribute :_audit_log_async,          default: false
+      class_attribute :_audit_log_encrypt,        default: nil
+      class_attribute :_audit_log_tenant,         default: nil
 
       _warn_if_audit_table_missing
 
@@ -111,17 +113,28 @@ module RailsAuditLog
       #   {RailsAuditLog.retention_period} for this model
       # @param async [Boolean, nil] when +true+, writes are dispatched via
       #   +WriteAuditLogJob+; overrides {RailsAuditLog.async} for this model
+      # @param encrypt [Boolean, nil] when +true+, encrypts +object_changes+ and
+      #   +object+ at write time using +ActiveRecord::Encryption+; when +false+,
+      #   opts this model out even if {RailsAuditLog.encrypt} is +true+; when
+      #   +nil+ (default), falls back to {RailsAuditLog.encrypt}; requires the
+      #   host app to configure +config.active_record.encryption+; decryption is
+      #   transparent — {AuditLogEntry#diff}, {AuditLogEntry#reify}, and
+      #   {AuditLogEntry.touching} work unchanged for non-SQL access paths
+      # @param tenant [Proc, nil] zero-argument lambda evaluated at write time;
+      #   return value is stored in the +tenant_id+ column; overrides
+      #   {RailsAuditLog.current_tenant} for this model
       # @return [void]
       # @example
       #   class Article < ApplicationRecord
       #     include RailsAuditLog::Auditable
       #     audit_log only: %i[title body published_at],
-      #               meta: { tenant_id: -> { Current.tenant_id } },
+      #               tenant: -> { Current.tenant_id },
       #               associations: %i[tags],
       #               version_limit: 100,
-      #               retain_for: 30.days
+      #               retain_for: 30.days,
+      #               encrypt: true
       #   end
-      def audit_log(only: nil, ignore: nil, meta: nil, associations: nil, version_limit: nil, retain_for: nil, async: nil)
+      def audit_log(only: nil, ignore: nil, meta: nil, associations: nil, version_limit: nil, retain_for: nil, async: nil, encrypt: nil, tenant: nil)
         self._audit_log_only          = only.map(&:to_s)   if only
         self._audit_log_ignore        = ignore.map(&:to_s) if ignore
         self._audit_log_meta          = meta                if meta
@@ -129,6 +142,8 @@ module RailsAuditLog
         self._audit_log_version_limit = version_limit       unless version_limit.nil?
         self._audit_log_retain_for    = retain_for          unless retain_for.nil?
         self._audit_log_async         = async               unless async.nil?
+        self._audit_log_encrypt       = encrypt             unless encrypt.nil?
+        self._audit_log_tenant        = tenant              unless tenant.nil?
       end
     end
 
@@ -169,10 +184,11 @@ module RailsAuditLog
         event:              "update",
         item_type:          self.class.name,
         item_id:            id,
-        object_changes:     { assoc_name => [before, after] },
+        object_changes:     maybe_encrypt({ assoc_name => [before, after] }),
         object:             nil,
         reason:             RailsAuditLog.reason,
         metadata:           meta.presence,
+        tenant_id:          resolve_tenant_id,
         whodunnit_snapshot: actor ? RailsAuditLog.whodunnit_display.call(actor) : nil,
         actor_type:         actor&.class&.name,
         actor_id:           actor.respond_to?(:id) ? actor.id : nil
@@ -191,16 +207,25 @@ module RailsAuditLog
         event:               event,
         item_type:           self.class.name,
         item_id:             id,
-        object_changes:      filtered,
-        object:              snapshot,
+        object_changes:      maybe_encrypt(filtered),
+        object:              maybe_encrypt(snapshot),
         reason:              RailsAuditLog.reason,
         metadata:            meta.presence,
+        tenant_id:           resolve_tenant_id,
         whodunnit_snapshot:  actor ? RailsAuditLog.whodunnit_display.call(actor) : nil,
         actor_type:          actor&.class&.name,
         actor_id:            actor.respond_to?(:id) ? actor.id : nil
       )
     end
 
+    def maybe_encrypt(value)
+      return value unless value
+      encrypt = self.class._audit_log_encrypt.nil? ? RailsAuditLog.encrypt : self.class._audit_log_encrypt
+      return value unless encrypt
+      ciphertext = ActiveRecord::Encryption.encryptor.encrypt(value.to_json)
+      { RailsAuditLog::AuditLogEntry::ENCRYPTION_MARKER => ciphertext }
+    end
+
     def write_audit_entry(entry_attrs)
       if (buffer = RailsAuditLog.batch_audit_buffer)
         buffer << entry_attrs.stringify_keys.merge("created_at" => Time.current)
@@ -230,6 +255,11 @@ module RailsAuditLog
       end
     end
 
+    def resolve_tenant_id
+      tenant_proc = self.class._audit_log_tenant || RailsAuditLog.current_tenant
+      tenant_proc&.call
+    end
+
     def build_audit_metadata
       meta = {}
       if self.class._audit_log_meta

data/app/controllers/rails_audit_log/application_controller.rb

@@ -13,5 +13,10 @@ module RailsAuditLog
 
       instance_exec(self, &auth) || request_http_basic_authentication("Audit Log")
     end
+
+    def base_audit_scope
+      tenant_id = RailsAuditLog.current_tenant&.call
+      tenant_id ? AuditLogEntry.for_tenant(tenant_id) : AuditLogEntry.all
+    end
   end
 end

data/app/controllers/rails_audit_log/audit_log_entries_controller.rb

@@ -21,7 +21,7 @@ module RailsAuditLog
     end
 
     def filtered_scope
-      scope = AuditLogEntry.order(created_at: :desc)
+      scope = base_audit_scope.order(created_at: :desc)
       scope = scope.where(event: @event)                          if @event
       scope = scope.where(item_type: @item_type)                  if @item_type
       scope = scope.for_period(@period)                           if @period

data/app/controllers/rails_audit_log/resources_controller.rb

@@ -5,7 +5,7 @@ module RailsAuditLog
       @item_type = params[:item_type]
       @item_id   = params[:item_id]
       @pagy, @entries = pagy(
-        AuditLogEntry
+        base_audit_scope
           .where(item_type: @item_type, item_id: @item_id)
           .order(created_at: :asc)
       )

data/app/models/rails_audit_log/audit_log_entry.rb

@@ -21,9 +21,10 @@ module RailsAuditLog
   class AuditLogEntry < ApplicationRecord
     self.table_name = "audit_log_entries"
 
-    EVENTS       = %w[create update destroy].freeze
-    BLOB_COLUMNS = %w[object_changes object metadata].freeze
-    PERIODS      = { "1h" => 1.hour, "24h" => 24.hours, "7d" => 7.days }.freeze
+    EVENTS             = %w[create update destroy].freeze
+    BLOB_COLUMNS       = %w[object_changes object metadata].freeze
+    PERIODS            = { "1h" => 1.hour, "24h" => 24.hours, "7d" => 7.days }.freeze
+    ENCRYPTION_MARKER  = "__ral_enc__"
 
     # @api private
     def self.configure_connection!
@@ -90,6 +91,16 @@ module RailsAuditLog
       end
     }
 
+    # Entries belonging to a specific tenant.
+    # Composable with all other scopes.
+    #
+    # @param id [String, Integer] the tenant identifier stored in +tenant_id+
+    # @return [ActiveRecord::Relation]
+    # @example
+    #   AuditLogEntry.for_tenant("acme")
+    #   AuditLogEntry.for_tenant(Current.tenant_id).updated_events
+    scope :for_tenant, ->(id) { where(tenant_id: id) }
+
     # @!endgroup
 
     # @!group Time scopes
@@ -192,6 +203,21 @@ module RailsAuditLog
       self.class.where(item_type: item_type, item_id: item_id).where("id > ?", id).order(id: :asc).first
     end
 
+    # Returns the decrypted +object_changes+ hash. Transparent to callers —
+    # encrypted and non-encrypted entries behave identically.
+    #
+    # @return [Hash, nil]
+    def object_changes
+      decrypt_if_encrypted(super)
+    end
+
+    # Returns the decrypted +object+ snapshot hash. Transparent to callers.
+    #
+    # @return [Hash, nil]
+    def object
+      decrypt_if_encrypted(super)
+    end
+
     # Returns the list of attribute (and association) names that changed in
     # this entry, derived from the keys of +object_changes+.
     #
@@ -215,6 +241,12 @@ module RailsAuditLog
 
     private
 
+    def decrypt_if_encrypted(value)
+      return value unless value.is_a?(Hash) && value.keys == [ENCRYPTION_MARKER]
+      json = ActiveRecord::Encryption.encryptor.decrypt(value[ENCRYPTION_MARKER])
+      JSON.parse(json)
+    end
+
     def metadata_must_be_a_hash
       errors.add(:metadata, "must be a Hash") if metadata.present? && !metadata.is_a?(Hash)
     end

data/lib/generators/rails_audit_log/encryption/encryption_generator.rb

@@ -0,0 +1,41 @@
+require "rails/generators"
+require "rails/generators/active_record"
+
+module RailsAuditLog
+  module Generators
+    class EncryptionGenerator < Rails::Generators::Base
+      include ActiveRecord::Generators::Migration
+
+      source_root File.expand_path("templates", __dir__)
+
+      desc "Creates an ActiveRecord::Encryption config initializer and a data migration " \
+           "that re-encrypts existing audit entries for models using audit_log encrypt: true."
+
+      def create_initializer_file
+        template "rails_audit_log_encryption.rb",
+                 "config/initializers/rails_audit_log_encryption.rb"
+      end
+
+      def create_migration_file
+        migration_template(
+          "encrypt_rails_audit_log_entries.rb",
+          "db/migrate/encrypt_rails_audit_log_entries.rb"
+        )
+      end
+
+      def print_next_steps
+        say ""
+        say "Next steps:", :green
+        say "  1. Run `bin/rails db:encryption:init` to generate encryption keys"
+        say "     and store them in config/credentials.yml.enc."
+        say "  2. Review config/initializers/rails_audit_log_encryption.rb and wire"
+        say "     the generated keys into ActiveRecord::Encryption."
+        say "  3. Add `audit_log encrypt: true` (or set RailsAuditLog.encrypt = true)"
+        say "     on the models whose audit data you want to protect."
+        say "  4. Edit the generated migration — add your encrypted model class names"
+        say "     to ENCRYPTED_MODELS — then run `bin/rails db:migrate`."
+        say ""
+      end
+    end
+  end
+end

data/lib/generators/rails_audit_log/encryption/templates/encrypt_rails_audit_log_entries.rb

@@ -0,0 +1,85 @@
+# Data migration: re-encrypts existing plain-text audit entries for every
+# model listed in ENCRYPTED_MODELS.
+#
+# == Before running
+#
+# 1. Add the class names of every model that uses `audit_log encrypt: true`
+#    (or that will be covered by `RailsAuditLog.encrypt = true`) to the
+#    ENCRYPTED_MODELS constant below.
+#
+# 2. Ensure ActiveRecord::Encryption is configured with your production keys
+#    (config/initializers/rails_audit_log_encryption.rb).
+#
+# 3. Run: bin/rails db:migrate
+#
+# Entries that are already encrypted (detected by the internal envelope format)
+# are skipped automatically — the migration is safe to re-run.
+#
+# This migration is irreversible.
+
+class EncryptRailsAuditLogEntries < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  BATCH_SIZE        = 500
+  ENCRYPTION_MARKER = RailsAuditLog::AuditLogEntry::ENCRYPTION_MARKER
+
+  # Add the class names of every model whose audit entries should be encrypted:
+  ENCRYPTED_MODELS = %w[
+    # Post
+    # Payment
+    # User
+  ].freeze
+
+  # Isolated AR class — avoids coupling to host-app model overrides.
+  class Entry < ActiveRecord::Base   # @api private
+    self.table_name = "audit_log_entries"
+  end
+
+  def up
+    if ENCRYPTED_MODELS.empty?
+      say "  No ENCRYPTED_MODELS configured — nothing to re-encrypt. " \
+          "Edit the migration and add your model class names, then re-run."
+      return
+    end
+
+    ENCRYPTED_MODELS.each do |model_name|
+      say_with_time "Re-encrypting audit entries for #{model_name}" do
+        re_encrypt_for(model_name)
+      end
+    end
+  end
+
+  def down
+    raise ActiveRecord::IrreversibleMigration,
+          "Cannot reverse encryption migration — decryption would require the original " \
+          "keys and there is no way to distinguish re-encrypted rows from native ones."
+  end
+
+  private
+
+  def re_encrypt_for(item_type)
+    count = 0
+    Entry.where(item_type: item_type).find_in_batches(batch_size: BATCH_SIZE) do |batch|
+      batch.each do |entry|
+        changes = entry.read_attribute(:object_changes)
+        object  = entry.read_attribute(:object)
+
+        updates = {}
+        updates[:object_changes] = encrypt(changes) if changes && !encrypted?(changes)
+        updates[:object]         = encrypt(object)  if object  && !encrypted?(object)
+        next if updates.empty?
+
+        entry.update_columns(updates)
+        count += 1
+      end
+    end
+    count
+  end
+
+  def encrypted?(value)
+    value.is_a?(Hash) && value.keys == [ENCRYPTION_MARKER]
+  end
+
+  def encrypt(value)
+    ciphertext = ActiveRecord::Encryption.encryptor.encrypt(value.to_json)
+    { ENCRYPTION_MARKER => ciphertext }
+  end
+end

data/lib/generators/rails_audit_log/encryption/templates/rails_audit_log_encryption.rb

@@ -0,0 +1,41 @@
+# config/initializers/rails_audit_log_encryption.rb
+# Generated by `bin/rails generate rails_audit_log:encryption`
+#
+# == Setup
+#
+# 1. Run `bin/rails db:encryption:init` to generate encryption keys and store
+#    them in config/credentials.yml.enc under the :active_record_encryption key.
+#
+#    Rails adds entries like:
+#      active_record_encryption:
+#        primary_key: <generated>
+#        deterministic_key: <generated>
+#        key_derivation_salt: <generated>
+#
+# 2. Wire the keys into ActiveRecord::Encryption (already done below).
+#
+# 3. Enable encryption globally or per model:
+#
+#      # Global — every audited model encrypts by default:
+#      # RailsAuditLog.encrypt = true
+#
+#      # Per model — opt individual models in:
+#      # class Payment < ApplicationRecord
+#      #   include RailsAuditLog::Auditable
+#      #   audit_log encrypt: true
+#      # end
+#
+#      # Per model — opt a model out when the global default is on:
+#      # class PublicLog < ApplicationRecord
+#      #   include RailsAuditLog::Auditable
+#      #   audit_log encrypt: false
+#      # end
+
+Rails.application.configure do
+  config.active_record.encryption.primary_key =
+    Rails.application.credentials.dig(:active_record_encryption, :primary_key)
+  config.active_record.encryption.deterministic_key =
+    Rails.application.credentials.dig(:active_record_encryption, :deterministic_key)
+  config.active_record.encryption.key_derivation_salt =
+    Rails.application.credentials.dig(:active_record_encryption, :key_derivation_salt)
+end

data/lib/generators/rails_audit_log/initializer/templates/rails_audit_log.rb

@@ -31,6 +31,13 @@ RailsAuditLog.configure do |config|
   # Per-model `audit_log async: true` also works.
   # config.async = true
 
+  # Encrypt object_changes and object for all audited models using
+  # ActiveRecord::Encryption (Rails 7.1+). Requires config.active_record.encryption
+  # to be configured — run `bin/rails generate rails_audit_log:encryption` for the
+  # setup initializer and re-encryption migration. Default: false
+  # Per-model `audit_log encrypt: false` opts a specific model out.
+  # config.encrypt = true
+
   # Route AuditLogEntry to a dedicated database (Rails multi-DB). Default: nil
   # config.connects_to = { database: { writing: :audit_log, reading: :audit_log } }
 

data/lib/generators/rails_audit_log/tenant/templates/add_tenant_id_to_audit_log_entries.rb

@@ -0,0 +1,6 @@
+class AddTenantIdToAuditLogEntries < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    add_column :audit_log_entries, :tenant_id, :string
+    add_index  :audit_log_entries, :tenant_id
+  end
+end

data/lib/generators/rails_audit_log/tenant/tenant_generator.rb

@@ -0,0 +1,33 @@
+require "rails/generators"
+require "rails/generators/active_record"
+
+module RailsAuditLog
+  module Generators
+    class TenantGenerator < Rails::Generators::Base
+      include ActiveRecord::Generators::Migration
+
+      source_root File.expand_path("templates", __dir__)
+
+      desc "Creates a migration that adds a tenant_id column and index to audit_log_entries."
+
+      def create_migration_file
+        migration_template(
+          "add_tenant_id_to_audit_log_entries.rb",
+          "db/migrate/add_tenant_id_to_audit_log_entries.rb"
+        )
+      end
+
+      def print_next_steps
+        say ""
+        say "Next steps:", :green
+        say "  1. Run `bin/rails db:migrate` to add the tenant_id column."
+        say "  2. Set a global resolver in your initializer:"
+        say "       RailsAuditLog.current_tenant { Current.tenant_id }"
+        say "     or per-model:"
+        say "       audit_log tenant: -> { Current.tenant_id }"
+        say "  3. Use AuditLogEntry.for_tenant(id) to scope queries to a tenant."
+        say ""
+      end
+    end
+  end
+end

data/lib/rails_audit_log/version.rb

@@ -1,3 +1,3 @@
 module RailsAuditLog
-  VERSION = "1.1.0"
+  VERSION = "1.3.0"
 end

data/lib/rails_audit_log.rb

@@ -69,6 +69,14 @@ module RailsAuditLog
   # @return [Boolean]
   mattr_accessor :async, default: false
 
+  # When +true+, encrypts +object_changes+ and +object+ for all audited models
+  # using +ActiveRecord::Encryption+. Requires the host app to configure
+  # +config.active_record.encryption+. Override per-model with
+  # <tt>audit_log encrypt: false</tt> to opt a specific model out.
+  #
+  # @return [Boolean]
+  mattr_accessor :encrypt, default: false
+
   # Passes +connects_to+ options directly to {AuditLogEntry} so audit entries
   # can be stored on a separate database.
   #
@@ -106,6 +114,35 @@ module RailsAuditLog
     yield self
   end
 
+  # Sets or returns the global tenant resolver block. The block is called at
+  # write time and its return value is stored in the +tenant_id+ column of each
+  # {AuditLogEntry}. Override per-model with <tt>audit_log tenant: -> { ... }</tt>.
+  #
+  # @yield block called with no arguments at write time; return the tenant id
+  # @return [Proc, nil] the stored block, or +nil+ when not configured
+  # @example
+  #   RailsAuditLog.current_tenant { Current.tenant_id }
+  def self.current_tenant(&block)
+    @current_tenant = block if block_given?
+    @current_tenant
+  end
+
+  # Wires {.current_tenant} to +ActsAsTenant.current_tenant&.id+ so audit
+  # entries are automatically scoped to the Acts As Tenant context.
+  # Call once in an initializer after the gem is loaded.
+  #
+  # @raise [RuntimeError] if the +acts_as_tenant+ gem is not loaded
+  # @return [void]
+  # @example
+  #   RailsAuditLog.acts_as_tenant!
+  def self.acts_as_tenant!
+    unless defined?(ActsAsTenant)
+      raise "ActsAsTenant is not loaded. Add the `acts_as_tenant` gem to your Gemfile."
+    end
+
+    current_tenant { ActsAsTenant.current_tenant&.id }
+  end
+
   # Sets or returns the authentication block used to gate the web dashboard.
   # The block is evaluated in controller context, so controller helpers
   # (e.g. +current_user+) are available directly.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails_audit_log
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Chuck Smith
@@ -109,12 +109,17 @@ files:
 - app/views/rails_audit_log/resources/show.html.erb
 - config/importmap.rb
 - config/routes.rb
+- lib/generators/rails_audit_log/encryption/encryption_generator.rb
+- lib/generators/rails_audit_log/encryption/templates/encrypt_rails_audit_log_entries.rb
+- lib/generators/rails_audit_log/encryption/templates/rails_audit_log_encryption.rb
 - lib/generators/rails_audit_log/initializer/initializer_generator.rb
 - lib/generators/rails_audit_log/initializer/templates/rails_audit_log.rb
 - lib/generators/rails_audit_log/install/install_generator.rb
 - lib/generators/rails_audit_log/install/templates/create_audit_log_entries.rb
 - lib/generators/rails_audit_log/migrate_from_paper_trail/migrate_from_paper_trail_generator.rb
 - lib/generators/rails_audit_log/migrate_from_paper_trail/templates/migrate_from_paper_trail.rb
+- lib/generators/rails_audit_log/tenant/templates/add_tenant_id_to_audit_log_entries.rb
+- lib/generators/rails_audit_log/tenant/tenant_generator.rb
 - lib/rails_audit_log.rb
 - lib/rails_audit_log/engine.rb
 - lib/rails_audit_log/matchers.rb