feat: audit vocabulary/term/authority creation, attributing the acting user (#21)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

crates/api/src/admin_authorities.rs

@@ -7,7 +7,7 @@ use axum::{
     http::StatusCode,
     routing::get,
 };
-use domain::{AuthorityKind, LocalizedLabel, NewAuthority};
+use domain::{AuditActor, AuthorityKind, LocalizedLabel, NewAuthority};
 use serde::{Deserialize, Serialize};
 use utoipa::ToSchema;
 
@@ -91,7 +91,7 @@ pub(crate) async fn list_authorities(
     )
 )]
 pub(crate) async fn create_authority(
-    _auth: Authorized<EditCatalogue>,
+    auth: Authorized<EditCatalogue>,
     State(state): State<AppState>,
     Json(req): Json<NewAuthorityRequest>,
 ) -> Result<(StatusCode, Json<CreatedId>), StatusCode> {
@@ -117,9 +117,10 @@ pub(crate) async fn create_authority(
         .await
         .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
 
-    let id = db::authority::create_authority(&mut tx, &new)
-        .await
-        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
+    let id =
+        db::authority::create_authority(&mut tx, AuditActor::User(auth.user.id.to_uuid()), &new)
+            .await
+            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
 
     tx.commit()
         .await

crates/api/src/admin_vocab.rs

@@ -7,7 +7,7 @@ use axum::{
     http::StatusCode,
     routing::get,
 };
-use domain::{LocalizedLabel, NewTerm, VocabularyId};
+use domain::{AuditActor, LocalizedLabel, NewTerm, VocabularyId};
 use serde::{Deserialize, Serialize};
 use utoipa::ToSchema;
 
@@ -85,11 +85,23 @@ pub(crate) async fn list_vocabularies(
     )
 )]
 pub(crate) async fn create_vocabulary(
-    _auth: Authorized<EditCatalogue>,
+    auth: Authorized<EditCatalogue>,
     State(state): State<AppState>,
     Json(req): Json<NewVocabularyRequest>,
 ) -> Result<(StatusCode, Json<VocabularyView>), StatusCode> {
-    let vocab = db::vocab::create_vocabulary(state.db.pool(), &req.key)
+    let mut tx = state
+        .db
+        .pool()
+        .begin()
+        .await
+        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
+
+    let vocab =
+        db::vocab::create_vocabulary(&mut tx, AuditActor::User(auth.user.id.to_uuid()), &req.key)
+            .await
+            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
+
+    tx.commit()
         .await
         .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
 
@@ -156,7 +168,7 @@ pub(crate) async fn list_terms(
     )
 )]
 pub(crate) async fn add_term(
-    _auth: Authorized<EditCatalogue>,
+    auth: Authorized<EditCatalogue>,
     State(state): State<AppState>,
     Path(id): Path<String>,
     Json(req): Json<NewTermRequest>,
@@ -185,15 +197,17 @@ pub(crate) async fn add_term(
         .await
         .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
 
-    let term_id = db::vocab::add_term(&mut tx, &new).await.map_err(|err| {
-        // A well-formed id for a missing vocabulary hits the FK constraint (23503).
-        if err.as_database_error().and_then(|e| e.code()).as_deref() == Some("23503") {
-            StatusCode::NOT_FOUND
-        } else {
-            tracing::error!(?err, "adding term");
-            StatusCode::INTERNAL_SERVER_ERROR
-        }
-    })?;
+    let term_id = db::vocab::add_term(&mut tx, AuditActor::User(auth.user.id.to_uuid()), &new)
+        .await
+        .map_err(|err| {
+            // A well-formed id for a missing vocabulary hits the FK constraint (23503).
+            if err.as_database_error().and_then(|e| e.code()).as_deref() == Some("23503") {
+                StatusCode::NOT_FOUND
+            } else {
+                tracing::error!(?err, "adding term");
+                StatusCode::INTERNAL_SERVER_ERROR
+            }
+        })?;
 
     tx.commit()
         .await

crates/api/tests/admin_catalog.rs

@@ -1,8 +1,8 @@
 use api::{AppState, build_app, migrate_sessions};
 use axum::body::Body;
 use axum::http::{Request, StatusCode, header};
-use db::users;
-use domain::{AuditActor, Email, NewUser, Role};
+use db::{audit, users};
+use domain::{AuditAction, AuditActor, Email, NewUser, Role};
 use http_body_util::BodyExt;
 use sqlx::PgPool;
 use tower::ServiceExt;
@@ -290,3 +290,44 @@ async fn add_term_to_missing_vocabulary_is_404(pool: PgPool) {
 
     assert_eq!(resp.status(), StatusCode::NOT_FOUND);
 }
+
+#[sqlx::test(migrations = "../db/migrations")]
+async fn creating_a_vocabulary_writes_an_audit_entry(pool: PgPool) {
+    migrate_sessions(&db::Db::from_pool(pool.clone()))
+        .await
+        .unwrap();
+
+    seed_user(&pool, "ed@example.com", "pw-editor-123", Role::Editor).await;
+
+    let app = build_app(state(pool.clone()));
+    let cookie = login(&app, "ed@example.com", "pw-editor-123").await;
+
+    let resp = app
+        .oneshot(
+            Request::builder()
+                .method("POST")
+                .uri("/api/admin/vocabularies")
+                .header(header::COOKIE, &cookie)
+                .header(header::CONTENT_TYPE, "application/json")
+                .body(Body::from(r#"{"key":"audit-test"}"#))
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::CREATED);
+
+    let body: serde_json::Value =
+        serde_json::from_slice(&resp.into_body().collect().await.unwrap().to_bytes()).unwrap();
+    let vocab_id: uuid::Uuid = body["id"].as_str().unwrap().parse().unwrap();
+
+    let history = audit::history_for(&pool, "vocabulary", vocab_id)
+        .await
+        .unwrap();
+
+    assert_eq!(history.len(), 1);
+    assert_eq!(history[0].action, AuditAction::Created);
+    assert!(
+        matches!(history[0].actor, AuditActor::User(_)),
+        "expected actor to be a user"
+    );
+}