hw/app/services/audit.py


								from __future__ import annotations


								from collections.abc import Mapping


								from flask import current_app, has_request_context, request

								from sqlalchemy.exc import SQLAlchemyError


								from app.extensions import db

								from app.models import Account, AuditLog


								ANONYMOUS_ACTOR_USERNAME = "anonymous"


								def account_snapshot(account: Account | None) -> dict[str, object] | None:

								    if account is None:

								        return None


								    return {

								        "id": account.id,

								        "username": account.username,

								        "display_name": account.display_name,

								        "role": account.role,

								        "status": account.status,

								    }


								def write_audit_log(

								    *,

								    action_type: str,

								    target_type: str,

								    actor: Account | None = None,

								    actor_username: str | None = None,

								    actor_display_name: str | None = None,

								    target_id: int | None = None,

								    target_display_name: str | None = None,

								    before_data: Mapping[str, object] | list[object] | None = None,

								    after_data: Mapping[str, object] | list[object] | None = None,

								    commit: bool = True,

								) -> AuditLog | None:

								    log = AuditLog(

								        actor_user_id=actor.id if actor is not None else None,

								        actor_username=actor.username if actor is not None else (actor_username or ANONYMOUS_ACTOR_USERNAME),

								        actor_display_name=actor.display_name if actor is not None else actor_display_name,

								        action_type=action_type,

								        target_type=target_type,

								        target_id=target_id,

								        target_display_name=target_display_name,

								        before_data_json=dict(before_data) if isinstance(before_data, Mapping) else before_data,

								        after_data_json=dict(after_data) if isinstance(after_data, Mapping) else after_data,

								    )

								    _attach_request_metadata(log)

								    db.session.add(log)


								    if not commit:

								        return log


								    try:

								        db.session.commit()

								    except SQLAlchemyError:

								        db.session.rollback()

								        current_app.logger.exception("Failed to persist audit log for action '%s'.", action_type)

								        return None


								    return log


								def _attach_request_metadata(log: AuditLog) -> None:

								    if not has_request_context():

								        return


								    log.request_path = request.path

								    log.request_method = request.method

								    log.ip_address = request.headers.get("X-Forwarded-For", request.remote_addr)

								    user_agent = request.user_agent.string if request.user_agent is not None else None

								    log.user_agent = user_agent[:512] if user_agent else None