Skip to content

test: verify composed action appears in audit event#40

Merged
basauth merged 1 commit into
mainfrom
fix/audit-composition-test
Jun 22, 2026
Merged

test: verify composed action appears in audit event#40
basauth merged 1 commit into
mainfrom
fix/audit-composition-test

Conversation

@basauth

@basauth basauth commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR adds a focused regression test for the gateway action-composition audit path.

The previous action-composition PR added support for adapter-normalized requests such as:

action = read
resource_type = ahu

which the gateway composes into:

read:ahu

before invoking basis-core.

This follow-up test verifies that the emitted decision audit event records the composed action rather than the original bare action. It does not change runtime behavior.


Checklist

Step 1 — Identify affected surfaces

Check every surface this PR touches:

  • Authentication or token verification logic (src/basis_gateway/auth/)
  • Identity normalization or subject mapping (src/basis_gateway/auth/subject_mapper.py)
  • Audit event emission or gateway event vocabulary (src/basis_gateway/audit/)
  • Readiness component registration or behavior (src/basis_gateway/readiness.py)
  • API request/response schemas (src/basis_gateway/api/schemas.py)
  • Environment variable configuration (src/basis_gateway/config.py)
  • Correlation ID handling (src/basis_gateway/middleware/)
  • Public documentation (README.md, docs/)
  • None of the above — this PR does not touch any of these surfaces

Step 2 — Classify the change

  • Additive only (new behavior, new config option, new audit event — existing callers unaffected)
  • Breaking (changes API contract, removes config support, alters audit event shape, changes authentication behavior)
  • Not applicable (docs, tests, refactor only)

If the change affects authentication or audit behavior

  • New or changed behavior is covered by tests
  • Audit event emission for affected paths verified (this PR specifically verifies composed action audit behavior)
  • Security model assumptions in SECURITY.md and docs/release-readiness.md still hold

Note: this PR does not change audit emission behavior. It only adds regression coverage proving that the decision audit event records the composed action sent to basis-core.


If the change modifies basis-core integration

  • Change uses only the stable public API (basis-core/docs/public-api.md)
  • No direct imports from basis_core internals

Tests

This PR adds a regression test verifying that an adapter-normalized request:

action = read
resource_type = ahu

is composed by the gateway and emitted in the decision audit event as:

read:ahu

rather than the original bare action.

Validation:

  • pytest passes locally
  • ruff check passes
  • ruff format --check passes
  • mypy src passes

@basauth basauth merged commit 0a23cc4 into main Jun 22, 2026
3 checks passed
@basauth basauth deleted the fix/audit-composition-test branch June 22, 2026 22:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants