Mirrored from
/mnt/DATA/git/govoplan-core/docs/EVENTS_AND_AUDIT.md. Origin:repository. Active tasks and changing state belong in Gitea issues; this wiki page is durable project context.
Events And Audit
GovOPlaN uses a small kernel event contract first, not a broad command bus. Commands remain module-owned application-service methods or API endpoints until there is a concrete need for durable asynchronous command orchestration. Events are facts about completed work and are safe for audit, projections, optional module reactions, and operator diagnostics.
Production Transport Decision
The first production target is a database outbox plus in-process immediate dispatch:
- Use
govoplan_core.core.events.PlatformEventfor domain and platform events. - Use
EventBusas the in-process dispatch contract for same-process module reactions that are safe to run inline. - Persist durable integration/workflow events through a database outbox before acknowledging the state change that produced them.
- Drain the outbox through a small dispatcher process. The dispatcher may call in-process handlers in the same deployment first, but its storage contract is database-backed.
- Treat Redis/Celery as worker/job infrastructure, not as the authoritative first event transport. A Celery dispatcher can consume the outbox later.
- Keep the dispatch implementation pluggable behind the
PlatformEventenvelope so a future message broker can be added without changing event producers. - Keep commands out of the kernel until workflows need retryable, durable, operator-visible command records.
This keeps the first contract small, PostgreSQL-friendly, auditable, and recoverable after process crashes. It also avoids making Redis a correctness dependency for deployments that only need synchronous mail/tests or light background work.
Dispatch Semantics
Event producers should write their domain state and outbox event in the same database transaction wherever possible. Handlers must be idempotent because the outbox dispatcher can retry after a crash or timeout.
Recommended first outbox columns:
event_id,event_type,module_idcorrelation_id,causation_idpayload,occurred_atavailable_at,attempt_count,claimed_at,claim_tokenprocessed_at,last_error
Inline EventBus handlers are allowed only for non-critical local reactions.
Anything that must survive process failure, restart, package update, or worker
redeployment belongs in the outbox.
Trace IDs
Every PlatformEvent has:
event_id: unique ID for that event.correlation_id: stable ID for the whole request, workflow, or job.causation_id: the event ID or external operation ID that caused this event.
The FastAPI app factory creates an event context for every request. It accepts
X-Correlation-ID or X-Request-ID when the value is a compact safe trace ID,
otherwise it generates a new ID. Responses include X-Correlation-ID.
Audit logging reads the current event context and stores trace IDs in
details._trace. Callers can also pass explicit correlation_id and
causation_id to audit_event or audit_from_principal.
Admin and lifecycle code should use the compact operational detail shape
documented in govoplan-audit/docs/AUDIT_TRACE_CONTEXT.md. The core
audit_operation_context helper preserves module_id, request_id, run_id,
outcome, and _trace while applying the shared audit redaction pass to
additional detail values.
Audit MVP Boundary
govoplan-audit owns:
- the
audit_logtable and audit API routes - audit route contribution through its module manifest
- audit retention behavior in cooperation with policy/retention settings
- future audit sink/export capability implementations
govoplan-core owns:
AuditEventandAuditSinkprotocol contracts- request and event trace context
- the compatibility
audit_eventhelper while routes are still migrating - retention orchestration that calls module capabilities
Feature modules should record audit facts through a small audit API or future
audit.sink capability. They should not import audit storage internals.
Initial Domain Event Inventory
Access:
access.account.createdaccess.account.updatedaccess.membership.createdaccess.membership.updatedaccess.group.createdaccess.group.updatedaccess.role.createdaccess.role.updatedaccess.role.deletedaccess.api_key.createdaccess.api_key.revokedaccess.session.createdaccess.session.revoked
Tenancy:
tenancy.tenant.createdtenancy.tenant.updatedtenancy.tenant.suspendedtenancy.tenant.reactivatedtenancy.tenant.delete_requestedtenancy.tenant.delete_blockedtenancy.tenant.deleted
Policy:
policy.system.updatedpolicy.tenant.updatedpolicy.user.updatedpolicy.group.updatedpolicy.campaign.updatedpolicy.effective_policy.changed
Files:
files.file.uploadedfiles.file.renamedfiles.file.deletedfiles.file.frozenfiles.share.createdfiles.share.revokedfiles.connector.importedfiles.connector.access_denied
Mail:
mail.profile.createdmail.profile.updatedmail.profile.credentials_rotatedmail.profile.testedmail.message.sentmail.message.send_failedmail.imap.appendedmail.imap.append_failedmail.mailbox.message_seen
Campaign:
campaign.createdcampaign.version.createdcampaign.validatedcampaign.builtcampaign.reviewedcampaign.queuedcampaign.send_startedcampaign.recipient_attemptedcampaign.recipient_deliveredcampaign.recipient_failedcampaign.pausedcampaign.resumedcampaign.cancelledcampaign.report.exported
Event Payload Rules
- Payloads must be JSON-serializable.
- Use stable IDs, not ORM objects.
- Include tenant ID when tenant-scoped.
- Include actor/principal references only as DTOs or primitive IDs.
- Do not include secrets, raw message bodies, full recipient lists, or file content.
- Put large evidence in owning module storage and reference it by ID.