Changeset validators for audit events.
Enforces D-17..D-23 security rules:
- Action namespace regex (D-19): ^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$
- Reserved prefix guardrail (D-17, D-18): auth., session., mfa., oauth., api., account., sigra. rejected unless allow_reserved: true
- Metadata size cap (D-20): JSON-encoded metadata must fit within :max_metadata_bytes (default 8_192)
- Forbidden metadata keys (D-23): passwords, tokens, and other secret material rejected in both atom and string form
Functions
@spec changeset(struct(), map(), keyword()) :: Ecto.Changeset.t()
Builds a validated changeset for an audit event.
Options:
- :allow_reserved — when true, skips the reserved-prefix check (used by Sigra.Audit's internal __log_internal__ writer only). Default: false.
- :max_metadata_bytes — cap on JSON-encoded metadata byte size. Default: 8_192.
- :reserved_prefixes — override the default reserved prefix list.
@spec forbidden_keys() :: [atom()]
Returns the canonical list of metadata keys that are forbidden from ever
being logged. Enforced by changeset/3 for both atom and string forms.
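
The four rules and the three options described above, written as a plain-Elixir sketch. This is an added example, not Sigra's code: the module name AuditRulesSketch, the check/3 function, the error tuples and the sample forbidden-key list are assumptions, and the forbidden-key check here looks at top-level keys only.

```elixir
# Added illustration, not Sigra source. Needs Elixir 1.18+ for the built-in JSON module.
defmodule AuditRulesSketch do
  @reserved ~w(auth. session. mfa. oauth. api. account. sigra.)
  # Constructed sample; the real list is whatever forbidden_keys/0 returns.
  @forbidden [:password, :token, :secret]

  # D-19 pattern as given on the page.
  defp action_re, do: ~r/^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$/

  def check(action, metadata, opts \\ []) when is_binary(action) and is_map(metadata) do
    max = Keyword.get(opts, :max_metadata_bytes, 8_192)
    prefixes = Keyword.get(opts, :reserved_prefixes, @reserved)
    reserved? = String.starts_with?(action, prefixes)
    allow? = Keyword.get(opts, :allow_reserved, false) == true

    errors =
      []
      |> add(not Regex.match?(action_re(), action), {:action, :bad_namespace})
      |> add(reserved? and not allow?, {:action, :reserved_prefix})
      # byte_size, not String.length: the cap is on encoded bytes, not characters.
      |> add(byte_size(JSON.encode!(metadata)) > max, {:metadata, :too_large})
      |> add(forbidden_key?(metadata), {:metadata, :forbidden_key})

    if errors == [], do: :ok, else: {:error, Enum.reverse(errors)}
  end

  defp add(errors, true, err), do: [err | errors]
  defp add(errors, false, _err), do: errors

  # Compare on the string spelling so :password and "password" are both caught.
  defp forbidden_key?(metadata) do
    names = Enum.map(@forbidden, &Atom.to_string/1)
    Enum.any?(Map.keys(metadata), &(to_string(&1) in names))
  end
end

# Constructed inputs exercising each rule.
# Well-formed application action with small metadata.
IO.inspect(AuditRulesSketch.check("billing.invoice.paid", %{"invoice_id" => 42}))
# Reserved prefix from application code, with a forbidden key in string form.
IO.inspect(AuditRulesSketch.check("auth.login", %{"password" => "x"}))
# Same action from a caller that sets allow_reserved, forbidden key in atom form.
IO.inspect(AuditRulesSketch.check("auth.login", %{token: "x"}, allow_reserved: true))
# No dot-separated namespace, and metadata above the default cap.
IO.inspect(AuditRulesSketch.check("Billing", %{note: String.duplicate("a", 9_000)}))
```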