Spec — audit-log (new capability)
Arova Nexus

ADDED Requirements

Requirement: 身分動作 append-only 稽核寫入

Summary: 系統 MUST 提供 append-only 稽核寫入介面;本 change 涵蓋身分相關事件(bootstrap / 密碼變更 / 鎖定 / 解鎖 / 強制改密 / 策略變更);每筆 record SHALL 含時間、操作者、動作、對象、結果、來源 IP。

The system MUST provide an append-only audit log writer accessible to all capabilities that perform write actions. For this change, the auth capability MUST emit audit records for: bootstrap_admin / password_changed / password_policy_update / account_locked / account_auto_unlocked / account_unlocked_admin / login_blocked_locked / force_password_change_set / password_expired_forced_change. Each record MUST contain a strictly-ordered timestamp, actor identity, action enum, target (when applicable), result, and source IP.

Scenario: Bootstrap 寫稽核紀錄

Scenario: 密碼策略變更寫稽核 with before/after diff

Scenario: 失敗的身分動作也寫稽核

Scenario: 稽核寫入失敗時動作必須 rollback

Edge Cases


Requirement: 稽核紀錄不可竄改且保留至少 5 年

Summary: Audit-log 表 MUST 以 DB 層 grant 限制為 INSERT only(無 UPDATE/DELETE 權限);應用層 SHALL NOT 提供修改介面;保留期間至少 5 年。

The audit-log table MUST be protected by DB-level grants that permit only INSERT (no UPDATE or DELETE for the application role). The application layer MUST NOT expose any modification or deletion API for audit records. Audit records MUST be retained for at least 5 years from creation, satisfying financial-industry compliance baselines.

Scenario: DB 層拒絕 UPDATE / DELETE

Scenario: 應用層讀取介面僅 SELECT

Scenario: 保留期間至少 5 年

Edge Cases