j UdZddlmZddlZddlZddlZddlZddlZddl Z ddl m Z ddl m Z ejeZe jZehdZded<Gd d ejZdd ZddZdS)uAudit log for dashboard-auth events. Profile-aware location: ``$HERMES_HOME/logs/dashboard-auth.log``. Format: one JSON object per line. Token-like fields are stripped before serialisation to avoid leaking refresh tokens or JWTs to disk. This module deliberately keeps a minimal dependency surface — no imports from ``hermes_constants`` or other hermes_cli modules — so it can be imported safely from middleware code that loads early in the startup sequence. ) annotationsN)Path)Any> codestatecookieticket access_token Authorization authorization code_verifier refresh_token frozenset_REDACTED_FIELDSc:eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d S) AuditEventzmEvent types written to dashboard-auth.log. Values are the literal ``event`` field on the JSON line. login_start login_success login_failurelogoutrefresh_successrefresh_failurerevokesession_verify_failurews_ticket_mintedws_ticket_rejectedN)__name__ __module__ __qualname____doc__ LOGIN_START LOGIN_SUCCESS LOGIN_FAILURELOGOUTREFRESH_SUCCESSREFRESH_FAILUREREVOKESESSION_VERIFY_FAILUREWS_TICKET_MINTEDWS_TICKET_REJECTED>/usr/local/lib/hermes-agent/hermes_cli/dashboard_auth/audit.pyrr"sQ  K#M#M F'O'O F5)-r,rreturnrctjdp"tt jdz }t |dz dz S)a ``$HERMES_HOME/logs/dashboard-auth.log`` with the standard fallback. Mirrors ``hermes_constants.get_hermes_home`` semantics: env var wins, else ``~/.hermes``. A local copy avoids an import cycle with the middleware which lives below ``hermes_cli``. HERMES_HOMEz.hermeslogszdashboard-auth.log)osenvirongetstrrhome)r6s r-_resolve_log_pathr74sF :>>- ( ( HC i0G,H,HD :: !5 55r,eventfieldsrNonec d|D}tjtjj|jd|}tj |ddz}t} |j ddt5t|dd 5}||d d d n #1swxYwYd d d d S#1swxYwYd S#t $r&}t"d |Yd }~d Sd }~wwxYw) uAppend one event to the audit log. Token-like fields are dropped. Missing log directory is created. Write failures are logged at WARNING but never raise — auth must not fail because the audit logger broke. c,i|]\}}|tv||Sr+)r).0kvs r- zaudit_log..Fs4A $ $ $ 1 $ $ $r,)tsr8),:) separators T)parentsexist_okazutf-8)encodingNz)dashboard-auth audit log write failed: %s)items_dtdatetimenowtimezoneutc isoformatvaluejsondumpsr7parentmkdir _write_lockopenwrite Exception_logwarning)r8r9 safe_fieldsentrylinepathfes r- audit_logrb?sK ls|/00::<<    E :e 3 3 3d :D   DE $666   dC'222 a                                   EEE @!DDDDDDDDDEs`#D4DC) D)C- -D0C- 1D4 DDDD D D>D99D>)r.r)r8rr9rr.r:)r __future__rrLrKenumrRloggingr2 threadingpathlibrtypingr getLoggerrrZLockrVrr__annotations__Enumrr7rbr+r,r-rmsD   #"""""  w""in (i))) ........$6666EEEEEEr,