Implements the --audit-log FILE flag on serve, mcp --bind, and inspect subcommands.
Emits per-request NDJSON audit lines with ts, client_ip, tool, fingerprint, duration_ms,
status, and diagnostics fields. The AuditLogWriter wraps a BufWriter<File> behind a Mutex
and flushes after each line for crash safety.
Core changes:
- Added pdftract-core/src/audit.rs with AuditRecord schema and AuditLogWriter
- Added chrono dependency to pdftract-core/Cargo.toml for timestamp generation
- Added crates/pdftract-cli/src/middleware/audit.rs with axum middleware
- Integrated AuditState into ServeState, McpServerState, and InspectorState
- Added --audit-log flag to Serve, Mcp, and InspectArgs CLI structures
- Stdio MCP mode: audit goes to stderr (not stdout, which is JSON-RPC)
Acceptance criteria:
- pdftract serve --audit-log /var/log/pdftract.ndjson → per-request NDJSON lines appear
- Each line is single-line valid JSON (no embedded newlines in values)
- client_ip captured from X-Real-IP or X-Forwarded-For header
- Stdio MCP audit goes to stderr (with --audit-log /dev/stderr or implicitly)
- Concurrent requests: writes don't interleave (Mutex ensures atomic line writes)
- Crash mid-request: log line either fully present or fully absent (BufWriter flushes after each write)
Closes: pdftract-5boxq
b0c103b44f