refactor(audit): final DRY optimization and documentation pass (#425)

* docs: add comprehensive audit implementation analysis findings

Document findings from systematic analysis of async audit implementation
across 6 services. Key findings include:

- Payment-order service has full local audit implementation (DRY violation)
- Migration schema inconsistencies (record_id types, JSON storage types)
- Context key management duplication between models and audit package
- Redundant type aliases in multiple services

Prioritized recommendations for subsequent cleanup subtasks.

* feat(audit): add RecordUpdateManual helper for map-based updates

Add exported RecordUpdateManual function to the shared audit library
for use when GORM hooks cannot be used. This supports the pattern where
repositories use map-based updates with optimistic locking, which
bypasses GORM struct hooks.

The function accepts old and new entity values and records the UPDATE
operation in the audit trail, maintaining consistency with the hook-based
approach used for model updates.

* refactor(payment-order): migrate audit to shared library

Remove duplicated audit infrastructure from payment-order service
and use the shared audit library instead. This eliminates ~100 lines
of duplicated code including:

- Local AuditOutbox struct definition
- Local recordAudit function
- Local getUserIDFromContext function
- Local ErrNilTransaction error

The PaymentOrderEntity now implements the audit.Auditable interface
and uses audit.RecordCreate/RecordDelete for hook-based auditing.
The repository uses the new audit.RecordUpdateManual for its map-based
update pattern that bypasses GORM hooks.

This migration brings payment-order in line with other services
(tenant, party, financial-accounting) that already use the shared
audit library, and enables Kafka-first publishing with outbox fallback.

* refactor(tenant): remove redundant TenantAuditOutbox and TenantAuditLog types

Remove the locally-defined TenantAuditOutbox and TenantAuditLog structs
from the tenant service. These types were functionally identical to the
shared audit.AuditOutbox and audit.AuditLog types (both use string
RecordID to accommodate tenant's string IDs).

The shared types already support both UUID and string record IDs,
making these local definitions unnecessary duplication.

The service continues to use the existing type aliases (AuditOutbox,
systemUser) for backward compatibility with tests.

* test(payment-order): update audit tests for shared library types

Update audit tests to work with the shared audit library types:

- Change record_id column from UUID to VARCHAR(50) to match the shared
  AuditOutbox struct which uses string to support both UUID and string IDs
- Change old_values/new_values columns from JSONB to TEXT to match the
  shared struct and handle empty strings (JSONB rejects empty string "")
- Update assertions from pointer checks (!=nil) to string checks (Empty/NotEmpty)
- Update JSON unmarshal calls to use string values directly instead of
  dereferencing pointers

These changes align the test infrastructure with the shared audit library
types while maintaining full test coverage of audit functionality.

* feat(audit): add adaptive polling and configurable worker options

Implement performance optimizations for the audit worker:

- Add functional options pattern (WithBatchSize, WithPollInterval,
  WithMaxRetries, WithAdaptivePolling) for flexible worker configuration
- Implement adaptive polling that reduces database load during idle
  periods by exponentially backing off poll interval when outbox is
  empty, and immediately responding when entries arrive
- Add new metrics: batch_size histogram, poll_interval_seconds gauge,
  and empty_polls_consecutive gauge for monitoring adaptive behavior
- Add processBatchWithCount internal method to support adaptive polling
  decisions based on actual work performed

These changes are backward compatible - default behavior is unchanged
unless new options are explicitly used.

* refactor(audit): centralize status constants and error types

- Create status.go with exported status constants (StatusPending,
  StatusProcessing, StatusFailed, StatusCompleted)
- Add operation constants (OperationInsert, OperationUpdate, OperationDelete)
- Add table name constants (TableAuditOutbox, TableAuditLog)
- Create errors.go consolidating all audit-related errors from hooks.go,
  worker.go, and publisher.go into a single file
- Update worker.go, hooks.go, publisher.go to use centralized constants
- Update worker_test.go to use exported status constants

This improves code consistency by providing a single source of truth
for status values and error types used across the audit package and
services. Constants can now be used in SQL migrations and by consumers
of the audit package.

* refactor(audit): remove redundant type aliases and consolidate context helpers

- Remove AuditOutbox and AuditLog type aliases from service persistence
  packages (tenant, party, financial-accounting, payment-order)
- Update all test files to use audit.AuditOutbox directly instead of
  service-local aliases
- Consolidate getUserIDFromContext in shared/domain/models/base.go to
  use audit.GetUserFromContext(), reducing code duplication
- Update SystemUser constant to use audit.DefaultAuditUser

This cleanup removes ~40 lines of redundant type alias definitions
across 4 services while maintaining backward compatibility. Tests now
reference the canonical shared audit types directly.

* docs(audit): add comprehensive documentation for async audit system

- Add package-level godoc in doc.go with architecture overview,
  usage examples, and performance characteristics
- Enhance README.md with configuration options, adaptive polling
  documentation, and troubleshooting guide
- Create operations/audit-monitoring.md with Prometheus metrics
  reference, alert thresholds, Grafana queries, and failure modes
- Create development/audit-adding-new-service.md with step-by-step
  guide including migration templates, entity implementation, and
  test examples

The documentation covers the complete async audit system including
the dual-path Kafka/outbox architecture per ADR-0009.

* fix(party): update lifecycle tests to use shared audit package

Update lifecycle_integration_test.go to use audit.AuditOutbox from the
shared platform audit package instead of the removed service-specific
persistence.PartyAuditOutbox type.

* fix(audit): use TEXT instead of JSONB for audit outbox values

Change OldValues and NewValues columns in AuditOutbox and AuditLog
structs from JSONB to TEXT to match the migration compatibility fixes.
This prevents SQLSTATE 22P02 errors when tests run with GORM
auto-migration which creates columns based on struct definitions.

The JSONB type rejects empty strings as invalid JSON, but the audit
system may write empty strings for null values. TEXT columns are more
permissive and align with the migration schema changes.

* fix(payment-order): update test schemas to use TEXT for audit values

Update audit_outbox table creation in repository and integration tests
to use TEXT columns for old_values/new_values instead of JSONB. Also
change record_id from UUID to VARCHAR(50) to match shared audit infra.

This aligns with the shared audit package and migration compatibility
fixes that use TEXT to handle empty strings which JSONB rejects.

* docs(audit): align migration template with shared audit types

Update the audit adding new service guide to use TEXT columns and
VARCHAR(50) for record_id instead of JSONB/UUID. This aligns with
the shared audit package which uses TEXT to handle empty strings
that JSONB would reject as invalid JSON.

Also update the change_summary view to safely cast TEXT to JSONB
only when the content is valid JSON format.

* fix(audit): address CodeRabbit review feedback

- Align record_id type with shared package (VARCHAR(50) instead of UUID)
  in party service test schemas for consistency
- Add validation to WithAdaptivePolling to swap inverted min/max intervals
- Add TODO for future improvement: use updated_at instead of created_at
  for more accurate stuck entry detection (requires schema migration)

---------

Co-authored-by: Ben Coombs <[email protected]>

Author: bjcoombs

docs/audit-analysis-findings.md

@@ -0,0 +1,314 @@
+# Async Audit Implementation Analysis Findings
+
+**Date**: 2024-12-24
+**Task**: 19.1 - Analysis phase for final optimization and DRY review
+**Scope**: 6 services (tenant, payment-order, party, position-keeping, financial-accounting, current-account)
+
+## Executive Summary
+
+The async audit implementation is largely well-structured, with a shared library in
+`shared/platform/audit/` that most services correctly use. However, there is one significant
+duplication issue (payment-order service), several schema inconsistencies across migrations,
+and minor code patterns that could be consolidated.
+
+---
+
+## 1. Code Duplication Findings
+
+### 1.1 Critical: Payment-Order Service Has Full Local Implementation
+
+**Location**: `services/payment-order/adapters/persistence/payment_order_entity.go`
+
+The payment-order service maintains a **complete local copy** of the audit infrastructure instead of using the shared library:
+
+| Component | Shared Library | Payment-Order Local |
+|-----------|----------------|---------------------|
+| `ErrNilTransaction` | `shared/platform/audit/hooks.go:19` | `payment_order_entity.go:84` |
+| `AuditOutbox` struct | `shared/platform/audit/hooks.go:38-54` | `payment_order_entity.go:94-109` |
+| `recordAudit()` function | `shared/platform/audit/hooks.go:252-295` | `payment_order_entity.go:130-184` |
+| `getUserIDFromContext()` | `shared/platform/audit/context.go:19` | `payment_order_entity.go:188-204` |
+
+**Impact**:
+
+- Maintenance burden (changes must be made in two places)
+- Inconsistent behavior (local version uses `uuid.UUID` for RecordID, shared uses `string`)
+- Missed Kafka integration (local version writes directly to outbox, shared version attempts Kafka first)
+
+**Recommendation**: Migrate payment-order to use shared audit library. This requires:
+
+1. Implementing `audit.Auditable` interface on `PaymentOrderEntity`
+2. Replacing local `recordAudit()` calls with `audit.RecordCreate/Update/Delete`
+3. Removing local `AuditOutbox`, `ErrNilTransaction`, `getUserIDFromContext`
+
+### 1.2 Context Key Management Duplication
+
+Two implementations of `getUserIDFromContext()` exist:
+
+1. **shared/domain/models/base.go:105-122** - Uses `auth.UserIDContextKey` directly
+2. **shared/platform/audit/context.go:19-30** - Uses `auth.GetUserIDFromContext()`
+
+Both achieve the same goal but via different methods. The audit library's version is more abstracted.
+
+**Recommendation**: Consolidate to use `audit.GetUserFromContext()` everywhere, or extract to a single shared utility.
+
+### 1.3 Error Type Duplication
+
+`ErrNilTransaction` is defined in multiple places:
+
+| Location | Package |
+|----------|---------|
+| `shared/platform/audit/hooks.go:19` | audit |
+| `shared/platform/events/outbox.go:35` | events |
+| `services/payment-order/adapters/persistence/payment_order_entity.go:84` | persistence |
+
+**Recommendation**: Consider a shared errors package for common transaction-related errors, or
+document that each package intentionally defines its own error for proper `errors.Is()` matching.
+
+---
+
+## 2. Migration Schema Inconsistencies
+
+### 2.1 Record ID Type Inconsistency
+
+| Service | `record_id` Type in audit_log/audit_outbox |
+|---------|-------------------------------------------|
+| tenant | `VARCHAR(50)` (string IDs) |
+| position-keeping | `UUID` |
+| party | `UUID` |
+| current-account | `UUID` |
+| financial-accounting | `UUID` |
+| payment-order | `UUID` |
+
+**Note**: Tenant uses string IDs intentionally (tenant IDs are alphanumeric). The shared
+`audit.AuditOutbox` struct uses `string` for `RecordID` to accommodate both.
+
+### 2.2 JSON Storage Type Inconsistency
+
+| Service | `old_values`/`new_values` Type |
+|---------|-------------------------------|
+| party | `TEXT` (contains JSON strings) |
+| All others | `JSONB` |
+
+**Location**: `services/party/migrations/20251217000001_audit_system.sql:22-24`
+
+**Impact**:
+
+- Party service stores JSON as text, requiring cast to JSONB for queries
+- The `change_summary` view handles this with explicit `::jsonb` casts
+- Shared `audit.AuditLog` struct uses `string` type which works with both
+
+**Recommendation**: Consider a migration to standardize party to JSONB for consistency, though functionally equivalent.
+
+### 2.3 Client IP Type Inconsistency
+
+| Service | `client_ip` Type |
+|---------|------------------|
+| tenant | `INET` |
+| position-keeping | `INET` |
+| current-account | `INET` |
+| financial-accounting | `INET` |
+| party | `VARCHAR(45)` |
+| payment-order | `VARCHAR(45)` |
+
+**Impact**: Minor - both work for storing IP addresses. `INET` provides validation and supports IPv6.
+
+### 2.4 Status Constraint Inconsistency (RESOLVED)
+
+Current-account originally had a constraint missing `'completed'` status:
+
+- Original: `CHECK (status IN ('pending', 'processing', 'failed'))`
+- Fixed in: `20251217000001_fix_audit_status_constraint.sql`
+
+All services now correctly include `'completed'` status.
+
+---
+
+## 3. Service Integration Analysis
+
+### 3.1 Services Using Shared Audit Library Correctly
+
+| Service | Entity | Uses Shared Library |
+|---------|--------|---------------------|
+| tenant | TenantEntity | Yes - `audit.RecordCreate/Update/Delete` |
+| party | PartyEntity | Yes - `audit.RecordCreate/Update/Delete` |
+| financial-accounting | FinancialBookingLogEntity | Yes - `audit.RecordCreate/Update/Delete` |
+| financial-accounting | LedgerPostingEntity | Yes - `audit.RecordCreate/Update/Delete` |
+
+### 3.2 Services with Custom/Mixed Implementation
+
+| Service | Entity | Implementation |
+|---------|--------|----------------|
+| payment-order | PaymentOrderEntity | **Local** - full local copy |
+| position-keeping | N/A | Uses `audit.GetUserFromContext()` but has custom audit logic in repository |
+| current-account | N/A | Uses `audit.GetUserFromContext()` but has custom audit logic in repository |
+
+### 3.3 Shared Domain Models with Audit Hooks
+
+The following models in `shared/domain/models/` implement audit hooks using the shared library:
+
+- `FinancialPositionLog`
+- `TransactionLogEntry`
+- `TransactionLineage`
+- `AuditTrailEntry`
+- `Customer`
+- `Account`
+
+These all correctly use `audit.RecordCreate/Update/Delete`.
+
+---
+
+## 4. Performance Bottleneck Analysis
+
+### 4.1 Worker Metrics Review
+
+`shared/platform/audit/metrics.go` provides comprehensive metrics:
+
+**Outbox Processing Metrics:**
+
+- `meridian_audit_worker_outbox_depth` (gauge by schema)
+- `meridian_audit_worker_outbox_processed_total` (counter)
+- `meridian_audit_worker_outbox_failed_total` (counter)
+- `meridian_audit_worker_processing_duration_seconds` (histogram)
+- `meridian_audit_worker_entry_age_seconds` (histogram)
+
+**Kafka Metrics:**
+
+- `meridian_audit_kafka_events_published_total` (counter)
+- `meridian_audit_kafka_events_consumed_total` (counter)
+- `meridian_audit_kafka_publish_duration_seconds` (histogram)
+- `meridian_audit_kafka_consume_duration_seconds` (histogram)
+- `meridian_audit_kafka_consumer_lag_messages` (gauge)
+- `meridian_audit_kafka_fallback_used_total` (counter by reason)
+- `meridian_audit_kafka_dlq_messages_total` (counter)
+
+**Potential Bottleneck Indicators:**
+
+1. `kafkaPublishDuration` histogram buckets extend to 5s - may need alerting on p99
+2. `kafkaFallbackUsed` counter tracks fallback reasons - good for diagnosing issues
+3. No explicit batch size metrics for consumer throughput
+
+**Recommendation**: Add `batch_size` label to `processing_duration_seconds` histogram to correlate
+processing time with batch sizes.
+
+### 4.2 Worker Configuration
+
+Default worker configuration in `shared/platform/audit/worker.go:28-33`:
+
+- `defaultBatchSize = 100`
+- `defaultPollInterval = 5 * time.Second`
+- `defaultMaxRetries = 3`
+- `defaultProcessingAge = 5 * time.Minute` (stuck entry threshold)
+
+These defaults appear reasonable. No configuration exposure mechanism exists for tuning per-service.
+
+**Recommendation**: Consider exposing these as configurable options in `NewAuditWorker()`.
+
+---
+
+## 5. Dead Code Candidates
+
+### 5.1 Unused Type Aliases
+
+Several services define type aliases for backward compatibility:
+
+```go
+// services/tenant/adapters/persistence/audit.go:99-101
+const systemUser = audit.DefaultAuditUser
+type AuditOutbox = audit.AuditOutbox
+
+// services/party/adapters/persistence/party_entity.go:90
+type PartyAuditOutbox = audit.AuditOutbox
+
+// services/financial-accounting/adapters/persistence/booking_log_entity.go:61-65
+type AuditOutbox = audit.AuditOutbox
+type AuditLog = audit.AuditLog
+```
+
+**Recommendation**: Audit tests to determine if these aliases are still needed. If only for test
+compatibility, consider updating tests to use the shared types directly.
+
+### 5.2 Tenant-Specific Audit Types (Potentially Redundant)
+
+`services/tenant/adapters/persistence/audit.go` defines:
+
+- `TenantAuditOutbox` - nearly identical to `audit.AuditOutbox`
+- `TenantAuditLog` - nearly identical to `audit.AuditLog`
+
+The only difference is these use `string` for RecordID (tenant compatibility). However, the shared
+`audit.AuditOutbox` **already uses `string`** for RecordID.
+
+**Recommendation**: These types appear redundant and can likely be removed.
+
+---
+
+## 6. TODO/FIXME Comments (Non-Audit Related)
+
+No TODO/FIXME comments exist in `shared/platform/audit/` directory.
+
+Audit-adjacent TODOs found in services (for reference):
+
+- `services/financial-accounting/service/financial_accounting_service.go:1176` - "TODO: Extract from auth context when available"
+
+---
+
+## 7. Prioritized Recommendations
+
+### High Priority (DRY Violations)
+
+1. **Migrate payment-order to shared audit library** (Est: 2-3 hours)
+   - Implement `Auditable` interface on `PaymentOrderEntity`
+   - Update hooks to use `audit.RecordCreate/Update/Delete`
+   - Remove local `recordAudit()`, `AuditOutbox`, `ErrNilTransaction`
+   - Update repository audit handling to use shared patterns
+
+### Medium Priority (Consistency)
+
+1. **Standardize migration schemas** (Est: 1-2 hours)
+   - Create migrations to align `old_values`/`new_values` types (TEXT -> JSONB for party)
+   - Consider aligning `client_ip` types (VARCHAR -> INET)
+
+2. **Remove redundant tenant audit types** (Est: 30 min)
+   - Remove `TenantAuditOutbox` and `TenantAuditLog` if truly unused
+   - Update any tests using these types
+
+### Low Priority (Nice to Have)
+
+1. **Consolidate `getUserIDFromContext`** (Est: 30 min)
+   - Update `shared/domain/models/base.go` to use `audit.GetUserFromContext()`
+
+2. **Add worker configuration options** (Est: 1 hour)
+   - Allow customizing batch size, poll interval, max retries per-service
+
+3. **Add batch size metrics** (Est: 30 min)
+   - Add label to processing duration histogram
+
+---
+
+## 8. Files Reference
+
+### Shared Library
+
+- `/shared/platform/audit/hooks.go` - Core audit recording functions
+- `/shared/platform/audit/context.go` - User context extraction
+- `/shared/platform/audit/worker.go` - Background processing
+- `/shared/platform/audit/metrics.go` - Prometheus metrics
+- `/shared/platform/audit/publisher.go` - Kafka publishing
+- `/shared/platform/audit/consumer.go` - Kafka consumption
+
+### Service Implementations
+
+- `/services/tenant/adapters/persistence/audit.go`
+- `/services/party/adapters/persistence/party_entity.go`
+- `/services/payment-order/adapters/persistence/payment_order_entity.go` (needs migration)
+- `/services/financial-accounting/adapters/persistence/booking_log_entity.go`
+- `/services/financial-accounting/adapters/persistence/ledger_posting_entity.go`
+
+### Migration Files
+
+- `/services/tenant/migrations/20251216000001_initial.sql`
+- `/services/position-keeping/migrations/20251217000001_audit_system.sql`
+- `/services/party/migrations/20251217000001_audit_system.sql`
+- `/services/current-account/migrations/20251216000002_audit_system.sql`
+- `/services/current-account/migrations/20251217000001_fix_audit_status_constraint.sql`
+- `/services/financial-accounting/migrations/20251217000001_audit_system.sql`
+- `/services/payment-order/migrations/20251217000001_audit_system.sql`