fix: audit middleware logs after auth to capture identity fields (#4502)

## Summary

- **Fix broken audit data**: The audit middleware was logging *before*
auth ran, so `sub`, `account`, and `scopes` were always empty (`"not set
in context"`). Restructured to use a shared `*AuditData` struct in
context — audit injects it, auth populates it after JWT validation,
audit reads it after the response completes.
- **Exclude health checks**: `/healthz` is now excluded from audit
logging, eliminating high-volume K8s probe noise with useless
empty-identity entries.
- **Capture response status**: Audit entries now include the HTTP status
code, improving the trail for security review.

## Changes

### `go/audit/main.go` — Core middleware rewrite
- Removed direct reads of `auth.CurrentSubjectContextKey{}` etc. (which
were always empty at the outer middleware layer)
- Added `AuditData` struct and `AuditDataFromContext()` for
cross-middleware communication via a shared mutable pointer in context
- Moved log emission to **after** `next.ServeHTTP` so auth has populated
the data
- Added `statusRecorder` wrapper to capture HTTP response status
- Added `WithExcludePaths()` option for skipping paths like `/healthz`
- Removed import of `go/auth` — dependency direction is now `auth →
audit`

### `go/auth/middleware.go` — Populate audit data
- Added audit data population in `processOverrides`, which is the final
handler before the route handler runs (covers JWT-validated, bypass, and
override paths)
- When `*AuditData` is present in context, writes `Subject`,
`AccountName`, and `Scopes` from the finalized auth context

### Service files (api-server, gateway, revlink)
- Added `audit.WithExcludePaths("/healthz")` to all three services

### Tests and docs
- Rewrote `go/audit/main_test.go` with 7 focused tests covering:
authenticated requests, unauthenticated requests, path exclusion, status
code capture, implicit 200, and nil-safety
- Updated `go/audit/README.md` to document the new architecture

## Deviations from Approved Plan

> No approved plan is associated with this PR.

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches cross-middleware auth/audit interaction and wraps
`http.ResponseWriter`, which can affect request handling
(streaming/WebSocket) if edge cases are missed, though behavior is
well-covered by new tests.
>
> **Overview**
> Fixes audit logging to capture authenticated identity by having
`audit.NewAuditMiddleware` inject a shared `*AuditData` into request
context, letting `auth.NewAuthMiddleware` populate
`sub`/`account`/`scopes` after JWT validation, and emitting the audit
log **after** the handler completes.
>
> Audit logs now include the HTTP response `status` (via a
`ResponseWriter` recorder that preserves `Hijacker`/`Flusher` behavior)
and support `WithExcludePaths` to skip noisy endpoints like `/healthz`;
services are updated to exclude health checks, and tests/docs are
expanded to cover these behaviors.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
24c0ae98b56bc362e471137ab7cdc14ee5a0a9bb. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: a0424a1d86901cfd20f938291e1874b100408a63

Author: DavidS-ovm

go/auth/middleware.go

@@ -15,6 +15,7 @@ import (
 	"github.com/auth0/go-jwt-middleware/v3/jwks"
 	"github.com/auth0/go-jwt-middleware/v3/validator"
 	"github.com/getsentry/sentry-go"
+	"github.com/overmindtech/workspace/go/audit"
 	log "github.com/sirupsen/logrus"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
@@ -192,6 +193,18 @@ func NewAuthMiddleware(config MiddlewareConfig, next http.Handler) http.Handler
 			ctx = OverrideAuth(r.Context(), options...)
 		}
 
+		if ad := audit.AuditDataFromContext(ctx); ad != nil {
+			if sub, ok := ctx.Value(CurrentSubjectContextKey{}).(string); ok {
+				ad.Subject = sub
+			}
+			if account, ok := ctx.Value(AccountNameContextKey{}).(string); ok {
+				ad.AccountName = account
+			}
+			if claims, ok := ctx.Value(CustomClaimsContextKey{}).(*CustomClaims); ok {
+				ad.Scopes = claims.Scope
+			}
+		}
+
 		r = r.Clone(ctx)
 
 		next.ServeHTTP(w, r)

go/auth/middleware_test.go

@@ -6,6 +6,7 @@ import (
 	"crypto/rsa"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"regexp"
@@ -15,6 +16,7 @@ import (
 	"github.com/auth0/go-jwt-middleware/v3/validator"
 	"github.com/go-jose/go-jose/v4"
 	"github.com/go-jose/go-jose/v4/jwt"
+	"github.com/overmindtech/workspace/go/audit"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -671,7 +673,6 @@ func BenchmarkAuthMiddleware(b *testing.B) {
 		// Create a request to pass to our handler. We don't have any query parameters for now, so we'll
 		// pass 'nil' as the third parameter.
 		req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "/", nil)
-
 		if err != nil {
 			b.Fatal(err)
 		}
@@ -713,7 +714,6 @@ func NewTestJWTServer() (*TestJWTServer, error) {
 		Key:       jwk,
 	}
 	signer, err := jose.NewSigner(signingKey, &jose.SignerOptions{})
-
 	if err != nil {
 		return nil, err
 	}
@@ -995,3 +995,141 @@ func TestConnectErrorHandling(t *testing.T) {
 		})
 	}
 }
+
+func TestAuthMiddleware_PopulatesAuditData(t *testing.T) {
+	server, err := NewTestJWTServer()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	jwksURL := server.Start(t.Context())
+
+	discardLogger := log.New()
+	discardLogger.SetOutput(io.Discard)
+
+	t.Run("populates audit data from JWT", func(t *testing.T) {
+		var capturedAD *audit.AuditData
+
+		inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			capturedAD = audit.AuditDataFromContext(r.Context())
+			w.WriteHeader(http.StatusOK)
+		})
+
+		handler := audit.NewAuditMiddleware(discardLogger)(
+			NewAuthMiddleware(MiddlewareConfig{
+				IssuerURL:     jwksURL,
+				Auth0Audience: "https://api.overmind.tech",
+			}, inner),
+		)
+
+		token, err := server.GenerateJWT(&TestTokenOptions{
+			Audience: []string{"https://api.overmind.tech"},
+			Expiry:   time.Now().Add(time.Hour),
+			CustomClaims: CustomClaims{
+				AccountName: "acme-corp",
+				Scope:       "read:items write:items",
+			},
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		rr := httptest.NewRecorder()
+		req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/api/test", nil)
+		req.Header.Set("Authorization", "Bearer "+token)
+		handler.ServeHTTP(rr, req)
+
+		if rr.Code != http.StatusOK {
+			t.Fatalf("expected 200, got %d", rr.Code)
+		}
+		if capturedAD == nil {
+			t.Fatal("expected audit data to be present in context")
+		}
+		if capturedAD.Subject != "test" {
+			t.Errorf("expected subject 'test', got %q", capturedAD.Subject)
+		}
+		if capturedAD.AccountName != "acme-corp" {
+			t.Errorf("expected account 'acme-corp', got %q", capturedAD.AccountName)
+		}
+		if capturedAD.Scopes != "read:items write:items" {
+			t.Errorf("expected scopes 'read:items write:items', got %q", capturedAD.Scopes)
+		}
+	})
+
+	t.Run("populates audit data with account override", func(t *testing.T) {
+		var capturedAD *audit.AuditData
+
+		override := "override-acme"
+		inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			capturedAD = audit.AuditDataFromContext(r.Context())
+			w.WriteHeader(http.StatusOK)
+		})
+
+		handler := audit.NewAuditMiddleware(discardLogger)(
+			NewAuthMiddleware(MiddlewareConfig{
+				IssuerURL:       jwksURL,
+				Auth0Audience:   "https://api.overmind.tech",
+				AccountOverride: &override,
+			}, inner),
+		)
+
+		token, err := server.GenerateJWT(&TestTokenOptions{
+			Audience: []string{"https://api.overmind.tech"},
+			Expiry:   time.Now().Add(time.Hour),
+			CustomClaims: CustomClaims{
+				AccountName: "original-acme",
+				Scope:       "read:items",
+			},
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		rr := httptest.NewRecorder()
+		req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/api/test", nil)
+		req.Header.Set("Authorization", "Bearer "+token)
+		handler.ServeHTTP(rr, req)
+
+		if rr.Code != http.StatusOK {
+			t.Fatalf("expected 200, got %d", rr.Code)
+		}
+		if capturedAD == nil {
+			t.Fatal("expected audit data to be present in context")
+		}
+		if capturedAD.AccountName != "override-acme" {
+			t.Errorf("expected overridden account 'override-acme', got %q", capturedAD.AccountName)
+		}
+	})
+
+	t.Run("works without audit context", func(t *testing.T) {
+		inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		})
+
+		handler := NewAuthMiddleware(MiddlewareConfig{
+			IssuerURL:     jwksURL,
+			Auth0Audience: "https://api.overmind.tech",
+		}, inner)
+
+		token, err := server.GenerateJWT(&TestTokenOptions{
+			Audience: []string{"https://api.overmind.tech"},
+			Expiry:   time.Now().Add(time.Hour),
+			CustomClaims: CustomClaims{
+				AccountName: "acme-corp",
+				Scope:       "read:items",
+			},
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		rr := httptest.NewRecorder()
+		req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/api/test", nil)
+		req.Header.Set("Authorization", "Bearer "+token)
+		handler.ServeHTTP(rr, req)
+
+		if rr.Code != http.StatusOK {
+			t.Fatalf("expected 200 (no panic without audit context), got %d", rr.Code)
+		}
+	})
+}