
feat: Structured audit layer middleware #934

Draft

HatemMn wants to merge 3 commits into develop from feat/audit_and_siem

Conversation

@HatemMn (Contributor) commented Apr 29, 2026

Specs:

Storage backend

  • Simple file storage (should always exist): check crate/server/src/core/audit/file_store.rs
  • Postgres
  • Sqlite

Note: this PR needs some time to understand the different requirements and plan accordingly, then develop.
Note 2: this PR is for phase 1; follow the canonical issue here: github.com//issues/881


Artifacts:

For testing purposes, these debug artifacts are shared:

no_auth_audit.toml

default_username = "admin"

[http]
port = 9998
hostname = "0.0.0.0"

[db]
database_type = "sqlite"
sqlite_path = "/tmp/kms-data"
clear_database = false
unwrapped_cache_max_age = 15

[logging]
rust_log = "info,cosmian_kms=info"
ansi_colors = false

[ui_config]
ui_index_html_folder = "/usr/local/cosmian/ui/dist"

[audit]
enabled = true

[audit.file]
path = "/tmp/kms-audit-e2e.jsonl"

The following commands (all assume a KMS is already running):

# Terminal 2 (while server is running)
cargo run -p ckms --features non-fips -- --url http://127.0.0.1:9998 sym keys create --algorithm aes --number-of-bits 256 --tag audit-e2e-key
cargo run -p ckms --features non-fips -- --url http://127.0.0.1:9998 sym encrypt -k d5d986ac-ff6c-472c-904e-0b0bf6bfaa92 /tmp/audit-plain.txt
curl -s -o /tmp/kmip-empty.json -w "KMIP_EMPTY_HTTP=%{http_code}\n" -X POST -H "Content-Type: application/json" -d '{}' http://127.0.0.1:9998/kmip/2_1

cargo run -p ckms --features non-fips -- --url http://127.0.0.1:9998 sym keys create --algorithm aes --number-of-bits 256 --tag audit-e2e-key-r2
cargo run -p ckms --features non-fips -- --url http://127.0.0.1:9998 sym encrypt -k 417fe2de-827d-48d0-8d51-851bec315b76 /tmp/audit-plain.txt
cargo run -p ckms --features non-fips -- --url http://127.0.0.1:9998 sym decrypt -k 417fe2de-827d-48d0-8d51-851bec315b76 /tmp/audit-plain.enc
cargo run -p ckms --features non-fips -- --url http://127.0.0.1:9998 sym decrypt -k 00000000-0000-0000-0000-000000000000 /tmp/audit-plain.enc
curl -s -o /tmp/kmip-empty-2.json -w "KMIP_EMPTY_HTTP=%{http_code}\n" -X POST -H "Content-Type: application/json" -d '{}' http://127.0.0.1:9998/kmip/2_1

This normally produces kms-audit.jsonl:

{"id":0,"timestamp":"2026-05-06T20:31:15.453584007Z","operation":"Create","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":"Success","duration_ms":2,"prev_hash":"0000000000000000000000000000000000000000000000000000000000000000","row_hash":"f4c16f738a3a7a68039a9149e85953fe86954a44e9f5d61e3932e2a8858f16c1"}
{"id":1,"timestamp":"2026-05-06T20:31:15.873374899Z","operation":"Encrypt","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":"Success","duration_ms":2,"prev_hash":"f4c16f738a3a7a68039a9149e85953fe86954a44e9f5d61e3932e2a8858f16c1","row_hash":"5ac3d9fc82a226f70cdfb010c879e82b21dfc9d3f494363b961d426ed871d56f"}
{"id":2,"timestamp":"2026-05-06T20:31:16.725357675Z","operation":"KMIP","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":{"Failure":"422 Unprocessable Entity"},"duration_ms":0,"prev_hash":"5ac3d9fc82a226f70cdfb010c879e82b21dfc9d3f494363b961d426ed871d56f","row_hash":"4fd9c87b59041f4d52d993460342cba37df9420bb3742285605f48e4ca9c978b"}
{"id":3,"timestamp":"2026-05-06T20:31:41.978144291Z","operation":"Create","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":"Success","duration_ms":1,"prev_hash":"4fd9c87b59041f4d52d993460342cba37df9420bb3742285605f48e4ca9c978b","row_hash":"e492c0f02860bc6c428259d44414651eda3aaaee2f48eb857144c940ac0fe909"}
{"id":4,"timestamp":"2026-05-06T20:31:42.321328507Z","operation":"Encrypt","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":"Success","duration_ms":1,"prev_hash":"e492c0f02860bc6c428259d44414651eda3aaaee2f48eb857144c940ac0fe909","row_hash":"699a2837830af4a26fe79aeb48509fc707507e514da5850d953366a14e730c38"}
{"id":5,"timestamp":"2026-05-06T20:31:42.643638722Z","operation":"Decrypt","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":"Success","duration_ms":1,"prev_hash":"699a2837830af4a26fe79aeb48509fc707507e514da5850d953366a14e730c38","row_hash":"d365586ae21efd0d2f347c250f32eb0a9c6a4a713f227ee9f2411d091fd1bd55"}
{"id":6,"timestamp":"2026-05-06T20:31:54.49626321Z","operation":"Decrypt","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":{"Failure":"422 Unprocessable Entity"},"duration_ms":0,"prev_hash":"d365586ae21efd0d2f347c250f32eb0a9c6a4a713f227ee9f2411d091fd1bd55","row_hash":"720a88d294dfc78d1556ff161f9066c00d3ff8b80561c54e32ee7cf81e0aaf4f"}
{"id":7,"timestamp":"2026-05-06T20:31:54.504398214Z","operation":"KMIP","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":{"Failure":"422 Unprocessable Entity"},"duration_ms":0,"prev_hash":"720a88d294dfc78d1556ff161f9066c00d3ff8b80561c54e32ee7cf81e0aaf4f","row_hash":"74bdd3f143d26dfe971d401aa0f169a61847b9249bd34bfc0991eabe31260ad5"}
{"id":8,"timestamp":"2026-05-06T20:32:52.777397706Z","operation":"Encrypt","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":"Success","duration_ms":2,"prev_hash":"74bdd3f143d26dfe971d401aa0f169a61847b9249bd34bfc0991eabe31260ad5","row_hash":"d495af8a7197799d04a13352eecb22469f6897128250445437164d1e60439770"}

Then you can run:

cargo run -p ckms --features non-fips -- audit verify --path #your file
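The prev_hash/row_hash columns in the sample output above form a hash chain: record 0 starts from an all-zero prev_hash and every later record carries the row_hash of the record before it. As an added example (not code from this PR or from the Cosmian KMS project), the Python below checks that linkage over the nine sample lines and shows what a record removed from the middle looks like compared with a truncated tail. It assumes only what the sample shows (dense ids from 0, 64-hex-character hashes, all-zero genesis prev_hash) and deliberately does not recompute row_hash, because the exact serialization the server hashes is not specified on this page; that part stays the job of `ckms audit verify`. The `drop_line` helper and the tamper scenarios are constructed for the demonstration.

```python
from __future__ import annotations

import json

GENESIS_HASH = "0" * 64  # prev_hash of record 0 in the sample above
HEX_DIGITS = set("0123456789abcdef")

# The nine records copied verbatim from the kms-audit.jsonl sample in the PR description.
SAMPLE_JSONL = """\
{"id":0,"timestamp":"2026-05-06T20:31:15.453584007Z","operation":"Create","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":"Success","duration_ms":2,"prev_hash":"0000000000000000000000000000000000000000000000000000000000000000","row_hash":"f4c16f738a3a7a68039a9149e85953fe86954a44e9f5d61e3932e2a8858f16c1"}
{"id":1,"timestamp":"2026-05-06T20:31:15.873374899Z","operation":"Encrypt","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":"Success","duration_ms":2,"prev_hash":"f4c16f738a3a7a68039a9149e85953fe86954a44e9f5d61e3932e2a8858f16c1","row_hash":"5ac3d9fc82a226f70cdfb010c879e82b21dfc9d3f494363b961d426ed871d56f"}
{"id":2,"timestamp":"2026-05-06T20:31:16.725357675Z","operation":"KMIP","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":{"Failure":"422 Unprocessable Entity"},"duration_ms":0,"prev_hash":"5ac3d9fc82a226f70cdfb010c879e82b21dfc9d3f494363b961d426ed871d56f","row_hash":"4fd9c87b59041f4d52d993460342cba37df9420bb3742285605f48e4ca9c978b"}
{"id":3,"timestamp":"2026-05-06T20:31:41.978144291Z","operation":"Create","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":"Success","duration_ms":1,"prev_hash":"4fd9c87b59041f4d52d993460342cba37df9420bb3742285605f48e4ca9c978b","row_hash":"e492c0f02860bc6c428259d44414651eda3aaaee2f48eb857144c940ac0fe909"}
{"id":4,"timestamp":"2026-05-06T20:31:42.321328507Z","operation":"Encrypt","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":"Success","duration_ms":1,"prev_hash":"e492c0f02860bc6c428259d44414651eda3aaaee2f48eb857144c940ac0fe909","row_hash":"699a2837830af4a26fe79aeb48509fc707507e514da5850d953366a14e730c38"}
{"id":5,"timestamp":"2026-05-06T20:31:42.643638722Z","operation":"Decrypt","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":"Success","duration_ms":1,"prev_hash":"699a2837830af4a26fe79aeb48509fc707507e514da5850d953366a14e730c38","row_hash":"d365586ae21efd0d2f347c250f32eb0a9c6a4a713f227ee9f2411d091fd1bd55"}
{"id":6,"timestamp":"2026-05-06T20:31:54.49626321Z","operation":"Decrypt","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":{"Failure":"422 Unprocessable Entity"},"duration_ms":0,"prev_hash":"d365586ae21efd0d2f347c250f32eb0a9c6a4a713f227ee9f2411d091fd1bd55","row_hash":"720a88d294dfc78d1556ff161f9066c00d3ff8b80561c54e32ee7cf81e0aaf4f"}
{"id":7,"timestamp":"2026-05-06T20:31:54.504398214Z","operation":"KMIP","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":{"Failure":"422 Unprocessable Entity"},"duration_ms":0,"prev_hash":"720a88d294dfc78d1556ff161f9066c00d3ff8b80561c54e32ee7cf81e0aaf4f","row_hash":"74bdd3f143d26dfe971d401aa0f169a61847b9249bd34bfc0991eabe31260ad5"}
{"id":8,"timestamp":"2026-05-06T20:32:52.777397706Z","operation":"Encrypt","user":"admin","object_uid":null,"algorithm":null,"client_ip":"127.0.0.1","result":"Success","duration_ms":2,"prev_hash":"74bdd3f143d26dfe971d401aa0f169a61847b9249bd34bfc0991eabe31260ad5","row_hash":"d495af8a7197799d04a13352eecb22469f6897128250445437164d1e60439770"}
"""


def parse_jsonl(text: str) -> list[dict]:
    """Parse one JSON object per line; blank lines are skipped, malformed JSON is an error."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed JSON ({exc.msg})") from exc
    return records


def is_sha256_hex(value) -> bool:
    """64 lowercase hex characters, the size of the hashes in the sample (assumed SHA-256)."""
    return isinstance(value, str) and len(value) == 64 and set(value) <= HEX_DIGITS


def verify_links(records: list[dict]) -> list[str]:
    """Return the problems found in the chain; an empty list means every record links to its predecessor.

    Only the linkage is checked: ids must be dense from 0, hashes must look like
    SHA-256 hex, and each prev_hash must equal the previous record's row_hash.
    row_hash itself is not recomputed here (the hashed serialization is unknown).
    """
    problems = []
    expected_prev = GENESIS_HASH
    for position, rec in enumerate(records):
        if rec.get("id") != position:
            problems.append(
                f"record {position}: id {rec.get('id')!r}, expected {position} "
                "(missing, duplicated or reordered record)"
            )
        for field in ("prev_hash", "row_hash"):
            if not is_sha256_hex(rec.get(field)):
                problems.append(f"record {position}: {field} is not 64 lowercase hex chars")
        if rec.get("prev_hash") != expected_prev:
            problems.append(f"record {position}: prev_hash does not equal the previous row_hash")
        expected_prev = rec.get("row_hash")
    return problems


def chain_head(records: list[dict]) -> str | None:
    """row_hash of the last record: the value to store off-host so later truncation is detectable."""
    return records[-1]["row_hash"] if records else None


def drop_line(text: str, index: int) -> str:
    """Constructed tampering for the demo: delete one record from the JSONL text."""
    lines = [line for line in text.splitlines() if line.strip()]
    del lines[index]
    return "\n".join(lines)


if __name__ == "__main__":
    good = parse_jsonl(SAMPLE_JSONL)
    print("intact:", verify_links(good) or "OK", "| head =", chain_head(good))
    print("record 3 removed:", verify_links(parse_jsonl(drop_line(SAMPLE_JSONL, 3)))[:2])
    # Cutting records off the tail leaves an internally consistent chain.
    truncated = parse_jsonl(drop_line(SAMPLE_JSONL, 8))
    print("tail removed:", verify_links(truncated) or "OK", "| head =", chain_head(truncated))
```

The truncation case is the caveat worth keeping in mind when reading the sample: removing records from the end of the file leaves a chain that verifies cleanly, so the current head row_hash has to be recorded somewhere the log writer cannot reach (the SIEM, a signed checkpoint) for a later check to prove the file is complete.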

@HatemMn HatemMn self-assigned this Apr 29, 2026
@HatemMn HatemMn changed the title chore: Structured audit trail and SIEM integration enhancement feat: Structured audit layer middleware Apr 30, 2026

Development

Successfully merging this pull request may close these issues.

Phase 1: Local audit logging