feat: add ports and adapters for auths-telemetry

crates/auths-cli/Cargo.toml

@@ -39,7 +39,7 @@ auths-index.workspace = true
 auths-crypto.workspace = true
 auths-sdk.workspace = true
 auths-pairing-protocol.workspace = true
-auths-telemetry.workspace = true
+auths-telemetry = { workspace = true, features = ["sink-http"] }
 auths-verifier = { workspace = true, features = ["native"] }
 auths-infra-git.workspace = true
 auths-infra-http.workspace = true

crates/auths-cli/src/factories/mod.rs

@@ -7,8 +7,12 @@ use std::time::Duration;
 use anyhow::Result;
 
 use auths_core::config::EnvironmentConfig;
+use auths_core::paths::auths_home;
 use auths_core::signing::{CachedPassphraseProvider, PassphraseProvider};
 use auths_sdk::ports::agent::AgentSigningPort;
+use auths_telemetry::TelemetryShutdown;
+use auths_telemetry::config::{build_sinks_from_config, load_audit_config};
+use auths_telemetry::sinks::composite::CompositeSink;
 
 use crate::cli::AuthsCli;
 use crate::config::{CliConfig, OutputFormat};
@@ -64,6 +68,29 @@ pub fn build_config(cli: &AuthsCli) -> Result<CliConfig> {
     })
 }
 
+/// Loads audit sinks from `~/.auths/audit.toml` and initialises the global
+/// telemetry pipeline.
+///
+/// Returns `None` when no sinks are configured — zero overhead in that case.
+///
+/// Usage:
+/// ```ignore
+/// let _telemetry = auths_cli::factories::init_audit_sinks();
+/// ```
+pub fn init_audit_sinks() -> Option<TelemetryShutdown> {
+    let audit_path = match auths_home() {
+        Ok(h) => h.join("audit.toml"),
+        Err(_) => return None,
+    };
+    let config = load_audit_config(&audit_path);
+    let sinks = build_sinks_from_config(&config, |name| std::env::var(name).ok());
+    if sinks.is_empty() {
+        return None;
+    }
+    let composite = Arc::new(CompositeSink::new(sinks));
+    Some(auths_telemetry::init_telemetry_with_sink(composite))
+}
+
 /// Build the platform-appropriate agent signing provider.
 ///
 /// Returns `CliAgentAdapter` on Unix, `NoopAgentProvider` elsewhere.

crates/auths-cli/src/main.rs

@@ -11,7 +11,7 @@ use clap::Parser;
 use auths_cli::cli::{AuthsCli, RootCommand};
 use auths_cli::commands::executable::ExecutableCommand;
 use auths_cli::config::OutputFormat;
-use auths_cli::factories::build_config;
+use auths_cli::factories::{build_config, init_audit_sinks};
 use auths_cli::ux::format::set_json_mode;
 
 fn main() {
@@ -21,9 +21,24 @@ fn main() {
     }
 }
 
+/// Maps auditable commands to their action name. Returns `None` for commands
+/// that don't emit audit events.
+fn audit_action(command: &RootCommand) -> Option<&'static str> {
+    match command {
+        RootCommand::Init(_) => Some("identity_created"),
+        RootCommand::Pair(_) => Some("device_paired"),
+        RootCommand::Device(_) => Some("device_command"),
+        RootCommand::Verify(_) => Some("commit_verified"),
+        RootCommand::Signers(_) => Some("signers_command"),
+        _ => None,
+    }
+}
+
 fn run() -> Result<()> {
     env_logger::init();
 
+    let _telemetry = init_audit_sinks();
+
     let cli = AuthsCli::parse();
 
     if cli.help_all {
@@ -58,7 +73,9 @@ fn run() -> Result<()> {
         }
     };
 
-    match command {
+    let action = audit_action(&command);
+
+    let result = match command {
         RootCommand::Init(cmd) => cmd.execute(&ctx),
         RootCommand::Sign(cmd) => cmd.execute(&ctx),
         RootCommand::Verify(cmd) => cmd.execute(&ctx),
@@ -86,5 +103,14 @@ fn run() -> Result<()> {
         RootCommand::Config(cmd) => cmd.execute(&ctx),
         RootCommand::Commit(cmd) => cmd.execute(&ctx),
         RootCommand::Debug(cmd) => cmd.execute(&ctx),
+    };
+
+    if let Some(action) = action {
+        let status = if result.is_ok() { "success" } else { "failed" };
+        let now = chrono::Utc::now().timestamp();
+        let event = auths_telemetry::build_audit_event("unknown", action, status, now);
+        auths_telemetry::emit_telemetry(&event);
     }
+
+    result
 }

crates/auths-telemetry/Cargo.toml

@@ -18,17 +18,23 @@ path = "src/lib.rs"
 chrono = { version = "0.4", features = ["serde"] }
 metrics = "0.24"
 metrics-exporter-prometheus = "0.18.1"
+reqwest = { version = "0.13.2", features = ["json"], optional = true }
 schemars.workspace = true
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
+tokio = { workspace = true, optional = true }
+toml = "1.0"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
 
 [features]
 test-utils = []
+sink-http = ["dep:reqwest", "dep:tokio"]
 
 [dev-dependencies]
+tempfile = "3"
 tokio = { workspace = true, features = ["full"] }
+wiremock = "0.6"
 
 [lints]
 workspace = true