refactor: remove obsolete code

Author: evansims

Cargo.lock

@@ -139,7 +139,7 @@ unicode-width = "0.2"
 validator = { version = "0.20", features = ["derive"] }
 
 # Caching
-moka = { version = "0.12", features = ["sync"] }
+moka = { version = "0.12", features = ["future", "sync"] }
 
 # NTP client
 rsntp = { version = "4", default-features = false, features = ["chrono", "async"] }

Cargo.toml

@@ -29,6 +29,7 @@ chrono = { workspace = true }
 ed25519-dalek = { workspace = true }
 jsonwebtoken = { workspace = true }
 metrics-exporter-prometheus = { workspace = true }
+moka = { workspace = true }
 pem = { workspace = true }
 rand = { workspace = true }
 serde = { workspace = true }

crates/api/Cargo.toml

@@ -1,21 +1,21 @@
 //! Audit log handlers.
 //!
 //! Audit logs are managed by Ledger's event system. The `list_audit_logs`
-//! handler serves paginated events for an organization, while `create_audit_log`
-//! is an internal endpoint for ingesting Control-originated events.
+//! handler serves paginated events for an organization. Event ingestion
+//! is handled directly by Ledger.
 
-use std::collections::HashMap;
+use std::{collections::HashMap, time::Instant};
 
 use axum::{
     Extension, Json,
     extract::{Path, Query, State},
-    http::StatusCode,
 };
-use inferadb_control_core::service;
+use inferadb_control_core::SdkResultExt;
 use inferadb_control_types::Error as CoreError;
-use inferadb_ledger_sdk::{EventFilter, EventOutcome, OrganizationSlug, SdkIngestEventEntry};
+use inferadb_ledger_sdk::{EventFilter, EventOutcome, OrganizationSlug};
 use serde::{Deserialize, Serialize};
 
+use super::common::require_ledger;
 use crate::{
     handlers::auth::{AppState, Result},
     middleware::UserClaims,
@@ -26,8 +26,8 @@ use crate::{
 /// Query parameters for listing audit logs.
 #[derive(Debug, Deserialize)]
 pub struct ListAuditLogsQuery {
-    /// Maximum entries per page (1..=1000, default 100).
-    pub limit: Option<u32>,
+    /// Number of items per page (default 50, max 100).
+    pub page_size: Option<u32>,
     /// Opaque cursor for the next page.
     pub page_token: Option<String>,
     /// Filter by event type prefix (e.g., `"ledger.vault"`).
@@ -61,42 +61,8 @@ pub struct ListAuditLogsResponse {
     pub total_estimate: Option<u64>,
 }
 
-/// Request body for creating an audit log entry (internal endpoint).
-#[derive(Debug, Deserialize)]
-pub struct CreateAuditLogRequest {
-    /// Organization slug (external identifier).
-    pub organization: u64,
-    /// Hierarchical dot-separated event type (e.g., `"control.user.created"`).
-    pub event_type: String,
-    /// Who performed the action.
-    pub principal: String,
-    /// Outcome: `"success"`, `"failed"`, or `"denied"`.
-    #[serde(default = "default_outcome")]
-    pub outcome: String,
-    /// Action-specific key-value context.
-    #[serde(default)]
-    pub details: HashMap<String, String>,
-}
-
-fn default_outcome() -> String {
-    "success".to_string()
-}
-
-/// Response from creating an audit log entry.
-#[derive(Debug, Serialize)]
-pub struct CreateAuditLogResponse {
-    pub accepted_count: u32,
-    pub rejected_count: u32,
-}
-
 // ── Helpers ─────────────────────────────────────────────────────────
 
-fn require_ledger(
-    state: &AppState,
-) -> std::result::Result<&inferadb_ledger_sdk::LedgerClient, CoreError> {
-    state.ledger.as_deref().ok_or_else(|| CoreError::internal("Ledger client not configured"))
-}
-
 fn format_outcome(outcome: &inferadb_ledger_sdk::EventOutcome) -> String {
     match outcome {
         EventOutcome::Success => "success".to_string(),
@@ -148,45 +114,41 @@ fn build_event_filter(query: &ListAuditLogsQuery) -> std::result::Result<EventFi
     Ok(filter)
 }
 
-fn parse_request_outcome(
-    outcome: &str,
-    details: &HashMap<String, String>,
-) -> std::result::Result<EventOutcome, CoreError> {
-    match outcome {
-        "success" => Ok(EventOutcome::Success),
-        "failed" => Ok(EventOutcome::Failed {
-            code: details.get("error_code").cloned().unwrap_or_default(),
-            detail: details.get("error_detail").cloned().unwrap_or_default(),
-        }),
-        "denied" => Ok(EventOutcome::Denied {
-            reason: details.get("denial_reason").cloned().unwrap_or_default(),
-        }),
-        _ => Err(CoreError::validation(format!(
-            "invalid outcome '{outcome}': expected 'success', 'failed', or 'denied'"
-        ))),
-    }
-}
-
 // ── Handlers ────────────────────────────────────────────────────────
 
 /// List audit logs for an organization.
 ///
 /// GET /control/v1/organizations/{org}/audit-logs
 pub async fn list_audit_logs(
     State(state): State<AppState>,
-    Extension(_claims): Extension<UserClaims>,
+    Extension(claims): Extension<UserClaims>,
     Path(org): Path<u64>,
     Query(query): Query<ListAuditLogsQuery>,
 ) -> Result<Json<ListAuditLogsResponse>> {
     let ledger = require_ledger(&state)?;
     let organization = OrganizationSlug::new(org);
 
+    // Verify the caller is a member of this organization.
+    let start = Instant::now();
+    ledger
+        .get_organization(organization, claims.user_slug)
+        .await
+        .map_sdk_err_instrumented("get_organization", start)?;
+
     let page = if let Some(ref page_token) = query.page_token {
-        service::audit::list_events_next(ledger, organization, page_token).await?
+        let start = Instant::now();
+        ledger
+            .list_events_next(organization, page_token)
+            .await
+            .map_sdk_err_instrumented("list_events_next", start)?
     } else {
         let filter = build_event_filter(&query)?;
-        let limit = query.limit.unwrap_or(100).clamp(1, 1000);
-        service::audit::list_events(ledger, organization, filter, limit).await?
+        let limit = query.page_size.unwrap_or(50).clamp(1, 100);
+        let start = Instant::now();
+        ledger
+            .list_events(organization, filter, limit)
+            .await
+            .map_sdk_err_instrumented("list_events", start)?
     };
 
     let entries = page.entries.into_iter().map(sdk_entry_to_response).collect();
@@ -197,28 +159,3 @@ pub async fn list_audit_logs(
         total_estimate: page.total_estimate,
     }))
 }
-
-/// Record an audit log event (internal endpoint).
-///
-/// POST /internal/audit
-pub async fn create_audit_log(
-    State(state): State<AppState>,
-    Json(req): Json<CreateAuditLogRequest>,
-) -> Result<(StatusCode, Json<CreateAuditLogResponse>)> {
-    let ledger = require_ledger(&state)?;
-    let organization = OrganizationSlug::new(req.organization);
-    let outcome = parse_request_outcome(&req.outcome, &req.details)?;
-
-    let event =
-        SdkIngestEventEntry::new(&req.event_type, &req.principal, outcome).details(req.details);
-
-    let result = service::audit::ingest_events(ledger, organization, vec![event]).await?;
-
-    Ok((
-        StatusCode::CREATED,
-        Json(CreateAuditLogResponse {
-            accepted_count: result.accepted_count,
-            rejected_count: result.rejected_count,
-        }),
-    ))
-}

crates/api/src/audit.rs

@@ -24,7 +24,6 @@ pub struct AppState {
     #[builder(default = std::time::SystemTime::now())]
     pub start_time: std::time::SystemTime,
     pub email_service: Option<Arc<inferadb_control_core::EmailService>>,
-    pub control_identity: Option<Arc<inferadb_control_types::ControlIdentity>>,
     #[builder(default)]
     pub rate_limits: crate::middleware::RateLimitConfig,
     /// Ledger SDK client for direct service calls.
@@ -33,9 +32,15 @@ pub struct AppState {
     pub blinding_key: Option<Arc<inferadb_ledger_types::EmailBlindingKey>>,
     /// WebAuthn instance for passkey ceremony validation.
     pub webauthn: Option<Arc<webauthn_rs::Webauthn>>,
-    /// In-memory challenge store for WebAuthn begin/finish ceremonies.
+    /// Stateless challenge store for WebAuthn begin/finish ceremonies.
     #[builder(default)]
     pub challenge_store: inferadb_control_core::webauthn::ChallengeStore,
+    /// Application-level rate limiter for auth endpoints.
+    #[builder(default = Arc::new(inferadb_control_core::in_memory_rate_limiter()))]
+    pub rate_limiter: Arc<inferadb_control_core::InMemoryRateLimiter>,
+    /// JWKS cache for local JWT validation on read routes.
+    #[builder(default)]
+    pub jwks_cache: crate::middleware::JwksCache,
 }
 
 impl AppState {

crates/api/src/handlers/audit_logs.rs

@@ -4,10 +4,12 @@
 //! Ledger's token service. These coexist with the old auth handlers
 //! during migration.
 
+use std::time::Instant;
+
 use axum::{Json, extract::State};
 use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
 use inferadb_control_const::auth::{ACCESS_TOKEN_COOKIE_NAME, REFRESH_TOKEN_COOKIE_NAME};
-use inferadb_control_core::service;
+use inferadb_control_core::SdkResultExt;
 use inferadb_control_types::Error as CoreError;
 use serde::{Deserialize, Serialize};
 use time;
@@ -57,12 +59,21 @@ pub fn set_token_cookies(
     jar: CookieJar,
     token_pair: &inferadb_ledger_sdk::token::TokenPair,
 ) -> CookieJar {
+    // Derive access cookie max-age from token expiry when available,
+    // falling back to the default constant.
+    let access_max_age_secs = token_pair
+        .access_expires_at
+        .and_then(|expires_at| {
+            expires_at.duration_since(std::time::SystemTime::now()).ok().map(|d| d.as_secs() as i64)
+        })
+        .unwrap_or(ACCESS_COOKIE_MAX_AGE_SECS);
+
     let access_cookie = Cookie::build((ACCESS_TOKEN_COOKIE_NAME, token_pair.access_token.clone()))
         .path("/")
         .http_only(true)
         .secure(true)
         .same_site(SameSite::Lax)
-        .max_age(time::Duration::seconds(ACCESS_COOKIE_MAX_AGE_SECS))
+        .max_age(time::Duration::seconds(access_max_age_secs))
         .build();
 
     let refresh_cookie =
@@ -94,16 +105,22 @@ pub async fn refresh(
     jar: CookieJar,
     Json(body): Json<RefreshTokenRequest>,
 ) -> Result<(CookieJar, Json<TokenPairResponse>), ApiError> {
-    let ledger =
-        state.ledger.as_ref().ok_or_else(|| CoreError::internal("Ledger client not configured"))?;
+    let ledger = state
+        .ledger
+        .as_deref()
+        .ok_or_else(|| CoreError::internal("Ledger client not configured"))?;
 
     // Extract refresh token from body or cookie
     let refresh_token = body
         .refresh_token
         .or_else(|| jar.get(REFRESH_TOKEN_COOKIE_NAME).map(|c| c.value().to_string()))
         .ok_or_else(|| CoreError::auth("no refresh token provided"))?;
 
-    let token_pair = service::session::refresh_token(ledger, &refresh_token).await?;
+    let start = Instant::now();
+    let token_pair = ledger
+        .refresh_token(&refresh_token)
+        .await
+        .map_sdk_err_instrumented("refresh_token", start)?;
 
     let response = TokenPairResponse {
         access_token: token_pair.access_token.clone(),
@@ -122,15 +139,22 @@ pub async fn logout(
     State(state): State<AppState>,
     jar: CookieJar,
 ) -> Result<(CookieJar, Json<LogoutResponse>), ApiError> {
-    let ledger =
-        state.ledger.as_ref().ok_or_else(|| CoreError::internal("Ledger client not configured"))?;
+    let ledger = state
+        .ledger
+        .as_deref()
+        .ok_or_else(|| CoreError::internal("Ledger client not configured"))?;
 
     // Try to revoke the refresh token if present
     if let Some(cookie) = jar.get(REFRESH_TOKEN_COOKIE_NAME) {
         let refresh_token = cookie.value();
         if !refresh_token.is_empty() {
             // Best-effort revocation — don't fail the logout if revocation fails
-            if let Err(e) = service::session::revoke_token(ledger, refresh_token).await {
+            let start = Instant::now();
+            if let Err(e) = ledger
+                .revoke_token(refresh_token)
+                .await
+                .map_sdk_err_instrumented("revoke_token", start)
+            {
                 tracing::warn!(error = %e, "Failed to revoke refresh token during logout");
             }
         }
@@ -148,11 +172,16 @@ pub async fn revoke_all(
     axum::Extension(claims): axum::Extension<UserClaims>,
     jar: CookieJar,
 ) -> Result<(CookieJar, Json<RevokeAllResponse>), ApiError> {
-    let ledger =
-        state.ledger.as_ref().ok_or_else(|| CoreError::internal("Ledger client not configured"))?;
-
-    let revoked_count =
-        service::session::revoke_all_user_sessions(ledger, claims.user_slug).await?;
+    let ledger = state
+        .ledger
+        .as_deref()
+        .ok_or_else(|| CoreError::internal("Ledger client not configured"))?;
+
+    let start = Instant::now();
+    let revoked_count = ledger
+        .revoke_all_user_sessions(claims.user_slug)
+        .await
+        .map_sdk_err_instrumented("revoke_all_user_sessions", start)?;
 
     let jar = clear_token_cookies(jar);
     Ok((jar, Json(RevokeAllResponse { revoked_count })))