feat: per-key audit log dialog (opt-in) + AuditPinnedFilter primitive

[poxet]

Summary

Three connected pieces that together let an admin click an API-key row and see the audit history scoped to that specific key — without juggling filters in /developer/audit.

The reusable middle piece (AuditPinnedFilter on <AuditLogView />) also unblocks future audit-for-team / audit-for-user dialogs without further plumbing.

Stack changes

1. Stable per-API-key identifier (Tharga.Team / Tharga.Team.Service)

• New AuditEntry.CallerKeyId (Guid string of IApiKey.Key)
• New TeamClaimTypes.ApiKeyId claim emitted by ApiKeyAuthenticationHandler for both team and system keys
• AuditHelper.BuildEntry reads the claim and populates the entry
• ApiKeyAuthenticationHandler.LogAuthEvent writes it directly from IApiKey.Key
• AuditEntryEntity (Mongo) round-trips the field
• New AuditQuery.CallerKeyId filter applied as Eq in MongoDbAuditLogger.QueryAsync

2. AuditPinnedFilter primitive (Tharga.Team.Blazor)

New public record with the dimensions worth pinning:

public sealed record AuditPinnedFilter
{
    public string CallerKeyId { get; init; }
    public AuditCallerType? CallerType { get; init; }
    public string TeamKey { get; init; }
    public string CallerIdentity { get; init; }
    public string Feature { get; init; }
    public string Action { get; init; }
}

<AuditLogView PinnedFilter=... />:

• Force-injects pinned values into the AuditQuery (overrides any local filter state)
• Disables the matching top-bar RadzenSelectBar controls
• Renders an info banner above the filters showing the pinned scope

3. Opt-in row button (Tharga.Team.Blazor)

<ApiKeyView ShowAuditLogButton="true" />
<SystemApiKeyView ShowAuditLogButton="true" />

[Parameter] bool ShowAuditLogButton defaults to false — existing consumers see no UI change. When on, each row gets a manage_search icon button that opens a wide draggable Radzen dialog (90vw × 85vh, Draggable=true, Resizable=true) hosting <AuditLogView PinnedFilter="@pinned" /> with CallerKeyId + CallerType=ApiKey pinned. Actions column auto-widens by 40px when the button is shown.

4. Sample wiring

Tharga.Platform.Sample enables ShowAuditLogButton="true" on both /api-keys and /system-api-keys so the feature is testable end-to-end.

Tests

8 new (4 service-level — ApiKeyId claim emission for team + system keys, plus shape checks; 4 component-shape — AuditPinnedFilter public surface, [Parameter] declarations on the views and AuditLogView). Full suite: 263 tests passing.

Test plan

• Build + security checks pass
• On the sample, click the audit-log button on a row → dialog opens centered, shows the pinned-scope banner, and lists only entries for that key
• Drag and resize the dialog
• Disabled top-bar controls show the pinned values

[codecov]

Codecov Report

❌ Patch coverage is 17.56757% with 61 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
Tharga.Team.Blazor/Features/Api/ApiKeyView.razor	0.00%	21 Missing ⚠️
...a.Team.Blazor/Features/Audit/AuditLogView.razor.cs	0.00%	16 Missing ⚠️
...ga.Team.Blazor/Features/Api/SystemApiKeyView.razor	0.00%	11 Missing ⚠️
...arga.Team.Blazor/Features/Audit/AuditLogView.razor	0.00%	7 Missing ⚠️
Tharga.Team.Service/Audit/MongoDbAuditLogger.cs	0.00%	4 Missing ⚠️
Tharga.Team.Service/ApiKeyAuthenticationHandler.cs	80.00%	0 Missing and 1 partial ⚠️
Tharga.Team.Service/Audit/AuditEntryEntity.cs	0.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!