Add local decision log

internal/decision/engine_test.go

@@ -9,6 +9,7 @@ import (
 
 	"gopkg.in/yaml.v3"
 
+	"github.com/netkingdom/flex-auth/internal/audit"
 	"github.com/netkingdom/flex-auth/internal/decision"
 	"github.com/netkingdom/flex-auth/internal/policy"
 	"github.com/netkingdom/flex-auth/internal/registry"
@@ -188,6 +189,40 @@ func TestExplainUsesRecordedDecision(t *testing.T) {
 	}
 }
 
+func TestCheckWritesDecisionLog(t *testing.T) {
+	engine := newTestEngine(t)
+	log := audit.NewJSONLDecisionLog(filepath.Join(t.TempDir(), "decisions.jsonl"))
+	engine.SetDecisionLog(log)
+
+	got, err := engine.Check(context.Background(), api.CheckRequest{
+		ID:      "check:logged-deny",
+		Subject: api.SubjectRef{ID: "user:alice"},
+		Action:  "read",
+		Resource: api.ResourceRef{
+			ID:     "document:missing",
+			Type:   "document",
+			System: "markitect-tool",
+		},
+	})
+	if err != nil {
+		t.Fatalf("Check: %v", err)
+	}
+	if got.Effect != api.DecisionEffectDeny {
+		t.Fatalf("got.Effect = %q; want deny", got.Effect)
+	}
+
+	decisions, err := log.ReadAll()
+	if err != nil {
+		t.Fatalf("ReadAll: %v", err)
+	}
+	if len(decisions) != 1 {
+		t.Fatalf("len(decisions) = %d; want 1", len(decisions))
+	}
+	if decisions[0].ID != got.ID || decisions[0].Effect != api.DecisionEffectDeny {
+		t.Fatalf("logged decision = %+v; want logged deny %s", decisions[0], got.ID)
+	}
+}
+
 func newTestEngine(t *testing.T) *decision.Engine {
 	t.Helper()