Add missing audit events for metadata updates and verification status

[unmultimedio]

No description provided.

[github-actions]

The latest Buf updates on your PR. Results from workflow Buf CI / buf (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	✅ passed	✅ passed	✅ passed	Dec 12, 2024, 9:01 PM

[unmultimedio]

This is in a similar spot like this other conversation, the definition of these verification statuses live in registry-proto here, so we don't have a way to reference the right value here.

The options I see are:

1. Log the string value of that enum in registry-proto here; that doesn't feel right.
2. Add an equivalent enum in this pkg, and a parser in the audit log writer that converts from that registry-proto's enum to the one in here; it's duplication of types but that doesn't sound too bad I think.
3. Punt auditing this event until we move this pkg to be colocated in registry-proto.

This same scenario happens with PayloadUserVerificationStatusChanged.

[mfridman]

I could be wrong, but it feels like this over-indexes on "audit logging" everything available. Do users really care what user changed the description and to what?

Where do we draw the line on what we audit and not?

[unmultimedio]

In general terms we're leaning on auditing any write operation. Even the original proposal was thinking how we could expand on read operations too, but we haven't gone that far yet.

This PR adds metadata (true it may be not super important, just URLs and descriptions), and verification status changes (they sound pretty important to me, and they're not being audited yet).

Let's chat about it.

[bufdev]

approving from my side but you both resolve this

[unmultimedio]

Chatted internally with the team, closing this PR until/if we decide these events are worth auditing.