Centralize FileAccess audit logging in DFS with structured format

[Copilot]

FileAccess audit logging was scattered across 6+ components with inconsistent CSV-style formats and missing DFS-side metadata (file sizes, clusters). This refactor moves all audit emission into DFS, standardizes to JSON Lines format, and enriches records with compressed/uncompressed sizes.

Changes

Audit Context Infrastructure

• IDFSAuditContext interface with required fields (user, peer, component, instance) and optional fields (wuid, graph, jobId)
• Thread-local context storage via setDFSAuditContext() / queryDFSAuditContext()
• DFSAuditScope RAII helper for scoped context management
• emitDFSAuditLog() exported for components that bypass DFS operations

DFS Audit Emission

• lookup(): emits READ audit only for content access (skips AccessMode::readMeta)
• removeEntry(): emits DELETED audit
• rename() / renamePhysical(): emit RENAMED audit
• All audits enriched with file sizes and cluster info from DFS

Caller Refactoring

• ESP services (WS_DFU, WS_DFS): extract context from IEspContext, use DFSAuditScope
• Thor: extract context from job/workunit, use scoped context for file operations
• FileServices: updated AuditMessage() to use JSON format
• DFU Plus / ECL Agent: updated audit helpers to use JSON format

Example

// Caller creates audit context once per request/job
Owned<IDFSAuditContext> ctx = createDFSAuditContext(
    userID, peerIP, "WS_DFU", "EspProcess", wuid, graph, jobId
);

// Set for DFS operations in scope
DFSAuditScope scope(ctx.getClear());

// DFS emits audit automatically on content access
Owned<IDistributedFile> df = queryDistributedFileDirectory().lookup(
    fileName, userDesc, AccessMode::tbdRead, ...
);
// → Emits: {"type":"FileAccess","action":"READ","component":"WS_DFU",...}

Format Migration

Before:

,FileAccess,Thor,READ,nodegroup,user,file.dat,W20240101-120000,graph1,1024,512,2,cluster1,cluster2

After:

{"type":"FileAccess","action":"READ","component":"Thor","instance":"nodegroup","user":"user","peer":"","logicalName":"file.dat","wuid":"W20240101-120000","graph":"graph1","compressedSize":512,"uncompressedSize":1024,"cluster":"cluster1","numClusters":2}

Notes

• Backward compatible: audit context is optional, non-audited paths unchanged
• No DFS API signature changes
• Metadata-only lookups (readMeta) correctly skip auditing

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.