Just a suggestion here: Not that this is super cryptic, but I'd still prefer a more straightforward approach of defining the 3 methods explicitly, and then DRYing up repetition by having them delegate their implementation to a private method that does most of the work. Lmk if that isn't clear, but I think you'll know what I mean. Two advantages would be:

1. Less likely to violate the principle of least surprise: If I see one of these methods being used in client code, I'd expect there to be a def <method_name> somewhere.
2. For IDEs like rubymine (I don't use it atm, but I sometimes do...) I believe this will break that autolookup / jump to definition type features.

You're probably right, however I'll leave this as is for now.

Add a note clarifying the reasons you inheritied from String here, since it's an choice and might confuse:

Yeah, that's a funny thing. I wanted to make it compatible with Ruby's built-in log formatter and it actually checks if a message is a String and uses #inspect if it isn't. I'm not very happy with that solution and I might actually end up ditching the compatibility on some refactor, but that's how it is for now.
So in short it's a workaround for a bug in Logger::Formatter or whatever it's called. Which is also duplicated by ActiveSupport's formatter.

I'll add it, thanks.

I'd like to see some more comments about what this SDID is used for.

I'm not sure what you mean. The SD-IDs are documented in audit.md.

After your experience with my code, I now believe that any time something in code needs an explanation, having it documented elsewhere is not enough. Either repeat the explanation directly in the code comments, or include a link to the explanation in the code comments.

Fair :) Could you say more about what do you feel needs explanation?

Confusing to me why this is here as part of audit. If there is a good reason, I'd add a comment explaining it.

There is no specific reason. It'll be moved out at some point.

I'd move the whole RFC5424Formatter class to its own file, as it stands independently.

Yeah, I'll probably do that eventually.

I like to put constants at top per ruby style guide

If they'd been meant for external use, I would. But since these are in a way only local, I like to keep them near the code that uses them.

Currently the interface for this class is only implicit: you have to read through every method to figure out what attribute assignments must be made before it can be used. It must be made explicit one way or the other. My preference would be:

1. Write a normal intializer which accepts the member variables. This has the advantage of not only being explicit, but also making the client code interface clear and consistent. There's really no reason anyone should be using attr setters with this object. Also, you can enforce immutability.
2. If you don't want to do 1. right now, please at least document the intended interface in comments.

Good point, I'll make it clearer.

I'd prefer not to rely on Rails methods in our domain code. I'd like to see a require active_support if you want to keep it (just to make that dep clear) or else service.id rescue nil

I understand where you're coming from, but I like the expressiveness of some of ActiveSupport utilities and this code is unlikely to be moved out.

You don't need to fix this, but there's something confusing to me about the naming. we have an "event" emitting a "success" (a "success event"). so an event is emitting an event, which reads oddly.

There's also a kind of strange inversion in the design, in that this object delegates to the thing that actually writes the log. Ie, we have an Event with an Audit (the actually log writer) inside of it, and the event calls its own emit_success which then calls Audit, passing the events own structured data to Audit.info.

I think a simpler, clearer design would be to just have pass events to Audit's writer methods, and allow client code to use Audit. But that's a larger (though not very large) refactor -- just food for thought.

Spent some time thinking about it actually. Maybe it'll get refactored at some point.

Just a note for later (not specific to your code), but just to make you aware: we have similar logic to this in multiple places in our code base (and others I believe) including my rotator code. At some point we should DRY it all up.

Agreed. That's why I added this method in lieu of copying the same functionality again, even though I didn't go the one step further and found all the places where it could be used.

I don't understand you what you mean, this does copy the same functionality again. It can't be reused beause here it exists in a very specific context (inside an audit event object), whereas in the codebase in general it's used in many different contexts. I'm not saying this because I want you to change anything atm, just want to clarify my initial point.

What prevents this method from being used in all the other different contexts?

After your experience with my code, I now believe that any time something in code needs an explanation, having it documented elsewhere is not enough. Either repeat the explanation directly in the code comments, or include a link to the explanation in the code comments.

I don't understand you what you mean, this does copy the same functionality again. It can't be reused beause here it exists in a very specific context (inside an audit event object), whereas in the codebase in general it's used in many different contexts. I'm not saying this because I want you to change anything atm, just want to clarify my initial point.

Thank you! I was just about to add this :)

No worries. I think we need to start building our own utility containers for stuff like this....

I don't think it's worth the effort for one-tool containers like that. I do think, however, that we ought to start pinning known good versions. Even better, actually review the images to make sure there are no backdoors or surprises of some sort, and then pin by specific SHA that we reviewed.