feat(authz): audit logs should properly handle obligations (#2824)

### Proposed Changes

* audit logs report on:
   * overall fulfillable obligations
   * required obligations at the resource decision level
   * whether or not obligations were satisfied
* adds unit test that entitlements related to the decision come back
from pdp call to populate audit log
* update audit logs to clarify decision audit logs only contain
entitlements relevant to decisioning (not all entitlements)

Single resource success log:
```json
{
  "time": "2025-10-21T19:42:59.465451-07:00",
  "level": "AUDIT",
  "msg": "decision",
  "namespace": "authorization",
  "version": "v2",
  "audit": {
    "object": {
      "type": "entity_object",
      "id": "jwtentity-1-clientid-opentdf-read",
      "name": "decisionRequest-read",
      "attributes": { "assertions": null, "attrs": null, "permissions": null }
    },
    "action": { "type": "read", "result": "success" },
    "actor": {
      "id": "jwtentity-1-clientid-opentdf",
      "attributes": [
        {
          "entitlements_relevant_to_decision": {
            "https://example.com/attr/class/value/topsecret": [
              {
                "id": "a1bb9ff7-74a1-4c30-a5c2-7067a1d84aef",
                "Value": null,
                "name": "read"
              }
            ]
          }
        }
      ]
    },
    "eventMetaData": {
      "resource_decisions": [
        {
          "passed": true,
          "obligations_satisfied": true,
          "entitled": true,
          "resource_id": "resource-0",
          "resource_name": "https://reg_res/testing/value/secret",
          "data_rule_results": [
            {
              "passed": true,
              "resource_value_fqns": [
                "https://example.com/attr/class/value/secret"
              ],
              "attribute": {
                "id": "70e2949e-8a15-4b4d-ab2a-a1a9bfa415a9",
                "rule": 3,
                "fqn": "https://example.com/attr/class"
              },
              "entitlement_failures": null
            }
          ],
          "required_obligation_value_fqns": [
            "https://example.com/obl/drm/value/mask"
          ]
        }
      ],
      "fulfillable_obligation_value_fqns": [
        "https://example.com/obl/drm/value/mask"
      ],
      "obligations_satisfied": true
    },
    "clientInfo": {
      "userAgent": "grpc-go/1.61.0",
      "platform": "authorization.v2",
      "requestIP": "None"
    },
    "original": null,
    "updated": null,
    "requestID": "17a49c85-8a0c-4996-8804-d91d0b77e501",
    "timestamp": "2025-10-21T19:42:59-07:00"
  }
}
```

single resource failure log:
```json
{
  "time": "2025-10-21T19:42:18.829716-07:00",
  "level": "AUDIT",
  "msg": "decision",
  "namespace": "authorization",
  "version": "v2",
  "audit": {
    "object": {
      "type": "entity_object",
      "id": "jwtentity-1-clientid-opentdf-read",
      "name": "decisionRequest-read",
      "attributes": { "assertions": null, "attrs": null, "permissions": null }
    },
    "action": { "type": "read", "result": "failure" },
    "actor": {
      "id": "jwtentity-1-clientid-opentdf",
      "attributes": [
        {
          "entitlements_relevant_to_decision": {
            "https://example.com/attr/class/value/topsecret": [
              {
                "id": "a1bb9ff7-74a1-4c30-a5c2-7067a1d84aef",
                "Value": null,
                "name": "read"
              }
            ]
          }
        }
      ]
    },
    "eventMetaData": {
      "resource_decisions": [
        {
          "passed": false,
          "obligations_satisfied": false,
          "entitled": true,
          "resource_id": "resource-0",
          "resource_name": "https://reg_res/testing/value/secret",
          "data_rule_results": [
            {
              "passed": true,
              "resource_value_fqns": [
                "https://example.com/attr/class/value/secret"
              ],
              "attribute": {
                "id": "70e2949e-8a15-4b4d-ab2a-a1a9bfa415a9",
                "rule": 3,
                "fqn": "https://example.com/attr/class"
              },
              "entitlement_failures": null
            }
          ],
          "required_obligation_value_fqns": [
            "https://example.com/obl/drm/value/mask"
          ]
        }
      ],
      "fulfillable_obligation_value_fqns": [],
      "obligations_satisfied": false
    },
    "clientInfo": {
      "userAgent": "grpc-go/1.61.0",
      "platform": "authorization.v2",
      "requestIP": "None"
    },
    "original": null,
    "updated": null,
    "requestID": "eb3681fc-96e5-4328-be1b-3b4da9deab19",
    "timestamp": "2025-10-21T19:42:18-07:00"
  }
}
```

multi-resource success log:
```json
{
  "time": "2025-10-21T19:40:00.00347-07:00",
  "level": "AUDIT",
  "msg": "decision",
  "namespace": "authorization",
  "version": "v2",
  "audit": {
    "object": {
      "type": "entity_object",
      "id": "jwtentity-1-clientid-opentdf-read",
      "name": "decisionRequest-read",
      "attributes": { "assertions": null, "attrs": null, "permissions": null }
    },
    "action": { "type": "read", "result": "success" },
    "actor": {
      "id": "jwtentity-1-clientid-opentdf",
      "attributes": [
        {
          "entitlements_relevant_to_decision": {
            "https://example.com/attr/class/value/topsecret": [
              {
                "id": "a1bb9ff7-74a1-4c30-a5c2-7067a1d84aef",
                "Value": null,
                "name": "read"
              }
            ]
          }
        }
      ]
    },
    "eventMetaData": {
      "resource_decisions": [
        {
          "passed": true,
          "obligations_satisfied": true,
          "entitled": true,
          "resource_id": "resource-0",
          "resource_name": "https://reg_res/testing/value/secret",
          "data_rule_results": [
            {
              "passed": true,
              "resource_value_fqns": [
                "https://example.com/attr/class/value/secret"
              ],
              "attribute": {
                "id": "70e2949e-8a15-4b4d-ab2a-a1a9bfa415a9",
                "rule": 3,
                "fqn": "https://example.com/attr/class"
              },
              "entitlement_failures": null
            }
          ],
          "required_obligation_value_fqns": [
            "https://example.com/obl/drm/value/mask"
          ]
        },
        {
          "passed": true,
          "obligations_satisfied": true,
          "entitled": true,
          "resource_id": "resource-1",
          "data_rule_results": [
            {
              "passed": true,
              "resource_value_fqns": [
                "https://example.com/attr/class/value/secret"
              ],
              "attribute": {
                "id": "70e2949e-8a15-4b4d-ab2a-a1a9bfa415a9",
                "rule": 3,
                "fqn": "https://example.com/attr/class"
              },
              "entitlement_failures": null
            }
          ],
          "required_obligation_value_fqns": [
            "https://example.com/obl/drm/value/mask"
          ]
        }
      ],
      "fulfillable_obligation_value_fqns": [
        "https://example.com/obl/drm/value/mask"
      ],
      "obligations_satisfied": true
    },
    "clientInfo": {
      "userAgent": "grpc-go/1.61.0",
      "platform": "authorization.v2",
      "requestIP": "None"
    },
    "original": null,
    "updated": null,
    "requestID": "f87d7480-20b5-4e2e-b08a-0e4608e43c9e",
    "timestamp": "2025-10-21T19:40:00-07:00"
  }
}

```

Multi resource failure log:
```json
{
  "time": "2025-10-21T19:40:06.710929-07:00",
  "level": "AUDIT",
  "msg": "decision",
  "namespace": "authorization",
  "version": "v2",
  "audit": {
    "object": {
      "type": "entity_object",
      "id": "jwtentity-1-clientid-opentdf-read",
      "name": "decisionRequest-read",
      "attributes": { "assertions": null, "attrs": null, "permissions": null }
    },
    "action": { "type": "read", "result": "failure" },
    "actor": {
      "id": "jwtentity-1-clientid-opentdf",
      "attributes": [
        {
          "entitlements_relevant_to_decision": {
            "https://example.com/attr/class/value/topsecret": [
              {
                "id": "a1bb9ff7-74a1-4c30-a5c2-7067a1d84aef",
                "Value": null,
                "name": "read"
              }
            ]
          }
        }
      ]
    },
    "eventMetaData": {
      "resource_decisions": [
        {
          "passed": false,
          "obligations_satisfied": false,
          "entitled": true,
          "resource_id": "resource-0",
          "resource_name": "https://reg_res/testing/value/secret",
          "data_rule_results": [
            {
              "passed": true,
              "resource_value_fqns": [
                "https://example.com/attr/class/value/secret"
              ],
              "attribute": {
                "id": "70e2949e-8a15-4b4d-ab2a-a1a9bfa415a9",
                "rule": 3,
                "fqn": "https://example.com/attr/class"
              },
              "entitlement_failures": null
            }
          ],
          "required_obligation_value_fqns": [
            "https://example.com/obl/drm/value/mask"
          ]
        },
        {
          "passed": false,
          "obligations_satisfied": false,
          "entitled": true,
          "resource_id": "resource-1",
          "data_rule_results": [
            {
              "passed": true,
              "resource_value_fqns": [
                "https://example.com/attr/class/value/secret"
              ],
              "attribute": {
                "id": "70e2949e-8a15-4b4d-ab2a-a1a9bfa415a9",
                "rule": 3,
                "fqn": "https://example.com/attr/class"
              },
              "entitlement_failures": null
            }
          ],
          "required_obligation_value_fqns": [
            "https://example.com/obl/drm/value/mask"
          ]
        }
      ],
      "fulfillable_obligation_value_fqns": [],
      "obligations_satisfied": false
    },
    "clientInfo": {
      "userAgent": "grpc-go/1.61.0",
      "platform": "authorization.v2",
      "requestIP": "None"
    },
    "original": null,
    "updated": null,
    "requestID": "6561c969-f169-4e16-84a6-f378f481b28d",
    "timestamp": "2025-10-21T19:40:06-07:00"
  }
}
```

Author: jakedoublev

service/authorization/v2/authorization_test.go

@@ -1374,7 +1374,7 @@ func Test_RollupSingleResourceDecision(t *testing.T) {
 			permitted: true,
 			decisions: []*access.Decision{
 				{
-					Access: true,
+					AllPermitted: true,
 					Results: []access.ResourceDecision{
 						{
 							ResourceID: "resource-123",
@@ -1395,7 +1395,7 @@ func Test_RollupSingleResourceDecision(t *testing.T) {
 			permitted: true,
 			decisions: []*access.Decision{
 				{
-					Access: true,
+					AllPermitted: true,
 					Results: []access.ResourceDecision{
 						{
 							ResourceID: "resource-123",
@@ -1422,7 +1422,7 @@ func Test_RollupSingleResourceDecision(t *testing.T) {
 			permitted: false,
 			decisions: []*access.Decision{
 				{
-					Access: true, // Verify permitted takes precedence
+					AllPermitted: true, // Verify permitted takes precedence
 					Results: []access.ResourceDecision{
 						{
 							ResourceID: "resource-123",
@@ -1443,7 +1443,7 @@ func Test_RollupSingleResourceDecision(t *testing.T) {
 			permitted: false,
 			decisions: []*access.Decision{
 				{
-					Access: true, // Verify permitted takes precedence
+					AllPermitted: true, // Verify permitted takes precedence
 					Results: []access.ResourceDecision{
 						{
 							ResourceID:                  "resource-123",
@@ -1473,8 +1473,8 @@ func Test_RollupSingleResourceDecision(t *testing.T) {
 			permitted: true,
 			decisions: []*access.Decision{
 				{
-					Access:  true,
-					Results: []access.ResourceDecision{},
+					AllPermitted: true,
+					Results:      []access.ResourceDecision{},
 				},
 			},
 			expectedResult: nil,
@@ -1509,7 +1509,7 @@ func Test_RollupMultiResourceDecisions(t *testing.T) {
 			name: "should return multiple permit decisions",
 			decisions: []*access.Decision{
 				{
-					Access: true,
+					AllPermitted: true,
 					Results: []access.ResourceDecision{
 						{
 							Passed:     true,
@@ -1518,7 +1518,7 @@ func Test_RollupMultiResourceDecisions(t *testing.T) {
 					},
 				},
 				{
-					Access: true,
+					AllPermitted: true,
 					Results: []access.ResourceDecision{
 						{
 							Passed:     true,
@@ -1542,7 +1542,7 @@ func Test_RollupMultiResourceDecisions(t *testing.T) {
 			name: "should return mix of permit and deny decisions",
 			decisions: []*access.Decision{
 				{
-					Access: true,
+					AllPermitted: true,
 					Results: []access.ResourceDecision{
 						{
 							Passed:     true,
@@ -1551,7 +1551,7 @@ func Test_RollupMultiResourceDecisions(t *testing.T) {
 					},
 				},
 				{
-					Access: false,
+					AllPermitted: false,
 					Results: []access.ResourceDecision{
 						{
 							Passed:     false,
@@ -1575,7 +1575,7 @@ func Test_RollupMultiResourceDecisions(t *testing.T) {
 			name: "should rely on results and default to false decisions",
 			decisions: []*access.Decision{
 				{
-					Access: true,
+					AllPermitted: true,
 					Results: []access.ResourceDecision{
 						{
 							Passed:     true,
@@ -1588,7 +1588,7 @@ func Test_RollupMultiResourceDecisions(t *testing.T) {
 					},
 				},
 				{
-					Access: false,
+					AllPermitted: false,
 					Results: []access.ResourceDecision{
 						{
 							Passed:     false,
@@ -1616,7 +1616,7 @@ func Test_RollupMultiResourceDecisions(t *testing.T) {
 			name: "should ignore global access and care about resource decisions predominantly",
 			decisions: []*access.Decision{
 				{
-					Access: false,
+					AllPermitted: false,
 					Results: []access.ResourceDecision{
 						{
 							Passed:     false,
@@ -1629,7 +1629,7 @@ func Test_RollupMultiResourceDecisions(t *testing.T) {
 					},
 				},
 				{
-					Access: false,
+					AllPermitted: false,
 					Results: []access.ResourceDecision{
 						{
 							Passed:     true,
@@ -1657,7 +1657,7 @@ func Test_RollupMultiResourceDecisions(t *testing.T) {
 			name: "should return obligations whenever found on a resource",
 			decisions: []*access.Decision{
 				{
-					Access: true,
+					AllPermitted: true,
 					Results: []access.ResourceDecision{
 						{
 							Passed:     true,
@@ -1678,7 +1678,7 @@ func Test_RollupMultiResourceDecisions(t *testing.T) {
 					},
 				},
 				{
-					Access: false,
+					AllPermitted: false,
 					Results: []access.ResourceDecision{
 						{
 							Passed:     false,
@@ -1728,8 +1728,8 @@ func Test_RollupMultiResourceDecisions(t *testing.T) {
 			name: "should return error when decision has no results",
 			decisions: []*access.Decision{
 				{
-					Access:  true,
-					Results: []access.ResourceDecision{},
+					AllPermitted: true,
+					Results:      []access.ResourceDecision{},
 				},
 			},
 			expectedError: ErrDecisionMustHaveResults,
@@ -1794,8 +1794,8 @@ func Test_RollupMultiResourceDecisions_WithNilChecks(t *testing.T) {
 	t.Run("nil Results field", func(t *testing.T) {
 		decisions := []*access.Decision{
 			{
-				Access:  true,
-				Results: nil,
+				AllPermitted: true,
+				Results:      nil,
 			},
 		}
 		_, err := rollupMultiResourceDecisions(decisions)
@@ -1822,8 +1822,8 @@ func Test_RollupSingleResourceDecision_WithNilChecks(t *testing.T) {
 	t.Run("nil Results field", func(t *testing.T) {
 		decisions := []*access.Decision{
 			{
-				Access:  true,
-				Results: nil,
+				AllPermitted: true,
+				Results:      nil,
 			},
 		}
 		_, err := rollupSingleResourceDecision(true, decisions)

service/internal/access/v2/evaluate.go

@@ -85,7 +85,7 @@ func getResourceDecision(
 		// indicates a failure before attribute definition rule evaluation
 		if len(resourceAttributeValues.GetFqns()) == 0 {
 			failure := &ResourceDecision{
-				Passed:       false,
+				Entitled:     false,
 				ResourceID:   resourceID,
 				ResourceName: registeredResourceValueFQN,
 			}
@@ -151,7 +151,7 @@ func evaluateResourceAttributeValues(
 
 	// Return results in the appropriate structure
 	result := &ResourceDecision{
-		Passed:          passed,
+		Entitled:        passed,
 		ResourceID:      resourceID,
 		DataRuleResults: dataRuleResults,
 	}

service/internal/access/v2/evaluate_test.go

@@ -785,7 +785,7 @@ func (s *EvaluateTestSuite) TestEvaluateResourceAttributeValues() {
 			} else {
 				s.Require().NoError(err)
 				s.NotNil(resourceDecision)
-				s.Equal(tc.expectAccessible, resourceDecision.Passed)
+				s.Equal(tc.expectAccessible, resourceDecision.Entitled)
 
 				// Check results array has the correct length based on grouping by definition
 				definitions := make(map[string]bool)
@@ -937,7 +937,7 @@ func (s *EvaluateTestSuite) TestGetResourceDecision() {
 			} else {
 				s.Require().NoError(err)
 				s.NotNil(decision)
-				s.Equal(tc.expectPass, decision.Passed, "Decision pass status didn't match")
+				s.Equal(tc.expectPass, decision.Entitled, "Decision entitlement status didn't match")
 				s.Equal(tc.resource.GetEphemeralId(), decision.ResourceID, "Resource ID didn't match")
 			}
 		})

service/internal/access/v2/just_in_time_pdp.go

@@ -19,6 +19,7 @@ import (
 
 	"github.com/opentdf/platform/service/internal/access/v2/obligations"
 	"github.com/opentdf/platform/service/logger"
+	"github.com/opentdf/platform/service/logger/audit"
 )
 
 var (
@@ -141,7 +142,7 @@ func (p *JustInTimePDP) GetDecision(
 	)
 
 	// Because there are three possible types of entities, check obligations first to more easily handle decisioning logic
-	allTriggeredObligationsCanBeFulfilled, requiredObligationsPerResource, err := p.obligationsPDP.GetAllTriggeredObligationsAreFulfilled(
+	obligationDecision, err := p.obligationsPDP.GetAllTriggeredObligationsAreFulfilled(
 		ctx,
 		resources,
 		action,
@@ -165,26 +166,22 @@ func (p *JustInTimePDP) GetDecision(
 	case *authzV2.EntityIdentifier_RegisteredResourceValueFqn:
 		regResValueFQN := strings.ToLower(entityIdentifier.GetRegisteredResourceValueFqn())
 		// Registered resources do not have entity representations, so only one decision is made
-		decision, err := p.pdp.GetDecisionRegisteredResource(ctx, regResValueFQN, action, resources)
+		decision, entitlements, err := p.pdp.GetDecisionRegisteredResource(ctx, regResValueFQN, action, resources)
 		if err != nil {
 			return nil, false, fmt.Errorf("failed to get decision for registered resource value FQN [%s]: %w", regResValueFQN, err)
 		}
 		if decision == nil {
 			return nil, false, fmt.Errorf("decision is nil for registered resource value FQN [%s]", regResValueFQN)
 		}
 
-		// If not entitled, obligations are not considered
-		if !decision.Access {
-			return []*Decision{decision}, decision.Access, nil
-		}
-
-		// Access should only be granted if entitled AND obligations fulfilled
-		decision.Access = allTriggeredObligationsCanBeFulfilled
-		for idx, required := range requiredObligationsPerResource {
-			decision.Results[idx].RequiredObligationValueFQNs = required
-		}
+		// Update resource decisions with obligations and set final access decision
+		hasRequiredObligations := len(obligationDecision.RequiredObligationValueFQNs) > 0
+		entitledWithAnyObligationsSatisfied := decision.AllPermitted && (!hasRequiredObligations || obligationDecision.AllObligationsSatisfied)
+		decision.AllPermitted = entitledWithAnyObligationsSatisfied
+		decision = setResourceDecisionsWithObligations(decision, obligationDecision)
 
-		return []*Decision{decision}, decision.Access, nil
+		p.auditDecision(ctx, regResValueFQN, action, decision, entitlements, fulfillableObligationValueFQNs, obligationDecision)
+		return []*Decision{decision}, decision.AllPermitted, nil
 
 	default:
 		return nil, false, ErrInvalidEntityType
@@ -195,38 +192,69 @@ func (p *JustInTimePDP) GetDecision(
 
 	// Make initial entitlement decisions
 	entityDecisions := make([]*Decision, len(entityRepresentations))
+	entityEntitlements := make([]map[string][]*policy.Action, len(entityRepresentations))
 	allPermitted := true
 	for idx, entityRep := range entityRepresentations {
-		d, err := p.pdp.GetDecision(ctx, entityRep, action, resources)
+		d, entitlements, err := p.pdp.GetDecision(ctx, entityRep, action, resources)
 		if err != nil {
 			return nil, false, fmt.Errorf("failed to get decision for entityRepresentation with original id [%s]: %w", entityRep.GetOriginalId(), err)
 		}
 		if d == nil {
 			return nil, false, fmt.Errorf("decision is nil: %w", err)
 		}
-		if !d.Access {
+		// If any entity lacks access to any resource, update overall decision denial
+		if !d.AllPermitted {
 			allPermitted = false
 		}
 		entityDecisions[idx] = d
+		entityEntitlements[idx] = entitlements
 	}
 
-	// If even one entity was denied access, obligations are not considered or returned
-	if !allPermitted {
-		return entityDecisions, allPermitted, nil
-	}
+	// Update resource decisions with obligations and set final access decision
+	hasRequiredObligations := len(obligationDecision.RequiredObligationValueFQNs) > 0
+	allEntitledWithAnyObligationsSatisfied := allPermitted && (!hasRequiredObligations || obligationDecision.AllObligationsSatisfied)
+	allPermitted = allEntitledWithAnyObligationsSatisfied
 
-	// Access should only be granted if entitled AND obligations fulfilled
-	allPermitted = allTriggeredObligationsCanBeFulfilled
-	// Obligations are not entity-specific at this time so will be the same across every entity
-	for _, decision := range entityDecisions {
-		for idx, required := range requiredObligationsPerResource {
-			decision.Results[idx].RequiredObligationValueFQNs = required
-		}
+	// Propagate obligations within policy on each resource decision object
+	for entityIdx, decision := range entityDecisions {
+		// TODO: figure out this multi-entity response?
+		// entitledWithAnyObligationsSatisfied := decision.AllPermitted && (!hasRequiredObligations || obligationDecision.AllObligationsSatisfied)
+		// decision.AllPermitted = entitledWithAnyObligationsSatisfied
+		decision = setResourceDecisionsWithObligations(decision, obligationDecision)
+		decision.AllPermitted = allPermitted
+		entityRepID := entityRepresentations[entityIdx].GetOriginalId()
+		p.auditDecision(ctx, entityRepID, action, decision, entityEntitlements[entityIdx], fulfillableObligationValueFQNs, obligationDecision)
 	}
 
 	return entityDecisions, allPermitted, nil
 }
 
+// setResourceDecisionsWithObligations updates all resource decisions with obligation
+// information and sets each resource passed state
+func setResourceDecisionsWithObligations(
+	decision *Decision,
+	obligationDecision obligations.ObligationPolicyDecision,
+) *Decision {
+	hasRequiredObligations := len(obligationDecision.RequiredObligationValueFQNs) > 0
+
+	for idx := range decision.Results {
+		resourceDecision := &decision.Results[idx]
+
+		if hasRequiredObligations {
+			// Update with specific obligation data from the obligations PDP
+			perResource := obligationDecision.RequiredObligationValueFQNsPerResource[idx]
+			resourceDecision.ObligationsSatisfied = perResource.ObligationsSatisfied
+			resourceDecision.RequiredObligationValueFQNs = perResource.RequiredObligationValueFQNs
+		} else {
+			// No required obligations means all obligations are satisfied
+			resourceDecision.ObligationsSatisfied = true
+		}
+
+		resourceDecision.Passed = resourceDecision.Entitled && resourceDecision.ObligationsSatisfied
+	}
+	return decision
+}
+
 // GetEntitlements retrieves the entitlements for the provided entity chain.
 // It resolves the entity chain to get the entity representations and then calls the embedded PDP to get the entitlements.
 func (p *JustInTimePDP) GetEntitlements(
@@ -287,8 +315,6 @@ func (p *JustInTimePDP) GetEntitlements(
 func (p *JustInTimePDP) getMatchedSubjectMappings(
 	ctx context.Context,
 	entityRepresentations []*entityresolutionV2.EntityRepresentation,
-	// updated with the results, attrValue FQN to attribute and value with subject mappings
-	// entitleableAttributes map[string]*attrs.GetAttributeValuesByFqnsResponse_AttributeAndValue,
 ) ([]*policy.SubjectMapping, error) {
 	// Break the entity down the entities into their properties/selectors and retrieve only those subject mappings
 	subjectProperties := make([]*policy.SubjectProperty, 0)
@@ -400,3 +426,30 @@ func (p *JustInTimePDP) resolveEntitiesFromRequestToken(
 
 	return p.resolveEntitiesFromToken(ctx, token, skipEnvironmentEntities)
 }
+
+// auditDecision logs a GetDecisionV2 audit event with obligation information
+func (p *JustInTimePDP) auditDecision(
+	ctx context.Context,
+	entityID string,
+	action *policy.Action,
+	decision *Decision,
+	entitlements map[string][]*policy.Action,
+	fulfillableObligationValueFQNs []string,
+	obligationDecision obligations.ObligationPolicyDecision,
+) {
+	// Determine audit decision result
+	auditDecision := audit.GetDecisionResultDeny
+	if decision.AllPermitted {
+		auditDecision = audit.GetDecisionResultPermit
+	}
+
+	p.logger.Audit.GetDecisionV2(ctx, audit.GetDecisionV2EventParams{
+		EntityID:                       entityID,
+		ActionName:                     action.GetName(),
+		Decision:                       auditDecision,
+		Entitlements:                   entitlements,
+		FulfillableObligationValueFQNs: fulfillableObligationValueFQNs,
+		ObligationsSatisfied:           obligationDecision.AllObligationsSatisfied,
+		ResourceDecisions:              decision.Results,
+	})
+}