feat(audit): close P-H2 — server-side since / until time-range filters

Closes frontend-design-audit finding P-H2 (High):

  AuditPage filters time-range *client-side*; comment says "server
  may not support time params" — fetches the entire event window,
  throws 99% away in JS

Ground-truth recon found the closure is much smaller than the
audit's "1 day backend + 2 hours frontend" estimate:

  • repository AuditFilter.From / .To: ALREADY exist in
    internal/repository/filters.go:57-58
  • postgres.AuditRepository.List: ALREADY pushes
    `timestamp >= since` + `timestamp <= until` predicates into the
    SQL query (internal/repository/postgres/audit.go:107-116)
  • Composite index idx_audit_events_category_timestamp on
    (event_category, timestamp DESC) added in migration 000032
    makes the new query hit an index scan
  • MCP `certctl_audit_list_with_category` tool's docstring already
    advertises `since` / `until` (internal/mcp/tools_audit_fix.go:174)
    — but the server silently ignored them, making the published
    contract a lie

The only missing piece was the handler exposing the params + the
frontend porting from client-side filtering. ~150 lines total.

═══════════════════════════ CHANGES ═══════════════════════════════

Service (internal/service/audit.go):
  • New ListAuditEventsByFilter(ctx, since, until, category, page,
    perPage) threads time bounds into the existing repository.
    AuditFilter.From / .To fields.
  • Existing ListAuditEvents + ListAuditEventsByCategory become
    thin wrappers around the new method with zero times.

Handler (internal/api/handler/audit.go):
  • Interface gains ListAuditEventsByFilter signature.
  • ListAuditEvents handler parses `since` + `until` RFC3339 query
    params; 400 on malformed input or `until` not after `since`.
  • Single dispatch via ListAuditEventsByFilter for ALL request
    shapes (with or without time bounds, with or without category).

Tests (internal/api/handler/audit_handler_test.go):
  • mockAuditService gains listByFiltFunc + lastFilterSince/Until/
    Category trace fields.
  • 5 new subtests:
    - TestListAuditEvents_WithSinceUntil — happy path, both bounds
    - TestListAuditEvents_SinceOnly — one-sided open-ended
    - TestListAuditEvents_InvalidSince — 400 on garbage
    - TestListAuditEvents_UntilBeforeSince — 400 on reversed range
    - TestListAuditEvents_TimeRangePlusCategory — composes with
      auditor-role category=auth filter

Frontend (web/src/pages/AuditPage.tsx):
  • TIME_RANGES dropdown now sends `since` as RFC3339 (now − N hours)
    via the existing useQuery params object instead of filtering
    client-side after the fact.
  • Pre-P-H2 `filtered = data.data.filter(e => now-ts<N)` block
    deleted (replaced by `filtered = data?.data || []`); comment
    documents why for the diff reader.

OpenAPI (api/openapi.yaml):
  • listAuditEvents gains `since` + `until` query-param specs
    (format: date-time, description, P-H2 closure date).
  • Description block explains the `since`/`until` vs `from`/`to`
    naming divergence from the sibling /audit/export endpoint
    (different param semantics: list = open-ended bounds, export =
    required ≤ 90-day compliance window).

═══════════════════════════ VERIFICATION ═══════════════════════════

Backend (Go toolchain now wired in sandbox — go1.25.10 ARM64 from
.gomodcache, GOCACHE on /tmp partition):
  • gofmt -l on all touched files: clean
  • go vet ./... — exit 0
  • go test -short -count=1 ./internal/api/handler/... — ok 4.195s
    (existing 14 subtests + 5 new = 19/19 pass)
  • go test -short -count=1 ./internal/service/... — ok 4.733s
  • staticcheck ./internal/api/handler/... ./internal/service/...:
    zero findings

Frontend:
  • npm ci — 634 packages, exit 0 (resolves cleanly post-Hotfix #9)
  • npx tsc --noEmit — exit 0
  • npx vitest run src/pages/AuditPage.test.tsx — 4/4 pass
  • npx vite build — built in 3.49s

Ground-truth: origin/master tip b22cdb3 verified via GitHub API
BEFORE commit per the operating rule.

═══════════════════════════ RELATED NOTES ════════════════════════

  • AuditPage's `resource_type` / `actor` / `action` query params
    are ALSO silently ignored by the server today — the handler
    doesn't parse them. That's a separate latent gap (the audit
    only flagged the time filter); tracked as a follow-up for the
    next audit-handler pass. Not scope-creeping into this commit.
  • The `total` returned by ListAuditEventsByFilter is len(result),
    not a separate COUNT(*) query — same limitation as before;
    when the page ports to server-side cursoring the repository
    will need a CountAuditEvents(filter) method. Documented in
    the service comment.
shankar0123
2026-05-14 19:35:51 +00:00
parent b22cdb3405
commit fc237de357
5 changed files with 327 additions and 29 deletions
+35 -1
@@ -4110,6 +4110,21 @@ paths:
(cert/agent/deployment events), `auth` (role/key/bootstrap
mutations), `config` (issuer/target/settings edits). Omitting
the parameter returns every category.
P-H2 closure (frontend-design-audit 2026-05-14) adds the
optional `since` / `until` time-range query parameters. Both
accept RFC3339 timestamps (e.g. `2026-04-01T00:00:00Z`).
Either bound can be omitted to leave that side open-ended.
Combined with `category`, they let auditor-role clients query
"auth events from yesterday" without a separate endpoint.
Note on naming: this endpoint uses `since` / `until` to match
the existing MCP `certctl_audit_list_with_category` tool's
published contract. The sibling `/api/v1/audit/export`
endpoint uses `from` / `to` for compliance-window semantics
(required, ≤ 90-day range, NDJSON streaming); the two
endpoints share data but the names reflect the different
param semantics.
operationId: listAuditEvents
parameters:
- $ref: "#/components/parameters/page"
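Review bot: The added description paragraph opens with internal tracking text ("P-H2 closure (frontend-design-audit 2026-05-14)") that an API consumer cannot resolve. Keep the behavioural statement about the optional `since` / `until` parameters in the operation description and leave the finding ID and date to the commit message or changelog. The naming note comparing `since` / `until` with `from` / `to` on `/api/v1/audit/export` is useful to callers and should stay.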
@@ -4120,6 +4135,23 @@ paths:
type: string
enum: [cert_lifecycle, auth, config]
description: Filter to events of this event_category. (Bundle 1 Phase 8)
- in: query
name: since
schema:
type: string
format: date-time
description: |
Lower bound on `timestamp` (RFC3339). Inclusive.
Open-ended when omitted. (P-H2 2026-05-14)
- in: query
name: until
schema:
type: string
format: date-time
description: |
Upper bound on `timestamp` (RFC3339). Inclusive.
Open-ended when omitted. Must be after `since` if both
are set. (P-H2 2026-05-14)
responses:
"200":
description: Paginated list of audit events
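Review bot: The `until` description leaves the equal-timestamps case ambiguous. Both bounds are documented as "Inclusive", yet `until` "Must be after `since` if both are set", so `since == until` reads as a valid single-instant window under the first rule and as a rejected request under the second. State explicitly whether equality is rejected (for example "Must be strictly after `since`") or relax the wording to "must not be before `since`", and repeat the constraint on the `since` entry so it is discoverable from either parameter.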
@@ -4135,7 +4167,9 @@ paths:
items:
$ref: "#/components/schemas/AuditEvent"
"400":
description: Invalid `category` value
description: |
Invalid `category` value, malformed RFC3339 `since`/`until`,
or `until` not after `since`.
"500":
$ref: "#/components/responses/InternalError"
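Review bot: The 400 response is description-only, while the 500 directly below it uses `$ref: "#/components/responses/InternalError"`, so the three failure causes now listed here have no documented body shape. If the spec defines a shared error response or schema, reference it for 400 as well, and document which field identifies the offending parameter so a caller can tell a bad `category` from a bad `since` / `until` without parsing the message text.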