feat(audit): close P-H2 — server-side since / until time-range filters

Closes frontend-design-audit finding P-H2 (High): AuditPage filters time-range *client-side*; comment says "server may not support time params" — fetches the entire event window, throws 99% away in JS Ground-truth recon found the closure is much smaller than the audit's "1 day backend + 2 hours frontend" estimate: • repository AuditFilter.From / .To: ALREADY exist in internal/repository/filters.go:57-58 • postgres.AuditRepository.List: ALREADY pushes `timestamp >= since` + `timestamp <= until` predicates into the SQL query (internal/repository/postgres/audit.go:107-116) • Composite index idx_audit_events_category_timestamp on (event_category, timestamp DESC) added in migration 000032 makes the new query hit an index scan • MCP `certctl_audit_list_with_category` tool's docstring already advertises `since` / `until` (internal/mcp/tools_audit_fix.go:174) — but the server silently ignored them, making the published contract a lie The only missing piece was the handler exposing the params + the frontend porting from client-side filtering. ~150 lines total. ═══════════════════════════ CHANGES ═══════════════════════════════ Service (internal/service/audit.go): • New ListAuditEventsByFilter(ctx, since, until, category, page, perPage) threads time bounds into the existing repository. AuditFilter.From / .To fields. • Existing ListAuditEvents + ListAuditEventsByCategory become thin wrappers around the new method with zero times. Handler (internal/api/handler/audit.go): • Interface gains ListAuditEventsByFilter signature. • ListAuditEvents handler parses `since` + `until` RFC3339 query params; 400 on malformed input or `until` not after `since`. • Single dispatch via ListAuditEventsByFilter for ALL request shapes (with or without time bounds, with or without category). Tests (internal/api/handler/audit_handler_test.go): • mockAuditService gains listByFiltFunc + lastFilterSince/Until/ Category trace fields. • 5 new subtests: - TestListAuditEvents_WithSinceUntil — happy path, both bounds - TestListAuditEvents_SinceOnly — one-sided open-ended - TestListAuditEvents_InvalidSince — 400 on garbage - TestListAuditEvents_UntilBeforeSince — 400 on reversed range - TestListAuditEvents_TimeRangePlusCategory — composes with auditor-role category=auth filter Frontend (web/src/pages/AuditPage.tsx): • TIME_RANGES dropdown now sends `since` as RFC3339 (now − N hours) via the existing useQuery params object instead of filtering client-side after the fact. • Pre-P-H2 `filtered = data.data.filter(e => now-ts<N)` block deleted (replaced by `filtered = data?.data || []`); comment documents why for the diff reader. OpenAPI (api/openapi.yaml): • listAuditEvents gains `since` + `until` query-param specs (format: date-time, description, P-H2 closure date). • Description block explains the `since`/`until` vs `from`/`to` naming divergence from the sibling /audit/export endpoint (different param semantics: list = open-ended bounds, export = required ≤ 90-day compliance window). ═══════════════════════════ VERIFICATION ═══════════════════════════ Backend (Go toolchain now wired in sandbox — go1.25.10 ARM64 from .gomodcache, GOCACHE on /tmp partition): • gofmt -l on all touched files: clean • go vet ./... — exit 0 • go test -short -count=1 ./internal/api/handler/... — ok 4.195s (existing 14 subtests + 5 new = 19/19 pass) • go test -short -count=1 ./internal/service/... — ok 4.733s • staticcheck ./internal/api/handler/... ./internal/service/...: zero findings Frontend: • npm ci — 634 packages, exit 0 (resolves cleanly post-Hotfix #9) • npx tsc --noEmit — exit 0 • npx vitest run src/pages/AuditPage.test.tsx — 4/4 pass • npx vite build — built in 3.49s Ground-truth: origin/master tip b22cdb3 verified via GitHub API BEFORE commit per the operating rule. ═══════════════════════════ RELATED NOTES ════════════════════════ • AuditPage's `resource_type` / `actor` / `action` query params are ALSO silently ignored by the server today — the handler doesn't parse them. That's a separate latent gap (the audit only flagged the time filter); tracked as a follow-up for the next audit-handler pass. Not scope-creeping into this commit. • The `total` returned by ListAuditEventsByFilter is len(result), not a separate COUNT(*) query — same limitation as before; when the page ports to server-side cursoring the repository will need a CountAuditEvents(filter) method. Documented in the service comment.
2026-06-10 04:28:56 +00:00 · 2026-05-14 19:35:51 +00:00
parent b22cdb3405
commit fc237de357
5 changed files with 327 additions and 29 deletions
@@ -28,6 +28,18 @@ type AuditService interface {
 	// empty string returns all categories. Used by the auditor role
 	// (filtered to "auth" via /v1/audit?category=auth).
 	ListAuditEventsByCategory(ctx context.Context, eventCategory string, page, perPage int) ([]domain.AuditEvent, int64, error)
+	// ListAuditEventsByFilter (P-H2 closure, frontend-design-audit
+	// 2026-05-14) returns audit rows constrained by an optional time
+	// range AND optional category. Zero time.Time on either bound
+	// disables that bound. The repository already pushes the
+	// predicate into SQL (timestamp >=/<= since/until); this method
+	// just threads handler-parsed `since` / `until` query params
+	// through to the filter. Frontend (AuditPage) drops the pre-P-H2
+	// client-side time filter ("fetches the entire event window,
+	// throws 99% away in JS") and sends since/until directly. MCP's
+	// certctl_audit_list_with_category tool already advertised these
+	// params; this closure makes that advertised contract truthful.
+	ListAuditEventsByFilter(ctx context.Context, since, until time.Time, eventCategory string, page, perPage int) ([]domain.AuditEvent, int64, error)
 	// ExportEventsByFilter returns audit events matching a
 	// (from, to, eventCategory) filter, capped at maxRows. Audit
 	// 2026-05-10 HIGH-11 closure — backs the new
@@ -53,12 +65,29 @@ func NewAuditHandler(svc AuditService) AuditHandler {
 }

 // ListAuditEvents lists audit events.
-// GET /api/v1/audit?page=1&per_page=50&category=auth
+// GET /api/v1/audit?page=1&per_page=50&category=auth&since=<RFC3339>&until=<RFC3339>
 //
-// Bundle 1 Phase 8 adds the optional `category` query parameter for
+// Bundle 1 Phase 8 added the optional `category` query parameter for
 // auditor-role filtering. Allowed values: cert_lifecycle, auth, config.
 // Unknown values surface 400 so misuse is caught loud (instead of
 // silently returning all rows).
+//
+// P-H2 closure (frontend-design-audit 2026-05-14) adds the optional
+// `since` / `until` time-range query parameters. Both accept RFC3339
+// (e.g. "2026-04-01T00:00:00Z"). Either bound can be omitted to leave
+// that side open-ended. The repository already pushes the timestamp
+// predicate into the SQL query, and migration 000032's
+// (event_category, timestamp DESC) composite index makes the
+// predicate hit an index scan rather than a sequential scan.
+//
+// Note on naming: this endpoint uses `since` / `until` to match the
+// existing MCP `certctl_audit_list_with_category` tool's published
+// contract (internal/mcp/tools_audit_fix.go:174) and the audit-text
+// framing of the P-H2 finding. The sibling /api/v1/audit/export
+// endpoint uses `from` / `to` for compliance-window semantics
+// (required, ≤ 90-day range, NDJSON streaming); the two endpoints
+// share data but have different param semantics and the names were
+// chosen to reflect that.
 func (h AuditHandler) ListAuditEvents(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
@@ -93,16 +122,39 @@ func (h AuditHandler) ListAuditEvents(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	var (
-		events []domain.AuditEvent
-		total  int64
-		err    error
-	)
-	if category != "" {
-		events, total, err = h.svc.ListAuditEventsByCategory(r.Context(), category, page, perPage)
-	} else {
-		events, total, err = h.svc.ListAuditEvents(r.Context(), page, perPage)
+	// P-H2: optional time-range bounds. RFC3339 parse with explicit
+	// 400 on malformed input — silently dropping a malformed `since`
+	// would be worse than rejecting it (operator gets unfiltered
+	// results when they thought they were filtering).
+	var since, until time.Time
+	if s := query.Get("since"); s != "" {
+		parsed, err := time.Parse(time.RFC3339, s)
+		if err != nil {
+			ErrorWithRequestID(w, http.StatusBadRequest,
+				"`since` must be RFC3339 (e.g. 2026-04-01T00:00:00Z)",
+				requestID)
+			return
+		}
+		since = parsed
 	}
+	if u := query.Get("until"); u != "" {
+		parsed, err := time.Parse(time.RFC3339, u)
+		if err != nil {
+			ErrorWithRequestID(w, http.StatusBadRequest,
+				"`until` must be RFC3339 (e.g. 2026-05-01T00:00:00Z)",
+				requestID)
+			return
+		}
+		until = parsed
+	}
+	if !since.IsZero() && !until.IsZero() && !until.After(since) {
+		ErrorWithRequestID(w, http.StatusBadRequest,
+			"`until` must be after `since`",
+			requestID)
+		return
+	}
+
+	events, total, err := h.svc.ListAuditEventsByFilter(r.Context(), since, until, category, page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list audit events", requestID)
 		return