feat(audit): close P-H2 — server-side since / until time-range filters

Closes frontend-design-audit finding P-H2 (High): AuditPage filters time-range *client-side*; comment says "server may not support time params" — fetches the entire event window, throws 99% away in JS Ground-truth recon found the closure is much smaller than the audit's "1 day backend + 2 hours frontend" estimate: • repository AuditFilter.From / .To: ALREADY exist in internal/repository/filters.go:57-58 • postgres.AuditRepository.List: ALREADY pushes `timestamp >= since` + `timestamp <= until` predicates into the SQL query (internal/repository/postgres/audit.go:107-116) • Composite index idx_audit_events_category_timestamp on (event_category, timestamp DESC) added in migration 000032 makes the new query hit an index scan • MCP `certctl_audit_list_with_category` tool's docstring already advertises `since` / `until` (internal/mcp/tools_audit_fix.go:174) — but the server silently ignored them, making the published contract a lie The only missing piece was the handler exposing the params + the frontend porting from client-side filtering. ~150 lines total. ═══════════════════════════ CHANGES ═══════════════════════════════ Service (internal/service/audit.go): • New ListAuditEventsByFilter(ctx, since, until, category, page, perPage) threads time bounds into the existing repository. AuditFilter.From / .To fields. • Existing ListAuditEvents + ListAuditEventsByCategory become thin wrappers around the new method with zero times. Handler (internal/api/handler/audit.go): • Interface gains ListAuditEventsByFilter signature. • ListAuditEvents handler parses `since` + `until` RFC3339 query params; 400 on malformed input or `until` not after `since`. • Single dispatch via ListAuditEventsByFilter for ALL request shapes (with or without time bounds, with or without category). Tests (internal/api/handler/audit_handler_test.go): • mockAuditService gains listByFiltFunc + lastFilterSince/Until/ Category trace fields. • 5 new subtests: - TestListAuditEvents_WithSinceUntil — happy path, both bounds - TestListAuditEvents_SinceOnly — one-sided open-ended - TestListAuditEvents_InvalidSince — 400 on garbage - TestListAuditEvents_UntilBeforeSince — 400 on reversed range - TestListAuditEvents_TimeRangePlusCategory — composes with auditor-role category=auth filter Frontend (web/src/pages/AuditPage.tsx): • TIME_RANGES dropdown now sends `since` as RFC3339 (now − N hours) via the existing useQuery params object instead of filtering client-side after the fact. • Pre-P-H2 `filtered = data.data.filter(e => now-ts<N)` block deleted (replaced by `filtered = data?.data || []`); comment documents why for the diff reader. OpenAPI (api/openapi.yaml): • listAuditEvents gains `since` + `until` query-param specs (format: date-time, description, P-H2 closure date). • Description block explains the `since`/`until` vs `from`/`to` naming divergence from the sibling /audit/export endpoint (different param semantics: list = open-ended bounds, export = required ≤ 90-day compliance window). ═══════════════════════════ VERIFICATION ═══════════════════════════ Backend (Go toolchain now wired in sandbox — go1.25.10 ARM64 from .gomodcache, GOCACHE on /tmp partition): • gofmt -l on all touched files: clean • go vet ./... — exit 0 • go test -short -count=1 ./internal/api/handler/... — ok 4.195s (existing 14 subtests + 5 new = 19/19 pass) • go test -short -count=1 ./internal/service/... — ok 4.733s • staticcheck ./internal/api/handler/... ./internal/service/...: zero findings Frontend: • npm ci — 634 packages, exit 0 (resolves cleanly post-Hotfix #9) • npx tsc --noEmit — exit 0 • npx vitest run src/pages/AuditPage.test.tsx — 4/4 pass • npx vite build — built in 3.49s Ground-truth: origin/master tip b22cdb3 verified via GitHub API BEFORE commit per the operating rule. ═══════════════════════════ RELATED NOTES ════════════════════════ • AuditPage's `resource_type` / `actor` / `action` query params are ALSO silently ignored by the server today — the handler doesn't parse them. That's a separate latent gap (the audit only flagged the time filter); tracked as a follow-up for the next audit-handler pass. Not scope-creeping into this commit. • The `total` returned by ListAuditEventsByFilter is len(result), not a separate COUNT(*) query — same limitation as before; when the page ports to server-side cursoring the repository will need a CountAuditEvents(filter) method. Documented in the service comment.
2026-06-11 09:19:24 +00:00 · 2026-05-14 19:35:51 +00:00
parent b22cdb3405
commit fc237de357
5 changed files with 327 additions and 29 deletions
@@ -212,12 +212,34 @@ func (s *AuditService) ListByAction(ctx context.Context, action string, from, to

 // ListAuditEvents returns paginated audit events (handler interface method).
 func (s *AuditService) ListAuditEvents(ctx context.Context, page, perPage int) ([]domain.AuditEvent, int64, error) {
-	return s.ListAuditEventsByCategory(ctx, "", page, perPage)
+	return s.ListAuditEventsByFilter(ctx, time.Time{}, time.Time{}, "", page, perPage)
 }

 // ListAuditEventsByCategory is the Bundle 1 Phase 8 categorized variant.
-// Empty eventCategory disables the filter.
+// Empty eventCategory disables the filter. Kept as a thin wrapper around
+// ListAuditEventsByFilter so existing callers don't need to thread zero
+// time values.
 func (s *AuditService) ListAuditEventsByCategory(ctx context.Context, eventCategory string, page, perPage int) ([]domain.AuditEvent, int64, error) {
+	return s.ListAuditEventsByFilter(ctx, time.Time{}, time.Time{}, eventCategory, page, perPage)
+}
+
+// ListAuditEventsByFilter is the P-H2 closure (frontend-design-audit
+// 2026-05-14) — handler-facing list that supports server-side
+// time-range filtering on top of the existing category filter. The
+// repository (internal/repository/postgres/audit.go) has always
+// pushed `timestamp >= since` and `timestamp <= until` predicates
+// into the SQL query when AuditFilter.From / .To are set; this method
+// just threads the operator-supplied bounds from the handler into
+// the filter struct. The (event_category, timestamp DESC) composite
+// index added in migration 000032 makes the predicate push-down hit
+// an index scan rather than a sequential scan on the audit_events
+// table.
+//
+// Zero time.Time values for since OR until disable the bound (i.e.
+// "open-ended on that side"). Both zero ≡ no time filter ≡ the
+// pre-P-H2 list behavior, which is what the two delegating wrappers
+// above rely on for backward compatibility.
+func (s *AuditService) ListAuditEventsByFilter(ctx context.Context, since, until time.Time, eventCategory string, page, perPage int) ([]domain.AuditEvent, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -227,6 +249,8 @@ func (s *AuditService) ListAuditEventsByCategory(ctx context.Context, eventCateg

 	filter := &repository.AuditFilter{
 		EventCategory: eventCategory,
+		From:          since,
+		To:            until,
 		Page:          page,
 		PerPage:       perPage,
 	}
@@ -247,10 +271,13 @@ func (s *AuditService) ListAuditEventsByCategory(ctx context.Context, eventCateg
 	// see #audit-pagination-count — the repository currently returns
 	// the full filtered slice and we surface len(result) as total. This
 	// works for the audit page's current shape (server-side filter +
-	// client-side pagination over a bounded window) but is wrong when the
-	// frontend ports to server-side cursoring (Phase 9 P-H2). At that
-	// point the repository must add a CountAuditEvents(filter) method and
-	// this line becomes total, _ := s.repo.CountAuditEvents(ctx, filter).
+	// client-side pagination over a bounded window) but is wrong when
+	// the frontend ports to server-side cursoring. At that point the
+	// repository must add a CountAuditEvents(filter) method and this
+	// line becomes total, _ := s.repo.CountAuditEvents(ctx, filter).
+	// P-H2 (this method) didn't introduce server-side cursoring — it
+	// only added the time-range predicate — so the same limitation
+	// applies. Tracked separately.
 	total := int64(len(result))

 	return result, total, nil