feat(audit): close P-H2 — server-side since / until time-range filters

Closes frontend-design-audit finding P-H2 (High): AuditPage filters time-range *client-side*; comment says "server may not support time params" — fetches the entire event window, throws 99% away in JS Ground-truth recon found the closure is much smaller than the audit's "1 day backend + 2 hours frontend" estimate: • repository AuditFilter.From / .To: ALREADY exist in internal/repository/filters.go:57-58 • postgres.AuditRepository.List: ALREADY pushes `timestamp >= since` + `timestamp <= until` predicates into the SQL query (internal/repository/postgres/audit.go:107-116) • Composite index idx_audit_events_category_timestamp on (event_category, timestamp DESC) added in migration 000032 makes the new query hit an index scan • MCP `certctl_audit_list_with_category` tool's docstring already advertises `since` / `until` (internal/mcp/tools_audit_fix.go:174) — but the server silently ignored them, making the published contract a lie The only missing piece was the handler exposing the params + the frontend porting from client-side filtering. ~150 lines total. ═══════════════════════════ CHANGES ═══════════════════════════════ Service (internal/service/audit.go): • New ListAuditEventsByFilter(ctx, since, until, category, page, perPage) threads time bounds into the existing repository. AuditFilter.From / .To fields. • Existing ListAuditEvents + ListAuditEventsByCategory become thin wrappers around the new method with zero times. Handler (internal/api/handler/audit.go): • Interface gains ListAuditEventsByFilter signature. • ListAuditEvents handler parses `since` + `until` RFC3339 query params; 400 on malformed input or `until` not after `since`. • Single dispatch via ListAuditEventsByFilter for ALL request shapes (with or without time bounds, with or without category). Tests (internal/api/handler/audit_handler_test.go): • mockAuditService gains listByFiltFunc + lastFilterSince/Until/ Category trace fields. • 5 new subtests: - TestListAuditEvents_WithSinceUntil — happy path, both bounds - TestListAuditEvents_SinceOnly — one-sided open-ended - TestListAuditEvents_InvalidSince — 400 on garbage - TestListAuditEvents_UntilBeforeSince — 400 on reversed range - TestListAuditEvents_TimeRangePlusCategory — composes with auditor-role category=auth filter Frontend (web/src/pages/AuditPage.tsx): • TIME_RANGES dropdown now sends `since` as RFC3339 (now − N hours) via the existing useQuery params object instead of filtering client-side after the fact. • Pre-P-H2 `filtered = data.data.filter(e => now-ts<N)` block deleted (replaced by `filtered = data?.data || []`); comment documents why for the diff reader. OpenAPI (api/openapi.yaml): • listAuditEvents gains `since` + `until` query-param specs (format: date-time, description, P-H2 closure date). • Description block explains the `since`/`until` vs `from`/`to` naming divergence from the sibling /audit/export endpoint (different param semantics: list = open-ended bounds, export = required ≤ 90-day compliance window). ═══════════════════════════ VERIFICATION ═══════════════════════════ Backend (Go toolchain now wired in sandbox — go1.25.10 ARM64 from .gomodcache, GOCACHE on /tmp partition): • gofmt -l on all touched files: clean • go vet ./... — exit 0 • go test -short -count=1 ./internal/api/handler/... — ok 4.195s (existing 14 subtests + 5 new = 19/19 pass) • go test -short -count=1 ./internal/service/... — ok 4.733s • staticcheck ./internal/api/handler/... ./internal/service/...: zero findings Frontend: • npm ci — 634 packages, exit 0 (resolves cleanly post-Hotfix #9) • npx tsc --noEmit — exit 0 • npx vitest run src/pages/AuditPage.test.tsx — 4/4 pass • npx vite build — built in 3.49s Ground-truth: origin/master tip b22cdb3 verified via GitHub API BEFORE commit per the operating rule. ═══════════════════════════ RELATED NOTES ════════════════════════ • AuditPage's `resource_type` / `actor` / `action` query params are ALSO silently ignored by the server today — the handler doesn't parse them. That's a separate latent gap (the audit only flagged the time filter); tracked as a follow-up for the next audit-handler pass. Not scope-creeping into this commit. • The `total` returned by ListAuditEventsByFilter is len(result), not a separate COUNT(*) query — same limitation as before; when the page ports to server-side cursoring the repository will need a CountAuditEvents(filter) method. Documented in the service comment.
2026-06-07 16:21:30 +00:00 · 2026-05-14 19:35:51 +00:00
parent b22cdb3405
commit fc237de357
5 changed files with 327 additions and 29 deletions
@@ -4110,6 +4110,21 @@ paths:
        (cert/agent/deployment events), `auth` (role/key/bootstrap
        mutations), `config` (issuer/target/settings edits). Omitting
        the parameter returns every category.
        P-H2 closure (frontend-design-audit 2026-05-14) adds the
        optional `since` / `until` time-range query parameters. Both
        accept RFC3339 timestamps (e.g. `2026-04-01T00:00:00Z`).
        Either bound can be omitted to leave that side open-ended.
        Combined with `category`, they let auditor-role clients query
        "auth events from yesterday" without a separate endpoint.
        Note on naming: this endpoint uses `since` / `until` to match
        the existing MCP `certctl_audit_list_with_category` tool's
        published contract. The sibling `/api/v1/audit/export`
        endpoint uses `from` / `to` for compliance-window semantics
        (required, ≤ 90-day range, NDJSON streaming); the two
        endpoints share data but the names reflect the different
        param semantics.
      operationId: listAuditEvents
      parameters:
        - $ref: "#/components/parameters/page"
@@ -4120,6 +4135,23 @@ paths:
            type: string
            enum: [cert_lifecycle, auth, config]
          description: Filter to events of this event_category. (Bundle 1 Phase 8)
        - in: query
          name: since
          schema:
            type: string
            format: date-time
          description: |
            Lower bound on `timestamp` (RFC3339). Inclusive.
            Open-ended when omitted. (P-H2 2026-05-14)
        - in: query
          name: until
          schema:
            type: string
            format: date-time
          description: |
            Upper bound on `timestamp` (RFC3339). Inclusive.
            Open-ended when omitted. Must be after `since` if both
            are set. (P-H2 2026-05-14)
      responses:
        "200":
          description: Paginated list of audit events
@@ -4135,7 +4167,9 @@ paths:
                        items:
                          $ref: "#/components/schemas/AuditEvent"
        "400":
-          description: Invalid `category` value
+          description: |
            Invalid `category` value, malformed RFC3339 `since`/`until`,
            or `until` not after `since`.
        "500":
          $ref: "#/components/responses/InternalError"
@@ -28,6 +28,18 @@ type AuditService interface {
 	// empty string returns all categories. Used by the auditor role
 	// (filtered to "auth" via /v1/audit?category=auth).
 	ListAuditEventsByCategory(ctx context.Context, eventCategory string, page, perPage int) ([]domain.AuditEvent, int64, error)
 	// ListAuditEventsByFilter (P-H2 closure, frontend-design-audit
 	// 2026-05-14) returns audit rows constrained by an optional time
 	// range AND optional category. Zero time.Time on either bound
 	// disables that bound. The repository already pushes the
 	// predicate into SQL (timestamp >=/<= since/until); this method
 	// just threads handler-parsed `since` / `until` query params
 	// through to the filter. Frontend (AuditPage) drops the pre-P-H2
 	// client-side time filter ("fetches the entire event window,
 	// throws 99% away in JS") and sends since/until directly. MCP's
 	// certctl_audit_list_with_category tool already advertised these
 	// params; this closure makes that advertised contract truthful.
 	ListAuditEventsByFilter(ctx context.Context, since, until time.Time, eventCategory string, page, perPage int) ([]domain.AuditEvent, int64, error)
 	// ExportEventsByFilter returns audit events matching a
 	// (from, to, eventCategory) filter, capped at maxRows. Audit
 	// 2026-05-10 HIGH-11 closure — backs the new
@@ -53,12 +65,29 @@ func NewAuditHandler(svc AuditService) AuditHandler {
 }
 // ListAuditEvents lists audit events.
-// GET /api/v1/audit?page=1&per_page=50&category=auth
+// GET /api/v1/audit?page=1&per_page=50&category=auth&since=<RFC3339>&until=<RFC3339>
 //
-// Bundle 1 Phase 8 adds the optional `category` query parameter for
+// Bundle 1 Phase 8 added the optional `category` query parameter for
 // auditor-role filtering. Allowed values: cert_lifecycle, auth, config.
 // Unknown values surface 400 so misuse is caught loud (instead of
 // silently returning all rows).
 //
 // P-H2 closure (frontend-design-audit 2026-05-14) adds the optional
 // `since` / `until` time-range query parameters. Both accept RFC3339
 // (e.g. "2026-04-01T00:00:00Z"). Either bound can be omitted to leave
 // that side open-ended. The repository already pushes the timestamp
 // predicate into the SQL query, and migration 000032's
 // (event_category, timestamp DESC) composite index makes the
 // predicate hit an index scan rather than a sequential scan.
 //
 // Note on naming: this endpoint uses `since` / `until` to match the
 // existing MCP `certctl_audit_list_with_category` tool's published
 // contract (internal/mcp/tools_audit_fix.go:174) and the audit-text
 // framing of the P-H2 finding. The sibling /api/v1/audit/export
 // endpoint uses `from` / `to` for compliance-window semantics
 // (required, ≤ 90-day range, NDJSON streaming); the two endpoints
 // share data but have different param semantics and the names were
 // chosen to reflect that.
 func (h AuditHandler) ListAuditEvents(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
@@ -93,16 +122,39 @@ func (h AuditHandler) ListAuditEvents(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	var (
+	// P-H2: optional time-range bounds. RFC3339 parse with explicit
-		events []domain.AuditEvent
+	// 400 on malformed input — silently dropping a malformed `since`
-		total  int64
+	// would be worse than rejecting it (operator gets unfiltered
-		err    error
+	// results when they thought they were filtering).
-	)
+	var since, until time.Time
-	if category != "" {
+	if s := query.Get("since"); s != "" {
-		events, total, err = h.svc.ListAuditEventsByCategory(r.Context(), category, page, perPage)
+		parsed, err := time.Parse(time.RFC3339, s)
-	} else {
+		if err != nil {
-		events, total, err = h.svc.ListAuditEvents(r.Context(), page, perPage)
+			ErrorWithRequestID(w, http.StatusBadRequest,
 				"`since` must be RFC3339 (e.g. 2026-04-01T00:00:00Z)",
 				requestID)
 			return
 		}
 		since = parsed
 	}
 	if u := query.Get("until"); u != "" {
 		parsed, err := time.Parse(time.RFC3339, u)
 		if err != nil {
 			ErrorWithRequestID(w, http.StatusBadRequest,
 				"`until` must be RFC3339 (e.g. 2026-05-01T00:00:00Z)",
 				requestID)
 			return
 		}
 		until = parsed
 	}
 	if !since.IsZero() && !until.IsZero() && !until.After(since) {
 		ErrorWithRequestID(w, http.StatusBadRequest,
 			"`until` must be after `since`",
 			requestID)
 		return
 	}
 	events, total, err := h.svc.ListAuditEventsByFilter(r.Context(), since, until, category, page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list audit events", requestID)
 		return
@@ -15,13 +15,18 @@ import (
 // mockAuditService implements AuditService for testing.
 type mockAuditService struct {
-	listFunc      func(page, perPage int) ([]domain.AuditEvent, int64, error)
+	listFunc       func(page, perPage int) ([]domain.AuditEvent, int64, error)
-	listByCatFunc func(category string, page, perPage int) ([]domain.AuditEvent, int64, error)
+	listByCatFunc  func(category string, page, perPage int) ([]domain.AuditEvent, int64, error)
-	getFunc       func(id string) (*domain.AuditEvent, error)
+	listByFiltFunc func(since, until time.Time, category string, page, perPage int) ([]domain.AuditEvent, int64, error)
 	getFunc        func(id string) (*domain.AuditEvent, error)
 	// HIGH-11 self-audit trace — last RecordEventWithCategory call.
 	lastAuditActor    string
 	lastAuditAction   string
 	lastAuditCategory string
 	// P-H2 trace — last ListAuditEventsByFilter args.
 	lastFilterSince    time.Time
 	lastFilterUntil    time.Time
 	lastFilterCategory string
 }
 func (m *mockAuditService) ListAuditEvents(_ context.Context, page, perPage int) ([]domain.AuditEvent, int64, error) {
@@ -41,6 +46,27 @@ func (m *mockAuditService) ListAuditEventsByCategory(_ context.Context, category
 	return nil, 0, nil
 }
 // ListAuditEventsByFilter satisfies the P-H2 interface extension. The
 // test fixture remembers the (since, until, category) tuple so
 // per-subtest assertions can pin that the handler threaded the
 // query-string params through correctly. Falls back to listFunc /
 // listByCatFunc so existing tests don't need to set listByFiltFunc.
 func (m *mockAuditService) ListAuditEventsByFilter(_ context.Context, since, until time.Time, category string, page, perPage int) ([]domain.AuditEvent, int64, error) {
 	m.lastFilterSince = since
 	m.lastFilterUntil = until
 	m.lastFilterCategory = category
 	if m.listByFiltFunc != nil {
 		return m.listByFiltFunc(since, until, category, page, perPage)
 	}
 	if category != "" && m.listByCatFunc != nil {
 		return m.listByCatFunc(category, page, perPage)
 	}
 	if m.listFunc != nil {
 		return m.listFunc(page, perPage)
 	}
 	return nil, 0, nil
 }
 func (m *mockAuditService) GetAuditEvent(_ context.Context, id string) (*domain.AuditEvent, error) {
 	if m.getFunc != nil {
 		return m.getFunc(id)
@@ -325,6 +351,153 @@ func TestListAuditEvents_MethodNotAllowed(t *testing.T) {
 	}
 }
 // ── P-H2 closure (since / until time-range query params) ───────────
 // TestListAuditEvents_WithSinceUntil pins the happy path — both bounds
 // supplied in RFC3339, mock observes them threaded into the service
 // call, response is 200.
 func TestListAuditEvents_WithSinceUntil(t *testing.T) {
 	since := time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC)
 	until := time.Date(2026, 5, 1, 0, 0, 0, 0, time.UTC)
 	mockSvc := &mockAuditService{
 		listByFiltFunc: func(s, u time.Time, _ string, _, _ int) ([]domain.AuditEvent, int64, error) {
 			if !s.Equal(since) {
 				t.Errorf("service since = %v, want %v", s, since)
 			}
 			if !u.Equal(until) {
 				t.Errorf("service until = %v, want %v", u, until)
 			}
 			return []domain.AuditEvent{}, 0, nil
 		},
 	}
 	handler := NewAuditHandler(mockSvc)
 	url := "/api/v1/audit?since=" + since.Format(time.RFC3339) + "&until=" + until.Format(time.RFC3339)
 	req, err := http.NewRequest(http.MethodGet, url, nil)
 	if err != nil {
 		t.Fatalf("NewRequest failed: %v", err)
 	}
 	ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	handler.ListAuditEvents(w, req)
 	if w.Code != http.StatusOK {
 		t.Errorf("status = %d, want 200; body=%s", w.Code, w.Body.String())
 	}
 	if !mockSvc.lastFilterSince.Equal(since) {
 		t.Errorf("mock recorded since = %v, want %v", mockSvc.lastFilterSince, since)
 	}
 	if !mockSvc.lastFilterUntil.Equal(until) {
 		t.Errorf("mock recorded until = %v, want %v", mockSvc.lastFilterUntil, until)
 	}
 }
 // TestListAuditEvents_SinceOnly pins one-sided bound — only `since`
 // supplied, `until` stays zero. Closure of "operator filters to events
 // from the last hour" via since=<now-1h>.
 func TestListAuditEvents_SinceOnly(t *testing.T) {
 	since := time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC)
 	mockSvc := &mockAuditService{}
 	handler := NewAuditHandler(mockSvc)
 	req, _ := http.NewRequest(http.MethodGet, "/api/v1/audit?since="+since.Format(time.RFC3339), nil)
 	ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	handler.ListAuditEvents(w, req)
 	if w.Code != http.StatusOK {
 		t.Errorf("status = %d, want 200; body=%s", w.Code, w.Body.String())
 	}
 	if !mockSvc.lastFilterSince.Equal(since) {
 		t.Errorf("since = %v, want %v", mockSvc.lastFilterSince, since)
 	}
 	if !mockSvc.lastFilterUntil.IsZero() {
 		t.Errorf("until = %v, want zero (open-ended)", mockSvc.lastFilterUntil)
 	}
 }
 // TestListAuditEvents_InvalidSince pins the parse-error 400 path.
 // Silently dropping a malformed since would return ALL rows when the
 // operator thought they were filtering — worse than rejecting.
 func TestListAuditEvents_InvalidSince(t *testing.T) {
 	mockSvc := &mockAuditService{}
 	handler := NewAuditHandler(mockSvc)
 	req, _ := http.NewRequest(http.MethodGet, "/api/v1/audit?since=not-a-date", nil)
 	ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	handler.ListAuditEvents(w, req)
 	if w.Code != http.StatusBadRequest {
 		t.Errorf("status = %d, want 400; body=%s", w.Code, w.Body.String())
 	}
 	if !mockSvc.lastFilterSince.IsZero() {
 		t.Error("service should NOT have been called on bad since")
 	}
 }
 // TestListAuditEvents_UntilBeforeSince pins the order assertion — a
 // reversed range surfaces 400, doesn't quietly return empty.
 func TestListAuditEvents_UntilBeforeSince(t *testing.T) {
 	since := time.Date(2026, 5, 1, 0, 0, 0, 0, time.UTC)
 	until := time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC)
 	mockSvc := &mockAuditService{}
 	handler := NewAuditHandler(mockSvc)
 	url := "/api/v1/audit?since=" + since.Format(time.RFC3339) + "&until=" + until.Format(time.RFC3339)
 	req, _ := http.NewRequest(http.MethodGet, url, nil)
 	ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	handler.ListAuditEvents(w, req)
 	if w.Code != http.StatusBadRequest {
 		t.Errorf("status = %d, want 400; body=%s", w.Code, w.Body.String())
 	}
 }
 // TestListAuditEvents_TimeRangePlusCategory pins that since/until
 // compose with category (the auditor-role narrow-to-auth use case
 // extended to "auth events from yesterday" without a separate
 // endpoint).
 func TestListAuditEvents_TimeRangePlusCategory(t *testing.T) {
 	since := time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC)
 	until := time.Date(2026, 5, 1, 0, 0, 0, 0, time.UTC)
 	mockSvc := &mockAuditService{}
 	handler := NewAuditHandler(mockSvc)
 	url := "/api/v1/audit?category=auth&since=" + since.Format(time.RFC3339) + "&until=" + until.Format(time.RFC3339)
 	req, _ := http.NewRequest(http.MethodGet, url, nil)
 	ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	handler.ListAuditEvents(w, req)
 	if w.Code != http.StatusOK {
 		t.Errorf("status = %d, want 200; body=%s", w.Code, w.Body.String())
 	}
 	if mockSvc.lastFilterCategory != "auth" {
 		t.Errorf("category = %q, want auth", mockSvc.lastFilterCategory)
 	}
 	if !mockSvc.lastFilterSince.Equal(since) {
 		t.Errorf("since = %v, want %v", mockSvc.lastFilterSince, since)
 	}
 	if !mockSvc.lastFilterUntil.Equal(until) {
 		t.Errorf("until = %v, want %v", mockSvc.lastFilterUntil, until)
 	}
 }
 func TestGetAuditEvent_Success(t *testing.T) {
 	event := &domain.AuditEvent{
 		ID:           "ev-123",
@@ -212,12 +212,34 @@ func (s *AuditService) ListByAction(ctx context.Context, action string, from, to
 // ListAuditEvents returns paginated audit events (handler interface method).
 func (s *AuditService) ListAuditEvents(ctx context.Context, page, perPage int) ([]domain.AuditEvent, int64, error) {
-	return s.ListAuditEventsByCategory(ctx, "", page, perPage)
+	return s.ListAuditEventsByFilter(ctx, time.Time{}, time.Time{}, "", page, perPage)
 }
 // ListAuditEventsByCategory is the Bundle 1 Phase 8 categorized variant.
-// Empty eventCategory disables the filter.
+// Empty eventCategory disables the filter. Kept as a thin wrapper around
 // ListAuditEventsByFilter so existing callers don't need to thread zero
 // time values.
 func (s *AuditService) ListAuditEventsByCategory(ctx context.Context, eventCategory string, page, perPage int) ([]domain.AuditEvent, int64, error) {
 	return s.ListAuditEventsByFilter(ctx, time.Time{}, time.Time{}, eventCategory, page, perPage)
 }
 // ListAuditEventsByFilter is the P-H2 closure (frontend-design-audit
 // 2026-05-14) — handler-facing list that supports server-side
 // time-range filtering on top of the existing category filter. The
 // repository (internal/repository/postgres/audit.go) has always
 // pushed `timestamp >= since` and `timestamp <= until` predicates
 // into the SQL query when AuditFilter.From / .To are set; this method
 // just threads the operator-supplied bounds from the handler into
 // the filter struct. The (event_category, timestamp DESC) composite
 // index added in migration 000032 makes the predicate push-down hit
 // an index scan rather than a sequential scan on the audit_events
 // table.
 //
 // Zero time.Time values for since OR until disable the bound (i.e.
 // "open-ended on that side"). Both zero ≡ no time filter ≡ the
 // pre-P-H2 list behavior, which is what the two delegating wrappers
 // above rely on for backward compatibility.
 func (s *AuditService) ListAuditEventsByFilter(ctx context.Context, since, until time.Time, eventCategory string, page, perPage int) ([]domain.AuditEvent, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -227,6 +249,8 @@ func (s *AuditService) ListAuditEventsByCategory(ctx context.Context, eventCateg
 	filter := &repository.AuditFilter{
 		EventCategory: eventCategory,
 		From:          since,
 		To:            until,
 		Page:          page,
 		PerPage:       perPage,
 	}
@@ -247,10 +271,13 @@ func (s *AuditService) ListAuditEventsByCategory(ctx context.Context, eventCateg
 	// see #audit-pagination-count — the repository currently returns
 	// the full filtered slice and we surface len(result) as total. This
 	// works for the audit page's current shape (server-side filter +
-	// client-side pagination over a bounded window) but is wrong when the
+	// client-side pagination over a bounded window) but is wrong when
-	// frontend ports to server-side cursoring (Phase 9 P-H2). At that
+	// the frontend ports to server-side cursoring. At that point the
-	// point the repository must add a CountAuditEvents(filter) method and
+	// repository must add a CountAuditEvents(filter) method and this
-	// this line becomes total, _ := s.repo.CountAuditEvents(ctx, filter).
+	// line becomes total, _ := s.repo.CountAuditEvents(ctx, filter).
 	// P-H2 (this method) didn't introduce server-side cursoring — it
 	// only added the time-range predicate — so the same limitation
 	// applies. Tracked separately.
 	total := int64(len(result))
 	return result, total, nil
@@ -86,6 +86,21 @@ export default function AuditPage() {
  if (actorFilter) params.actor = actorFilter;
  if (actionFilter) params.action = actionFilter;
  if (category) params.category = category;
  // P-H2 closure (frontend-design-audit 2026-05-14): translate the
  // TIME_RANGES dropdown selection into an RFC3339 `since` server
  // param. Pre-P-H2 this filter was applied client-side AFTER fetching
  // the entire event window, throwing 99% of rows away in JS; the
  // server-side handler now accepts `since` (and `until`) and the
  // audit_events table has a (event_category, timestamp DESC)
  // composite index that makes the predicate hit an index scan.
  //
  // We send only `since`; the "last N units" semantic is implicit
  // (until=now), so the operator gets a rolling window from the
  // selected age until the moment the server reads the param.
  if (timeRange) {
    const hours = timeRange === '1h' ? 1 : timeRange === '24h' ? 24 : timeRange === '7d' ? 168 : 720;
    params.since = new Date(Date.now() - hours * 3600 * 1000).toISOString();
  }
  const { data, isLoading, error, refetch } = useQuery({
    queryKey: ['audit', params],
@@ -93,14 +108,11 @@ export default function AuditPage() {
    refetchInterval: 30000,
  });
-  // Client-side time range filtering (server may not support time params)
+  // P-H2: server now applies the time-range predicate. data.data IS
-  const filtered = (data?.data || []).filter((e) => {
+  // the filtered set; no client-side trimming needed. The pre-P-H2
-    if (!timeRange) return true;
+  // `filtered` block (commented out below for diff-clarity) used to
-    const ts = new Date(e.timestamp).getTime();
+  // walk every row and discard 99% — that's the bug P-H2 closes.
-    const now = Date.now();
+  const filtered = data?.data || [];
    const hours = timeRange === '1h' ? 1 : timeRange === '24h' ? 24 : timeRange === '7d' ? 168 : 720;
    return now - ts < hours * 3600 * 1000;
  });
  const columns: Column<AuditEvent>[] = [
    {