Add audit-logs search command#193
Merged
Merged
Conversation
9b5efcf to
d42172a
Compare
449aa47 to
2586c32
Compare
2586c32 to
4694bf2
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 4694bf2. Configure here.
7bf3a66 to
51bf31a
Compare
New `kernel audit-logs search` wrapping GET /audit-logs: 24h default window (RFC3339 or YYYY-MM-DD bounds), filter flags mapping to the API, GET requests excluded by default with --include-get to opt back in and --exclude-method stacking on top, table/json output, and page-token pagination capped by --limit. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
51bf31a to
0bc09c9
Compare
sjmiller609
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

Summary
Adds a new
kernel audit-logs searchcommand wrapping theGET /audit-logsAPI.--start(default: 24 hours ago) and--end(default: now), accepting RFC3339 timestamps orYYYY-MM-DDdates. A date-only--endis inclusive (covers the whole day), so--start 2026-07-06 --end 2026-07-06searches that full day--include-getopts back in.--exclude-methodstacks on top of the default (e.g.--exclude-method POSThides both GETs and POSTs) — since the API accepts a singleexclude_method, GET is excluded server-side (it drops the most rows) and the user's method is filtered client-side. Setting--methoddisables the default exclusion so--method GETworks as expected--search,--method,--exclude-method,--service,--auth-strategy,--user-id(repeatable)--output json/ table output following existing CLI conventions. JSON output is intentionally the bare entry array (no cursor envelope) — pagination is abstracted behind--limit; scripted callers resume by narrowing the time window--limit(default 100). The "Showing first N results" notice only appears when more matching rows actually exist — the peek past the limit applies the client-side exclusion and is capped at one page, so a long excluded tail can't trigger unbounded fetching (hitting the cap assumes more may match). No bulk-export mode — the API is explicitly not intended for thataudit-logsis a command group so future subcommands (chunk downloads, S3 exports) can slot in alongsidesearchExample
Real run against the dev API (default window: last 24h, GETs excluded); emails and IPs redacted.
--output jsonemits the raw API entries instead.Test plan
make build,make test(unit tests cover param mapping, default window, default GET exclusion, exclude-method stacking and its overrides, date-only end handling, time validation, limit truncation and exact-limit footer suppression, empty results, error propagation)go vet ./...,gofmtclean on new filesapi.dev.onkernel.com): basic search, JSON output, all filters verified against returned data, same-day date search, default 24h window, default GET exclusion and stacking overrides, multi-page pagination (1000 unique entries across 10 pages, no dupes), empty-result message, error paths (>30d window, invalid times, bad limit/output, bad key) all exit 1Follow-up (not in this PR): consider removing
x-cli-skip: truefrom/audit-logsin the API's openapi.yaml after merge so the CLI-coverage bot tracks new params; docs page for the command.Note:
golangci-lintisn't installed in this environment, somake lintwas not run.🤖 Generated with Claude Code
Note
Low Risk
Read-only CLI feature with local validation and tests; no changes to auth, persistence, or existing commands beyond registering the new command.
Overview
Adds
kernel audit-logs search, a new command group that queries the audit-logs API with a bounded time window (default last 24h), table or--output json, and--limit-capped pagination via the SDK auto-pager.Time and filters:
--start/--endaccept RFC3339 or dates; date-only--endis treated as inclusive for the full day. Flags map to API filters (--search,--method,--service,--auth-strategy, repeatable--user-id). GET is excluded by default; because the API only supports oneexclude_method, stacking with--exclude-methodsends GET server-side and applies the user’s method client-side.--include-getor--methodturns off the default GET exclusion.UX details: Truncation hint (“Showing first N…”) uses a capped
peekForMorepast the limit so client-side exclusions don’t cause unbounded fetches. Unit tests cover param mapping, validation, exclusion stacking, limits, and errors.Reviewed by Cursor Bugbot for commit 8b81c9a. Bugbot is set up for automated code reviews on this repo. Configure here.