Skip to content

Add audit-logs search command#193

Merged
yummybomb merged 2 commits into
mainfrom
hypeship/audit-logs-search
Jul 8, 2026
Merged

Add audit-logs search command#193
yummybomb merged 2 commits into
mainfrom
hypeship/audit-logs-search

Conversation

@yummybomb

@yummybomb yummybomb commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds a new kernel audit-logs search command wrapping the GET /audit-logs API.

  • --start (default: 24 hours ago) and --end (default: now), accepting RFC3339 timestamps or YYYY-MM-DD dates. A date-only --end is inclusive (covers the whole day), so --start 2026-07-06 --end 2026-07-06 searches that full day
  • GET requests are excluded by default to keep the signal on mutations; --include-get opts back in. --exclude-method stacks on top of the default (e.g. --exclude-method POST hides both GETs and POSTs) — since the API accepts a single exclude_method, GET is excluded server-side (it drops the most rows) and the user's method is filtered client-side. Setting --method disables the default exclusion so --method GET works as expected
  • filter flags mapping to the API: --search, --method, --exclude-method, --service, --auth-strategy, --user-id (repeatable)
  • --output json / table output following existing CLI conventions. JSON output is intentionally the bare entry array (no cursor envelope) — pagination is abstracted behind --limit; scripted callers resume by narrowing the time window
  • pagination via the SDK's page-token auto-pager, capped by --limit (default 100). The "Showing first N results" notice only appears when more matching rows actually exist — the peek past the limit applies the client-side exclusion and is capped at one page, so a long excluded tail can't trigger unbounded fetching (hitting the cap assumes more may match). No bulk-export mode — the API is explicitly not intended for that
  • audit-logs is a command group so future subcommands (chunk downloads, S3 exports) can slot in alongside search

Example

$ kernel audit-logs search --limit 8

Timestamp               | Method | Status | Path                                            | User            | Duration (ms) | Client IP
2026-07-08 16:00:45 UTC | POST   | 502    | /browser/kernel/process/exec                    | dev@example.com | 12010         | 203.0.113.7
2026-07-08 16:00:36 UTC | POST   | 499    | /browsers/xao22uvpynedrhp03upqqi2p/process/exec | dev@example.com | 12017         | 198.51.100.23
2026-07-08 16:00:36 UTC | POST   | 499    | /browsers/uvrttd6c9orj6jggz5seg8yt/process/exec | dev@example.com | 12012         | 198.51.100.23
2026-07-08 16:00:36 UTC | POST   | 502    | /browser/kernel/process/exec                    | dev@example.com | 11995         | 203.0.113.9
2026-07-08 16:00:32 UTC | POST   | 200    | /browser/kernel/process/exec                    | dev@example.com | 310           | 203.0.113.7
2026-07-08 16:00:31 UTC | POST   | 200    | /browser/kernel/process/exec                    | dev@example.com | 353           | 203.0.113.7
2026-07-08 16:00:24 UTC | POST   | 200    | /browsers/ypcqt1fr1d92z6oncj2bh2i9/process/exec | dev@example.com | 348           | 198.51.100.4
2026-07-08 16:00:24 UTC | POST   | 200    | /browser/kernel/process/exec                    | dev@example.com | 328           | 203.0.113.7
INFO: Showing first 8 results; increase --limit or narrow the search window

Real run against the dev API (default window: last 24h, GETs excluded); emails and IPs redacted. --output json emits the raw API entries instead.

Test plan

  • make build, make test (unit tests cover param mapping, default window, default GET exclusion, exclude-method stacking and its overrides, date-only end handling, time validation, limit truncation and exact-limit footer suppression, empty results, error propagation)
  • go vet ./..., gofmt clean on new files
  • e2e against the dev API (api.dev.onkernel.com): basic search, JSON output, all filters verified against returned data, same-day date search, default 24h window, default GET exclusion and stacking overrides, multi-page pagination (1000 unique entries across 10 pages, no dupes), empty-result message, error paths (>30d window, invalid times, bad limit/output, bad key) all exit 1
  • e2e smoke against production: table render + 200-entry paged fetch, all unique

Follow-up (not in this PR): consider removing x-cli-skip: true from /audit-logs in the API's openapi.yaml after merge so the CLI-coverage bot tracks new params; docs page for the command.

Note: golangci-lint isn't installed in this environment, so make lint was not run.

🤖 Generated with Claude Code


Note

Low Risk
Read-only CLI feature with local validation and tests; no changes to auth, persistence, or existing commands beyond registering the new command.

Overview
Adds kernel audit-logs search, a new command group that queries the audit-logs API with a bounded time window (default last 24h), table or --output json, and --limit-capped pagination via the SDK auto-pager.

Time and filters: --start / --end accept RFC3339 or dates; date-only --end is treated as inclusive for the full day. Flags map to API filters (--search, --method, --service, --auth-strategy, repeatable --user-id). GET is excluded by default; because the API only supports one exclude_method, stacking with --exclude-method sends GET server-side and applies the user’s method client-side. --include-get or --method turns off the default GET exclusion.

UX details: Truncation hint (“Showing first N…”) uses a capped peekForMore past the limit so client-side exclusions don’t cause unbounded fetches. Unit tests cover param mapping, validation, exclusion stacking, limits, and errors.

Reviewed by Cursor Bugbot for commit 8b81c9a. Bugbot is set up for automated code reviews on this repo. Configure here.

@yummybomb yummybomb force-pushed the hypeship/audit-logs-search branch from 9b5efcf to d42172a Compare July 7, 2026 21:16
@yummybomb yummybomb marked this pull request as ready for review July 8, 2026 14:01
@yummybomb yummybomb force-pushed the hypeship/audit-logs-search branch 3 times, most recently from 449aa47 to 2586c32 Compare July 8, 2026 14:13
Comment thread cmd/audit_logs.go
Comment thread cmd/audit_logs.go
Comment thread cmd/audit_logs.go Outdated
@yummybomb yummybomb force-pushed the hypeship/audit-logs-search branch from 2586c32 to 4694bf2 Compare July 8, 2026 14:26

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 4694bf2. Configure here.

Comment thread cmd/audit_logs.go
@yummybomb yummybomb force-pushed the hypeship/audit-logs-search branch 2 times, most recently from 7bf3a66 to 51bf31a Compare July 8, 2026 15:30
New `kernel audit-logs search` wrapping GET /audit-logs: 24h default
window (RFC3339 or YYYY-MM-DD bounds), filter flags mapping to the API,
GET requests excluded by default with --include-get to opt back in and
--exclude-method stacking on top, table/json output, and page-token
pagination capped by --limit.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@yummybomb yummybomb force-pushed the hypeship/audit-logs-search branch from 51bf31a to 0bc09c9 Compare July 8, 2026 15:54
@yummybomb yummybomb requested a review from sjmiller609 July 8, 2026 16:00
@yummybomb yummybomb merged commit 767c02e into main Jul 8, 2026
7 checks passed
@yummybomb yummybomb deleted the hypeship/audit-logs-search branch July 8, 2026 17:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants