Add audit-logs download command#195
Open
yummybomb wants to merge 19 commits into
Open
Conversation
Wraps GET /audit-logs/export/chunk (kernel-go-sdk v0.75.0). Chunks are verified against X-Content-Sha256 before being appended to the output file, and a sidecar state file persists the cursor and committed byte offset so an interrupted download resumes without duplicating rows. Ranges over the API's 30-day cap fail fast with ready-to-run per-window commands. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
--include-get lifts the exclusion. Because chunks are appended verbatim, a second exclusion can't stack client-side the way search filters, so --exclude-method with the GET default active is rejected with guidance rather than silently replacing it. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Bind resume state to a credential identity (hashed API key or OAuth org ID) so switching credentials can't mix organizations in one archive - Validate the output file against recorded progress on resume; a missing or shortened file now fails instead of being zero-extended and reported complete - Fail closed on missing X-Has-More and X-Content-Sha256 headers, and validate pagination headers before any bytes are written - Commit initial state before the first fetch so an early failure retries without --force; --force removes stale state immediately - Write state via os.CreateTemp and use 0600/0700 modes for outputs - Cap buffered chunk responses at 256 MiB - Fix stale -o references in errors; document that resume needs explicit --start/--end Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The server controls chunk sizing and every chunk is checksum-verified, so the client-side byte ceiling only added a failure mode. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The params fingerprint already invalidates stale state files, and the state is too short-lived to need format versioning. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 3 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit ee8ccd4. Configure here.
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

Summary
Adds
kernel audit-logs downloadfor verified chunked audit-log exports.[start, end)range of at most 30 days.--exclude-methodtogether to the API..partialfile and publishes the final.jsonl.gzonly after all chunks complete.--forceis passed; forced replacement happens only during the final rename.Test plan
go test ./...go vet ./...Note
Medium Risk
Touches audit-log export and local file handling (permissions, partial/final paths) but is isolated CLI logic with strong validation and test coverage; no server auth changes.
Overview
Adds
kernel audit-logs downloadfor bulk export of gzip-compressed JSONL over the chunked export API.The command requires an explicit
[start, end)window (max 30 days), reusesaudit-logs searchfilter flags (including default GET exclusion stacked with--exclude-method), and walksX-Next-CursoruntilX-Has-Moreis false. Each chunk is verified againstX-Content-Sha256before any bytes are written.Output is streamed to a
.partialfile with restrictive permissions; the final.jsonl.gzis published only after a successful rename. Failed transfers drop the partial file; a completed partial is kept if finalization fails. Existing output is blocked unless--force.AuditLogsServicegainsExportChunk; tests cover multi-chunk assembly, checksum/header validation, overwrite behavior, and param building.Reviewed by Cursor Bugbot for commit 17fc709. Bugbot is set up for automated code reviews on this repo. Configure here.