From 6c140b2dae67f25c33fe5b531c02b33300ca4c01 Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Sat, 2 May 2026 07:55:45 -0700 Subject: [PATCH 1/2] fix: correct audit list field documentation in --ai-help The --ai-help text for `audit list` listed fields (who, action, target, details) that don't exist in the API response, leading callers to write filters like `[].action` that silently return empty results. Replace with the actual response fields (ts, time, etype, ident, msg, oid, origin, entity, mtd). Co-Authored-By: Claude Opus 4.7 (1M context) --- limacharlie/commands/audit.py | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/limacharlie/commands/audit.py b/limacharlie/commands/audit.py index 2b6fddd3..8b9bc15c 100644 --- a/limacharlie/commands/audit.py +++ b/limacharlie/commands/audit.py @@ -58,11 +58,15 @@ def group() -> None: sensor operations, and API key usage. Each audit entry contains: - ts - Timestamp of the action - who - Email or API key hash of the actor - action - Action performed (e.g. dr.set, sensor.del) - target - Resource affected - details - Action-specific context + ts - Timestamp of the action (string, UTC) + time - Timestamp of the action (Unix milliseconds) + etype - Event type (e.g. hive_set, send_task, remove_sensor) + ident - Actor identity (email, API key hash, or extension ID) + msg - Human-readable description of the action + oid - Organization ID + origin - Origin of the action (e.g. DR rule, extension) + entity - Affected entity (object, often containing sid) + mtd - Action-specific metadata Time range is specified with --start and --end as Unix timestamps in seconds. If not provided, defaults to the last 24 hours. From 225690034ba283c938ec5a16b68f5bfb6ac2515c Mon Sep 17 00:00:00 2001 
From: Maxime Lamothe-Brassard Date: Sat, 2 May 2026 08:10:36 -0700 Subject: [PATCH 2/2] audit: distinguish V1/V2 fields per CloudAudit struct Align the --ai-help field listing with the canonical CloudAudit struct in go-essentials (lc/message.go), which explicitly groups fields into "Audit Message" (V1) and "Audit V2 Fields". V2 added time/ident/entity/ mtd; origin is the legacy V1 actor field that ident supersedes. Co-Authored-By: Claude Opus 4.7 (1M context) --- limacharlie/commands/audit.py | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/limacharlie/commands/audit.py b/limacharlie/commands/audit.py index 8b9bc15c..11079b61 100644 --- a/limacharlie/commands/audit.py +++ b/limacharlie/commands/audit.py @@ -58,15 +58,21 @@ def group() -> None: sensor operations, and API key usage. Each audit entry contains: - ts - Timestamp of the action (string, UTC) - time - Timestamp of the action (Unix milliseconds) + oid - Organization ID + ts - Timestamp of the action (UTC string, "YYYY-MM-DD HH:MM:SS") etype - Event type (e.g. hive_set, send_task, remove_sensor) - ident - Actor identity (email, API key hash, or extension ID) msg - Human-readable description of the action - oid - Organization ID - origin - Origin of the action (e.g. DR rule, extension) - entity - Affected entity (object, often containing sid) - mtd - Action-specific metadata + +V2 fields (preferred for new callers): + time - Timestamp (Unix milliseconds) + ident - Identity performing the action (email, API key hash, + extension ID, or DR rule) + entity - Object the action is performed on (e.g. {sid: ...}) + mtd - Characteristics of the action (action-specific metadata) + +Legacy field (V1, retained for backward compatibility): + origin - Pre-V2 actor identity; superseded by ident. When ident + is empty, origin holds the actor. Time range is specified with --start and --end as Unix timestamps in seconds. If not provided, defaults to the last 24 hours.
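Review bot: In [PATCH 1/2], the added `time` line documents Unix milliseconds, while the unchanged sentence at the end of the hunk says --start and --end take Unix timestamps in seconds, so the help text shows two epoch units a few lines apart with nothing connecting them. A caller who copies a `time` value from an entry into --start will pass a value 1000 times too large. Suggest a short remark next to the time-range sentence, for example "the `time` field in results is in milliseconds; divide by 1000 before passing it to --start/--end". The `ts` and `time` lines also carry the same description and differ only in the parenthetical; saying which one callers should sort or filter on would help.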
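Review bot: In [PATCH 2/2], the `origin` entry says "When ident is empty, origin holds the actor", but nothing in the text says on which entries the V2 fields are populated, so a filter written only against `ident` (which "preferred for new callers" encourages) can miss entries whose actor is only in `origin`. That is the same silent-miss problem the first commit message describes for `[].action`. Suggest stating the fallback where `ident` is described (use `ident`, fall back to `origin` when it is empty) and whether `time`, `entity` and `mtd` can also be absent. The first group (oid, ts, etype, msg) is also left without a label while the other two groups have one; since the commit message says the struct groups fields as "Audit Message" (V1) and "Audit V2 Fields", labelling that group as V1 would make the split explicit.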