From ea12986c0e8c9e0fa2cb0d2d9ecdb385909730b9 Mon Sep 17 00:00:00 2001
From: Maxime Lamothe-Brassard
Date: Sat, 2 May 2026 08:51:54 -0700
Subject: [PATCH] audit: expose --event-type and --sid filter flags on `audit list`

The SDK's get_audit_logs() and the API endpoint both accept event_type and sid filters, but the CLI didn't expose them. Without server-side filtering, callers have to pull the full audit stream and grep client- side, which is expensive on busy orgs (e.g. one weekly window contained ~5,000 entries dominated by a single extension's hive_set traffic).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 limacharlie/commands/audit.py | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/limacharlie/commands/audit.py b/limacharlie/commands/audit.py
index 2b6fddd3..217a2e61 100644
--- a/limacharlie/commands/audit.py
+++ b/limacharlie/commands/audit.py
@@ -69,10 +69,15 @@ def group() -> None:
 Use --limit to cap the number of results returned.
+Filter results server-side with --event-type (e.g. hive_set, send_task,
+remove_sensor) or --sid (limit to events relating to a specific sensor).
+
 Examples:
 limacharlie audit list
 limacharlie audit list --start 1700000000 --end 1700100000
 limacharlie audit list --limit 50
+ limacharlie audit list --event-type hive_set
+ limacharlie audit list --sid 37270c5f-53b5-4215-b1ed-d4f60e818a7f
 """
 register_explain("audit.list", _EXPLAIN_LIST)
@@ -87,8 +92,16 @@ def group() -> None:
 help="End time (Unix seconds). Defaults to now.",
 )
 @click.option("--limit", default=None, type=int, help="Maximum number of results.")
+@click.option(
+ "--event-type", "event_type", default=None,
+ help="Server-side filter: only return events of this type (e.g. hive_set, send_task).",
+)
+@click.option(
+ "--sid", default=None,
+ help="Server-side filter: only return events relating to this sensor ID.",
+)
 @pass_context
-def list_audit(ctx, start, end, limit) -> None:
+def list_audit(ctx, start, end, limit, event_type, sid) -> None:
 validate_epoch_seconds(start, "start")
 validate_epoch_seconds(end, "end")
@@ -99,5 +112,8 @@ def list_audit(ctx, start, end, limit) -> None:
 start = now - 86400 # 24 hours ago
 org = _get_org(ctx)
- data = list(org.get_audit_logs(start=start, end=end, limit=limit))
+ data = list(org.get_audit_logs(
+ start=start, end=end, limit=limit,
+ event_type=event_type, sid=sid,
+ ))
 _output(ctx, data)
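Review bot: The new `--sid` and `--event-type` options accept any string and are never checked, while `start` and `end` are passed through `validate_epoch_seconds` at the top of `list_audit`; the last hunk forwards both values to `get_audit_logs` as given. How the server treats a malformed value is not visible here, but if it simply matches nothing, a mistyped sensor ID yields an empty listing that reads the same as "no audit activity for this sensor". If sensor IDs are always UUIDs, as the help example suggests, declaring the option with `type=click.UUID` and forwarding `str(sid) if sid else None` would reject typos before the request is made. `list_audit`'s body continues outside this hunk.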
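Review bot: Nothing in this patch exercises the new `event_type=event_type, sid=sid` forwarding into `org.get_audit_logs`; the diffstat shows only `audit.py` changed. These filters will be used to scope audit reviews, so a dropped or misnamed keyword would surface only as an unfiltered or unexpectedly empty listing. A CLI test that runs `audit list --event-type hive_set --sid <constructed-uuid>` against a stubbed org and asserts the keyword arguments it receives would pin this down. `list_audit` begins above this hunk, so the default-window logic before `org = _get_org(ctx)` is only partly visible.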