Skip to content

feat(api): unfiltered per-PR audit-events query#4041

Merged
JSONbored merged 3 commits into
mainfrom
feat/audit-events-unfiltered-query-v2
Jul 7, 2026
Merged

feat(api): unfiltered per-PR audit-events query#4041
JSONbored merged 3 commits into
mainfrom
feat/audit-events-unfiltered-query-v2

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Summary

Closes #4006.

  • The maintainer audit-feed (GET /v1/repos/{owner}/{repo}/agent/audit-feed) only ever exposed the agent.action.%/agent.pending_action.% event-type subset, repo-scoped. Debugging what actually happened to a single PR meant manually correlating that narrow feed against raw logs, since ~140 other recorded event types (label decisions, visibility skips, notification failures, etc.) were invisible through this endpoint.
  • Adds ?pull=N: an unfiltered sibling query (listAuditEventsForTarget, src/db/repositories.ts) scoped to one PR's exact targetKey, with no eventType restriction. Same maintainer gate and detail sanitization as the existing feed.
  • Also records a github_app.type_label_decision audit event (applied/error/denied outcomes) at the same three sites in src/queue/processors.ts that already log the label decision to console, so it's now visible through this feed too.
  • OpenAPI spec updated (src/openapi/spec.ts) to document the new query param and the ?pull= response shape.

Test plan

  • npm run typecheck — clean
  • npm run ui:openapi / ui:openapi:check — regenerated, clean
  • npx vitest run test/unit/routes-agent-approval.test.ts test/unit/skipped-pr-audit.test.ts — 27/27 passed, including 5 new tests covering the ?pull= branch (event-type-unfiltered listing, since/limit, invalid input, auth, detail redaction)

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 7, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
gittensory-ui 08c4297 Commit Preview URL

Branch Preview URL
Jul 07 2026, 01:54 PM

@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. label Jul 7, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 7, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-07 13:58:27 UTC

7 files · no blockers · readiness 100/100 · CI pending · blocked

⏸️ Suggested Action - Manual Review

Signal Result Evidence
Code review ✅ No blockers No AI review summary
Linked issue ✅ Linked #4006
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (1 linked issue).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 51 registered-repo PR(s), 43 merged, 560 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 51 PR(s), 560 issue(s).
Gate result ✅ Passing No configured blocker found.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: Python, TypeScript, JavaScript, Ruby, Go, Kotlin, MDX, Shell
  • Official Gittensor activity: 51 PR(s), 560 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.56%. Comparing base (39cc958) to head (08c4297).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4041   +/-   ##
=======================================
  Coverage   93.56%   93.56%           
=======================================
  Files         378      378           
  Lines       35448    35469   +21     
  Branches    13000    13006    +6     
=======================================
+ Hits        33167    33188   +21     
  Misses       1618     1618           
  Partials      663      663           
Files with missing lines Coverage Δ
src/api/routes.ts 93.96% <100.00%> (+0.02%) ⬆️
src/db/repositories.ts 96.63% <100.00%> (+0.01%) ⬆️
src/openapi/spec.ts 99.42% <ø> (ø)
src/queue/processors.ts 94.87% <100.00%> (+0.01%) ⬆️
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb gittensory-orb Bot added the manual-review Gittensor contributor context label Jul 7, 2026
JSONbored added 3 commits July 7, 2026 06:49
The maintainer audit-feed only ever exposed the agent.action.%/agent.pending_action.%
event-type subset, repo-scoped. Debugging what actually happened to a single PR meant
manually correlating that narrow feed against logs, since ~140 other recorded event
types (label decisions, visibility skips, notification failures, etc.) were invisible
through this endpoint.

Adds `?pull=N` to GET /v1/repos/{owner}/{repo}/agent/audit-feed: an unfiltered sibling
query (listAuditEventsForTarget) scoped to one PR's exact targetKey, no eventType
restriction. Same maintainer gate and detail sanitization as the existing feed.

Also records a github_app.type_label_decision audit event (applied/error/denied) at
the same three sites that already log the label decision, so it shows up in this feed.
The three new recordAuditEvent calls added alongside the existing type_label
console logs were unguarded, unlike every other audit write in this codebase.
A failing audit write (D1 blip) would propagate and abort maybePublishPrPublicSurface
mid-flight, which REGRESSION (#orb-ci-stuck-repeat, fail-open) tests specifically
guard against — caught by that existing test once it exercised the new code path.
Codecov flagged uncovered lines/branches: a null detail on the ?pull= branch,
and two type_label_decision outcomes (completed/denied) whose new fail-open
.catch() handler was never exercised, plus an unreachable applyLabels-empty
fallback marked v8-ignore with an explanation.
@JSONbored JSONbored force-pushed the feat/audit-events-unfiltered-query-v2 branch from d46ed50 to 08c4297 Compare July 7, 2026 13:52
@JSONbored JSONbored merged commit 3cd0b2a into main Jul 7, 2026
11 checks passed
@JSONbored JSONbored deleted the feat/audit-events-unfiltered-query-v2 branch July 7, 2026 14:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(api): unfiltered per-PR audit-event query + type-label audit row

1 participant