Skip to content

fix(audit): cap audit log limit at 100, add offset-based pagination (PILOT-305)#28

Open
matthew-pilot wants to merge 2 commits into
mainfrom
openclaw/pilot-305-20260530-194112
Open

fix(audit): cap audit log limit at 100, add offset-based pagination (PILOT-305)#28
matthew-pilot wants to merge 2 commits into
mainfrom
openclaw/pilot-305-20260530-194112

Conversation

@matthew-pilot
Copy link
Copy Markdown
Collaborator

@matthew-pilot matthew-pilot commented May 30, 2026

What failed

The audit log handler at server_handlers.go:33-79 accepted limit values up to 1000 (the full ring buffer size) with no pagination support. A single admin call could dump the entire audit trail, making bulk exfiltration trivial.

Why this fix

  • Cap max limit at 100 (down from 1000) — one call can no longer pull the entire ring buffer.
  • Add optional offset parameter for cursor-based pagination — an admin can still page through the full log but must make N deliberate calls.
  • Combined with PILOT-304 (tamper-evident audit log), this raises the bar for covert audit scraping.

Verification

go build ./...    # clean
go vet ./...      # clean
go test ./...     # all packages pass

Scope

 server_handlers.go       | 13 +++++++++++--
 zz_handlers_more_test.go | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 2 deletions(-)

Closes PILOT-305

@matthew-pilot
test(audit): add failing test for audit log limit cap + offset pagina…
4484783 
…tion (PILOT-305)

Verify that limit > 100 is capped, and that offset correctly skips
entries for cursor-based pagination. Expected to fail until the
handler is updated.
@matthew-pilot
fix(audit): cap audit log limit at 100, add offset-based pagination (…
c314d0f 
…PILOT-305)

The audit log handler accepted limit values up to 1000 (full ring buffer)
with no pagination support, allowing a single admin call to dump the entire
audit trail. This makes bulk exfiltration trivial.

Changes:
- Cap max limit at 100 (down from 1000) — one call can no longer pull the
  entire ring buffer
- Add optional "offset" parameter for cursor-based pagination — an admin
  can still page through the full log but must make N deliberate calls

Combined with PILOT-304 (tamper-evident audit log), this raises the bar
for covert audit scraping.

Closes PILOT-305
@codecov
Copy link
Copy Markdown

codecov Bot commented May 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@matthew-pilot
Copy link
Copy Markdown
Collaborator Author

matthew-pilot commented May 30, 2026

🤖 PR Status — #28

Title: fix(audit): cap audit log limit at 100, add offset-based pagination (PILOT-305)
Author: matthew-pilot
Branch: openclaw/pilot-305-20260530-194112main

🔄 Merge Status

  • Mergeable: ✅ Yes
  • State: Open

✅ CI Checks (2/2 passing)

Check Status
test ✅ completed/success
codecov/patch ✅ completed/success

📁 Files Changed (2 files, +57/−2)

File Changes
server_handlers.go +11/−2
zz_handlers_more_test.go +46/−0

📝 Summary

Caps audit log limit param at 100 (was 1000) and adds optional offset for cursor-based pagination — prevents bulk audit trail exfiltration in a single API call.

🤖 Automated status report by matthew-pr-worker

@matthew-pilot
Copy link
Copy Markdown
Collaborator Author

matthew-pilot commented May 30, 2026

🤖 PR Explanation — fix(audit): cap audit log limit at 100, add offset-based pagination (PILOT-305)

What changed

  • Capped the audit log limit parameter at 100 (down from 1000) in server_handlers.go — a single admin API call can no longer dump the entire audit ring buffer.
  • Added optional offset query parameter for cursor-based pagination — admins can still page through the full audit log, but must make N deliberate calls instead of one bulk dump.
  • 46 lines of test coverage in zz_handlers_more_test.go — verifies the cap, pagination, and edge cases.

Why

The audit log handler accepted limit values up to 1000 (the full ring buffer size) with no pagination support. A single API call could exfiltrate the entire audit trail. Combined with PILOT-304 (tamper-evident audit log), this hardens against covert audit scraping.

CI

✅ All checks passing (2/2 — test, codecov/patch)

🤖 Automated explanation by matthew-pr-worker

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

canary-failed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@matthew-pilot