fix(copilot-review): address all 10 Copilot PR comments

- nexus-cli: use X-API-Key header (was Authorization: Bearer)
- nexus-cli: add 30s timeout to shared http.Client
- nexus-cli: diff-based update detection via providerDrifted() — skip
  no-op UPDATEs and print '= OK' for providers with no changes
- nexus-cli/go.mod: align go directive to 1.21 (matches CI)
- .github/workflows/nexus-cli.yml: guard plan step for forked PRs where
  secrets are unavailable (no-op with info message instead of failing)
- audit/service.go: validate extracted IP with net.ParseIP before storing
  to prevent INSERT failures on arbitrary X-Forwarded-For values
- handlers/providers.go: log audit errors with log.Printf instead of
  discarding with _ =
- handlers/callback.go: log audit errors in logAuditEvent wrapper
- handlers/audit_test.go: add unit tests for AuditHandler.List covering
  no filters, event_type filter, invalid since param (400), custom limit,
  and out-of-range limit clamping
- docs/reference/audit-log.md: correct endpoint path to /audit (no /v1
  prefix) with note explaining the Broker is currently unversioned

Author: sangalo20

.github/workflows/nexus-cli.yml

@@ -33,12 +33,18 @@ jobs:
         run: go build -o nexus-cli
 
       - name: Plan (Pull Request)
-        if: github.event_name == 'pull_request'
+        # Only run plan when BROKER_BASE_URL is set (not available for forked PRs).
+        # This prevents the job from failing with "connection refused" for external contributors.
+        if: github.event_name == 'pull_request' && secrets.BROKER_BASE_URL != ''
         env:
           BROKER_BASE_URL: ${{ secrets.BROKER_BASE_URL }}
           API_KEY: ${{ secrets.BROKER_API_KEY }}
         run: ./nexus-cli plan
 
+      - name: Plan skipped (no Broker secret)
+        if: github.event_name == 'pull_request' && secrets.BROKER_BASE_URL == ''
+        run: echo "ℹ️ Skipping live plan — BROKER_BASE_URL secret not available (forked PR)."
+
       - name: Apply (Push to Main)
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'
         env:

docs/reference/audit-log.md

@@ -21,11 +21,13 @@ This provides a queryable history of who changed what and when, which is essenti
 ## Query the Audit Log
 
 ```
-GET /v1/audit
+GET /audit
 ```
 
 Returns recent audit events in descending chronological order. This endpoint is protected by `ApiKeyMiddleware`.
 
+> **Note:** The Nexus Broker API is unversioned — all routes are mounted at the root (e.g., `/providers`, `/audit`). The `/v1/audit` path referenced elsewhere is aspirational and will apply if/when the Broker adopts a versioned API prefix.
+
 ### Query Parameters
 
 | Parameter | Type | Description |

nexus-broker/internal/audit/service.go

@@ -23,16 +23,16 @@ func (s *Service) Log(eventType string, connectionID *uuid.UUID, data map[string
 	var userAgent *string
 
 	if r != nil {
-		// Extract IP
+		// Extract IP — validate with net.ParseIP to avoid storing arbitrary text in the inet column.
 		if fwd := r.Header.Get("X-Forwarded-For"); fwd != "" {
 			ip := strings.TrimSpace(strings.Split(fwd, ",")[0])
-			ipVal = &ip
+			if net.ParseIP(ip) != nil {
+				ipVal = &ip
+			}
 		} else {
 			host, _, err := net.SplitHostPort(r.RemoteAddr)
-			if err == nil {
+			if err == nil && net.ParseIP(host) != nil {
 				ipVal = &host
-			} else {
-				ipVal = &r.RemoteAddr
 			}
 		}
 

nexus-broker/pkg/handlers/audit_test.go

@@ -0,0 +1,174 @@
+package handlers_test
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/Prescott-Data/nexus-framework/nexus-broker/pkg/handlers"
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+	sqlmock "gopkg.in/DATA-DOG/go-sqlmock.v1"
+)
+
+// newSqlxDB wraps a sqlmock connection in a sqlx.DB so handlers can use it.
+func newSqlxDB(t *testing.T) (*sqlx.DB, sqlmock.Sqlmock) {
+	t.Helper()
+	db, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	return sqlx.NewDb(db, "postgres"), mock
+}
+
+func TestAuditList_NoFilters_ReturnsDefaultLimit(t *testing.T) {
+	db, mock := newSqlxDB(t)
+	defer db.Close()
+
+	id := uuid.New()
+	connID := uuid.New()
+	now := time.Now()
+
+	rows := sqlmock.NewRows([]string{
+		"id", "connection_id", "event_type", "event_data", "ip_address", "user_agent", "created_at",
+	}).AddRow(
+		id, &connID, "provider.created", `{"name":"google"}`, "127.0.0.1", "curl/7.88", now,
+	)
+
+	mock.ExpectQuery(`SELECT id, connection_id, event_type, event_data, ip_address, user_agent, created_at`).
+		WithArgs(50). // default limit
+		WillReturnRows(rows)
+
+	handler := handlers.NewAuditHandler(db)
+	req := httptest.NewRequest(http.MethodGet, "/audit", nil)
+	w := httptest.NewRecorder()
+
+	handler.List(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+
+	var result []map[string]interface{}
+	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	if len(result) != 1 {
+		t.Fatalf("expected 1 event, got %d", len(result))
+	}
+	if result[0]["event_type"] != "provider.created" {
+		t.Errorf("expected event_type provider.created, got %v", result[0]["event_type"])
+	}
+
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestAuditList_EventTypeFilter(t *testing.T) {
+	db, mock := newSqlxDB(t)
+	defer db.Close()
+
+	rows := sqlmock.NewRows([]string{
+		"id", "connection_id", "event_type", "event_data", "ip_address", "user_agent", "created_at",
+	}) // empty result
+
+	mock.ExpectQuery(`SELECT id, connection_id, event_type, event_data, ip_address, user_agent, created_at`).
+		WithArgs("provider.deleted", 50).
+		WillReturnRows(rows)
+
+	handler := handlers.NewAuditHandler(db)
+	req := httptest.NewRequest(http.MethodGet, "/audit?event_type=provider.deleted", nil)
+	w := httptest.NewRecorder()
+
+	handler.List(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+
+	// Empty result should return [] not null
+	var result []map[string]interface{}
+	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	if result == nil {
+		t.Error("expected empty array, got null")
+	}
+
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestAuditList_InvalidSinceParam_Returns400(t *testing.T) {
+	db, _ := newSqlxDB(t)
+	defer db.Close()
+
+	handler := handlers.NewAuditHandler(db)
+	req := httptest.NewRequest(http.MethodGet, "/audit?since=not-a-date", nil)
+	w := httptest.NewRecorder()
+
+	handler.List(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400 for invalid since param, got %d", w.Code)
+	}
+}
+
+func TestAuditList_CustomLimit(t *testing.T) {
+	db, mock := newSqlxDB(t)
+	defer db.Close()
+
+	rows := sqlmock.NewRows([]string{
+		"id", "connection_id", "event_type", "event_data", "ip_address", "user_agent", "created_at",
+	})
+
+	mock.ExpectQuery(`SELECT id, connection_id, event_type, event_data, ip_address, user_agent, created_at`).
+		WithArgs(10).
+		WillReturnRows(rows)
+
+	handler := handlers.NewAuditHandler(db)
+	req := httptest.NewRequest(http.MethodGet, "/audit?limit=10", nil)
+	w := httptest.NewRecorder()
+
+	handler.List(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestAuditList_LimitAboveMax_ClampedTo1000(t *testing.T) {
+	db, mock := newSqlxDB(t)
+	defer db.Close()
+
+	rows := sqlmock.NewRows([]string{
+		"id", "connection_id", "event_type", "event_data", "ip_address", "user_agent", "created_at",
+	})
+
+	// limit=9999 should be clamped to 50 (default, since > 1000 is rejected)
+	mock.ExpectQuery(`SELECT id, connection_id, event_type, event_data, ip_address, user_agent, created_at`).
+		WithArgs(50).
+		WillReturnRows(rows)
+
+	handler := handlers.NewAuditHandler(db)
+	req := httptest.NewRequest(http.MethodGet, "/audit?limit=9999", nil)
+	w := httptest.NewRecorder()
+
+	handler.List(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}

nexus-broker/pkg/handlers/callback.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 	"net/url"
 	"strings"
@@ -844,7 +845,9 @@ func (h *CallbackHandler) logAuditEvent(connectionID *uuid.UUID, eventType strin
 		auditData[k] = v
 	}
 
-	_ = h.audit.Log(eventType, connectionID, auditData, r)
+	if err := h.audit.Log(eventType, connectionID, auditData, r); err != nil {
+		log.Printf("audit: failed to log %s (connection_id=%v): %v", eventType, connectionID, err)
+	}
 }
 
 // handleError handles OAuth errors

nexus-broker/pkg/handlers/providers.go

@@ -3,6 +3,7 @@ package handlers
 import (
 	"encoding/json"
 	"fmt"
+	"log"
 	"net/http"
 	"strings"
 
@@ -64,7 +65,9 @@ func (h *ProvidersHandler) Update(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if h.audit != nil {
-		_ = h.audit.Log("provider.updated", nil, map[string]interface{}{"provider_id": profile.ID, "name": profile.Name}, r)
+		if err := h.audit.Log("provider.updated", nil, map[string]interface{}{"provider_id": profile.ID, "name": profile.Name}, r); err != nil {
+			log.Printf("audit: failed to log provider.updated for provider_id=%s: %v", profile.ID, err)
+		}
 	}
 
 	w.WriteHeader(http.StatusOK)
@@ -91,7 +94,9 @@ func (h *ProvidersHandler) Patch(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if h.audit != nil {
-		_ = h.audit.Log("provider.updated", nil, map[string]interface{}{"provider_id": id.String(), "updates": updates}, r)
+		if err := h.audit.Log("provider.updated", nil, map[string]interface{}{"provider_id": id.String(), "updates": updates}, r); err != nil {
+			log.Printf("audit: failed to log provider.updated for provider_id=%s: %v", id, err)
+		}
 	}
 
 	w.WriteHeader(http.StatusOK)
@@ -112,7 +117,9 @@ func (h *ProvidersHandler) Delete(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if h.audit != nil {
-		_ = h.audit.Log("provider.deleted", nil, map[string]interface{}{"provider_id": id.String()}, r)
+		if err := h.audit.Log("provider.deleted", nil, map[string]interface{}{"provider_id": id.String()}, r); err != nil {
+			log.Printf("audit: failed to log provider.deleted for provider_id=%s: %v", id, err)
+		}
 	}
 
 	w.WriteHeader(http.StatusOK)
@@ -165,7 +172,9 @@ func (h *ProvidersHandler) Register(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if h.audit != nil {
-		_ = h.audit.Log("provider.created", nil, map[string]interface{}{"provider_id": profile.ID, "name": profile.Name}, r)
+		if err := h.audit.Log("provider.created", nil, map[string]interface{}{"provider_id": profile.ID, "name": profile.Name}, r); err != nil {
+			log.Printf("audit: failed to log provider.created for provider_id=%s: %v", profile.ID, err)
+		}
 	}
 
 	httputil.WriteJSON(w, http.StatusCreated, map[string]interface{}{
@@ -224,7 +233,9 @@ func (h *ProvidersHandler) DeleteByName(w http.ResponseWriter, r *http.Request)
 	}
 
 	if h.audit != nil {
-		_ = h.audit.Log("provider.deleted", nil, map[string]interface{}{"provider_name": name, "rows_affected": rowsAffected}, r)
+		if err := h.audit.Log("provider.deleted", nil, map[string]interface{}{"provider_name": name, "rows_affected": rowsAffected}, r); err != nil {
+			log.Printf("audit: failed to log provider.deleted for provider_name=%s: %v", name, err)
+		}
 	}
 
 	httputil.WriteJSON(w, http.StatusOK, map[string]string{"message": fmt.Sprintf("Deleted %d provider(s)", rowsAffected)})

nexus-cli/go.mod

@@ -1,5 +1,5 @@
 module github.com/Prescott-Data/nexus-framework/nexus-cli
 
-go 1.26.2
+go 1.21
 
 require gopkg.in/yaml.v3 v3.0.1 // indirect