feat(web): Add pagination and time range filtering to audit endpoint (#949)

msukkari · claude · web-flow · commit e3691997c140 · 2026-02-26T16:38:50.000-08:00
* feat(web): Add pagination and time range filtering to audit GET endpoint The audit API now supports pagination with page and perPage query parameters (max 100 items), and time range filtering with since and until parameters in UTC. Returns X-Total-Count header and RFC 5988 Link header for pagination, matching the commits API pattern. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * chore: Update CHANGELOG for audit pagination feature (#949) * chore: Shorten CHANGELOG entry * fix(web): validate inverted time ranges and add deterministic audit pagination Reject requests where 'since' >= 'until' with a 400 error, and add 'id' as a tiebreaker to the orderBy clause so paginated results are deterministic. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- Added pagination and UTC time range filtering to the audit GET endpoint. [#949](https://github.com/sourcebot-dev/sourcebot/pull/949)
+
 ### Fixed
 - Fixed search query parser rejecting parenthesized regex alternation in filter values (e.g. `file:(test|spec)`, `-file:(test|spec)`). [#946](https://github.com/sourcebot-dev/sourcebot/pull/946)
 - Fixed `content:` filter ignoring the regex toggle. [#947](https://github.com/sourcebot-dev/sourcebot/pull/947)
diff --git a/packages/web/src/app/api/(server)/ee/audit/route.ts b/packages/web/src/app/api/(server)/ee/audit/route.ts
@@ -3,12 +3,27 @@
 import { fetchAuditRecords } from "@/ee/features/audit/actions";
 import { apiHandler } from "@/lib/apiHandler";
 import { ErrorCode } from "@/lib/errorCodes";
-import { serviceErrorResponse } from "@/lib/serviceError";
+import { buildLinkHeader } from "@/lib/pagination";
+import { serviceErrorResponse, queryParamsSchemaValidationError } from "@/lib/serviceError";
 import { isServiceError } from "@/lib/utils";
 import { getEntitlements } from "@sourcebot/shared";
 import { StatusCodes } from "http-status-codes";
+import { NextRequest } from "next/server";
+import { z } from "zod";
 
-export const GET = apiHandler(async () => {
+const auditQueryParamsBaseSchema = z.object({
+    since: z.string().datetime().optional(),
+    until: z.string().datetime().optional(),
+    page: z.coerce.number().int().positive().default(1),
+    perPage: z.coerce.number().int().positive().max(100).default(50),
+});
+
+const auditQueryParamsSchema = auditQueryParamsBaseSchema.refine(
+    (data) => !(data.since && data.until && new Date(data.since) >= new Date(data.until)),
+    { message: "'since' must be before 'until'", path: ["since"] }
+);
+
+export const GET = apiHandler(async (request: NextRequest) => {
     const entitlements = getEntitlements();
     if (!entitlements.includes('audit')) {
         return serviceErrorResponse({
@@ -18,9 +33,49 @@ export const GET = apiHandler(async () => {
         });
     }
 
-    const result = await fetchAuditRecords();
+    const rawParams = Object.fromEntries(
+        Object.keys(auditQueryParamsBaseSchema.shape).map(key => [
+            key,
+            request.nextUrl.searchParams.get(key) ?? undefined
+        ])
+    );
+    const parsed = auditQueryParamsSchema.safeParse(rawParams);
+
+    if (!parsed.success) {
+        return serviceErrorResponse(
+            queryParamsSchemaValidationError(parsed.error)
+        );
+    }
+
+    const { page, perPage, since, until } = parsed.data;
+    const skip = (page - 1) * perPage;
+
+    const result = await fetchAuditRecords({
+        skip,
+        take: perPage,
+        since: since ? new Date(since) : undefined,
+        until: until ? new Date(until) : undefined,
+    });
+
     if (isServiceError(result)) {
         return serviceErrorResponse(result);
     }
-    return Response.json(result);
-}); 
+
+    const { auditRecords, totalCount } = result;
+
+    const headers = new Headers({ 'Content-Type': 'application/json' });
+    headers.set('X-Total-Count', totalCount.toString());
+
+    const linkHeader = buildLinkHeader(request, {
+        page,
+        perPage,
+        totalCount,
+        extraParams: {
+            ...(since ? { since } : {}),
+            ...(until ? { until } : {}),
+        },
+    });
+    if (linkHeader) headers.set('Link', linkHeader);
+
+    return new Response(JSON.stringify(auditRecords), { status: 200, headers });
+});
diff --git a/packages/web/src/ee/features/audit/actions.ts b/packages/web/src/ee/features/audit/actions.ts
@@ -25,18 +25,39 @@ export const createAuditAction = async (event: Omit<AuditEvent, 'sourcebotVersio
     })
 );
 
-export const fetchAuditRecords = async () => sew(() =>
+export interface FetchAuditRecordsParams {
+    skip: number;
+    take: number;
+    since?: Date;
+    until?: Date;
+}
+
+export const fetchAuditRecords = async (params: FetchAuditRecordsParams) => sew(() =>
     withAuthV2(async ({ user, org, role }) =>
         withMinimumOrgRole(role, OrgRole.OWNER, async () => {
             try {
-                const auditRecords = await prisma.audit.findMany({
-                    where: {
-                        orgId: org.id,
-                    },
-                    orderBy: {
-                        timestamp: 'desc'
-                    }
-                });
+                const where = {
+                    orgId: org.id,
+                    ...(params.since || params.until ? {
+                        timestamp: {
+                            ...(params.since ? { gte: params.since } : {}),
+                            ...(params.until ? { lte: params.until } : {}),
+                        }
+                    } : {}),
+                };
+
+                const [auditRecords, totalCount] = await Promise.all([
+                    prisma.audit.findMany({
+                        where,
+                        orderBy: [
+                            { timestamp: 'desc' },
+                            { id: 'desc' },
+                        ],
+                        skip: params.skip,
+                        take: params.take,
+                    }),
+                    prisma.audit.count({ where }),
+                ]);
 
                 await auditService.createAudit({
                     action: "audit.fetch",
@@ -51,7 +72,7 @@ export const fetchAuditRecords = async () => sew(() =>
                     orgId: org.id
                 })
 
-                return auditRecords;
+                return { auditRecords, totalCount };
             } catch (error) {
                 logger.error('Error fetching audit logs', { error });
                 return {
