Module audit_query

Audit log query / replay helpers.

Backs the GET /admin/audit endpoint. Reads the active .audit.log plus rotated siblings (.audit.log.<ms>.zst), parses each line into AuditEvent, and applies the request filters in memory. The audit volume on a typical RedDB deploy is orders of magnitude smaller than the data plane (admin actions, auth events, lease transitions) so a linear scan over the rotated tail is acceptable. If the volume ever justifies it, a real index lives one refactor away — slot a sled / parquet sidecar in here without touching the public surface.

Structs

AuditQuery
Query filters. All fields are optional; an empty Query returns the entire window up to limit.

Functions

events_to_json_array
Render a list of events as a JSON array (returned by the HTTP query handler). Stable field set so dashboards stay locked.
parse_rfc3339_ms
Tiny RFC 3339 -> ms parser. Accepts YYYY-MM-DDTHH:MM:SSZ and YYYY-MM-DDTHH:MM:SS.mmmZ. Rejects anything with a non-Z offset — the audit log writes UTC and we want callers to pass UTC too.
parse_time_arg
Parse RFC-3339 with second precision OR an integer ms epoch. The query endpoint accepts either form per the spec; we keep the parser tiny so we don’t pull chrono.
run_query
Run query against the audit log rooted at active_path (the current .audit.log). Walks the active file plus every sibling rotated archive (.audit.log.<ms>.zst), oldest-first by filename. Returns the matching events in chronological order, capped at query.limit.