
fix(audit): cap audit log limit at 100, add offset-based pagination (PILOT-305) #28

Open
matthew-pilot wants to merge 2 commits into main from openclaw/pilot-305-20260530-194112


@matthew-pilot
Collaborator

What failed

The audit log handler at server_handlers.go:33-79 accepted limit values up to 1000 (the full ring buffer size) with no pagination support. A single admin call could dump the entire audit trail, making bulk exfiltration trivial.

Why this fix

  • Cap max limit at 100 (down from 1000) — one call can no longer pull the entire ring buffer.
  • Add optional offset parameter for cursor-based pagination — an admin can still page through the full log but must make N deliberate calls.
  • Combined with PILOT-304 (tamper-evident audit log), this raises the bar for covert audit scraping.

Verification

go build ./...    # clean
go vet ./...      # clean
go test ./...     # all packages pass

Scope

 server_handlers.go       | 13 +++++++++++--
 zz_handlers_more_test.go | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 2 deletions(-)

Closes PILOT-305

…tion (PILOT-305)

Verify that limit > 100 is capped, and that offset correctly skips
entries for cursor-based pagination. Expected to fail until the
handler is updated.

…PILOT-305)

The audit log handler accepted limit values up to 1000 (full ring buffer)
with no pagination support, allowing a single admin call to dump the entire
audit trail. This makes bulk exfiltration trivial.

Changes:
- Cap max limit at 100 (down from 1000) — one call can no longer pull the
  entire ring buffer
- Add optional "offset" parameter for cursor-based pagination — an admin
  can still page through the full log but must make N deliberate calls

Combined with PILOT-304 (tamper-evident audit log), this raises the bar
for covert audit scraping.

Closes PILOT-305
@codecov

codecov Bot commented May 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@matthew-pilot
Collaborator Author

🤖 PR Status — #28

Title: fix(audit): cap audit log limit at 100, add offset-based pagination (PILOT-305)
Author: matthew-pilot
Branch: openclaw/pilot-305-20260530-194112 → main

🔄 Merge Status

  • Mergeable: ✅ Yes
  • State: Open

✅ CI Checks (2/2 passing)

Check         | Status
test          | ✅ completed/success
codecov/patch | ✅ completed/success

📁 Files Changed (2 files, +57/−2)

File                     | Changes
server_handlers.go       | +11/−2
zz_handlers_more_test.go | +46/−0

📝 Summary

Caps audit log limit param at 100 (was 1000) and adds optional offset for cursor-based pagination — prevents bulk audit trail exfiltration in a single API call.


🤖 Automated status report by matthew-pr-worker

@matthew-pilot
Collaborator Author

🤖 PR Explanation — fix(audit): cap audit log limit at 100, add offset-based pagination (PILOT-305)

What changed

  • Capped the audit log limit parameter at 100 (down from 1000) in server_handlers.go — a single admin API call can no longer dump the entire audit ring buffer.
  • Added optional offset query parameter for cursor-based pagination — admins can still page through the full audit log, but must make N deliberate calls instead of one bulk dump.
  • 46 lines of test coverage in zz_handlers_more_test.go — verifies the cap, pagination, and edge cases.

Why

The audit log handler accepted limit values up to 1000 (the full ring buffer size) with no pagination support. A single API call could exfiltrate the entire audit trail. Combined with PILOT-304 (tamper-evident audit log), this hardens against covert audit scraping.

CI

✅ All checks passing (2/2 — test, codecov/patch)


🤖 Automated explanation by matthew-pr-worker
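
The limit cap and offset paging described in this PR, as an added Go example; it is not the project's `server_handlers.go` code, which this page does not show. The names `auditPage`, `nonNeg` and `callsToReadAll`, the default limit of 50, the handling of `limit=0` and the `-1` end marker are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

const maxAuditLimit, defaultAuditLimit = 100, 50 // 100 is the PR's cap; 50 is an assumed default

// nonNeg parses a non-negative int parameter; missing, malformed, negative or overflowing values yield def.
func nonNeg(q url.Values, key string, def int) int {
	n, err := strconv.Atoi(q.Get(key))
	if err != nil || n < 0 {
		return def
	}
	return n
}

// auditPage returns at most maxAuditLimit entries from offset, plus the next offset (-1 when exhausted).
func auditPage(entries []string, rawQuery string) ([]string, int) {
	q, _ := url.ParseQuery(rawQuery) // malformed pairs are ignored, valid ones are kept
	limit := nonNeg(q, "limit", defaultAuditLimit)
	if limit == 0 || limit > maxAuditLimit {
		limit = maxAuditLimit // clamp instead of rejecting (assumed behaviour)
	}
	offset := nonNeg(q, "offset", 0)
	if offset >= len(entries) {
		return nil, -1 // offset past the end: empty page, never a slice panic
	}
	end, next := offset+limit, offset+limit
	if end >= len(entries) {
		end, next = len(entries), -1
	}
	return entries[offset:end], next
}

// callsToReadAll counts the requests a client asking for limit=1000 needs to read every entry.
func callsToReadAll(entries []string) (calls int) {
	for offset := 0; offset >= 0; calls++ {
		_, offset = auditPage(entries, fmt.Sprintf("limit=1000&offset=%d", offset))
	}
	return calls
}

func main() {
	log := make([]string, 1000) // constructed stand-in for a full 1000-entry ring buffer
	page, next := auditPage(log, "limit=1000")
	fmt.Println(len(page), next, callsToReadAll(log))
}
```

Because a full read now takes several sequential requests with increasing `offset` values, the pattern is something request logging or rate limiting on the endpoint can key on.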
