Add log export for audit logs and SCIM events

[gearnode]

Summary

• Add async log export system for audit log entries and SCIM events, processed by a background worker and delivered via email as JSONL files
• Expose the feature across all three API surfaces: GraphQL (console + connect), MCP tools, and CLI commands (probod audit-log export, probod scim-event export)
• Add cursor-based streaming (ForEach* with DECLARE CURSOR) for memory-efficient iteration over large datasets
• Add export button with date range dialog to the audit log settings page in the console UI
• Include IAM authorization policies, database migration, email template, and end-to-end tests

Test plan

• Run make test-e2e to validate audit log and SCIM event export e2e tests
• Verify the export button appears on the audit log settings page for authorized users
• Trigger an export and confirm the background worker processes it and sends the email

---

Summary by cubic

Adds async export for audit logs and SCIM events, processed by a background worker and emailed as a JSONL download link. Exposed in Console, GraphQL, MCP tools, and CLI.

• New Features

  • Background worker streams large exports with database cursors and recovers stale jobs; emails a 24h download link.
  • Console: Export button and date range dialog on Audit Log settings (shown only if authorized).
  • API: GraphQL mutations in console/connect to request exports; MCP tools added; CLI commands prb audit-log export and prb scim-event export.
  • Email: New "Your log export is ready" templates and presenter.
  • RBAC: New actions iam:audit-log:export and iam:scim-event:export; owners/admins allowed, viewers blocked; e2e tests added.
  • Fixes: Close pipe reader after S3 upload to avoid deadlock; add partial index on pending exports for faster worker polling; export dialog uses UTC timestamps, includes the full “To” day, and blocks invalid ranges.

• Migration

  • Apply DB migration creating the log_exports table and partial index on pending rows.
  • Deploy with the IAM log export worker (auto-starts); ensure file storage bucket and base URL are configured.

^{Written for commit 6143986. Summary will update on new commits.}

[cubic-dev-ai]

4 issues found across 30 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/coredata/migrations/20260325T120000Z.sql">

<violation number="1" location="pkg/coredata/migrations/20260325T120000Z.sql:16">
P2: Add an index for the pending-job lookup path (`status` + `created_at`) to avoid repeated full scans in `FOR UPDATE SKIP LOCKED` polling.</violation>
</file>

<file name="pkg/iam/log_export_worker.go">

<violation number="1" location="pkg/iam/log_export_worker.go:212">
P1: Deadlock if S3 upload fails: `pr` is never closed after `PutFile` returns, so `streamJSONL` blocks forever on the next write to `pw`. Close `pr` with the upload error so the writer side gets unblocked.</violation>
</file>

<file name="apps/console/src/pages/iam/organizations/settings/AuditLogSettingsPage.tsx">

<violation number="1" location="apps/console/src/pages/iam/organizations/settings/AuditLogSettingsPage.tsx:201">
P2: The selected “To” date is converted to midnight and sent as an exclusive upper bound, which drops all log entries from that day.</violation>

<violation number="2" location="apps/console/src/pages/iam/organizations/settings/AuditLogSettingsPage.tsx:271">
P2: The dialog allows submitting a date range where From is after To, which the backend always rejects.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[gearnode]

Review complete — 1 issue found.

[gearnode]

Speculative index on a new table

This partial index is added on a brand-new table with no observed production query latency to justify it. Per contrib/claude/coredata.md:

No indexes by default. Only add indexes when justified by observed query latency in production environments. Do not speculatively create indexes on new tables or columns. This rule does not apply to indexes that enforce constraints, such as unique indexes.

This is a non-unique partial index for worker polling, so the constraint exception does not apply. Consider removing it and adding it later if query latency warrants it.