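import * as audit from '../../../../db/repos/audit.js';

// Yerin's window into the audit trail. Read-only. The audit repo already
// redacts sensitive diff keys (token/password/api_key/secret/authorization)
// at write time, so entries are safe to surface.
// NOTE(review): that redaction is keyed on field names, so a secret stored
// under any other key would be returned as-is; confirm the repo's key list
// covers every field that can carry a credential.
export const auditLogTool = {
  name: 'audit_log',
  description:
    'Review the security audit trail: who (which actor) did what, newest first. Filter by actor_kind (user/agent/cron/worker/system) and/or actor_id to investigate a specific principal.',
  input_schema: {
    type: 'object',
    properties: {
      actor_kind: {
        type: 'string',
        enum: ['user', 'agent', 'cron', 'worker', 'system'],
        description: 'optional: only entries from this kind of actor',
      },
      actor_id: {
        type: 'string',
        description: 'optional: only entries from this actor id (uuid)',
      },
      limit: {
        type: 'integer',
        description: 'max entries (default 50, max 200)',
      },
    },
  },

  /**
   * Fetch audit entries, optionally filtered by actor kind and/or actor id.
   *
   * @param {object} [input] - Tool arguments, shaped by `input_schema`.
   * @param {string} [input.actor_kind] - Passed through to the repo unchanged.
   * @param {string} [input.actor_id] - Passed through to the repo unchanged.
   * @param {number} [input.limit] - Requested page size; clamped to 1..200.
   * @param {unknown} _ctx - Invocation context; not consulted here.
   * @returns {Promise<{entries: unknown}>} Whatever `audit.listByActor` resolves to.
   */
  async handler({ actor_kind, actor_id, limit } = {}, _ctx) {
    // NOTE(review): _ctx is ignored, so this handler performs no caller
    // authorization itself; presumably the tool registry decides who may
    // invoke audit_log - confirm, since the trail names every principal.
    // NOTE(review): actor_kind / actor_id are forwarded without re-checking
    // the enum or uuid format; this assumes input_schema is enforced before
    // the handler runs and that the repo binds them as parameters - confirm.

    // Missing, zero, or non-numeric limits fall back to the default of 50.
    const requested = Number(limit) || 50;
    // The schema declares an integer, but nothing visible here enforces it:
    // truncate so a fractional value never reaches the repo, then clamp to
    // the documented 1..200 range so one call cannot dump the whole trail.
    const capped = Math.min(Math.max(Math.trunc(requested), 1), 200);

    const entries = await audit.listByActor({ actor_kind, actor_id, limit: capped });
    return { entries };
  },
};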