fix(sublime): apply default base URL and use server-side time filter#301
Open
maximelb wants to merge 2 commits into
Open
fix(sublime): apply default base URL and use server-side time filter#301maximelb wants to merge 2 commits into
maximelb wants to merge 2 commits into
Conversation
Two bugs made the Sublime audit-log adapter unusable in production: 1. `unsupported protocol scheme ""` when no base URL was configured. The North America default was only applied in Validate(), which the general adapter runner never calls -- it constructs the adapter directly. The constructor already backfilled the poll interval for this reason but not the base URL, so an unset base_url produced a schemeless request URL. Backfill defaultBaseURL in the constructor alongside the poll interval. 2. `context deadline exceeded` on busy tenants. Every poll re-paginated the entire audit log from offset 0 (offset 0, 500, 1000, ... hundreds of pages), discarding old events client-side. On a tenant with a large backlog a single request eventually exceeded the HTTP timeout. Use the API's created_at[gte] filter (documented, inclusive, ISO 8601 UTC) to fetch only the recent window; the overlap is still re-fetched and the dedupe map suppresses re-shipping, so shipping semantics are unchanged. Also: return an explicit error on a non-200 (previously the returned error was the nil from the preceding successful Do call), and cap pagination depth per poll as a backstop against a misbehaving API. Tests: mock now honours created_at[gte]; added regressions for the base URL backfill and for the high-volume path (a 100k-event pre-start backlog must not be walked by offset). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NThfoB4tBLPk7SqABt7GPR
lcbill
previously approved these changes
Jul 2, 2026
A base URL copied from the dashboard with a trailing slash produced a `//v0/...` request path. Trim trailing slashes when normalizing the config. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NThfoB4tBLPk7SqABt7GPR
lcbill
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The Sublime Security audit-log adapter had two bugs that made it unusable in production. Both were reproduced from a user report and verified against Sublime's official API docs.
1.
unsupported protocol scheme ""when no base URL is setThe North America default base URL (
https://platform.sublime.security) was only applied inSublimeConfig.Validate(), but the general adapter runner constructs the adapter directly and never callsValidate(). The constructor already backfilled the poll interval for exactly this reason — it just forgot the base URL. So an unsetbase_urlproduced a schemeless request URL and every poll failed.Fix: backfill
defaultBaseURLin the constructor next to the poll-interval default.2.
context deadline exceededon high-volume tenantsEvery poll re-paginated the entire audit log from
offset=0(offset 0, 500, 1000, … — hundreds of pages), pulling every page and discarding old events client-side. On a tenant with a large backlog, a single request eventually exceeded the 30s HTTP timeout. The adapter never used the API's time filter.Fix: send the documented
created_at[gte]filter (inclusive, ISO 8601 UTC) so each poll only fetches the recent window. The overlap is still re-fetched and the dedupe map suppresses re-shipping, so shipping semantics are unchanged — the fetched set just shrinks from the whole history to the recent window.Minor
nilerror from the preceding successfulDo()call).Tests
created_at[gte].TestBaseURLDefaultBackfilled: constructing with an empty base URL yields the default.TestMockHighVolumeUsesTimeFilter: a 100k-event pre-start backlog must not be walked by offset — the adapter stays atoffset=0and sends the time filter.TestMakeOneRequestNon200to expect the explicit error.All
./sublime/tests pass;go vetand thecontainers/generalbuild are clean.🤖 Generated with Claude Code
https://claude.ai/code/session_01NThfoB4tBLPk7SqABt7GPR