feat: Add support for sensitive query

Author: abhisek

cli/query.go

@@ -29,6 +29,7 @@ func NewQueryCmd() *cobra.Command {
 		limit       int
 		offset      int
 		count       bool
+		sensitive   bool
 	)
 
 	cmd := &cobra.Command{
@@ -136,6 +137,10 @@ through the audit history.`,
 				filter = filter.WithCommandPattern(cmdPattern)
 			}
 
+			if sensitive {
+				filter = filter.WithSensitive(true)
+			}
+
 			// Handle count-only mode
 			if count {
 				n, err := app.Store.CountEvents(ctx, filter)
@@ -181,6 +186,7 @@ through the audit history.`,
 	cmd.Flags().IntVar(&limit, "limit", 100, "maximum results")
 	cmd.Flags().IntVar(&offset, "offset", 0, "skip first n results")
 	cmd.Flags().BoolVar(&count, "count", false, "show count only")
+	cmd.Flags().BoolVar(&sensitive, "sensitive", false, "filter to events involving sensitive file access")
 
 	return cmd
 }

core/events/filter.go

@@ -24,6 +24,8 @@ type EventFilter struct {
 	FilePattern string
 	// CommandPattern is a glob pattern to filter by command.
 	CommandPattern string
+	// Sensitive filters to events involving sensitive file access when non-nil.
+	Sensitive *bool
 	// Limit is the maximum number of results.
 	Limit int
 	// Offset is the number of results to skip.
@@ -85,6 +87,12 @@ func (f *EventFilter) WithCommandPattern(pattern string) *EventFilter {
 	return f
 }
 
+// WithSensitive sets the Sensitive filter.
+func (f *EventFilter) WithSensitive(sensitive bool) *EventFilter {
+	f.Sensitive = &sensitive
+	return f
+}
+
 // WithLimit sets the Limit.
 func (f *EventFilter) WithLimit(limit int) *EventFilter {
 	f.Limit = limit

storage/sqlite.go

@@ -854,6 +854,9 @@ func buildEventPredicates(filter *events.EventFilter) []predicate.AuditEvent {
 			}))
 		}))
 	}
+	if filter.Sensitive != nil {
+		predicates = append(predicates, auditevent.IsSensitiveEQ(*filter.Sensitive))
+	}
 	if filter.CommandPattern != "" {
 		pattern := filter.CommandPattern
 		predicates = append(predicates, predicate.AuditEvent(func(s *entsql.Selector) {

storage/sqlite_test.go

@@ -948,6 +948,70 @@ func TestSQLiteStore_QueryEventsWithStatusFilter(t *testing.T) {
 	}
 }
 
+func TestSQLiteStore_QueryEventsWithSensitiveFilter(t *testing.T) {
+	store, cleanup := setupTestStore(t)
+	defer cleanup()
+
+	ctx := context.Background()
+	sessionID := uuid.New()
+	now := time.Now().UTC()
+
+	createTestSession(t, store, sessionID, "claude-code")
+
+	for i, sensitive := range []bool{false, true, false, true, true} {
+		payload, _ := json.Marshal(events.FileReadPayload{Path: "/some/file"})
+		event := &events.Event{
+			ID:           uuid.New(),
+			SessionID:    sessionID,
+			Sequence:     i + 1,
+			Timestamp:    now.Add(time.Duration(i) * time.Minute),
+			AgentName:    "claude-code",
+			ActionType:   events.ActionFileRead,
+			ResultStatus: events.ResultSuccess,
+			Payload:      payload,
+			IsSensitive:  sensitive,
+		}
+		err := store.SaveEvent(ctx, event)
+		require.NoError(t, err)
+	}
+
+	boolPtr := func(b bool) *bool { return &b }
+
+	tests := []struct {
+		name      string
+		sensitive *bool
+		want      int
+	}{
+		{
+			name:      "no filter returns all",
+			sensitive: nil,
+			want:      5,
+		},
+		{
+			name:      "filter sensitive only",
+			sensitive: boolPtr(true),
+			want:      3,
+		},
+		{
+			name:      "filter non-sensitive only",
+			sensitive: boolPtr(false),
+			want:      2,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			filter := events.NewEventFilter()
+			if tt.sensitive != nil {
+				filter = filter.WithSensitive(*tt.sensitive)
+			}
+			results, err := store.QueryEvents(ctx, filter)
+			require.NoError(t, err)
+			assert.Len(t, results, tt.want)
+		})
+	}
+}
+
 func TestQueryEventsAfterCompoundCursor(t *testing.T) {
 	store, cleanup := setupTestStore(t)
 	defer cleanup()