fix(api): AIN-119 wire event_type + agent filters on /v1/audit/public

[varda-elentari]

Summary

/v1/audit/public?event_type=X was returning all latest events ignoring the filter. Root cause: the param did not exist on the public_feed handler. FastAPI silently accepts unknown query params; the handler returned latest events ordered by created_at desc.

Fix

Add 2 optional query params to public_feed:

• event_type: AuditEventType | None — enum-validated, 422 on bad value
• agent: str | None — exact match on AgentORM.name

Both translate to conditional .where() clauses on the existing select stmt. Backward compatible: nil filter when None preserves existing untyped/un-agent-scoped behavior.

Tests (4 new)

• test_public_feed_event_type_filter_returns_only_matching_type
• test_public_feed_event_type_filter_invalid_value_returns_422 (falsifiable; AIN-119 acceptance build(deps): Bump astral-sh/setup-uv from 5 to 7 #1)
• test_public_feed_agent_filter_returns_only_matching_agent
• test_public_feed_combined_event_type_and_agent_filters

Refs

Closes AIN-119. Surfaced during Sprint v1.7 close (Phase 5) probe — filter still broken at sprint-close window.

[linear-code]

AIN-119 api: /v1/audit/public event filter ignored — returns latest events regardless of `event=` / `event_type=` query param

Repro

# Filter by event=inference.rejected_cap_violation
curl -sS "https://api.ainfera.ai/v1/audit/public?event=inference.rejected_cap_violation&limit=1"
# Returns: {"events":[{"event_type":"ledger.refunded", ...}]}  ← NOT cap_violation

# Same with event_type= param
curl -sS "https://api.ainfera.ai/v1/audit/public?event_type=inference.rejected_cap_violation&limit=1"
# Returns: same ledger.refunded event

# Unfiltered (proves cap_violation events DO exist in the chain)
curl -sS "https://api.ainfera.ai/v1/audit/public?limit=20" | jq '.events[].event_type'
# Returns: includes "inference.rejected_cap_violation"

Impact

• Per SPRINT-V1.7-RECONCILED.md §P3 acceptance and §P1 acceptance, the verification curls depend on this filter working (event=inference.rejected_cap_violation&agent=varda&limit=1).
• Without the filter, founders/SDK consumers must client-side-filter the full event stream — broken UX + unscalable as chain grows.
• Also breaks /vs page comparisons that show "filter audit events by type" capability.

Suspected cause

• Query-param coercion likely accepts the param but silently drops to None if the enum value doesn't parse exactly (e.g. case-sensitivity, prefix matching).
• OR: filter wired into ORM select() but conditional where() clause guarded by a check that always fails (if event is not None with event always None due to FastAPI parsing).

Acceptance

• curl ".../v1/audit/public?event_type=inference.rejected_cap_violation&limit=1" returns ONLY events with that exact type (or 422 if the param shape is wrong — at minimum, falsifiable behavior).
• Other valid event_type values (ledger.refunded, receipt.created, provider.responded, inference.routed, inference.requested, ledger.debited) also filter correctly.
• Integration test in api/tests/integration/test_audit.py covering the filter.

Found

During Phase 2 substrate rename smoke verification on 2026-05-17 (ainfera-os PR #2 + api PR #15 era). Surfaced when validating §6 test 4 of docs/PHASE-2-RENAME-PLAN.md.

Priority

Medium — not blocking launch (manual any-event probe still works), but blocks Sprint v1.7 P3 + P1 acceptance curls + clean dashboard UX.

Review in Linear