From edae8625519e0c6f0b271be63f9d0193570b1286 Mon Sep 17 00:00:00 2001
From: Catherine <whitequark@whitequark.org>
Date: Sun, 3 May 2026 12:01:33 +0000
Subject: [PATCH] Surface detached status of audit records in diagnostic
 output.

---
 src/audit.go |  8 ++++++++
 src/main.go  | 30 +++++++++++++++++++++---------
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/audit.go b/src/audit.go
index 48a1406..13c4fc0 100644
--- a/src/audit.go
+++ b/src/audit.go
@@ -132,6 +132,14 @@ func (record *AuditRecord) DescribeResource() string {
 	return desc
 }
 
+func (record *AuditRecord) IsDetachable() bool {
+	return record.GetEvent() == AuditEvent_CommitManifest
+}
+
+func (record *AuditRecord) IsDetached() bool {
+	return record.IsDetachable() && record.Manifest == nil
+}
+
 type AuditRecordScope int
 
 const (
diff --git a/src/main.go b/src/main.go
index 805c481..2abf8ca 100644
--- a/src/main.go
+++ b/src/main.go
@@ -506,13 +506,19 @@ func Main(versionInfo string) {
 		})
 
 		for _, record := range records {
-			fmt.Fprintf(color.Output, "%s %s %s %s %s\n",
+			parts := []string{
 				record.GetAuditID().String(),
 				color.HiWhiteString(record.GetTimestamp().AsTime().UTC().Format(time.RFC3339)),
 				color.HiMagentaString(record.DescribePrincipal()),
 				color.HiGreenString(record.DescribeResource()),
-				record.GetEvent(),
-			)
+				fmt.Sprint(record.GetEvent()),
+			}
+			if record.IsDetached() {
+				parts = append(parts,
+					color.HiYellowString("(detached)"),
+				)
+			}
+			fmt.Println(color.Output, strings.Join(parts, " "))
 		}
 
 	case *auditRead != "":
@@ -578,17 +584,23 @@ func Main(versionInfo string) {
 				logc.Fatalln(ctx, err)
 			}
 			if record.GetDomain() == domain && (project == "*" || record.GetProject() == project) {
-				logc.Printf(ctx, "detaching audit record %s\n", record.GetAuditID())
-				err = backend.DetachAuditRecord(ctx, record.GetAuditID())
-				if err != nil {
-					logc.Fatalln(ctx, err)
+				if !record.IsDetachable() {
+					continue
+				} else if !record.IsDetached() {
+					logc.Printf(ctx, "detaching audit record %s\n", record.GetAuditID())
+					err = backend.DetachAuditRecord(ctx, record.GetAuditID())
+					if err != nil {
+						logc.Fatalln(ctx, err)
+					}
+					count++
+				} else {
+					logc.Printf(ctx, "audit record %s already detached\n", record.GetAuditID())
 				}
-				count++
 			}
 		}
 
 		if count == 0 {
-			logc.Printf(ctx, "no audit records found for %s/%s", domain, project)
+			logc.Printf(ctx, "no detachable audit records found for %s/%s", domain, project)
 		}
 
 	case *auditServer != "":