feat: merge gh aw audit report into gh aw logs --format (#24396)

Author: Copilot

docs/src/content/docs/blog/2026-03-30-weekly-update.md

@@ -34,14 +34,14 @@ Security fixes:
 
 ### [v0.64.2](https://github.com/github/gh-aw/releases/tag/v0.64.2) — March 26
 
-The `gh aw audit` command got a powerful new subcommand:
+The `gh aw logs` command gained cross-run report generation via the new `--format` flag:
 
-**`gh aw audit report`** aggregates firewall behavior across multiple workflow runs and produces an executive summary, domain inventory, and per-run breakdown:
+**`gh aw logs --format`** aggregates firewall behavior across multiple workflow runs and produces an executive summary, domain inventory, and per-run breakdown:
 
 ```bash
-gh aw audit report --workflow "agent-task" --last 10       # Markdown
-gh aw audit report --last 5 --json                         # JSON for dashboards
-gh aw audit report --format pretty                         # Console output
+gh aw logs agent-task --format markdown --count 10    # Markdown
+gh aw logs --format markdown --json                   # JSON for dashboards
+gh aw logs --format pretty                            # Console output
 ```
 
 This release also includes a **YAML env injection security fix** ([#23055](https://github.com/github/gh-aw/pull/23055)): all `env:` emission sites in the compiler now use `%q`-escaped YAML scalars, preventing newlines or quote characters in frontmatter values from injecting sibling env variables into `.lock.yml` files.

docs/src/content/docs/reference/audit.md

@@ -89,18 +89,20 @@ gh aw audit diff 12345 12346 --json
 gh aw audit diff 12345 12346 --repo owner/repo
 ```
 
-## `gh aw audit report`
+## `gh aw logs --format <fmt>`
 
 Generate a cross-run security and performance audit report across multiple recent workflow runs.
+This feature is built into the `gh aw logs` command via the `--format` flag.
 
 **Flags:**
 
 | Flag | Default | Description |
 |------|---------|-------------|
-| `-w, --workflow <name>` | all | Filter by workflow name or filename |
-| `--last <n>` | 20 | Number of recent runs to analyze (max 50) |
-| `--format <fmt>` | `markdown` | Output format: `markdown` or `pretty` |
-| `--json` | off | Output report as JSON |
+| `[workflow]` | all workflows | Filter by workflow name or filename (positional argument) |
+| `-c, --count <n>` | 10 | Number of recent runs to analyze |
+| `--last <n>` | — | Alias for `--count` |
+| `--format <fmt>` | — | Output format: `markdown` or `pretty` (generates cross-run audit report) |
+| `--json` | off | Output cross-run report as JSON (when combined with `--format`) |
 | `--repo <owner/repo>` | auto | Specify repository |
 | `-o, --output <dir>` | `./logs` | Directory for downloaded artifacts |
 | `--verbose` | off | Print detailed progress |
@@ -110,11 +112,11 @@ The report output includes an executive summary, domain inventory, metrics trend
 **Examples:**
 
 ```bash
-gh aw audit report
-gh aw audit report --workflow "daily-repo-status" --last 10
-gh aw audit report --workflow "agent-task" --last 5 --json
-gh aw audit report --format pretty
-gh aw audit report --repo owner/repo --last 10
+gh aw logs --format markdown
+gh aw logs daily-repo-status --format markdown --count 10
+gh aw logs agent-task --format markdown --last 5 --json
+gh aw logs --format pretty
+gh aw logs --format markdown --repo owner/repo --count 10
 ```
 
 ## Related Documentation

docs/src/content/docs/reference/cost-management.md

@@ -218,7 +218,7 @@ These are rough estimates to help with budgeting. Actual costs vary by prompt si
 | On-demand via slash command | User-controlled | Varies | Varies |
 
 > [!TIP]
-> Use `gh aw audit <run-id>` to deep-dive into token usage and cost for a single run. Use `gh aw audit report --workflow <name>` to analyze cost trends across multiple runs. Create separate `COPILOT_GITHUB_TOKEN` service accounts per repository or team to attribute spend by workflow.
+> Use `gh aw audit <run-id>` to deep-dive into token usage and cost for a single run. Use `gh aw logs --format markdown [workflow]` to analyze cost trends across multiple runs. Create separate `COPILOT_GITHUB_TOKEN` service accounts per repository or team to attribute spend by workflow.
 
 ## Related Documentation
 

docs/src/content/docs/reference/glossary.md

@@ -361,9 +361,9 @@ An interactive web-based editor for authoring, compiling, and previewing agentic
 
 A `gh aw audit` subcommand that compares firewall behavior across two workflow runs. Reports domain additions and removals, allowed/denied status changes, request volume drift, and anomaly flags. Outputs results in pretty, markdown, or JSON format. Useful for spotting regressions and behavioral drift between runs. See [CLI Reference](/gh-aw/setup/cli/#audit-diff).
 
-### Audit Report (`gh aw audit report`)
+### Cross-Run Audit Report (`gh aw logs --format`)
 
-A `gh aw audit` subcommand that aggregates firewall data across multiple workflow runs to produce a cross-run security report. The report includes an executive summary, domain inventory, and per-run breakdown. Designed for security reviews, compliance checks, and feeding debugging or optimization agents. Outputs markdown by default (suitable for `$GITHUB_STEP_SUMMARY`), or pretty/JSON format. See [CLI Reference](/gh-aw/setup/cli/#audit-report).
+A feature of `gh aw logs` that aggregates firewall data across multiple workflow runs to produce a cross-run security report. The report includes an executive summary, domain inventory, and per-run breakdown. Designed for security reviews, compliance checks, and feeding debugging or optimization agents. Outputs markdown by default (suitable for `$GITHUB_STEP_SUMMARY`), or pretty/JSON format. See [CLI Reference](/gh-aw/setup/cli/#logs).
 
 ### Frontmatter Hash
 

pkg/cli/audit.go

@@ -117,7 +117,6 @@ Examples:
 
 	// Add subcommands
 	cmd.AddCommand(NewAuditDiffSubcommand())
-	cmd.AddCommand(NewAuditReportSubcommand())
 
 	return cmd
 }

pkg/cli/audit_cross_run.go

@@ -9,10 +9,6 @@ import (
 
 var auditCrossRunLog = logger.New("cli:audit_cross_run")
 
-// maxAuditReportRuns is the upper bound on runs to analyze in a single report
-// to bound download time and memory usage.
-const maxAuditReportRuns = 50
-
 // mcpErrorRateThreshold is the error-rate above which an MCP server is flagged as unreliable.
 const mcpErrorRateThreshold = 0.10
 

pkg/cli/audit_cross_run_test.go

@@ -311,149 +311,94 @@ func TestRenderCrossRunReportMarkdown(t *testing.T) {
 	assert.Contains(t, output, "api.github.com:443", "Should contain the domain")
 }
 
-func TestNewAuditReportSubcommand(t *testing.T) {
-	cmd := NewAuditReportSubcommand()
-
-	assert.Equal(t, "report", cmd.Use, "Command Use should be 'report'")
-	assert.NotEmpty(t, cmd.Short, "Short description should not be empty")
-	assert.NotEmpty(t, cmd.Long, "Long description should not be empty")
-
-	// Check flags exist
-	workflowFlag := cmd.Flags().Lookup("workflow")
-	require.NotNil(t, workflowFlag, "Should have --workflow flag")
-	assert.Equal(t, "w", workflowFlag.Shorthand, "Workflow flag shorthand should be 'w'")
-
-	lastFlag := cmd.Flags().Lookup("last")
-	require.NotNil(t, lastFlag, "Should have --last flag")
-	assert.Equal(t, "20", lastFlag.DefValue, "Default value for --last should be 20")
-
-	jsonFlag := cmd.Flags().Lookup("json")
-	require.NotNil(t, jsonFlag, "Should have --json flag")
-
-	repoFlag := cmd.Flags().Lookup("repo")
-	require.NotNil(t, repoFlag, "Should have --repo flag")
-
-	outputFlag := cmd.Flags().Lookup("output")
-	require.NotNil(t, outputFlag, "Should have --output flag")
+func TestNewLogsCommand_HasFormatFlag(t *testing.T) {
+	cmd := NewLogsCommand()
 
+	// Check that the --format flag exists
 	formatFlag := cmd.Flags().Lookup("format")
 	require.NotNil(t, formatFlag, "Should have --format flag")
-	assert.Equal(t, "markdown", formatFlag.DefValue, "Default value for --format should be markdown")
-}
-
-func TestNewAuditReportSubcommand_RejectsExtraArgs(t *testing.T) {
-	cmd := NewAuditReportSubcommand()
-	cmd.SetArgs([]string{"extra-arg"})
-	err := cmd.Execute()
-	require.Error(t, err, "Should reject extra positional arguments")
-	assert.Contains(t, err.Error(), "unknown command", "Error should indicate unknown command")
-}
+	assert.Empty(t, formatFlag.DefValue, "Default value for --format should be empty (console output)")
 
-func TestRunAuditReportConfig_LastClampBounds(t *testing.T) {
-	tests := []struct {
-		name     string
-		inputCfg RunAuditReportConfig
-		wantLast int
-	}{
-		{
-			name:     "negative last defaults to 20",
-			inputCfg: RunAuditReportConfig{Last: -5},
-			wantLast: 20,
-		},
-		{
-			name:     "zero last defaults to 20",
-			inputCfg: RunAuditReportConfig{Last: 0},
-			wantLast: 20,
-		},
-		{
-			name:     "over max clamped to max",
-			inputCfg: RunAuditReportConfig{Last: 100},
-			wantLast: maxAuditReportRuns,
-		},
-		{
-			name:     "within bounds unchanged",
-			inputCfg: RunAuditReportConfig{Last: 10},
-			wantLast: 10,
-		},
-	}
+	// Check that the --last flag exists as an alias for --count
+	lastFlag := cmd.Flags().Lookup("last")
+	require.NotNil(t, lastFlag, "Should have --last flag")
+	assert.Equal(t, "0", lastFlag.DefValue, "Default value for --last should be 0 (uses --count default)")
 
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			cfg := tt.inputCfg
-			// Apply the same clamping logic as RunAuditReport
-			if cfg.Last <= 0 {
-				cfg.Last = 20
-			}
-			if cfg.Last > maxAuditReportRuns {
-				cfg.Last = maxAuditReportRuns
-			}
-			assert.Equal(t, tt.wantLast, cfg.Last, "Last should be clamped correctly")
-		})
-	}
+	// Other expected flags still present
+	require.NotNil(t, cmd.Flags().Lookup("json"), "Should have --json flag")
+	require.NotNil(t, cmd.Flags().Lookup("repo"), "Should have --repo flag")
+	require.NotNil(t, cmd.Flags().Lookup("output"), "Should have --output flag")
+	require.NotNil(t, cmd.Flags().Lookup("count"), "Should have --count flag")
 }
 
-func TestRunAuditReportConfig_FormatPrecedence(t *testing.T) {
+func TestLogsCommand_FormatPrecedence(t *testing.T) {
 	tests := []struct {
 		name       string
 		jsonOutput bool
 		format     string
-		wantFormat string // "json", "markdown", or "pretty"
+		wantMode   string // "crossrun-json", "crossrun-markdown", "crossrun-pretty", "default-json", "default-console"
 	}{
 		{
-			name:       "json flag takes precedence over format",
-			jsonOutput: true,
-			format:     "markdown",
-			wantFormat: "json",
+			name:       "no format uses default console",
+			jsonOutput: false,
+			format:     "",
+			wantMode:   "default-console",
 		},
 		{
-			name:       "json flag with format=pretty still uses json",
+			name:       "json flag without format uses default json",
 			jsonOutput: true,
-			format:     "pretty",
-			wantFormat: "json",
+			format:     "",
+			wantMode:   "default-json",
 		},
 		{
-			name:       "format=json without json flag",
+			name:       "format=markdown triggers cross-run markdown report",
 			jsonOutput: false,
-			format:     "json",
-			wantFormat: "json",
+			format:     "markdown",
+			wantMode:   "crossrun-markdown",
 		},
 		{
-			name:       "format=pretty selects pretty",
+			name:       "format=pretty triggers cross-run pretty report",
 			jsonOutput: false,
 			format:     "pretty",
-			wantFormat: "pretty",
+			wantMode:   "crossrun-pretty",
 		},
 		{
-			name:       "format=markdown selects markdown",
-			jsonOutput: false,
+			name:       "format=markdown with json flag triggers cross-run json report",
+			jsonOutput: true,
 			format:     "markdown",
-			wantFormat: "markdown",
+			wantMode:   "crossrun-json",
 		},
 		{
-			name:       "default format is markdown",
-			jsonOutput: false,
-			format:     "",
-			wantFormat: "markdown",
+			name:       "format=pretty with json flag triggers cross-run json report",
+			jsonOutput: true,
+			format:     "pretty",
+			wantMode:   "crossrun-json",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			// Apply the same format selection logic as RunAuditReport
+			// Apply the same format selection logic as DownloadWorkflowLogs
 			var selected string
-			if tt.jsonOutput || tt.format == "json" {
-				selected = "json"
-			} else if tt.format == "pretty" {
-				selected = "pretty"
+			if tt.format == "markdown" || tt.format == "pretty" {
+				if tt.jsonOutput {
+					selected = "crossrun-json"
+				} else if tt.format == "pretty" {
+					selected = "crossrun-pretty"
+				} else {
+					selected = "crossrun-markdown"
+				}
+			} else if tt.jsonOutput {
+				selected = "default-json"
 			} else {
-				selected = "markdown"
+				selected = "default-console"
 			}
-			assert.Equal(t, tt.wantFormat, selected, "Format should be selected correctly")
+			assert.Equal(t, tt.wantMode, selected, "Output mode should be selected correctly for format=%q jsonOutput=%v", tt.format, tt.jsonOutput)
 		})
 	}
 }
 
-func TestNewAuditReportSubcommand_RepoParsingWithHost(t *testing.T) {
+func TestLogsCommand_RepoParsingWithHost(t *testing.T) {
 	tests := []struct {
 		name      string
 		repoFlag  string
@@ -492,7 +437,7 @@ func TestNewAuditReportSubcommand_RepoParsingWithHost(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			// Apply the same repo parsing logic
+			// Apply the same repo parsing logic used in audit commands
 			parts := strings.Split(tt.repoFlag, "/")
 			if len(parts) < 2 {
 				assert.True(t, tt.wantErr, "Should expect error for: %s", tt.repoFlag)