feat: logging#9
Merged
Merged
Conversation
Fill in all ~148 logging TODOs and the stray println!s with `tracing`, completing the server-side half of the generic-error design: the client still gets a generic event while the discarded error becomes the log payload.
Conventions (src/logging.rs is the single source of truth):
- Levels: server faults -> error!; security denials & failed logins -> warn!; lifecycle, admin actions & reaper summaries -> info!; client-caused noise (bad JSON, undersized frames) -> debug!.
- Client-input constraint violations (duplicate username/room name, empty content, malformed attachment, empty emoji) -> warn!, not error!.
- Dedicated `relay::audit` target for security events: authn outcomes, authz/owner-gated denials, admin actions (promote/demote/delete/reset, account/room creation, ownership, invites, server control).
- Per-connection span ("conn") carrying `who` and, post-auth, `user_id`, so dispatch-side events are attributable; actors run as separate tasks and carry the relevant ids explicitly.
- Never log secrets: Password/PasswordHash already redact in Debug.
Config & output:
- Add Config.log_level (RUST_LOG still wins) and Config.log_format (pretty | json | journald); main.rs builds the subscriber accordingly.
- Native systemd journald via tracing-journald (proper PRIORITY + indexed fields), falling back to stdout when no journal socket.
Other changes:
- AuthResult gains an Error variant so a server-side auth fault is no longer audited as a "login failed".
- Account-creation audit is centralized in the user actor (covers both the open-signup and authenticated paths).
- gate_room's `Ok(None) | Err(_)` arms are split so a real DB fault logs at error! while an existence-hidden "no room" stays debug!.
- reap() logs a per-run summary with per-table delete counts.
Logs go to stdout/journald, never the DB, so they are not subject to the reaper; retention is a platform concern (see src/logging.rs).
Tests: 174 pass, 0 failures; clippy + fmt clean.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds structured logging across the server with
tracing, filling in all ~148 logging TODOs and replacing the strayprintln!s. This completes the server-side half of the generic-error design: the client still receives a generic event while the discarded error becomes the log payload.Conventions
src/logging.rsis the single source of truth (levels, targets, fields, redaction, retention).error!; security denials & failed logins →warn!; lifecycle, admin actions & reaper summaries →info!; client-caused noise (bad JSON, undersized frames) →debug!.warn!, noterror!.relay::audittarget for security events — authn outcomes, authz / owner-gated denials, and admin actions (promote/demote/delete/reset, account & room creation, ownership grants, invites, server control). Routable separately, e.g.RUST_LOG=relay::audit=info.connspan carrieswhoand, after auth,user_id, so dispatch-side events are attributable. Actors run as separate tasks and carry the relevant ids explicitly.Password/PasswordHashalready redact inDebug.Config & output
Config.log_level(RUST_LOGstill takes precedence) andConfig.log_format(pretty|json|journald);main.rsbuilds the subscriber accordingly.tracing-journald(properPRIORITYand indexed fields), falling back to stdout when there's no journal socket.Notable behavior changes
AuthResultgains anErrorvariant so a server-side auth fault is no longer audited as a "login failed".gate_room'sOk(None) | Err(_)arms are split so a real DB fault logs aterror!while an existence-hidden "no room" staysdebug!.reap()logs a per-run summary with per-table delete counts.Retention
Logs go to stdout/journald, never the database, so they are not subject to the reaper; retention is a platform concern (documented in
src/logging.rs).Testing
cargo clippyandcargo fmt --checkclean.