discadmin/disclosure-bureau
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
disclosure-bureau/web/lib/logger.ts

78 lines
3.1 KiB
TypeScript
Raw Normal View History

W0+W1+W1.2: security hardening, observability, autocomplete, glitchtip, forgejo CI W0 — security hardening (5 fixes verified live on disclosure.top) - middleware: gate /api/admin/* same as /admin/* (F1) - imgproxy: tighten LOCAL_FILESYSTEM_ROOT from / to /var/lib/storage (F2) - studio: real basic-auth label (bcrypt hash, middleware reference) (F3) - relations: ENABLE ROW LEVEL SECURITY + public SELECT policy (F4) - migration 0003: fold is_searchable + hybrid_search update into canonical (TD#2) W1 — observability + resilience + autocomplete - studio: HOSTNAME=0.0.0.0 so Next.js binds on loopback for healthcheck - compose: PG_POOL_MAX=20, CLAUDE_CODE_OAUTH_TOKEN gated by separate env - claude-code.ts: subprocess timeout configurable (CLAUDE_CODE_TIMEOUT_MS) - openrouter.ts: retry with exponential backoff + Retry-After + in-memory circuit breaker (promotes FALLBACK after CB_THRESHOLD failures) - lib/logger.ts: pino logger (NDJSON prod / pretty dev) + withRequest helper - middleware: mints correlation_id, stamps x-correlation-id response header, emits structured http_request log per /api/* call - messages/route.ts: switch to structured logger - 60_meili_index.py: push documents + chunks into Meilisearch - /api/search/autocomplete: parallel meili search (docs + chunks), 5-8ms p50 - search-autocomplete.tsx: debounced dropdown wired into search-panel W1.2 — Glitchtip + Forgejo self-hosted - compose: glitchtip-redis + glitchtip-web + glitchtip-worker (v4.2) - compose: forgejo + forgejo-runner (server v9, runner v6) with group_add=988 - @sentry/nextjs SDK wired (instrumentation.ts + sentry.{client,server}.config.ts) - /api/admin/throw smoke endpoint (gated by W0-F1 middleware) - Synthetic event ingestion verified at glitchtip.disclosure.top - forgejo.disclosure.top up, repo discadmin/disclosure-bureau created, runner registered (labels: ubuntu-latest, docker) - .forgejo/workflows/ci.yml: typecheck + lint + build + npm audit + python syntax + compose validation Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-23 21:18:42 +00:00
/**
* Structured logger pino with JSON output in production, pretty in dev.
*
* Use as:
* import { log, withRequest } from "@/lib/logger";
* log.info({ doc_id, page }, "rendering page");
* log.error({ err }, "embed-service down");
*
* For request-scoped logging:
* const reqLog = withRequest(request);
* reqLog.info({ duration_ms: dt }, "hybrid_search done");
*
* Edge runtime falls back to a console adapter (pino requires node).
*/
import pino from "pino";
// Edge runtime doesn't support pino's worker thread; detect and fall back.
const isEdge = typeof process === "undefined" || process.env.NEXT_RUNTIME === "edge";
function build(): pino.Logger {
if (isEdge) {
// Minimal adapter so middleware can call log.* without crashing.
const noop = () => undefined;
return {
info: (o: unknown, m?: string) => console.log(JSON.stringify({ level: "info", msg: m, ...(typeof o === "object" ? o : { v: o }) })),
warn: (o: unknown, m?: string) => console.warn(JSON.stringify({ level: "warn", msg: m, ...(typeof o === "object" ? o : { v: o }) })),
error: (o: unknown, m?: string) => console.error(JSON.stringify({ level: "error", msg: m, ...(typeof o === "object" ? o : { v: o }) })),
debug: noop,
trace: noop,
fatal: (o: unknown, m?: string) => console.error(JSON.stringify({ level: "fatal", msg: m, ...(typeof o === "object" ? o : { v: o }) })),
child: () => build(),
} as unknown as pino.Logger;
}
return pino({
level: process.env.LOG_LEVEL || "info",
base: {
app: "disclosure-web",
env: process.env.NODE_ENV || "development",
},
timestamp: pino.stdTimeFunctions.isoTime,
// Production: NDJSON (one JSON per line). Dev: pretty-printed.
transport: process.env.NODE_ENV === "production" ? undefined : {
target: "pino-pretty",
options: { colorize: true, translateTime: "SYS:HH:MM:ss.l" },
},
});
}
export const log: pino.Logger = build();
/** Create a child logger bound to a request's correlation id. */
export function withRequest(req: Request | { headers: Headers }): pino.Logger {
const id = req.headers.get("x-correlation-id") ||
req.headers.get("x-request-id") ||
cryptoRandomId();
return log.child({ correlation_id: id });
}
/** Get-or-mint a correlation id for a request. */
export function correlationId(req: Request | { headers: Headers }): string {
return req.headers.get("x-correlation-id") ||
req.headers.get("x-request-id") ||
cryptoRandomId();
}
function cryptoRandomId(): string {
// 16 hex chars — short enough for logs, enough entropy for non-security uses.
// Both edge runtime and Node 19+ expose globalThis.crypto; older Node falls
// back to Math.random (acceptable: this is correlation, not security).
const g = globalThis as { crypto?: { getRandomValues?: (a: Uint8Array) => void } };
if (g.crypto?.getRandomValues) {
const buf = new Uint8Array(8);
g.crypto.getRandomValues(buf);
return Array.from(buf, (b) => b.toString(16).padStart(2, "0")).join("");
}
return Math.random().toString(36).slice(2, 18);
}
Reference in a new issue Copy permalink