316c2c4275
check-and-test / check-and-test (pull_request) Has been cancelled
Closes #13. Today GITEA_DEBUG=true only flips the zap level to debug, dumps a contextless `Text Result:` blob per tool call, and enables the gitea SDK's own debug stream (which doesn't merge with our log file). That is not enough to diagnose a misbehaving tool call in production. This change introduces: - A `pkg/middleware.ToolLogging` ToolHandlerMiddleware that logs each tool invocation on entry and exit with structured fields: tool name, redacted args, request_id, token source, duration_ms, and status. The request_id is stashed in the context so downstream layers can correlate. - A `loggingRoundTripper` in `pkg/gitea` that wraps the shared HTTP transport and emits one structured line per upstream Gitea API call (method, token-stripped URL, status, duration_ms, bytes). This replaces — and is far more useful than — `gitea.SetDebugMode()`. - An effective-config dump at startup (`logEffectiveConfig`) when debug+config scope is on, so "did my env var get picked up?" becomes answerable from the log file. - Token source tracking. CLI flag / GITEA_ACCESS_TOKEN / GITEA_ACCESS_TOKEN_FILE / per-request Authorization header are now distinguished in logs as flag/env/env-file/header. - A baseline redactor in `pkg/debug` that masks args / query params whose keys look like secrets (token, password, secret, api_key, authorization, …). This is the placeholder for issue #5's shared redactor; once that lands, callers here should defer to it. - `GITEA_DEBUG_SCOPES` env var to scope debug output to any subset of `tools,http,config`. Default (unset) is "everything". Test coverage was added for the redactor, scope flag, request-id helpers, preview truncation (multibyte-safe), and the middleware's context wiring + error propagation. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
41 lines
1.1 KiB
Go
41 lines
1.1 KiB
Go
package flag
|
|
|
|
var (
|
|
Host string
|
|
Port int
|
|
Token string
|
|
Version string
|
|
Mode string
|
|
|
|
Insecure bool
|
|
ReadOnly bool
|
|
Debug bool
|
|
AllowedTools map[string]struct{}
|
|
|
|
// TokenSource records where flag.Token was loaded from when the process
|
|
// started: "flag", "env", "env-file", or "" if no startup token was set.
|
|
// Per-request tokens from the Authorization header bypass this and are
|
|
// labelled "header" in the context value instead.
|
|
TokenSource string
|
|
|
|
// DebugScopes restricts what categories of debug output are emitted when
|
|
// Debug is true. An empty set means "everything" (the default). Known
|
|
// scopes: "tools", "http", "config". Parsed from GITEA_DEBUG_SCOPES.
|
|
DebugScopes map[string]struct{}
|
|
)
|
|
|
|
// DebugScopeEnabled reports whether a given debug scope should be logged.
|
|
// Returns true if Debug is off (so callers don't accidentally activate logs
|
|
// they shouldn't), false. When Debug is on and DebugScopes is empty, all
|
|
// scopes are enabled.
|
|
func DebugScopeEnabled(scope string) bool {
|
|
if !Debug {
|
|
return false
|
|
}
|
|
if len(DebugScopes) == 0 {
|
|
return true
|
|
}
|
|
_, ok := DebugScopes[scope]
|
|
return ok
|
|
}
|