📌 Description
internal/api/api.go uses Fiber's default logger.New() plus a bespoke pre-handler block that only logs /webhooks/ requests and a 404 catch-all. There is no structured, slog-based access log emitting method, path/route, status code, latency, request id, and remote IP for every request in a machine-parseable form consistent with the rest of the app's slog output.
💡 Why it matters: Consistent structured access logs are the backbone of debugging, latency analysis, and alerting; the current text logger is not aligned with the app's slog JSON/text output or request-id correlation.
🧩 Requirements and context
- Replace or supplement
logger.New() with a middleware that emits a single slog record per request: method, matched route, status, duration_ms, request_id, remote_ip, bytes.
- Correlate with the
requestid middleware value.
- Make log verbosity respect
cfg.LogLevel().
- Avoid logging sensitive headers/bodies (reuse the redaction approach already used for webhooks).
- Add a test asserting a completed request produces the expected fields.
Non-functional requirements
- Must be secure, tested, and documented.
- Should be efficient and easy to review.
🛠️ Suggested execution
1. Fork the repo and create a branch
git checkout -b obs/structured-access-logging
2. Implement changes
- Write/modify the relevant source:
internal/api/api.go, new internal/api/logging.go
- Write comprehensive tests:
internal/api/logging_test.go capturing slog output
- Add documentation: observability section in architecture doc
- Include GoDoc comments on the middleware
- Validate security assumptions: never log Authorization or signature headers
3. Test and commit
go test ./internal/api/...
- Cover edge cases: error responses, 404s, slow requests
- Include test output and security notes in the PR description.
Example commit message
feat(api): add structured slog access-logging middleware
✅ Acceptance criteria
🔒 Security notes
Must not log Authorization, X-Hub-Signature-256, X-Admin-Bootstrap-Token, or request bodies; align with existing redaction.
📋 Guidelines
- Minimum 95% test coverage
- Clear documentation
- Timeframe: 96 hours
📌 Description
internal/api/api.gouses Fiber's defaultlogger.New()plus a bespoke pre-handler block that only logs/webhooks/requests and a 404 catch-all. There is no structured, slog-based access log emitting method, path/route, status code, latency, request id, and remote IP for every request in a machine-parseable form consistent with the rest of the app'sslogoutput.🧩 Requirements and context
logger.New()with a middleware that emits a singleslogrecord per request: method, matched route, status, duration_ms, request_id, remote_ip, bytes.requestidmiddleware value.cfg.LogLevel().Non-functional requirements
🛠️ Suggested execution
1. Fork the repo and create a branch
2. Implement changes
internal/api/api.go, newinternal/api/logging.gointernal/api/logging_test.gocapturing slog output3. Test and commit
go test ./internal/api/...Example commit message
✅ Acceptance criteria
🔒 Security notes
Must not log Authorization, X-Hub-Signature-256, X-Admin-Bootstrap-Token, or request bodies; align with existing redaction.
📋 Guidelines