Update observability docs and task utilities

- Add Observability.md documentation - Standardize task logging with correlation_id support - Add log_sanitizer utility for PII masking - Update Tasks.md tracking - Update geo_cache tasks and other task modules with correlation_id Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-03 11:52:09 +02:00
parent 7b93499551
commit 0133489920
17 changed files with 582 additions and 124 deletions
--- a/Docs/Observability.md
+++ b/Docs/Observability.md
@@ -62,6 +62,40 @@ log.info("password_check", password=password_hash)  # Never!

 Structlog provides context variable filtering to prevent accidental logging of sensitive data. Code reviews must verify compliance with this rule.

+### Log Sanitization
+
+All external output (subprocess results, API responses, config file contents) passed to structlog **must** be sanitized first using `sanitize_for_logging()` from `app.utils.log_sanitizer`.
+
+This prevents sensitive data — passwords, API keys, tokens, private keys — from leaking into logs.
+
+```python
+from app.utils.log_sanitizer import sanitize_for_logging
+
+# ✓ Correct: Sanitize before logging
+log.error(
+    "fail2ban_start_failed",
+    command=" ".join(start_cmd_parts),
+    returncode=process.returncode,
+    stdout=sanitize_for_logging(stdout.decode("utf-8", errors="replace")),
+    stderr=sanitize_for_logging(stderr.decode("utf-8", errors="replace")),
+)
+
+# ✗ Wrong: Raw output may contain secrets
+log.error("fail2ban_start_failed", stdout=stdout_raw, stderr=stderr_raw)  # Never!
+```
+
+`sanitize_for_logging()` redacts the following patterns:
+
+| Pattern | Example match | Replacement |
+|---------|---------------|-------------|
+| `password=X` | `password=Secret123` | `password=***` |
+| `api_key=X` / `api-key=X` | `api_key=key123` | `api_key=***` |
+| `token=X` | `token=eyJhbG...` | `token=***` |
+| `Authorization: Bearer X` | `Authorization: Bearer tok...` | `Authorization: ***` |
+| `secret=X` | `secret=myvalue` | `secret=***` |
+| `-----BEGIN RSA PRIVATE KEY-----` | (key header) | `*** PRIVATE KEY ***` |
+| `AKIA...` | `AKIAIOSFODNN7EXAMPLE` | `AKIA***` |
+
 ---

 ## Structured Logging Best Practices
@@ -102,6 +136,35 @@ log.info("user_action", action="create_jail")  # Automatically includes correlat
 structlog.contextvars.clear_contextvars()
 ```

+### Background Task Correlation
+
+Background tasks (APScheduler jobs) run outside the HTTP request context.
+Use :mod:`app.utils.correlation` to propagate correlation IDs through tasks:
+
+```python
+from app.utils.correlation import get_correlation_id, reset_correlation_id, set_correlation_id
+
+async def my_background_task(correlation_id: str | None = None) -> None:
+    # Generate a new ID if not provided (scheduled tasks have no parent request)
+    if correlation_id is None:
+        import uuid
+        correlation_id = str(uuid.uuid4())
+
+    # Set the correlation ID for all logs in this task
+    token = set_correlation_id(correlation_id)
+    try:
+        log.info("task_started")  # Now includes correlation_id
+        # ... task logic ...
+    finally:
+        reset_correlation_id(token)
+
+# When scheduling, optionally pass the current correlation ID:
+# scheduler.add_job(my_background_task, kwargs={"correlation_id": get_correlation_id()})
+```
+
+Scheduled tasks (no parent request) generate a fresh UUID for each run.
+Tasks triggered by a request inherit the request's correlation ID.
+
 ### Event Naming Convention

 Use snake_case for event names, prefixed with the component or module name: