tenseleyflow/shithub / b22a29e

+# Configuration

+

+shithub uses a layered configuration loader. Sources, in increasing-precedence order:

+

+1. **Built-in defaults.** Encoded in `internal/infra/config/Defaults()`.

+2. **TOML file.** Path comes from `SHITHUB_CONFIG` env var, falling back to `/etc/shithub/config.toml`. Absence is fine; bad syntax is a hard error.

+3. **Environment variables.** `SHITHUB_<area>__<key>` (double-underscore separates nested keys). Examples below.

+4. **CLI flag overrides.** Passed in by the caller (mostly `--addr` from `shithubd web`).

+

+After all four merge, `config.Load` applies a small set of named **aliases** (e.g. `SHITHUB_DATABASE_URL` → `db.url`) for backward compatibility, then runs `Validate`. Any validation failure causes `shithubd` to exit non-zero with a one-line error pointing at the offending key.

+

+## Inspecting the active configuration

+

+```sh

+shithubd config print     # writes the resolved config as TOML, with secrets redacted

+shithubd config validate  # exits non-zero if the resolved config is invalid

+shithubd version          # includes a one-line summary of which sinks are configured

+```

+

+`config print` redacts any field whose name contains `password`, `pass`, `secret`, `key`, `token`, `dsn`, or `url` (URL fields are redacted because they often carry credentials in the userinfo component).

+

+## Reference

+

+| Key | Type | Default | Notes |

+|---|---|---|---|

+| `env` | string | `dev` | One of `dev | staging | prod`. Drives default log format and Sentry environment. |

+| `web.addr` | string | `:8080` | Listen address. |

+| `web.read_timeout` | duration | `30s` | Per-request read timeout. |

+| `web.write_timeout` | duration | `30s` | Per-request write timeout. |

+| `web.shutdown_timeout` | duration | `10s` | Graceful drain on SIGTERM. |

+| `db.url` | string | `""` | Postgres DSN. Aliased by `SHITHUB_DATABASE_URL`. |

+| `db.max_conns` | int | `10` | pgxpool max conns. |

+| `db.min_conns` | int | `0` | pgxpool min conns. |

+| `db.connect_timeout` | duration | `5s` | |

+| `log.level` | string | `info` | One of `debug | info | warn | error`. |

+| `log.format` | string | `text` | One of `text | json`. |

+| `metrics.enabled` | bool | `true` | Mounts `/metrics`. |

+| `metrics.basic_auth_user` | string | `""` | When set together with `pass`, gate `/metrics` behind HTTP Basic. |

+| `metrics.basic_auth_pass` | string | `""` | |

+| `tracing.enabled` | bool | `false` | When true, `tracing.endpoint` is required. |

+| `tracing.endpoint` | string | `""` | OTLP HTTP endpoint, e.g. `http://otel-collector:4318`. |

+| `tracing.sample_rate` | float | `0.05` | Parent-based ratio sampler in [0, 1]. |

+| `tracing.service_name` | string | `shithubd` | OTel resource attribute. |

+| `error_reporting.dsn` | string | `""` | Sentry-protocol DSN (works against GlitchTip). Empty disables. |

+| `error_reporting.environment` | string | `""` | Tag for filtering events. |

+| `error_reporting.release` | string | `""` | Tag for filtering events. |

+| `session.key_b64` | string | `""` | Base64 32-byte AEAD key. Aliased by `SHITHUB_SESSION_KEY`. |

+| `session.max_age` | duration | `720h` | Cookie session lifetime (30 days). |

+| `session.secure` | bool | `false` | Set `Secure` cookie attribute. Enable under TLS (S37 deploy). |

+

+## Env-var examples

+

+```sh

+# Listen elsewhere

+export SHITHUB_WEB__ADDR=:9090

+

+# Connect to Postgres

+export SHITHUB_DATABASE_URL=postgres://shithub:dev@127.0.0.1:5432/shithub?sslmode=disable

+# (equivalent: export SHITHUB_DB__URL=...)

+

+# JSON logs for prod

+export SHITHUB_LOG__FORMAT=json

+export SHITHUB_LOG__LEVEL=info

+

+# Enable tracing

+export SHITHUB_TRACING__ENABLED=true

+export SHITHUB_TRACING__ENDPOINT=http://otel-collector.bare-metal:4318

+export SHITHUB_TRACING__SAMPLE_RATE=0.05

+

+# Error reporting via GlitchTip

+export SHITHUB_ERROR_REPORTING__DSN=https://glitchtip.bare-metal/<project-id>

+

+# Session signing key (deterministic across restarts in prod)

+export SHITHUB_SESSION_KEY=$(openssl rand -base64 32)

+

+# Gate /metrics behind Basic auth

+export SHITHUB_METRICS__BASIC_AUTH_USER=prom

+export SHITHUB_METRICS__BASIC_AUTH_PASS=<long-random>

+```

+

+## Secrets

+

+- **Never** commit secrets. `.env` is gitignored; production keys live in a systemd `EnvironmentFile=` with mode `0600`.

+- The redaction behavior of `config print` is documented above and tested in `internal/infra/config/config_test.go`. If you add a new secret-bearing field, name it so the redactor matches it (containing `pass`, `secret`, `key`, `token`, `dsn`, `password`, or `url`) — or extend `secretFieldNames` in `internal/infra/config/redact.go`.

+- Log-line redaction is independent (see `docs/internal/observability.md`). Both layers exist on purpose; secrets in env-loaded config and in handler-emitted logs travel different paths.

+

+## Adding a new key

+

+1. Add the field to the appropriate config struct in `internal/infra/config/config.go` with a `toml:` tag.

+2. Set its default in `Defaults()`.

+3. Add validation in `Validate()` if it has invariants.

+4. If it's secret-bearing, confirm its name matches the redactor.

+5. Document it in this file.

+6. Update `.env.example` if the env-var form is the typical usage.

+# Observability

+

+shithub ships four sinks: structured logging, Prometheus metrics, OpenTelemetry tracing, and a Sentry-protocol error reporter. All four are governed by the layered config loader (`docs/internal/config.md`) and degrade to no-ops when not configured.

+

+## Logging

+

+- Library: `log/slog` (stdlib).

+- Format: `text` (default in dev, human-friendly key=value) or `json` (default in prod, one object per line).

+- Level: `debug | info | warn | error` (config: `log.level`).

+- Standard fields on every line:

+  - `time`, `level`, `msg`

+  - `request_id` — when a request is in flight (set by the request_id middleware).

+  - `user_id` — when known (post-S05).

+  - `component` — set by the package emitting the line.

+  - `error`, `stack` — on error-level lines, where applicable.

+- **Redaction.** `internal/infra/log` wraps the chosen handler so each record passes through a redactor before output:

+  - Attribute keys matching `password|pass|secret|key|token|authorization|dsn|otpauth` are redacted to `***`.

+  - Attribute string values containing `shithub_pat_`, `otpauth://`, `Bearer `, or `Basic ` are redacted to `***` regardless of the key.

+  - Tested in `internal/infra/log/log_test.go`.

+

+## Metrics

+

+- Library: `github.com/prometheus/client_golang`.

+- Endpoint: `GET /metrics` (Prometheus text exposition).

+- Access control: HTTP Basic auth when `metrics.basic_auth_user`/`metrics.basic_auth_pass` are set; otherwise unauthenticated. S35 will tighten further (IP allow-list + per-deployment policy).

+- Standard metrics:

+  - `shithub_http_requests_total{route,method,status}` (counter)

+  - `shithub_http_request_duration_seconds{route,method}` (histogram, exponential buckets)

+  - `shithub_http_in_flight` (gauge)

+  - `shithub_panics_total` (counter, incremented by the recover middleware)

+  - `shithub_db_pool_acquired`, `shithub_db_pool_idle`, `shithub_db_pool_total` (gauges)

+  - `shithub_db_pool_acquire_wait_seconds_total` (counter)

+  - Standard Go runtime + process metrics (registered automatically).

+- **Cardinality discipline.** Route labels come from chi's `RoutePattern()` so we get `/owner/{repo}` instead of per-repo concrete paths. Never label by `user_id` or `repo_id`.

+- Per-domain metrics (added in later sprints) MUST register against `metrics.Registry` so a single `/metrics` scrape sees everything.

+

+## Tracing

+

+- Library: OpenTelemetry SDK with the OTLP-HTTP exporter.

+- Disabled by default. To enable:

+  ```toml

+  [tracing]

+  enabled = true

+  endpoint = "http://otel-collector.bare-metal:4318"

+  sample_rate = 0.05

+  service_name = "shithubd"

+  ```

+- The HTTP middleware (`tracing.Middleware`) emits one span per request when enabled.

+- pgx tracer hook lands when domain queries arrive (post-S05); the bare DB Open does not yet attach it.

+- Sample rate is parent-based with `TraceIDRatioBased(sample_rate)` — incoming traces with parent context honor the parent decision.

+

+## Error reporting

+

+- Library: `github.com/getsentry/sentry-go`. The wire format is Sentry-protocol-compatible, so a self-hosted GlitchTip works as a drop-in receiver (the lean per S03's sprint spec).

+- DSN comes from `error_reporting.dsn`. When empty, the package is a no-op.

+- Two integration points:

+  1. **Recover middleware** calls `errrep.CapturePanic(recovered, requestID)` for every recovered panic. The request_id is attached as a tag for forensic correlation with logs.

+  2. **`errrep.SlogHandler`** wraps the slog handler so any record at error level is also reported as a Sentry event. Tags: `request_id`, `user_id`, `component`, `route`. Other attrs land under the `shithub` context.

+- Flush: `errrep.Init` returns a `flush(ctx)` callback the server invokes on shutdown (drains queued events).

+

+## Request ID flow

+

+The `request_id` is the correlation key tying logs, metrics, traces, and error reports together:

+

+1. `middleware.RequestID` accepts an inbound `X-Request-Id` if it matches a strict whitelist; otherwise generates a 16-byte hex value.

+2. The id is stored in the request context and echoed in the response `X-Request-Id` header.

+3. `middleware.AccessLog` includes it as `request_id` on the per-request log line.

+4. `middleware.Recover` includes it on panic logs and on the Sentry/GlitchTip event.

+5. The styled error pages (`errors/{404,403,429,500}.html`) display it for end-user support reference.

+

+## Operational notes

+

+- `pg_stat_statements` is loaded by the dev compose Postgres (S01) and required in prod (S37).

+- GlitchTip and the OTLP collector run on bare metal in our prod topology (S37); the droplet's `/metrics` is scraped by Prometheus over WireGuard.

+- Configuration documented in `docs/internal/config.md`.