Skip to content

[INFRA 6] Add observability layer for API and scan worker#167

Merged
Vishnu2707 merged 1 commit into
openshield-org:devfrom
SHAURYAKSHARMA24:infra/issue-159-observability
Jul 8, 2026
Merged

[INFRA 6] Add observability layer for API and scan worker#167
Vishnu2707 merged 1 commit into
openshield-org:devfrom
SHAURYAKSHARMA24:infra/issue-159-observability

Conversation

@SHAURYAKSHARMA24

@SHAURYAKSHARMA24 SHAURYAKSHARMA24 commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

What does this PR do?

Implements the observability layer requested in #159.

Adds:

  • Structured JSON logging for API and worker processes
  • Request correlation via X-Request-ID (client-supplied ID echoed; generated UUID when absent)
  • request_id included in auth-failure and error responses
  • Worker scan-lifecycle logs with structured scan_id
  • Prometheus /metrics endpoint
  • HTTP request count and latency metrics
  • Scan status counter and scan duration histogram
  • Pending scan queue-depth gauge
  • Per-rule scanner error counter
  • NVD request latency metric
  • LLM provider latency metric
  • Split probes:
    • /health for liveness only (no DB dependency)
    • /ready for database readiness (200 {"status": "ready"}; 503 {"status": "not_ready", "error": "database_unreachable"} when the DB is unreachable)
  • Optional Sentry initialization behind SENTRY_DSN (no-op when unset)

Prometheus metrics are intentionally kept low-cardinality: no request_id, scan_id, subscription_id, resource_id, error text, or user input is used as a label.

/ready and /metrics are treated as always-public probe/scrape endpoints and are exempt from the JWT middleware.

Scope control

This PR does not change:

  • scanner rule detection logic
  • frontend behavior
  • /api/score
  • rate limiting
  • Azure credentials or deployment secrets

Testing

This branch has been rebased onto the latest dev.

pytest tests/ -v --tb=short:

  • 118 passed
  • 2 skipped
  • 1 failed

The single failure is pre-existing and environmental — test_ai_hallucination_guard::test_vector_store_purity fails because chromadb is not installed in the local environment. It is unrelated to this change and reproduces on a clean dev checkout.

pytest tests/test_observability.py -v: 10 passed (all new observability tests).

Lint gate (enforced by CI):

  • ruff check . — passes.
  • ruff format --check . — passes; all files formatted.

Closes #159

@SHAURYAKSHARMA24 SHAURYAKSHARMA24 self-assigned this Jul 7, 2026
@SHAURYAKSHARMA24 SHAURYAKSHARMA24 force-pushed the infra/issue-159-observability branch from 2b12cff to d7307dd Compare July 7, 2026 14:15
Comment thread api/app.py Fixed
…ics, readiness probe

Implements issue openshield-org#159 (INFRA 6).

- api/observability.py: shared module with JSON logging (python-json-logger),
  optional Sentry init (only when SENTRY_DSN set), request-ID middleware,
  Prometheus metrics, and the /metrics endpoint.
- api/app.py: wire observability middleware first; split /health (liveness,
  no DB) from /ready (DB connectivity → 200/503); echo X-Request-ID; include
  request_id in JSON error responses and auth failures; /ready + /metrics public.
- api/models/finding.py: add DatabaseManager.ping() for the readiness probe.
- scanner/worker.py: shared JSON logging, conditional Sentry, scan_id as a
  structured log field, scan success/failure counters, scan duration, queue depth.
- scanner/engine.py: increment per-rule error counter when a rule raises.
- scanner/nvd_client.py, api/services/ai_provider.py: record external-call latency.
- requirements.txt: add prometheus-client, python-json-logger, sentry-sdk.
- tests/test_observability.py: probes, /metrics, request IDs, auth request_id,
  conditional Sentry, worker metrics.

No metric is labelled with request_id, scan_id, subscription_id, resource_id,
error_message or user input.
@SHAURYAKSHARMA24 SHAURYAKSHARMA24 force-pushed the infra/issue-159-observability branch from d7307dd to 5e4906f Compare July 7, 2026 14:37

@Vishnu2707 Vishnu2707 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

exactly what we needed at this stage, logging, metrics and health probes all done right. approving!

@Vishnu2707 Vishnu2707 merged commit 82cf855 into openshield-org:dev Jul 8, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[INFRA 6] Observability layer: structured logs, request IDs, Prometheus metrics, error tracking, readiness probe

3 participants