go/pkg/cli/log.go
Snider b819b9432a
Add logging for security events (authentication, access) (#320)
* feat(log): add security events logging for authentication and access control

- Added `Security` method to `log.Logger` with `[SEC]` prefix at `LevelWarn`.
- Added `SecurityStyle` (purple) to `pkg/cli` and `LogSecurity` helper.
- Added security logging for GitHub CLI authentication checks.
- Added security logging for Agentic configuration loading and token validation.
- Added security logging for sandbox escape detection in `local.Medium`.
- Updated MCP service to support logger injection and log tool executions and connections.
- Ensured all security logs include `user` context for better auditability.

* feat(log): add security events logging for authentication and access control

- Added `Security` method to `log.Logger` with `[SEC]` prefix at `LevelWarn`.
- Added `SecurityStyle` (purple) to `pkg/cli` and `LogSecurity` helper.
- Added security logging for GitHub CLI authentication checks.
- Added security logging for Agentic configuration loading and token validation.
- Added security logging for sandbox escape detection in `local.Medium`.
- Updated MCP service to support logger injection and log tool executions and connections.
- Ensured all security logs include `user` context for better auditability.
- Fixed code formatting issues identified by CI.

* feat(log): refine security logging and fix auto-merge CI

- Moved `Security` log level to `LevelError` for better visibility.
- Added robust `log.Username()` helper using `os/user`.
- Differentiated high-risk (Security) and low-risk (Info) MCP tool executions.
- Ensured consistent `user` context in all security-related logs.
- Fixed merge conflict and missing repository context in `auto-merge` CI.
- Fixed comment positioning in `pkg/mcp/mcp.go`.
- Downgraded MCP TCP accept errors to standard `Error` log level.
- Fixed code formatting in `internal/cmd/setup/cmd_github.go`.

* feat(log): finalize security logging and address CI/CodeQL alerts

- Refined `Security` logging: moved to `LevelError` and consistently include `user` context using `os/user`.
- Differentiated MCP tool executions: write/delete are `Security` level, others are `Info`.
- Fixed CodeQL alert: made UniFi TLS verification configurable (defaults to verify).
- Updated UniFi CLI with `--verify-tls` flag and config support.
- Fixed `auto-merge` CI failure by setting `GH_REPO` env var.
- Fixed formatting and unused imports.
- Added tests for UniFi config resolution.

* fix: handle MustServiceFor return values correctly

MustServiceFor returns (T, error), not just T. This was causing build
failures after the rebase.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude <developers@lethean.io>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 10:26:48 +00:00


package cli
import (
"github.com/host-uk/core/pkg/framework"
"github.com/host-uk/core/pkg/log"
)
// LogLevel is an alias of log.Level, kept so existing CLI callers keep compiling.
type LogLevel = log.Level

// CLI names for the verbosity levels defined in the log package.
const (
	// LogLevelQuiet: no output at all.
	LogLevelQuiet = log.LevelQuiet
	// LogLevelError: error messages only.
	LogLevelError = log.LevelError
	// LogLevelWarn: warnings plus errors.
	LogLevelWarn = log.LevelWarn
	// LogLevelInfo: info, warnings and errors.
	LogLevelInfo = log.LevelInfo
	// LogLevelDebug: everything, debug output included.
	LogLevelDebug = log.LevelDebug
)

// LogService embeds *log.Service; NewLogService installs the CLI style
// callbacks on the embedded service before handing it out.
type LogService struct {
	*log.Service
}

// LogOptions is an alias of log.Options, the configuration passed to
// NewLogService.
type LogOptions = log.Options
// NewLogService returns a framework service factory that builds a log.Service
// from opts, attaches the CLI colour styles to it and wraps it in a LogService.
//
// The returned factory propagates any error from the underlying log factory.
// Each style hook is a closure, so the package-level style value is read when
// a line is rendered, not when the service is built.
func NewLogService(opts LogOptions) func(*framework.Core) (any, error) {
	return func(c *framework.Core) (any, error) {
		built, err := log.NewService(opts)(c)
		if err != nil {
			return nil, err
		}

		// Unchecked assertion: this panics if the log factory ever yields
		// something other than *log.Service.
		inner := built.(*log.Service)

		// One render hook per message class, including the [SEC] class.
		inner.StyleTimestamp = func(s string) string { return DimStyle.Render(s) }
		inner.StyleDebug = func(s string) string { return DimStyle.Render(s) }
		inner.StyleInfo = func(s string) string { return InfoStyle.Render(s) }
		inner.StyleWarn = func(s string) string { return WarningStyle.Render(s) }
		inner.StyleError = func(s string) string { return ErrorStyle.Render(s) }
		inner.StyleSecurity = func(s string) string { return SecurityStyle.Render(s) }

		return &LogService{Service: inner}, nil
	}
}
// --- Package-level convenience ---
// Log looks up the "log" service on the CLI's core and returns it.
//
// It returns nil when the CLI instance has not been set up or when the
// service lookup fails; the lookup error itself is discarded, so callers
// cannot tell the two cases apart.
func Log() *LogService {
	if instance != nil {
		if svc, err := framework.ServiceFor[*LogService](instance.core, "log"); err == nil {
			return svc
		}
	}
	return nil
}
// LogDebug forwards msg and its optional key-value pairs to the log service
// at debug level. It does nothing when Log() returns nil.
func LogDebug(msg string, keyvals ...any) {
	l := Log()
	if l == nil {
		return
	}
	l.Debug(msg, keyvals...)
}
// LogInfo forwards msg and its optional key-value pairs to the log service
// at info level. It does nothing when Log() returns nil.
func LogInfo(msg string, keyvals ...any) {
	l := Log()
	if l == nil {
		return
	}
	l.Info(msg, keyvals...)
}
// LogWarn forwards msg and its optional key-value pairs to the log service
// at warning level. It does nothing when Log() returns nil.
func LogWarn(msg string, keyvals ...any) {
	l := Log()
	if l == nil {
		return
	}
	l.Warn(msg, keyvals...)
}
// LogError forwards msg and its optional key-value pairs to the log service
// at error level. It does nothing when Log() returns nil.
func LogError(msg string, keyvals ...any) {
	l := Log()
	if l == nil {
		return
	}
	l.Error(msg, keyvals...)
}
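// LogSecurity records a security event (authentication, access control)
// through the log service's Security method, making sure the entry carries a
// "user" key.
//
// keyvals is read as alternating key, value pairs. If no key equals "user",
// the pair "user", log.Username() is added. A "user" pair supplied by the
// caller is passed through unchanged, so callers must not fill it from
// untrusted input: the audit record would then name whoever the input claims.
//
// The event is dropped silently when Log() returns nil, for example before
// the log service has been registered. Code that needs a guaranteed audit
// trail has to check Log() itself.
//
// NOTE(review): whether msg and the values are escaped (newlines, control
// characters) before being written is decided inside log.Service and is not
// visible here; confirm before logging attacker-influenced strings.
func LogSecurity(msg string, keyvals ...any) {
	l := Log()
	if l == nil {
		return
	}

	// Keys sit at the even indices; a caller-provided "user" wins.
	for i := 0; i < len(keyvals); i += 2 {
		if keyvals[i] == "user" {
			l.Security(msg, keyvals...)
			return
		}
	}

	// Build a fresh slice instead of appending to keyvals: a caller that
	// passed an existing slice with spare capacity (args...) would otherwise
	// have its backing array written to.
	withUser := make([]any, 0, len(keyvals)+2)
	if len(keyvals)%2 == 0 {
		// Well-formed input: keep the original field order, user last.
		withUser = append(withUser, keyvals...)
		withUser = append(withUser, "user", log.Username())
	} else {
		// Odd length means a trailing key without a value. Appending after it
		// would turn "user" into that key's value and lose the user field, so
		// the user pair goes first where it stays aligned.
		withUser = append(withUser, "user", log.Username())
		withUser = append(withUser, keyvals...)
	}
	l.Security(msg, withUser...)
}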