docs: design spec for /healthz and structured JSON logs (#26, #27)

Part of the platform-contract intake (#25). Covers both pieces of work that must land before first deploy to home-ctr-onyx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 11:15:40 -06:00 · 2026-04-19 11:15:40 -06:00 · 88e68ea2f9
commit 88e68ea2f9
parent 3b4b34a84c
1 changed files with 174 additions and 0 deletions
--- a/docs/superpowers/specs/2026-04-19-healthz-and-json-logs-design.md
+++ b/docs/superpowers/specs/2026-04-19-healthz-and-json-logs-design.md
@ -0,0 +1,174 @@
+# Healthcheck endpoint and structured JSON logs
+
+**Date:** 2026-04-19
+**Issues:** #26 (healthz), #27 (JSON logs), part of #25 (platform contract intake)
+
+## Background
+
+The homelab platform contract for Quartermaster (#25) requires two
+things the codebase does not have today:
+
+1. A Docker `HEALTHCHECK` so `container_health_status` is visible to
+   cAdvisor/Prometheus, which in turn drives the container-down alert
+   planned at launch. That requires an in-app endpoint to target.
+2. Structured JSON logs on stdout with `level` and `event` fields so
+   Promtail indexes them as Loki labels.
+
+Both block the first deploy to `home-ctr-onyx`. This spec covers both
+so the work can land as one coherent change.
+
+## /healthz
+
+### Endpoint
+
+`GET /healthz`, unauthenticated.
+
+- Success: `200 {"status": "ok"}`.
+- Failure: `503 {"status": "error", "detail": "<exception class name>"}`.
+  The class name goes in so operators can tell from the response body
+  what tripped the check; no traceback or message is leaked.
+
+The check opens a session via the standard `SessionLocal` factory,
+runs `SELECT 1`, and closes. Any exception surfaces as a 503.
+
+### Placement
+
+New module `src/quartermaster/routes_health.py` with its own
+`APIRouter`, included from `main.create_app()` alongside the existing
+routers. Keeping it on a dedicated router means any future middleware
+(basic-auth, rate-limit bypass) applied to the main routers can leave
+`/healthz` alone — the Docker healthcheck runs inside the container
+and must not need credentials.
+
+### Tests
+
+`tests/test_health.py`:
+
+- Success: FastAPI `TestClient` hits `/healthz`, asserts 200 and
+  `{"status": "ok"}`.
+- Failure: monkey-patch the session factory to raise on `.execute()`,
+  assert 503 and `{"status": "error", "detail": "<class-name>"}`.
+
+## Structured JSON logs
+
+### Dependency
+
+Add `python-json-logger` to `[project].dependencies` in
+`pyproject.toml`. One small, single-purpose dep; no transitive
+surprises. `structlog` is explicitly out of scope (#27).
+
+### Config module
+
+New `src/quartermaster/logging_config.py` exposing `LOG_CONFIG`, a
+`logging.config.dictConfig`-compatible dict:
+
+- One formatter using `pythonjsonlogger.jsonlogger.JsonFormatter`
+  emitting `timestamp` (ISO-8601 UTC), `level`, `event`, `logger`,
+  `message`. `extra={...}` kwargs passed to logger calls flatten into
+  the JSON body.
+- One handler writing to `sys.stdout`.
+- Loggers: the root app logger and `uvicorn.access` both route
+  through the JSON handler. `uvicorn.error` also gets the handler so
+  startup / shutdown lines are captured in the same format.
+
+A Python dict (rather than YAML) is the source of truth because
+tests can import it and apply `dictConfig` in-process. The uvicorn
+CLI consumes it via a small `logconfig.yaml` shim at repo root that
+references the dict module.
+
+### Access log filter
+
+Uvicorn's access logger emits a record whose message is the raw
+access line; the fields we care about live on the record's positional
+args. A small `logging.Filter` subclass in `logging_config.py` unpacks
+those args and sets:
+
+- `event = "http_request"`
+- `method`, `path`, `status`, `client_ip`
+- `duration_ms` (uvicorn doesn't expose this natively; computed via
+  the `extra` injected by a small middleware if straightforward,
+  otherwise deferred — the filter already gives Loki status + path,
+  which is the main thing)
+
+If the duration cannot be obtained cheaply from uvicorn's access
+record, landing the rest is still a win; the `duration_ms` field can
+come in a follow-up without changing the log schema (it's an extra
+field, not a label).
+
+### Seed application events
+
+Five events added as single-line `logger.info(..., extra={"event":
+"..."})` calls at the matching code paths (names aligned with the
+existing function names):
+
+| Event | Site |
+|---|---|
+| `month_created` | `month_service.create_month` |
+| `month_closed` | `month_service.close_month` |
+| `template_entry_updated` | `service.update_entry` |
+| `posting_added` | `month_service.add_posting` |
+| `posting_deleted` | `month_service.delete_posting` |
+
+One module-scoped logger at the top of each file that touches these
+paths. No broader instrumentation in this change.
+
+### Tests
+
+`tests/test_logging.py`:
+
+- Apply `LOG_CONFIG` via `logging.config.dictConfig`, emit a record
+  with `extra={"event": "smoke"}`, capture stdout via `capsys`,
+  `json.loads` the captured line, assert `level` / `event` /
+  `logger` / `message` / `timestamp` all present and correct.
+- Feed a synthetic uvicorn access record through the filter, assert
+  resulting fields include `event="http_request"`, `method`, `path`,
+  `status`.
+
+No end-to-end uvicorn-subprocess test. Formatter and filter
+correctness at the handler level is enough for the launch contract.
+
+### Dev flow
+
+`uv run uvicorn quartermaster.main:app --log-config logconfig.yaml
+--reload` — `--reload` keeps working. README gets a short "Logs"
+section with two LogQL examples mirroring the Archon contract style.
+
+## File additions / changes
+
+New:
+- `src/quartermaster/routes_health.py`
+- `src/quartermaster/logging_config.py`
+- `logconfig.yaml` (YAML shim for uvicorn CLI)
+- `tests/test_health.py`
+- `tests/test_logging.py`
+
+Changed:
+- `pyproject.toml` — add `python-json-logger`
+- `src/quartermaster/main.py` — include the health router
+- `src/quartermaster/service.py` — add one `logger.info` seed call
+  in `update_entry`
+- `src/quartermaster/month_service.py` — add four `logger.info` seed
+  calls in `create_month`, `close_month`, `add_posting`,
+  `delete_posting`
+- `README.md` — add the "Logs" section and mention `--log-config` in
+  the Run block
+
+Not touched:
+- Dockerfile / Compose: owned by later issues under #25.
+- Alembic / DB layer: the healthcheck uses the existing session
+  factory; no migration.
+
+## Order of work
+
+Logging before healthz. Once `LOG_CONFIG` exists the healthz handler
+can emit `event="healthz_check"` for free; the reverse order doesn't
+give logging anything useful. Not load-bearing.
+
+## Out of scope
+
+- `/readyz` vs. `/livez` split — one endpoint covers this single-
+  container app.
+- `/metrics` or any Prometheus exposition (5.2 in #25 is "not needed").
+- Adding `structlog` (#27 explicitly excludes).
+- Log-shipping configuration — Promtail on the host handles it.
+- Broad app instrumentation beyond the five seed events.