Evidence slice for #92. Adds a defer'd log line to the gRPC UnaryInterceptor so every call emits:

[REQ] transport=grpc method=<full_method> peer=<addr> key_id=<id|none>

Why this shape

• Auth-success and auth-failure both log. Unauthenticated probes (port scanners, broken consumers) still constitute external traffic for the :10000-vs-:11000 question that gates Replace deprecated grpc.DialContext / WithBlock / WithInsecure in the gateway #94/Spitball: drop gRPC, rewrite as plain net/http + huma JSON service #95.
• Peer disambiguates gateway from external. The HTTP gateway's intra-process dial shows peer=127.0.0.1; external traffic reaching gRPC via nginx shows the nginx container IP. Filter loopback out of the log to find the external set.
• key_id (not raw token, not user) is the actionable identifier. Bounded, ACP-managed, lets the operator cross-reference owner.

Scope intentionally narrow — no HTTP gateway counter, no Redis persistence, no stack choice. Probe is throwaway; the long-term analytics surface gets picked when #94/#95 close.

Test plan

• go test ./... — passes; two new tests in auth_test.go cover the success and auth-failure log paths.

• go build -v ./...

• make lint

• make generate (no drift)

• go mod tidy (no drift)

• Local-stack smoke (CLAUDE.md manual review gate, auth touch). Observed on local API + xenforo-db + dev-redis:

  • HTTP gateway hit → [REQ] transport=grpc method=/proto.MilpacService/GetRoster peer=127.0.0.1:62807 key_id=3
  • Direct grpcurl with valid bearer → ... peer=127.0.0.1:62870 key_id=3 (distinct port from gateway dial)
  • Direct grpcurl with no bearer → ... peer=127.0.0.1:62873 key_id=none + Unauthenticated
  • Direct grpcurl with bogus bearer → ... peer=127.0.0.1:62874 key_id=none + Unauthenticated

  Local stack has no nginx so all peers are 127.0.0.1; in prod the gateway dial will be loopback and external traffic will show the nginx container IP — that's the disambiguation.

🤖 Generated with Claude Code