relay: structured-log compliance test — assert log calls never carry forbidden fields

[ilmoniemi]

User Story

As a relay maintainer, I want a Go test that fails when any structured-log call carries a key outside an explicit allowlist, so that the docs/threat-model.md § Log hygiene rule is enforced at go test time rather than during production-log review.

Context

docs/threat-model.md § Log hygiene (lines 42–55) enumerates fields the relay must NEVER log — token values, raw inner-frame payloads, full request headers, full URL paths that may carry tokens — and the fields it MAY log. Today this is enforced by code review only. A single drift in a future PR can reintroduce a leak that nobody notices until production logs are audited. docs/lessons.md:45 captures the existing "defence is layered: spec, code review, structural absence" posture; this ticket adds the missing fourth layer: a deterministic test.

The relay currently has 14 logger.{Info,Warn,Error,Debug} call sites across internal/relay/client_endpoint.go, internal/relay/forward.go, and internal/relay/server_endpoint.go. Keys appear both inline with the message argument and on subsequent lines (multi-line calls are common).

Acceptance Criteria

• A new test under internal/relay/ walks every non-test .go file in the package, locates each slog.Logger call (Info, Warn, Error, Debug) — including multi-line calls with keys on subsequent lines — extracts the string-literal keys, and fails if any key is absent from the allowlist.
• An allowlist source (e.g. internal/relay/log_allowlist.go) holds the canonical set of permitted keys; the test reads from it so adding a key forces editing this file in the same commit.
• The test passes against the current main codebase — every existing key is added to the allowlist as part of this ticket.
• On failure, the message names file path, line number, and the offending key, so a developer sees exactly what to fix without rerunning under -v.
• docs/threat-model.md § Log hygiene gains a one-line cross-reference pointing readers to the allowlist source as the canonical enforcement point.

Technical Notes

Two viable approaches; architect picks:

1. AST walk (go/ast + go/parser) — precise; handles multi-line calls cleanly and can also flag non-literal key arguments as suspect (a slog.String(dynamicKey, v) call defeats an allowlist).
2. Regex / structural search — cheap to write, brittle on multi-line calls. Listed for completeness; AST is the expected pick.

The allowlist is the canonical rule source; the threat-model entry becomes a pointer. This is deliberate: the allowlist sits next to the log call sites, so the friction of touching it lands on the developer adding a key — exactly as the threat model intends.

The architect should also decide how the test treats non-string-literal keys (fail loud vs. skip with a TODO) and whether the allowlist lives in a normal .go source or a _test.go fixture; the body's log_allowlist.go suggestion is illustrative, not binding.

Out of Scope

• Runtime log redaction middleware (fix at the call site, not after the fact).
• Multi-instance log aggregation (deployment concern, not source-code concern).
• Extending the test to cmd/pyrycode-relay/ — that surface has handler construction only, no log call sites worth gating; revisit if it grows.

Size Estimate

S. One new test file (AST walk + assertions, ~100–150 lines), one new allowlist source (~30 lines), one-line doc cross-reference. Three files touched, 5 AC, single package — within S limits.

[ilmoniemi]

🤖 Product Owner — creates structured issues

po agent has completed work on this ticket.

Agent output (click to expand)

Refined #36: added User Story, 5 testable AC (multi-line call detection folded into AC1, failure-message specificity as its own AC), Context grounded in `threat-model.md:42–55` + `lessons.md:45` + the 14 current call sites, Technical Notes preserving the AST-vs-regex architect choice and flagging the non-literal-key edge case for the spec. Sized **S** (3 files, single package, ≤150 LOC) and labelled `size:s` + `security-sensitive` (log hygiene gate on an internet-exposed surface). Body intentionally left filename suggestions illustrative-not-binding so the architect owns layout decisions.

Ready for human review. Move to the next column when approved.

[ilmoniemi]

🤖 System Architect — defines Go interfaces, data flows, concurrency patterns

architect agent has completed work on this ticket.

Agent output (click to expand)

Spec committed at `docs/specs/architecture/36-log-key-allowlist-test.md`.

**Design summary:**
- `internal/relay/log_allowlist.go` — unexported `allowedLogKeys` map with 7 keys (`server_id`, `conn_id`, `binary_conn_id`, `device_name`, `remote`, `binary_version`, `err`) covering every existing call site on `main`.
- `internal/relay/log_keys_test.go` — `TestLogKeysAreAllowlisted` AST-walks every non-test `.go` in the package, matches `*ast.SelectorExpr` with `Sel.Name ∈ {Info,Warn,Error,Debug}`, extracts string-literal keys, fails on (a) keys absent from allowlist, (b) non-literal key args (dynamic-key bypass), (c) `With`/`LogAttrs`/`Log` selectors (alternate-method bypass).
- `docs/threat-model.md` § Log hygiene — one new "Enforcement:" paragraph pointing at the allowlist file as the canonical key set.

**Security review verdict:** PASS. Two viable bypass classes (dynamic key, alternate slog method) get deterministic structural checks; value-side leaks remain out-of-scope by design and stay on the existing "Future hardening: runtime redaction middleware" track.

Ready for human review. Move to the next column when approved.