§9 trace all fetch + ENV service name + leveled logging (todo §9 follow-up); route every outbound fetch through the request logger, make the OTLP service name implementer-configurable, and add proper leveled logging throughout. An AsyncLocalStorage<Log> makes the per-request logger ambient (runWithLog/currentLog), so all outbound fetch traces with no signature churn: tracedFetch (a typeof fetch) routes through the active request log (client span + propagated W3C traceparent) for string/URL inputs, else plain fetch; server.ts wires it under the Ory timeout into every Kratos/Keto/Hydra + JWKS call (timeout still honoured — log.fetch spreads {...init,headers}). RequestContext gained ctx.log (request logger; additive/contract-stable, silent default) so a handler/plugin logs in-trace and ctx.log.fetch(url) traces upstream calls; the reference plugin's createUpstream defaults to tracedFetch and its handlers log via ctx.log; plugin-api.ts exports tracedFetch + the Log class. SERVICE_NAME (config + createLogger({serviceName})) brands the OTLP service.name. Leveled logging: who-did-what audit info lines on every admin write (user/group/role/client create·delete·assign — actor/target, no secrets), info on login (session mint) + logout, warn on missing-role 403 + CSRF rejections + Ory-unreachable, debug on a JWKS kid-miss reload. app.ts's handler body was extracted to handleRequest run inside runWithLog; end() now fires exactly once after BOTH the handler unwinds AND the response closes, so a client abort mid-handler can't end the log out from under a still-running ctx.log/tracedFetch (regression-tested) and the happy-path access line is never dropped. bootstrap.ts wraps main in runWithLog + traces the seed calls. Tests extended (logger: serviceName/runWithLog/currentLog/tracedFetch-continues-trace; config: SERVICE_NAME; context: ctx.log default+passthrough; app: ctx.log in-trace + ctx.log.fetch propagation + the abort race; plugin-api: tracedFetch+Log). Stability-reviewer: APPROVE, no Critical/High (fixed the abort-race end(); green nits addressed). docs/plugin-contract.md (ctx.log/ctx.log.fetch/tracedFetch) + README (config, Observability tracing/serviceName, plugin note, Layout) updated. typecheck + 333 units + the full scripts/ci.sh E2E gate green (326 → 333).

src/bootstrap.ts

@@ -10,7 +10,7 @@ import { existsSync, writeFileSync } from "node:fs";
 import { fileURLToPath } from "node:url";
 import { discoverPlugins } from "./discovery.ts";
 import { generateJwks, type JwkSet } from "./gen-jwks.ts";
-import { createLogger } from "./logger.ts";
+import { createLogger, runWithLog, tracedFetch } from "./logger.ts";
 
 // --- Pure payload builders (the Kratos/Keto request contracts) -----------------------
 
@@ -134,26 +134,34 @@ export function firstRunBanner(opts: { appUrl: string; email: string; password:
 
 async function main() {
   const env = process.env;
-  // Structured like the web app (§9) so prod logs stay uniform; honour LOG_FORMAT, default text.
-  const log = createLogger({ format: env["LOG_FORMAT"] === "json" ? "json" : "text" });
-  if (ensureJwks(env["JWKS_FILE"] ?? "/etc/config/kratos/tokenizer/jwks.json")) log.info("generated a JWKS signing key");
-
-  // Seed `admin` (or ADMIN_ROLES) + every discovered plugin's declared permission tokens, so the
-  // shipped example — and any dropped-in plugin — works for the demo admin without a host edit.
-  const declared = (await discoverPlugins()).flatMap((p) => (p.permissions ?? []).map((d) => d.token));
-  const roles = seedRoles(env["ADMIN_ROLES"], declared);
-  const email = env["ADMIN_EMAIL"] ?? "admin@plainpages.local";
-  const password = env["ADMIN_PASSWORD"] ?? "admin";
-  const result = await seedAdmin({
-    email,
-    ketoWriteUrl: env["KETO_WRITE_URL"] ?? "http://keto:4467",
-    kratosAdminUrl: env["KRATOS_ADMIN_URL"] ?? "http://kratos:4434",
-    password,
-    roles,
+  // Structured like the web app (§9) so prod logs stay uniform; honour LOG_FORMAT/SERVICE_NAME.
+  const log = createLogger({
+    format: env["LOG_FORMAT"] === "json" ? "json" : "text",
+    ...(env["SERVICE_NAME"] ? { serviceName: env["SERVICE_NAME"] } : {}),
   });
-  log.info("admin seeded", { created: result.created, id: result.id, roles: result.roles.join(", ") });
-  // The banner is human-facing UX (the first-run "you're ready" block), not a log event — print raw.
-  console.log(firstRunBanner({ appUrl: env["APP_URL"] ?? "http://localhost:3000", email, password }));
+  // runWithLog makes `log` ambient so seedAdmin's tracedFetch traces the Kratos/Keto seed calls.
+  await runWithLog(log, async () => {
+    if (ensureJwks(env["JWKS_FILE"] ?? "/etc/config/kratos/tokenizer/jwks.json")) log.info("generated a JWKS signing key");
+
+    // Seed `admin` (or ADMIN_ROLES) + every discovered plugin's declared permission tokens, so the
+    // shipped example — and any dropped-in plugin — works for the demo admin without a host edit.
+    const declared = (await discoverPlugins()).flatMap((p) => (p.permissions ?? []).map((d) => d.token));
+    const roles = seedRoles(env["ADMIN_ROLES"], declared);
+    const email = env["ADMIN_EMAIL"] ?? "admin@plainpages.local";
+    const password = env["ADMIN_PASSWORD"] ?? "admin";
+    const result = await seedAdmin({
+      email,
+      fetchImpl: tracedFetch,
+      ketoWriteUrl: env["KETO_WRITE_URL"] ?? "http://keto:4467",
+      kratosAdminUrl: env["KRATOS_ADMIN_URL"] ?? "http://kratos:4434",
+      password,
+      roles,
+    });
+    log.info("admin seeded", { created: result.created, id: result.id, roles: result.roles.join(", ") });
+    // The banner is human-facing UX (the first-run "you're ready" block), not a log event — print raw.
+    console.log(firstRunBanner({ appUrl: env["APP_URL"] ?? "http://localhost:3000", email, password }));
+  });
+  await log.end(); // flush any pending OTLP spans/logs before the one-shot exits
 }
 
 if (process.argv[1] === fileURLToPath(import.meta.url)) await main();