refactor: rename log events to snake_case

Switch to conventional event naming (noun_verb_state) so logs can be
queried by event type in structured log tooling.

Author: babs

handlers/authorize.go

@@ -114,7 +114,7 @@ func Authorize(tm *token.Manager, logger *zap.Logger, baseURL string, oauth2Cfg
 
 		internalState, err := tm.SealJSON(session)
 		if err != nil {
-			logger.Error("failed to seal session", zap.Error(err))
+			logger.Error("session_seal_failed", zap.Error(err))
 			writeOAuthError(w, http.StatusInternalServerError, "server_error", "internal error")
 			return
 		}
@@ -124,7 +124,7 @@ func Authorize(tm *token.Manager, logger *zap.Logger, baseURL string, oauth2Cfg
 			oauth2.SetAuthURLParam("response_mode", "query"),
 		)
 
-		logger.Debug("redirecting to IdP", zap.String("internal_client_id", client.ID))
+		logger.Debug("idp_redirect", zap.String("internal_client_id", client.ID))
 		http.Redirect(w, r, authURL, http.StatusFound)
 	}
 }

handlers/callback.go

@@ -82,7 +82,7 @@ func callbackHandler(tm *token.Manager, logger *zap.Logger, audience string, oau
 
 		oauth2Token, err := oauth2Cfg.Exchange(exchangeCtx, upstreamCode)
 		if err != nil {
-			logger.Error("upstream token exchange failed", zap.Error(err))
+			logger.Error("upstream_token_exchange_failed", zap.Error(err))
 			writeOAuthError(w, http.StatusBadGateway, "server_error", "upstream authentication failed")
 			return
 		}
@@ -95,8 +95,8 @@ func callbackHandler(tm *token.Manager, logger *zap.Logger, audience string, oau
 
 		idToken, err := verify(r.Context(), rawIDToken)
 		if err != nil {
-			logger.Error("id_token verification failed", zap.Error(err))
-			writeOAuthError(w, http.StatusBadGateway, "server_error", "id_token verification failed")
+			logger.Error("id_token_verification_failed", zap.Error(err))
+			writeOAuthError(w, http.StatusBadGateway, "server_error", "id_token_verification_failed")
 			return
 		}
 
@@ -106,7 +106,7 @@ func callbackHandler(tm *token.Manager, logger *zap.Logger, audience string, oau
 			Name  string `json:"name"`
 		}
 		if err := idToken.Claims(&claims); err != nil {
-			logger.Error("failed to parse id_token claims", zap.Error(err))
+			logger.Error("id_token_claims_parse_failed", zap.Error(err))
 			writeOAuthError(w, http.StatusInternalServerError, "server_error", "failed to parse claims")
 			return
 		}
@@ -124,7 +124,7 @@ func callbackHandler(tm *token.Manager, logger *zap.Logger, audience string, oau
 
 		// Enforce group allowlist if configured
 		if len(cbCfg.AllowedGroups) > 0 && !hasOverlap(groups, cbCfg.AllowedGroups) {
-			logger.Warn("access denied: user not in allowed groups",
+			logger.Warn("access_denied_group",
 				zap.String("subject", claims.Sub),
 				zap.Strings("user_groups", groups),
 				zap.Strings("allowed_groups", cbCfg.AllowedGroups),
@@ -147,7 +147,7 @@ func callbackHandler(tm *token.Manager, logger *zap.Logger, audience string, oau
 
 		code, err := tm.SealJSON(sc)
 		if err != nil {
-			logger.Error("failed to seal authorization code", zap.Error(err))
+			logger.Error("authorization_code_seal_failed", zap.Error(err))
 			writeOAuthError(w, http.StatusInternalServerError, "server_error", "internal error")
 			return
 		}
@@ -166,7 +166,7 @@ func callbackHandler(tm *token.Manager, logger *zap.Logger, audience string, oau
 		redirectParsed.RawQuery = q2.Encode()
 		redirectURL := redirectParsed.String()
 
-		logger.Info("callback successful", zap.String("subject", claims.Sub))
+		logger.Info("callback_success", zap.String("subject", claims.Sub))
 		http.Redirect(w, r, redirectURL, http.StatusFound)
 	}
 }

handlers/register.go

@@ -73,12 +73,12 @@ func Register(tm *token.Manager, logger *zap.Logger, audience string) http.Handl
 
 		clientID, err := tm.SealJSON(sc)
 		if err != nil {
-			logger.Error("failed to seal client", zap.Error(err))
+			logger.Error("client_seal_failed", zap.Error(err))
 			writeOAuthError(w, http.StatusInternalServerError, "server_error", "failed to register client")
 			return
 		}
 
-		logger.Info("client registered", zap.String("internal_id", sc.ID), zap.String("client_name", req.ClientName))
+		logger.Info("client_registered", zap.String("internal_id", sc.ID), zap.String("client_name", req.ClientName))
 
 		writeJSON(w, http.StatusCreated, registerResponse{
 			ClientID:                clientID,

handlers/token.go

@@ -115,8 +115,8 @@ func handleAuthorizationCode(w http.ResponseWriter, r *http.Request, tm *token.M
 
 	accessToken, _, err := tm.Issue(audience, code.Subject, code.Email, client.ID, code.Groups, accessTokenTTL)
 	if err != nil {
-		logger.Error("failed to issue token", zap.Error(err))
-		writeOAuthError(w, http.StatusInternalServerError, "server_error", "failed to issue token")
+		logger.Error("token_issue_failed", zap.Error(err))
+		writeOAuthError(w, http.StatusInternalServerError, "server_error", "token_issue_failed")
 		return
 	}
 
@@ -132,12 +132,12 @@ func handleAuthorizationCode(w http.ResponseWriter, r *http.Request, tm *token.M
 	}
 	refreshToken, err := tm.SealJSON(refresh)
 	if err != nil {
-		logger.Error("failed to seal refresh token", zap.Error(err))
+		logger.Error("refresh_token_seal_failed", zap.Error(err))
 		writeOAuthError(w, http.StatusInternalServerError, "server_error", "internal error")
 		return
 	}
 
-	logger.Info("token issued", zap.String("subject", code.Subject), zap.String("client_id", client.ID))
+	logger.Info("token_issued", zap.String("subject", code.Subject), zap.String("client_id", client.ID))
 
 	// RFC 6749 §5.1: token responses must not be cached
 	w.Header().Set("Cache-Control", "no-store")
@@ -173,7 +173,7 @@ func handleRefreshToken(w http.ResponseWriter, r *http.Request, tm *token.Manage
 	// Without this check, REVOKE_BEFORE only invalidates access tokens and a
 	// compromised refresh token would silently mint fresh ones past the cutoff.
 	if !revokeBefore.IsZero() && refresh.IssuedAt.Before(revokeBefore) {
-		logger.Debug("refresh token revoked by iat cutoff",
+		logger.Debug("refresh_token_revoked_iat_cutoff",
 			zap.Time("issued_at", refresh.IssuedAt),
 			zap.Time("revoke_before", revokeBefore),
 		)
@@ -209,8 +209,8 @@ func handleRefreshToken(w http.ResponseWriter, r *http.Request, tm *token.Manage
 
 	accessToken, _, err := tm.Issue(audience, refresh.Subject, refresh.Email, client.ID, refresh.Groups, accessTokenTTL)
 	if err != nil {
-		logger.Error("failed to issue token on refresh", zap.Error(err))
-		writeOAuthError(w, http.StatusInternalServerError, "server_error", "failed to issue token")
+		logger.Error("token_refresh_issue_failed", zap.Error(err))
+		writeOAuthError(w, http.StatusInternalServerError, "server_error", "token_issue_failed")
 		return
 	}
 
@@ -226,12 +226,12 @@ func handleRefreshToken(w http.ResponseWriter, r *http.Request, tm *token.Manage
 	}
 	newRefreshToken, err := tm.SealJSON(newRefresh)
 	if err != nil {
-		logger.Error("failed to seal new refresh token", zap.Error(err))
+		logger.Error("refresh_token_reseal_failed", zap.Error(err))
 		writeOAuthError(w, http.StatusInternalServerError, "server_error", "internal error")
 		return
 	}
 
-	logger.Info("token refreshed", zap.String("subject", refresh.Subject), zap.String("client_id", client.ID))
+	logger.Info("token_refreshed", zap.String("subject", refresh.Subject), zap.String("client_id", client.ID))
 
 	// RFC 6749 §5.1: token responses must not be cached
 	w.Header().Set("Cache-Control", "no-store")

main.go

@@ -54,7 +54,7 @@ func main() {
 	defer discoveryCancel()
 	oidcProvider, err := oidc.NewProvider(discoveryCtx, cfg.OIDCIssuerURL)
 	if err != nil {
-		logger.Fatal("oidc discovery failed", zap.String("issuer", cfg.OIDCIssuerURL), zap.Error(err))
+		logger.Fatal("oidc_discovery_failed", zap.String("issuer", cfg.OIDCIssuerURL), zap.Error(err))
 	}
 
 	oauth2Cfg := &oauth2.Config{
@@ -69,12 +69,12 @@ func main() {
 
 	tm, err := token.NewManager(cfg.TokenSigningSecret)
 	if err != nil {
-		logger.Fatal("token manager init failed", zap.Error(err))
+		logger.Fatal("token_manager_init_failed", zap.Error(err))
 	}
 
 	proxyHandler, err := proxy.Handler(cfg.UpstreamMCPURL, logger)
 	if err != nil {
-		logger.Fatal("proxy handler init failed", zap.Error(err))
+		logger.Fatal("proxy_handler_init_failed", zap.Error(err))
 	}
 
 	authMW := middleware.NewAuth(tm, logger, cfg.ProxyBaseURL, cfg.RevokeBefore)
@@ -128,30 +128,30 @@ func main() {
 	defer stop()
 
 	go func() {
-		logger.Info("metrics listening", zap.String("addr", cfg.MetricsAddr))
+		logger.Info("metrics_listening", zap.String("addr", cfg.MetricsAddr))
 		if err := metricsSrv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
-			logger.Error("metrics listen error", zap.Error(err))
+			logger.Error("metrics_listen_error", zap.Error(err))
 		}
 	}()
 
 	go func() {
 		logger.Info("listening", zap.String("addr", cfg.ListenAddr))
 		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
-			logger.Fatal("listen error", zap.Error(err))
+			logger.Fatal("listen_error", zap.Error(err))
 		}
 	}()
 
 	<-ctx.Done()
-	logger.Info("shutting down", zap.Duration("timeout", cfg.ShutdownTimeout))
+	logger.Info("shutting_down", zap.Duration("timeout", cfg.ShutdownTimeout))
 
 	shutdownCtx, cancel := context.WithTimeout(context.Background(), cfg.ShutdownTimeout)
 	defer cancel()
 
 	if err := srv.Shutdown(shutdownCtx); err != nil {
-		logger.Error("shutdown error", zap.Error(err))
+		logger.Error("shutdown_error", zap.Error(err))
 	}
 	if err := metricsSrv.Shutdown(shutdownCtx); err != nil {
-		logger.Error("metrics shutdown error", zap.Error(err))
+		logger.Error("metrics_shutdown_error", zap.Error(err))
 	}
 }
 

middleware/auth.go

@@ -45,7 +45,7 @@ func (a *Auth) Validate(next http.Handler) http.Handler {
 
 		claims, err := a.tokenManager.Validate(tokenStr)
 		if err != nil {
-			a.logger.Debug("token validation failed", zap.Error(err))
+			a.logger.Debug("token_validation_failed", zap.Error(err))
 			a.writeAuthError(w, "invalid_token")
 			return
 		}
@@ -54,7 +54,7 @@ func (a *Auth) Validate(next http.Handler) http.Handler {
 		// proxy base URL that issued it. Two deployments accidentally sharing
 		// the same TOKEN_SIGNING_SECRET would otherwise be a confused deputy.
 		if claims.Audience != a.baseURL {
-			a.logger.Debug("token audience mismatch",
+			a.logger.Debug("token_audience_mismatch",
 				zap.String("got", claims.Audience),
 				zap.String("want", a.baseURL),
 			)
@@ -64,7 +64,7 @@ func (a *Auth) Validate(next http.Handler) http.Handler {
 
 		// Bulk revocation: reject tokens issued before the cutoff
 		if !a.revokeBefore.IsZero() && claims.IssuedAt.Before(a.revokeBefore) {
-			a.logger.Debug("token revoked by iat cutoff",
+			a.logger.Debug("token_revoked_iat_cutoff",
 				zap.Time("issued_at", claims.IssuedAt),
 				zap.Time("revoke_before", a.revokeBefore),
 			)

proxy/proxy.go

@@ -119,7 +119,7 @@ func Handler(upstreamURL string, logger *zap.Logger) (http.Handler, error) {
 		Transport:     &redirectFollowingTransport{base: http.DefaultTransport},
 		FlushInterval: -1, // Immediate flush for SSE/streaming
 		ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) {
-			logger.Error("proxy error", zap.Error(err))
+			logger.Error("proxy_error", zap.Error(err))
 			http.Error(w, "Bad Gateway", http.StatusBadGateway)
 		},
 	}