feat: migrate from stdlib logging to structlog with structured context

Replace plain `import logging` / `logging.getLogger(__name__)` across
41 backend files with structlog for structured, context-rich logging.

Foundation:
- Add structlog>=24.0 dependency
- New logging_config.py: processor pipeline with dev (pretty) / prod (JSON) renderers
- New ASGI middleware binding request_id + X-Request-Id header per request
- EDICTUM_LOG_LEVEL and EDICTUM_LOG_FORMAT settings in config.py
- tenant_id/auth_type/agent_id/user_id auto-bound after auth resolves
- worker=<name> context bound in background workers

New security-relevant logging wired in 12 files:
- routes/auth.py: login success/failure, rate limit hits
- auth/csrf.py: CSRF rejections with method/path/client_ip
- routes/discord.py: signature failures, tenant mismatch (S3), approval decisions
- routes/stream.py: agent SSE connect/disconnect, env scope rejection
- routes/notifications.py: channel create/update/delete audit trail
- security/body_limit.py: 413 rejections (header + streaming phases)
- notifications/webhook.py: HTTP delivery failures (domain only)
- notifications/email.py: SMTP success/failure
- ai/agent_loop.py: tool call limit reached
- ai/openai_compat.py + anthropic.py: JSON decode errors in tool calls
- services/fleet_coverage_service.py: fallback from console to local matchers

Dead code removed: unused logger boilerplate from ollama.py, coverage_matching.py

Author: acartag7

pyproject.toml

@@ -24,6 +24,7 @@ dependencies = [
     "email-validator>=2.0",
     "aiosmtplib>=2.0,<3.0",
     "edictum[yaml]>=0.11.3",
+    "structlog>=24.0",
 ]
 
 [project.optional-dependencies]

src/edictum_server/ai/agent_loop.py

@@ -16,15 +16,16 @@
 from __future__ import annotations
 
 import json
-import logging
 import time
 from collections.abc import AsyncIterator
 from typing import Any
 
+import structlog
+
 from edictum_server.ai.base import AIProvider, StreamEvent, ToolCallChunk
 from edictum_server.ai.tools import ToolContext, execute_tool, get_tool_definitions
 
-logger = logging.getLogger(__name__)
+logger = structlog.get_logger(__name__)
 
 # Safety limits to prevent runaway tool calling.
 _DEFAULT_MAX_ITERATIONS = 5
@@ -138,6 +139,12 @@ async def run_agent_loop(
         for tc in tool_calls:
             total_tool_calls += 1
             if total_tool_calls > max_tool_calls:
+                logger.warning(
+                    "tool_call_limit_reached",
+                    tool_name=tc.name,
+                    iteration=_iteration,
+                    max_tool_calls=max_tool_calls,
+                )
                 result = {"error": f"Tool call limit reached ({max_tool_calls})"}
                 duration_ms = 0
             else:

src/edictum_server/ai/anthropic.py

@@ -3,10 +3,11 @@
 from __future__ import annotations
 
 import json
-import logging
 from collections.abc import AsyncIterator
 from typing import Any
 
+import structlog
+
 from edictum_server.ai.base import (
     AIProvider,
     AiUsageResult,
@@ -15,15 +16,15 @@
     ToolDefinition,
 )
 
-logger = logging.getLogger(__name__)
-
 try:
     import anthropic  # type: ignore[import-not-found]
 
     _HAS_ANTHROPIC = True
 except ImportError:
     _HAS_ANTHROPIC = False
 
+logger = structlog.get_logger(__name__)
+
 DEFAULT_MODEL = "claude-haiku-4-5-20251001"
 
 
@@ -141,6 +142,13 @@ async def stream_with_tools(
                         try:
                             arguments = json.loads(raw_json) if raw_json else {}
                         except json.JSONDecodeError:
+                            logger.warning(
+                                "tool_call_json_decode_error",
+                                provider="anthropic",
+                                model=self._model,
+                                tool_name=current_tool_name,
+                                raw_length=len(raw_json),
+                            )
                             arguments = {"_raw": raw_json}
                         yield StreamEvent(
                             tool_call=ToolCallChunk(

src/edictum_server/ai/ollama.py

@@ -2,13 +2,10 @@
 
 from __future__ import annotations
 
-import logging
 from collections.abc import AsyncIterator
 
 from edictum_server.ai.base import AIProvider, AiUsageResult
 
-logger = logging.getLogger(__name__)
-
 try:
     import ollama as _ollama_lib  # type: ignore[import-not-found]
 

src/edictum_server/ai/openai_compat.py

@@ -3,10 +3,11 @@
 from __future__ import annotations
 
 import json
-import logging
 from collections.abc import AsyncIterator
 from typing import Any
 
+import structlog
+
 from edictum_server.ai.base import (
     AIProvider,
     AiUsageResult,
@@ -15,15 +16,15 @@
     ToolDefinition,
 )
 
-logger = logging.getLogger(__name__)
-
 try:
     import openai  # type: ignore[import-not-found]
 
     _HAS_OPENAI = True
 except ImportError:
     _HAS_OPENAI = False
 
+logger = structlog.get_logger(__name__)
+
 DEFAULT_OPENAI_MODEL = "gpt-5-mini"
 DEFAULT_OPENROUTER_MODEL = "qwen/qwen3-4b:free"
 OPENROUTER_BASE_URL = "https://openrouter.ai/api/v1"
@@ -187,6 +188,13 @@ async def stream_with_tools(
                     try:
                         arguments = json.loads(raw_args) if raw_args else {}
                     except json.JSONDecodeError:
+                        logger.warning(
+                            "tool_call_json_decode_error",
+                            provider=self._provider_name,
+                            model=self._model,
+                            tool_name=buf["name"],
+                            raw_length=len(raw_args),
+                        )
                         arguments = {"_raw": raw_args}
                     yield StreamEvent(
                         tool_call=ToolCallChunk(

src/edictum_server/ai/pricing.py

@@ -7,13 +7,13 @@
 from __future__ import annotations
 
 import asyncio
-import logging
 import time
 from decimal import Decimal
 
 import httpx
+import structlog
 
-logger = logging.getLogger(__name__)
+logger = structlog.get_logger(__name__)
 
 OPENROUTER_MODELS_URL = "https://openrouter.ai/api/v1/models"
 _CACHE_TTL_SECONDS = 3600  # 1 hour

src/edictum_server/ai/resources.py

@@ -17,16 +17,16 @@
 
 from __future__ import annotations
 
-import logging
 import uuid
 from datetime import UTC, datetime, timedelta
 from importlib import resources as importlib_resources
 
+import structlog
 import yaml
 from sqlalchemy import func, select
 from sqlalchemy.ext.asyncio import AsyncSession
 
-logger = logging.getLogger(__name__)
+logger = structlog.get_logger(__name__)
 
 # Cache for static template content (loaded once, never changes at runtime).
 _templates_cache: dict[str, str] = {}

src/edictum_server/ai/tools.py

@@ -20,17 +20,17 @@
 from __future__ import annotations
 
 import asyncio
-import logging
 import uuid
 from collections.abc import Awaitable, Callable
 from dataclasses import dataclass
 from typing import Any
 
+import structlog
 import yaml
 
 from edictum_server.ai.base import ToolDefinition
 
-logger = logging.getLogger(__name__)
+logger = structlog.get_logger(__name__)
 
 _TOOL_TIMEOUT_SECONDS = 5.0
 

src/edictum_server/auth/csrf.py

@@ -12,13 +12,12 @@
 
 from __future__ import annotations
 
-import logging
-
+import structlog
 from starlette.middleware.base import BaseHTTPMiddleware, RequestResponseEndpoint
 from starlette.requests import Request
 from starlette.responses import JSONResponse, Response
 
-logger = logging.getLogger(__name__)
+logger = structlog.get_logger(__name__)
 
 _MUTATING_METHODS = frozenset({"POST", "PUT", "DELETE", "PATCH"})
 
@@ -37,9 +36,7 @@
 class CSRFMiddleware(BaseHTTPMiddleware):
     """Require ``X-Requested-With`` on cookie-auth mutating requests."""
 
-    async def dispatch(
-        self, request: Request, call_next: RequestResponseEndpoint
-    ) -> Response:
+    async def dispatch(self, request: Request, call_next: RequestResponseEndpoint) -> Response:
         if request.method not in _MUTATING_METHODS:
             return await call_next(request)
 
@@ -62,6 +59,8 @@ async def dispatch(
 
         # Cookie-auth mutating request — require custom header
         if not request.headers.get("x-requested-with"):
+            client_ip = request.client.host if request.client else "unknown"
+            logger.warning("csrf_rejected", method=request.method, path=path, client_ip=client_ip)
             from edictum_server.security.headers import _HEADERS as _SECURITY_HEADERS
 
             resp = JSONResponse(

src/edictum_server/auth/dependencies.py

@@ -2,11 +2,11 @@
 
 from __future__ import annotations
 
-import logging
 import uuid
 from dataclasses import dataclass
 from typing import Literal
 
+import structlog
 from fastapi import Depends, Header, HTTPException, Request, status
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
@@ -16,7 +16,7 @@
 from edictum_server.db.engine import get_db
 from edictum_server.db.models import ApiKey
 
-logger = logging.getLogger(__name__)
+logger = structlog.get_logger(__name__)
 
 
 @dataclass(frozen=True, slots=True)
@@ -81,28 +81,41 @@ async def require_api_key(
             detail="Invalid or revoked API key.",
         )
 
-    return AuthContext(
+    ctx = AuthContext(
         tenant_id=api_key.tenant_id,
         auth_type="api_key",
         env=api_key.env,
         agent_id=x_edictum_agent_id,
         api_key_prefix=api_key.key_prefix,
     )
+    structlog.contextvars.bind_contextvars(
+        tenant_id=str(ctx.tenant_id),
+        auth_type="api_key",
+        agent_id=x_edictum_agent_id or "unknown",
+        env=api_key.env,
+    )
+    return ctx
 
 
 async def require_dashboard_auth(
     request: Request,
 ) -> AuthContext:
     """Authenticate a dashboard (human) request via session cookie."""
     auth_provider = request.app.state.auth_provider
-    ctx: DashboardAuthContext = await auth_provider.authenticate(request)
-    return AuthContext(
-        tenant_id=ctx.tenant_id,
+    dash_ctx: DashboardAuthContext = await auth_provider.authenticate(request)
+    auth = AuthContext(
+        tenant_id=dash_ctx.tenant_id,
         auth_type="dashboard",
-        user_id=str(ctx.user_id),
-        email=ctx.email,
-        is_admin=ctx.is_admin,
+        user_id=str(dash_ctx.user_id),
+        email=dash_ctx.email,
+        is_admin=dash_ctx.is_admin,
     )
+    structlog.contextvars.bind_contextvars(
+        tenant_id=str(auth.tenant_id),
+        auth_type="dashboard",
+        user_id=str(dash_ctx.user_id),
+    )
+    return auth
 
 
 async def require_admin(