feat: Observabilité et monitoring complet

Implémentation complète de la stack d'observabilité pour le monitoring de la plateforme multi-tenant Classeo. ## Error Tracking (GlitchTip) - Intégration Sentry SDK avec GlitchTip auto-hébergé - Scrubber PII avant envoi (RGPD: emails, tokens JWT, NIR français) - Contexte enrichi: tenant_id, user_id, correlation_id - Configuration backend (sentry.yaml) et frontend (sentry.ts) ## Metrics (Prometheus) - Endpoint /metrics avec restriction IP en production - Métriques HTTP: requests_total, request_duration_seconds (histogramme) - Métriques sécurité: login_failures_total par tenant - Métriques santé: health_check_status (postgres, redis, rabbitmq) - Storage Redis pour persistance entre requêtes ## Logs (Loki) - Processors Monolog: CorrelationIdLogProcessor, PiiScrubberLogProcessor - Détection PII: emails, téléphones FR, tokens JWT, NIR français - Labels structurés: tenant_id, correlation_id, level ## Dashboards (Grafana) - Dashboard principal: latence P50/P95/P99, error rate, RPS - Dashboard par tenant: métriques isolées par sous-domaine - Dashboard infrastructure: santé postgres/redis/rabbitmq - Datasources avec UIDs fixes pour portabilité ## Alertes (Alertmanager) - HighApiLatencyP95/P99: SLA monitoring (200ms/500ms) - HighErrorRate: error rate > 1% pendant 2 min - ExcessiveLoginFailures: détection brute force - ApplicationUnhealthy: health check failures ## Infrastructure - InfrastructureHealthChecker: service partagé (DRY) - HealthCheckController: endpoint /health pour load balancers - Pre-push hook: make ci && make e2e avant push
2026-02-04 11:47:01 +01:00
parent 2ed60fdcc1
commit d3c6773be5
48 changed files with 5846 additions and 32 deletions
--- a/backend/src/Shared/Infrastructure/Monitoring/SentryBeforeSendCallback.php
+++ b/backend/src/Shared/Infrastructure/Monitoring/SentryBeforeSendCallback.php
@@ -0,0 +1,106 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Monitoring;
+
+use const FILTER_VALIDATE_EMAIL;
+
+use function is_array;
+use function is_string;
+
+use Sentry\Event;
+use Sentry\EventHint;
+
+/**
+ * Scrubs PII from Sentry events before sending to GlitchTip.
+ *
+ * Critical for RGPD compliance (NFR-S3): No personal data in error reports.
+ * This callback runs as the last step before sending to the error tracking service.
+ *
+ * @see Story 1.8 - T1.4: Filter PII before send (scrubber)
+ */
+final class SentryBeforeSendCallback
+{
+    public function __invoke(Event $event, ?EventHint $hint): Event
+    {
+        // Scrub request data
+        $request = $event->getRequest();
+        if (!empty($request)) {
+            $this->scrubArray($request);
+            $event->setRequest($request);
+        }
+
+        // Scrub extra context
+        $extra = $event->getExtra();
+        if (!empty($extra)) {
+            $this->scrubArray($extra);
+            $event->setExtra($extra);
+        }
+
+        // Scrub tags that might contain PII
+        $tags = $event->getTags();
+        if (!empty($tags)) {
+            $this->scrubStringArray($tags);
+            $event->setTags($tags);
+        }
+
+        // Never drop the event - we want all errors tracked
+        return $event;
+    }
+
+    /**
+     * Recursively scrub PII from an array.
+     *
+     * @param array<array-key, mixed> $data
+     */
+    private function scrubArray(array &$data): void
+    {
+        foreach ($data as $key => &$value) {
+            if (is_string($key) && $this->isPiiKey($key)) {
+                $value = '[FILTERED]';
+            } elseif (is_array($value)) {
+                $this->scrubArray($value);
+            } elseif (is_string($value) && $this->looksLikePii($value)) {
+                $value = '[FILTERED]';
+            }
+        }
+    }
+
+    /**
+     * Scrub PII from a string-only array (tags).
+     *
+     * @param array<string, string> $data
+     */
+    private function scrubStringArray(array &$data): void
+    {
+        foreach ($data as $key => &$value) {
+            if ($this->isPiiKey($key) || $this->looksLikePii($value)) {
+                $value = '[FILTERED]';
+            }
+        }
+    }
+
+    private function isPiiKey(string $key): bool
+    {
+        return PiiPatterns::isSensitiveKey($key);
+    }
+
+    private function looksLikePii(string $value): bool
+    {
+        // Filter email-like patterns
+        if (filter_var($value, FILTER_VALIDATE_EMAIL) !== false) {
+            return true;
+        }
+
+        // Filter JWT tokens
+        if (preg_match('/^eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+$/', $value)) {
+            return true;
+        }
+
+        // Filter UUIDs in specific contexts (but not all - some are legitimate IDs)
+        // We keep UUIDs as they're often needed for debugging
+
+        return false;
+    }
+}