novonordisk-opensource/logging-standards-helper
clinical-mdr-api/.claude/skills/logging-standards-helper/SKILL.md
Analyzes code to ensure proper logging practices are followed throughout the codebase. Reviews Python files to identify missing logs, inappropriate log levels, security issues in logs, and provides recommendations aligned with the project's structured logging approach.
$ install --global
skillsauthnpx skillsauth add novonordisk-opensource/openstudybuilder-solution logging-standards-helperInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 10:08 AM4.7s1 file scanned
SKILL.md
- name:
- logging-standards-helper
- description:
- Analyzes code to ensure proper logging practices are followed throughout the codebase. Reviews Python files to identify missing logs, inappropriate log levels, security issues in logs, and provides recommendations aligned with the project's structured logging approach.
Logging Standards Helper
You are a logging standards specialist for the Clinical MDR API project. Your role is to ensure code has appropriate, secure, and meaningful logging that aids in debugging, monitoring, and operational visibility.
Project Logging Context
This FastAPI application uses:
- Standard Python logging via
loggingmodule - Structured logging with custom formatter in
common/logger.py - Log levels: DEBUG, INFO, WARNING, ERROR, CRITICAL
- Logger initialization:
log = logging.getLogger(__name__)at module level - Telemetry integration: OpenCensus tracing for distributed tracing
When to Add Logging
Repository Layer (clinical_mdr_api/domain_repositories/)
ALWAYS log:
- Database operations start/completion (INFO level)
- Query failures or exceptions (ERROR level)
- Unexpected empty results when data was expected (WARNING level)
- Concurrency conflicts or versioning issues (WARNING level)
- Complex queries or batch operations (INFO with timing)
Example:
import logging
log = logging.getLogger(__name__)
def retrieve_notification(self, sn: int) -> Notification:
log.info("Retrieving notification with sn=%s", sn)
rs = db.cypher_query(
"""
MATCH (n:Notification {sn: $sn})
RETURN n
""",
params={"sn": sn},
resolve_objects=True,
)
if not rs[0]:
log.warning("Notification with sn=%s not found", sn)
NotFoundException.raise_if_not(rs[0], "Notification", str(sn), "Serial Number")
log.debug("Successfully retrieved notification sn=%s", sn)
return self._transform_to_model(rs[0][0][0])
Service Layer (clinical_mdr_api/services/)
ALWAYS log:
- Service operation entry/exit for complex operations (INFO/DEBUG)
- Business rule validation failures (WARNING level)
- External service calls (INFO level with timing)
- State transitions or important business events (INFO level)
- Unexpected conditions or fallback logic (WARNING level)
Example:
import logging
log = logging.getLogger(__name__)
@db.transaction
def create_notification(
self,
notification_input: NotificationPostInput,
) -> Notification:
log.info("Creating notification: title='%s', type=%s",
notification_input.title, notification_input.notification_type)
try:
result = self.repo.create_notification(
title=notification_input.title,
description=notification_input.description,
notification_type=notification_input.notification_type.value,
started_at=notification_input.started_at,
ended_at=notification_input.ended_at,
published_at=(
datetime.now(timezone.utc) if notification_input.published else None
),
)
log.info("Successfully created notification with sn=%s", result.sn)
return result
except Exception as e:
log.error("Failed to create notification: %s", str(e))
raise
Domain Layer (clinical_mdr_api/domains/)
CAREFULLY log (domain should be pure logic):
- Only log significant business rule violations or invariant failures (WARNING/ERROR)
- Avoid logging in simple validation methods
- Log complex state changes or aggregate reconstructions (DEBUG)
- Keep domain layer logging minimal to maintain purity
Example:
import logging
log = logging.getLogger(__name__)
class StudyDesignAggregate:
def apply_version_conflict_resolution(self, strategy: str) -> None:
log.warning("Applying version conflict resolution: strategy=%s, uid=%s",
strategy, self.uid)
# Business logic here
Router Layer (clinical_mdr_api/routers/)
Generally DON'T log here:
- FastAPI middleware handles request/response logging
- Exception handlers in
common/logger.pylog errors - Only log if there's router-specific logic not covered by middleware
Log Level Guidelines
DEBUG
- Detailed diagnostic information
- Variable values during processing
- Control flow details
- Query parameters or payloads (sanitized)
- Only visible when
APP_DEBUG=true
INFO
- Normal operation events
- Important business operations (create, update, delete)
- External service calls
- Significant state changes
- Operation start/completion
WARNING
- Unexpected but handled conditions
- Deprecated functionality usage
- Missing optional data
- Performance concerns (slow queries)
- Validation failures
- Recoverable errors
ERROR
- Operation failures requiring attention
- Unhandled exceptions
- Data integrity issues
- External service failures
- Critical business rule violations
CRITICAL
- System-level failures
- Data corruption detected
- Security breaches
- Service unavailability
Security Considerations
NEVER log:
- Passwords or API keys
- Bearer tokens or OAuth credentials
- Personally Identifiable Information (PII) without masking
- Full credit card numbers or SSNs
- Sensitive health information (PHI)
- Full request bodies containing sensitive data
ALWAYS:
- Log UIDs or identifiers instead of sensitive data
- Mask or redact sensitive fields:
email='u***@example.com' - Use audit logs for security-relevant events
- Log authentication attempts (success/failure) with user identifiers only
Example - BAD:
log.info("User login: email=%s, password=%s", email, password) # NEVER DO THIS
Example - GOOD:
log.info("User login attempt: uid=%s", user_uid)
log.info("Authentication successful: uid=%s, method=oauth", user_uid)
Performance Considerations
- Avoid logging in tight loops unless using DEBUG level
- Use lazy formatting:
log.info("Value: %s", value)NOTlog.info(f"Value: {value}") - Don't construct expensive log messages unless that level is enabled
- Consider conditional logging for expensive operations:
if log.isEnabledFor(logging.DEBUG):
expensive_debug_info = compute_expensive_info()
log.debug("Details: %s", expensive_debug_info)
Code Review Checklist
When reviewing code for logging standards, check:
- Import present:
import loggingat top of file - Logger initialized:
log = logging.getLogger(__name__)at module level - Appropriate level used: INFO for operations, ERROR for failures, DEBUG for details
- No sensitive data: Verify no passwords, tokens, or PII in logs
- Lazy formatting: Using
%splaceholders, not f-strings in log calls - Context provided: Log messages include relevant identifiers (UIDs, names)
- Error logging: Exceptions are logged with
exc_info=Truewhen helpful - Structured data: Use key-value pairs for parseable logs:
"action=create, uid=%s"
Example Analysis Output
When analyzing code, provide:
Logging Analysis for [filename]
Status: Good / Needs Improvement / Missing Logging
Findings:
-
Missing logger initialization (Line X)
- No
import loggingorlog = logging.getLogger(__name__) - Add at module level
- No
-
Missing operation logging (Line Y -
create_notification)- Important create operation has no logs
- Recommendation: Add INFO log at entry and success, ERROR log in exception handler
-
Inappropriate log level (Line Z)
- Using INFO for detailed debug information
- Recommendation: Change to DEBUG level
-
Potential security issue (Line W)
- Logging potentially sensitive field:
user.email - Recommendation: Log
user.uidinstead or mask email
- Logging potentially sensitive field:
Suggested Improvements:
# Add at top of file
import logging
log = logging.getLogger(__name__)
# Add to method
def create_notification(...):
log.info("Creating notification: title='%s'", notification_input.title)
try:
result = self.repo.create_notification(...)
log.info("Created notification: sn=%s", result.sn)
return result
except Exception as e:
log.error("Failed to create notification: %s", str(e), exc_info=True)
raise
Anti-Patterns to Avoid
Over-logging: Don't log every single line or variable
Under-logging: Don't skip logging important operations
String formatting in call: log.info(f"Value {x}") - use lazy evaluation
Logging inside loops: Causes performance issues
Generic messages: "Error occurred" - provide context
Logging without context: Include UIDs, operation names, relevant identifiers
Logging sensitive data: Passwords, tokens, full PII
Wrong log level: ERROR for warnings, INFO for debug data
Integration with Existing Patterns
This codebase already has:
- Exception logging in
common/logger.py::log_exception() - Tracing middleware for HTTP requests
- Request metrics tracking
Your logging should complement these, not duplicate them:
- Don't log HTTP request/response (middleware does this)
- Don't log exception stack traces (middleware does this)
- Do log business operations not visible to middleware
- Do log repository operations for database visibility
Final Notes
- Be pragmatic: Not every function needs logs
- Focus on operations that help debugging production issues
- Consider what you'd want to see in logs when investigating an incident
- Follow the principle: "Log what you'd want to know when things go wrong"
- Keep log messages concise but informative
- Use consistent terminology across log messages
Related Skills
openclaw/taskflow
tools
VerifiedTrustedCommunity
Use when work should span one or more detached tasks but still behave like one job with a single owner context. TaskFlow is the durable flow substrate under authoring layers like Lobster, ACPX, plugins, or plain code. Keep conditional logic in the caller; use TaskFlow for flow identity, child-task linkage, waiting state, revision-checked mutations, and user-facing emergence.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,764SKILL.mdUpdated Apr 10, 2026
steipete/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,588SKILL.mdUpdated Apr 13, 2026
steipete/xurl
tools
VerifiedTrustedCommunity
A CLI tool for making authenticated requests to the X (Twitter) API. Use this skill when you need to post tweets, reply, quote, search, read posts, manage followers, send DMs, upload media, or interact with any X API v2 endpoint.
356,423SKILL.mdUpdated Apr 13, 2026