레포 업데이트

backend/internal/handler/auth_handler.go

@@ -1770,6 +1770,21 @@ func containsHeadlessAudience(expected []string, actual headlessAssertionAud) bo
 	return false
 }
 
+func joinHeadlessAudiences(values []string) string {
+	if len(values) == 0 {
+		return ""
+	}
+	trimmed := make([]string, 0, len(values))
+	for _, value := range values {
+		value = strings.TrimSpace(value)
+		if value == "" {
+			continue
+		}
+		trimmed = append(trimmed, value)
+	}
+	return strings.Join(trimmed, ", ")
+}
+
 func headlessRequestID(c *fiber.Ctx) string {
 	if c == nil {
 		return ""
@@ -1894,14 +1909,18 @@ func (h *AuthHandler) loadHeadlessJWKS(ctx context.Context, client domain.HydraC
 
 func validateHeadlessClientAssertionClaims(c *fiber.Ctx, claims headlessClientAssertionClaims, clientID string) *headlessLoginFailure {
 	now := time.Now().Unix()
+	expectedAudiences := headlessAssertionAudiences(c)
+	receivedAudiences := []string(claims.Audience)
 	debugFields := map[string]any{
-		"claim_issuer":       claims.Issuer,
-		"claim_subject":      claims.Subject,
-		"claim_expires_at":   claims.ExpiresAt,
-		"claim_not_before":   claims.NotBefore,
-		"claim_issued_at":    claims.IssuedAt,
-		"received_audiences": []string(claims.Audience),
-		"expected_audiences": headlessAssertionAudiences(c),
+		"claim_issuer":            claims.Issuer,
+		"claim_subject":           claims.Subject,
+		"claim_expires_at":        claims.ExpiresAt,
+		"claim_not_before":        claims.NotBefore,
+		"claim_issued_at":         claims.IssuedAt,
+		"received_audiences":      receivedAudiences,
+		"expected_audiences":      expectedAudiences,
+		"received_audiences_text": joinHeadlessAudiences(receivedAudiences),
+		"expected_audiences_text": joinHeadlessAudiences(expectedAudiences),
 	}
 	if claims.Issuer != clientID || claims.Subject != clientID {
 		return newHeadlessLoginFailure(
@@ -1939,7 +1958,7 @@ func validateHeadlessClientAssertionClaims(c *fiber.Ctx, claims headlessClientAs
 			debugFields,
 		)
 	}
-	if !containsHeadlessAudience(headlessAssertionAudiences(c), claims.Audience) {
+	if !containsHeadlessAudience(expectedAudiences, claims.Audience) {
 		return newHeadlessLoginFailure(
 			fiber.StatusUnauthorized,
 			"invalid_client_assertion_audience",

backend/internal/logger/client_log_policy.go

@@ -34,8 +34,7 @@ var (
 )
 
 func IsProductionEnv(appEnv string) bool {
-	env := strings.ToLower(strings.TrimSpace(appEnv))
-	return env == "prod" || env == "production"
+	return IsProductionLikeEnv(appEnv)
 }
 
 func parseBoolFlag(raw string) bool {

backend/internal/logger/client_log_policy_test.go

@@ -15,6 +15,8 @@ func TestClientDebugEnabled(t *testing.T) {
 	t.Run("production disables debug by default", func(t *testing.T) {
 		assert.False(t, ClientDebugEnabled("production", ""))
 		assert.False(t, ClientDebugEnabled("prod", "false"))
+		assert.False(t, ClientDebugEnabled("stage", ""))
+		assert.False(t, ClientDebugEnabled("staging", "false"))
 	})
 
 	t.Run("production accepts explicit debug override", func(t *testing.T) {
@@ -27,14 +29,19 @@ func TestClientDebugEnabled(t *testing.T) {
 func TestShouldAcceptClientLog(t *testing.T) {
 	assert.False(t, ShouldAcceptClientLog("production", "", "INFO"))
 	assert.False(t, ShouldAcceptClientLog("production", "", "DEBUG"))
+	assert.False(t, ShouldAcceptClientLog("stage", "", "INFO"))
+	assert.False(t, ShouldAcceptClientLog("stage", "", "DEBUG"))
 	assert.True(t, ShouldAcceptClientLog("production", "", "WARN"))
 	assert.True(t, ShouldAcceptClientLog("production", "", "ERROR"))
+	assert.True(t, ShouldAcceptClientLog("stage", "", "WARN"))
+	assert.True(t, ShouldAcceptClientLog("stage", "", "ERROR"))
 	assert.True(t, ShouldAcceptClientLog("production", "true", "INFO"))
 	assert.True(t, ShouldAcceptClientLog("dev", "", "INFO"))
 }
 
 func TestShouldFilterNoisyClientInfo(t *testing.T) {
 	assert.True(t, ShouldFilterNoisyClientInfo("production", "", "Navigating to /ko/signin"))
+	assert.True(t, ShouldFilterNoisyClientInfo("stage", "", "Navigating to /ko/signin"))
 	assert.False(t, ShouldFilterNoisyClientInfo("production", "true", "Navigating to /ko/signin"))
 	assert.False(t, ShouldFilterNoisyClientInfo("dev", "", "Navigating to /ko/signin"))
 }

backend/internal/logger/logger.go

@@ -1,6 +1,7 @@
 package logger
 
 import (
+	"io"
 	"log/slog"
 	"os"
 	"strings"
@@ -8,18 +9,28 @@ import (
 
 // Config holds the logger configuration
 type Config struct {
-	ServiceName string
-	Environment string // "dev", "local", "production"
+	ServiceName   string
+	Environment   string // APP_ENV 기준
+	LevelOverride string
+	Output        io.Writer
+}
+
+func IsProductionLikeEnv(appEnv string) bool {
+	env := strings.ToLower(strings.TrimSpace(appEnv))
+	return env == "prod" || env == "production" || env == "stage" || env == "staging"
 }
 
 // Init initializes the global logger with slog.
 // It detects the environment to switch between TextHandler (dev) and JSONHandler (prod).
 func Init(cfg Config) {
 	var handler slog.Handler
+	output := cfg.Output
+	if output == nil {
+		output = os.Stdout
+	}
 
 	opts := &slog.HandlerOptions{
-		// Default level
-		Level: slog.LevelInfo,
+		Level: ResolveBackendLogLevel(cfg.Environment, cfg.LevelOverride),
 		// Customize attributes (Time format)
 		ReplaceAttr: func(groups []string, a slog.Attr) slog.Attr {
 			if a.Key == slog.TimeKey {
@@ -32,11 +43,10 @@ func Init(cfg Config) {
 	// Adjust level and format based on environment
 	env := strings.ToLower(cfg.Environment)
 	if env == "dev" || env == "local" || env == "development" {
-		opts.Level = slog.LevelDebug
-		handler = slog.NewTextHandler(os.Stdout, opts)
+		handler = slog.NewTextHandler(output, opts)
 	} else {
 		// Production defaults to JSON
-		handler = slog.NewJSONHandler(os.Stdout, opts)
+		handler = slog.NewJSONHandler(output, opts)
 	}
 
 	// Create logger with common attributes
@@ -47,3 +57,22 @@ func Init(cfg Config) {
 	// Set as global default logger
 	slog.SetDefault(logger)
 }
+
+func ResolveBackendLogLevel(appEnv, override string) slog.Level {
+	switch strings.ToLower(strings.TrimSpace(override)) {
+	case "debug":
+		return slog.LevelDebug
+	case "info":
+		return slog.LevelInfo
+	case "warn", "warning":
+		return slog.LevelWarn
+	case "error":
+		return slog.LevelError
+	}
+
+	env := strings.ToLower(strings.TrimSpace(appEnv))
+	if env == "dev" || env == "local" || env == "development" {
+		return slog.LevelDebug
+	}
+	return slog.LevelInfo
+}

backend/internal/logger/logger_test.go

@@ -0,0 +1,69 @@
+package logger
+
+import (
+	"bytes"
+	"log/slog"
+	"strings"
+	"testing"
+)
+
+func TestResolveBackendLogLevel_DefaultsByAppEnv(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name      string
+		appEnv    string
+		wantLevel slog.Level
+	}{
+		{name: "dev uses debug", appEnv: "dev", wantLevel: slog.LevelDebug},
+		{name: "local uses debug", appEnv: "local", wantLevel: slog.LevelDebug},
+		{name: "development uses debug", appEnv: "development", wantLevel: slog.LevelDebug},
+		{name: "stage uses info", appEnv: "stage", wantLevel: slog.LevelInfo},
+		{name: "production uses info", appEnv: "production", wantLevel: slog.LevelInfo},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := ResolveBackendLogLevel(tc.appEnv, "")
+			if got != tc.wantLevel {
+				t.Fatalf("expected level %v, got %v", tc.wantLevel, got)
+			}
+		})
+	}
+}
+
+func TestResolveBackendLogLevel_OverrideWins(t *testing.T) {
+	t.Parallel()
+
+	got := ResolveBackendLogLevel("production", "debug")
+	if got != slog.LevelDebug {
+		t.Fatalf("expected debug override, got %v", got)
+	}
+
+	got = ResolveBackendLogLevel("dev", "warn")
+	if got != slog.LevelWarn {
+		t.Fatalf("expected warn override, got %v", got)
+	}
+}
+
+func TestInit_UsesResolvedBackendLogLevel(t *testing.T) {
+	var buf bytes.Buffer
+	previous := slog.Default()
+	defer slog.SetDefault(previous)
+
+	Init(Config{
+		ServiceName:   "baron-sso",
+		Environment:   "stage",
+		LevelOverride: "debug",
+		Output:        &buf,
+	})
+
+	slog.Debug("debug message should be visible")
+
+	if !strings.Contains(buf.String(), "debug message should be visible") {
+		t.Fatalf("expected debug log to be written, got=%s", buf.String())
+	}
+}

backend/internal/service/dry_run_service.go

@@ -1,6 +1,7 @@
 package service
 
 import (
+	"baron-sso-backend/internal/logger"
 	"os"
 	"strings"
 )
@@ -10,7 +11,7 @@ func IsProductionEnv() bool {
 	if env == "" {
 		env = strings.ToLower(os.Getenv("GO_ENV"))
 	}
-	return env == "prod" || env == "production"
+	return logger.IsProductionLikeEnv(env)
 }
 
 func IsDryRunAllowed() bool {

backend/internal/service/dry_run_service_test.go

@@ -0,0 +1,43 @@
+package service
+
+import (
+	"os"
+	"testing"
+)
+
+func TestIsProductionEnv_StageIsProductionLike(t *testing.T) {
+	t.Setenv("APP_ENV", "stage")
+	t.Setenv("GO_ENV", "")
+
+	if !IsProductionEnv() {
+		t.Fatalf("expected stage to be treated as production-like")
+	}
+}
+
+func TestIsDryRunAllowed_DisabledInStage(t *testing.T) {
+	t.Setenv("APP_ENV", "stage")
+	t.Setenv("GO_ENV", "")
+
+	if IsDryRunAllowed() {
+		t.Fatalf("expected dry-run to be disabled in stage")
+	}
+}
+
+func TestIsProductionEnv_FallsBackToGoEnv(t *testing.T) {
+	originalAppEnv, hadAppEnv := os.LookupEnv("APP_ENV")
+	if hadAppEnv {
+		t.Cleanup(func() {
+			_ = os.Setenv("APP_ENV", originalAppEnv)
+		})
+	} else {
+		t.Cleanup(func() {
+			_ = os.Unsetenv("APP_ENV")
+		})
+	}
+	_ = os.Unsetenv("APP_ENV")
+	t.Setenv("GO_ENV", "production")
+
+	if !IsProductionEnv() {
+		t.Fatalf("expected GO_ENV=production fallback to be production-like")
+	}
+}