logdive-core 0.1.0

Core library for logdive: structured JSON log parsing, SQLite indexing, and query engine
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138

//! The `LogEntry` type — a single parsed log line.
//!
//! This is the canonical in-memory representation used by every layer of
//! logdive: the parser produces `LogEntry` values, the indexer consumes them,
//! and the executor returns them from queries.
//!
//! Field layout follows the hybrid storage decision in the project doc
//! (decisions log, 2026-04-19): the four "known" fields (`timestamp`, `level`,
//! `message`, `tag`) are first-class members that map to indexed SQLite
//! columns, while everything else lives in the `fields` map and is persisted
//! as a JSON blob queried via `json_extract()`.

use serde::{Deserialize, Serialize};
use serde_json::{Map, Value};

/// A single structured log entry.
///
/// All four known fields are `Option<String>` because a JSON line may omit
/// any of them and still be worth indexing — the parser's contract per the
/// milestone 1 spec is "missing optional fields use `None` not panic".
///
/// `fields` holds only keys that are *not* among the known four. The parser
/// is responsible for lifting known keys out of the JSON object and into
/// their dedicated fields before populating this map.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct LogEntry {
    /// The entry's timestamp as it appeared in the source line. Stored as a
    /// string rather than a parsed `DateTime` so unusual formats survive
    /// ingestion; time-range filtering is applied at query time.
    pub timestamp: Option<String>,

    /// Log severity ("error", "warn", "info", ...). Indexed column.
    pub level: Option<String>,

    /// The human-readable message body.
    pub message: Option<String>,

    /// Optional source tag supplied at ingestion time (the `--tag` CLI flag,
    /// per the "Decisions log" entry on optional tags). `None` means
    /// "untagged" and such entries match queries without a tag filter.
    pub tag: Option<String>,

    /// Arbitrary additional keys from the JSON object. Serialized to the
    /// `fields TEXT` column and queried via SQLite's `json_extract()`.
    pub fields: Map<String, Value>,

    /// The original, unmodified source line. Feeds both the `raw` column
    /// and the `blake3`-based dedup hash.
    pub raw: String,
}

impl LogEntry {
    /// The set of top-level JSON keys that are promoted to first-class
    /// struct fields during parsing. Any key *not* in this set is preserved
    /// in [`LogEntry::fields`].
    ///
    /// Kept in a single place so the parser and any future schema-related
    /// code agree on which keys are "known".
    pub const KNOWN_KEYS: &'static [&'static str] = &["timestamp", "level", "message", "tag"];

    /// Construct a new entry from the raw source line, with all optional
    /// fields unset and an empty `fields` map. The parser uses this as a
    /// starting point and fills in the pieces it finds.
    pub fn new(raw: impl Into<String>) -> Self {
        Self {
            timestamp: None,
            level: None,
            message: None,
            tag: None,
            fields: Map::new(),
            raw: raw.into(),
        }
    }

    /// Override the tag. Used by the indexer to apply the `--tag` flag
    /// supplied at ingestion time: if the source JSON did not carry its own
    /// `tag`, the CLI-provided one is substituted here.
    pub fn with_tag(mut self, tag: Option<String>) -> Self {
        if tag.is_some() {
            self.tag = tag;
        }
        self
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn new_entry_has_no_known_fields_and_empty_map() {
        let e = LogEntry::new("hello");
        assert_eq!(e.raw, "hello");
        assert!(e.timestamp.is_none());
        assert!(e.level.is_none());
        assert!(e.message.is_none());
        assert!(e.tag.is_none());
        assert!(e.fields.is_empty());
    }

    #[test]
    fn with_tag_sets_when_some() {
        let e = LogEntry::new("x").with_tag(Some("api".to_string()));
        assert_eq!(e.tag.as_deref(), Some("api"));
    }

    #[test]
    fn with_tag_is_a_noop_when_none() {
        let e = LogEntry::new("x")
            .with_tag(Some("first".to_string()))
            .with_tag(None);
        // An existing tag is NOT cleared by passing None — None means
        // "no override supplied", not "clear the tag".
        assert_eq!(e.tag.as_deref(), Some("first"));
    }

    #[test]
    fn known_keys_are_the_four_documented_ones() {
        // Guards against accidental drift — if someone adds a known field,
        // this test makes them update both the constant and this assertion.
        assert_eq!(
            LogEntry::KNOWN_KEYS,
            &["timestamp", "level", "message", "tag"]
        );
    }

    #[test]
    fn roundtrips_through_serde_json() {
        let mut e = LogEntry::new(r#"{"level":"error","service":"pay"}"#);
        e.level = Some("error".to_string());
        e.fields
            .insert("service".to_string(), Value::String("pay".to_string()));

        let s = serde_json::to_string(&e).expect("serialize");
        let back: LogEntry = serde_json::from_str(&s).expect("deserialize");
        assert_eq!(e, back);
    }
}