fix(core): Add stderr log output option (#2989)

### Proposed Changes

- Adds log output to composite workflows for service
- Adds support for `stderr` as output stream for logs
- Adds `log-type` and `log-level` input params to composite workflows
- Adds output `log-file` for path to the logs output for use with `tail`
or similar checks downstream to mimic log capturing tools


### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Author: dmihalcik-virtru

.github/scripts/watch.sh

@@ -1,38 +1,101 @@
 #!/usr/bin/env bash
-# Usage: watch.sh [cfg file] [app and command....]
+# Usage: watch.sh [options] [cfg file] [app and command....]
 #
+# Options:
+#   --tee-out-to FILE    Tee stdout to FILE
+#   --tee-err-to FILE    Tee stderr to FILE
+#
+
+# Kill a process, if it is still running.
+# Use:
+#  silent_kill $PID
+silent_kill() {
+    local pid=$1
+    if kill -0 "$pid" 2>/dev/null && ! kill "$pid" 2>/dev/null; then
+        echo "[WARN] Failed to kill process $pid" >&2
+    fi
+}
 
 quitter() {
-  kill "$PID"
-  exit
+    silent_kill "$PID"
+    exit
 }
 trap quitter SIGINT
 
+# Parse optional tee arguments
+tee_stdout=""
+tee_stderr=""
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --tee-out-to)
+            if [[ -z "$2" || "$2" == --* ]]; then
+                echo "Error: --tee-out-to requires a file path argument." >&2
+                exit 1
+            fi
+            tee_stdout="$2"
+            shift 2
+            ;;
+        --tee-err-to)
+            if [[ -z "$2" || "$2" == --* ]]; then
+                echo "Error: --tee-err-to requires a file path argument." >&2
+                exit 1
+            fi
+            tee_stderr="$2"
+            shift 2
+            ;;
+        *)
+            break
+            ;;
+    esac
+done
+
 file_to_watch="$1"
 shift
 
 wait_for_change_to() {
-  if which inotifywait; then
-    echo "[INFO] inotifywaiting to [${file_to_watch}]"
-    inotifywait -e modify -e move -e create -e delete -e attrib -r "${file_to_watch}"
-  else
-    m=$(date -r "${file_to_watch}" +%s)
-    echo "[INFO] stat checking [${file_to_watch}] from [${m}]"
-    while true; do
-      sleep 1
-      n=$(date -r "${file_to_watch}" +%s)
-      echo "[INFO] stat checking [${file_to_watch}] from [${m} < ${n}]"
-      if [[ $m < $n ]]; then
-        return
-      fi
-    done
-  fi
+    if which inotifywait; then
+        echo "[INFO] inotifywaiting to [${file_to_watch}]"
+        inotifywait -e modify -e move -e create -e delete -e attrib -r "${file_to_watch}"
+    else
+        m=$(date -r "${file_to_watch}" +%s)
+        echo "[INFO] stat checking [${file_to_watch}] from [${m}]"
+        while true; do
+            sleep 1
+            n=$(date -r "${file_to_watch}" +%s)
+            echo "[INFO] stat checking [${file_to_watch}] from [${m} < ${n}]"
+            if [[ $m < $n ]]; then
+                return
+            fi
+        done
+    fi
 }
 
 while true; do
-  "$@" &
-  PID=$!
-  wait_for_change_to "${file_to_watch}"
-  kill $PID
-  echo "[INFO] restarting [${PID}] due to modified file"
+    # Build command with optional tee for stdout/stderr
+    if [[ -n "$tee_stdout" ]] || [[ -n "$tee_stderr" ]]; then
+        # Ensure log directories exist
+        [[ -n "$tee_stdout" ]] && mkdir -p "$(dirname "$tee_stdout")"
+        [[ -n "$tee_stderr" ]] && mkdir -p "$(dirname "$tee_stderr")"
+
+        # Run command with tee for stdout and/or stderr
+        if [[ -n "$tee_stdout" ]] && [[ -n "$tee_stderr" ]]; then
+            # Both stdout and stderr tee
+            "$@" > >(tee -a "$tee_stdout") 2> >(tee -a "$tee_stderr" >&2) &
+        elif [[ -n "$tee_stdout" ]]; then
+            # Only stdout tee
+            "$@" > >(tee -a "$tee_stdout") &
+        else
+            # Only stderr tee
+            "$@" 2> >(tee -a "$tee_stderr" >&2) &
+        fi
+    else
+        # No tee, run normally
+        "$@" &
+    fi
+
+    PID=$!
+    wait_for_change_to "${file_to_watch}"
+    silent_kill "$PID"
+    echo "[INFO] restarting [${PID}] due to modified file"
 done

docs/Configuring.md

@@ -94,19 +94,19 @@ The logger configuration is used to define how the application logs its output.
 
 Root level key `logger`
 
-| Field    | Description                      | Default  | Environment Variable  |
-| -------- | -------------------------------- | -------- | --------------------- |
-| `level`  | The logging level.               | `info`   | OPENTDF_LOGGER_LEVEL  |
-| `type`   | The format of the log output.    | `json`   | OPENTDF_LOGGER_TYPE   |
-| `output` | The output destination for logs. | `stdout` | OPENTDF_LOGGER_OUTPUT |
+| Field    | Description                              | Default  | Environment Variable  |
+| -------- | ---------------------------------------- | -------- | --------------------- |
+| `level`  | The logging level.                       | `info`   | OPENTDF_LOGGER_LEVEL  |
+| `type`   | The format of the log output.            | `json`   | OPENTDF_LOGGER_TYPE   |
+| `output` | Stream output for logs, stderr or stdout | `stdout` | OPENTDF_LOGGER_OUTPUT |
 
 Example:
 
 ```yaml
 logger:
   level: debug
   type: text
-  output: stdout
+  output: stderr
 ```
 
 ## Server Configuration

docs/Contributing.md

@@ -13,7 +13,7 @@ For end-users/consumers, see [here](./Consuming.md).
 
 1.  Configure KAS and Keycloak keys: `.github/scripts/init-temp-keys.sh`. Creates temporary keys for the local KAS and Keycloak Certificate Exchange. 
 2. `docker compose up`. Starts both the local Postgres database (contains the ABAC policy configuration data) and Keycloak (the local IdP).
-   1. Note: You will have to add the ``localhost.crt`` as a trusted certificate to do TLS authentication at ``localhost:8443``.
+   1. Note: You will have to add the ``localhost.crt`` as a trusted certificate to do TLS authentication at ``localhost:8443``. On a mac, this is `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ./keys/localhost.crt`
 3. Create an OpenTDF config file: `opentdf.yaml`
    1. The `opentdf-dev.yaml` file is the more secure starting point, but you will likely need to modify it to match your environment. This configuration is recommended as it is more secure but it does require valid development keypairs.
    2. The `opentdf-core-mode.yaml` file is simpler to run but less secure. This file configures the platform to startup without a KAS instances, without a built-in ERS instance, and without endpoint authentication.

opentdf-core-mode.yaml

@@ -10,7 +10,7 @@ sdk_config:
 logger:
   level: debug
   type: text
-  output: stdout
+  output: stderr
 # DB and Server configurations are defaulted for local development
 # db:
 #   host: localhost

opentdf-dev.yaml

@@ -1,7 +1,7 @@
 logger:
   level: debug
   type: text
-  output: stdout
+  output: stderr
 # DB and Server configurations are defaulted for local development
 # db:
 #   host: localhost

opentdf-ers-mode.yaml

@@ -4,7 +4,7 @@ mode: entityresolution
 logger:
   level: debug
   type: text
-  output: stdout
+  output: stderr
 services:
   entityresolution:
     log_level: info

opentdf-example.yaml

@@ -1,7 +1,7 @@
 logger:
   level: debug
   type: text
-  output: stdout
+  output: stderr
 # DB and Server configurations are defaulted for local development
 db:
   host: opentdfdb

opentdf-kas-mode.yaml

@@ -10,7 +10,7 @@ sdk_config:
 logger:
   level: debug
   type: text
-  output: stdout
+  output: stderr
 security:
   unsafe:
     # Increase only when diagnosing clock drift issues; default is 1m

service/logger/logger.go

@@ -101,6 +101,8 @@ func (l *Logger) With(key string, value string) *Logger {
 
 func getWriter(config Config) (io.Writer, error) {
 	switch config.Output {
+	case "stderr":
+		return os.Stderr, nil
 	case "stdout":
 		return os.Stdout, nil
 	default:

service/pkg/config/config_test.go

@@ -258,7 +258,7 @@ func TestLoadConfig_Success(t *testing.T) {
 logger:
   level: debug
   type: text
-  output: stdout
+  output: stderr
 mode: core
 db:
   host: opentdf