feat: comprehensive INFO/WARN/ERROR logging across all controller modules

Add structured operational logging at INFO, WARN, and ERROR levels to
every controller module. Standardize custom prefixes ([GEO], [SCHED],
[SYNC]) to use [INFO/WARN/ERROR] [module] format. Fix misleveled logs
(WARN->ERROR for data loss scenarios, WARN->INFO for routine operations).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

controller/internal/cloudflare/geosync.go

@@ -68,6 +68,8 @@ func (g *GeoSyncManager) Sync(ctx context.Context) error {
 		g.mu.Unlock()
 	}()
 
+	g.logger.Printf("[INFO] [cloudflare] Geo-restriction sync starting")
+
 	geo := g.settings.GetGeoRestriction()
 
 	// If geo is nil or disabled, delete all felhom rules and return.
@@ -75,7 +77,7 @@ func (g *GeoSyncManager) Sync(ctx context.Context) error {
 		return g.deleteAllRules(ctx, geo)
 	}
 
-	g.logger.Printf("[GEO] Starting sync for domain %s (%d allowed countries, %d app overrides)",
+	g.logger.Printf("[INFO] [cloudflare] Starting sync for domain %s (%d allowed countries, %d app overrides)",
 		g.domain, len(geo.AllowedCountries), len(geo.AppOverrides))
 
 	// 1. Resolve zone ID (use cached value if available)
@@ -156,7 +158,9 @@ func (g *GeoSyncManager) Sync(ctx context.Context) error {
 
 	// 6. Save success state
 	g.saveError(zoneID, rulesetID, "")
-	g.logger.Printf("[GEO] Sync completed successfully")
+	// Count rules for summary
+	finalRules, _ := g.client.GetFelhomRules(ctx, zoneID, rulesetID)
+	g.logger.Printf("[INFO] [cloudflare] Geo-restriction sync complete (%d active rules)", len(finalRules))
 	return nil
 }
 
@@ -184,7 +188,7 @@ func (g *GeoSyncManager) deleteAllRules(ctx context.Context, geo *settings.GeoRe
 
 	existing, err := g.client.GetFelhomRules(ctx, zoneID, rulesetID)
 	if err != nil {
-		g.logger.Printf("[GEO] Warning: could not list rules for cleanup: %v", err)
+		g.logger.Printf("[WARN] [cloudflare] Could not list rules for cleanup: %v", err)
 		return nil
 	}
 
@@ -195,14 +199,14 @@ func (g *GeoSyncManager) deleteAllRules(ctx context.Context, geo *settings.GeoRe
 	deleted := 0
 	for _, r := range existing {
 		if err := g.client.DeleteRule(ctx, zoneID, rulesetID, r.ID); err != nil {
-			g.logger.Printf("[GEO] Warning: could not delete rule %s: %v", r.ID, err)
+			g.logger.Printf("[ERROR] [cloudflare] Failed to delete WAF rule %s: %v", r.ID, err)
 		} else {
 			deleted++
 		}
 	}
 
 	if len(existing) > 0 {
-		g.logger.Printf("[GEO] Deleted %d felhom-geo rules (feature disabled)", len(existing))
+		g.logger.Printf("[INFO] [cloudflare] Deleted %d felhom-geo rules (feature disabled)", len(existing))
 		if g.debug {
 			g.logger.Printf("[DEBUG] [cloudflare] deleteAllRules: successfully deleted %d/%d rules", deleted, len(existing))
 		}
@@ -296,6 +300,7 @@ func (g *GeoSyncManager) applyDiff(ctx context.Context, zoneID, rulesetID string
 				if err := g.client.UpdateRule(ctx, zoneID, rulesetID, ex.ID, r); err != nil {
 					return fmt.Errorf("update rule %q: %w", d.description, err)
 				}
+				g.logger.Printf("[INFO] [cloudflare] Updated WAF rule %s", d.description)
 			} else if g.debug {
 				g.logger.Printf("[DEBUG] [cloudflare] applyDiff: rule %q unchanged, skipping", d.description)
 			}
@@ -308,6 +313,7 @@ func (g *GeoSyncManager) applyDiff(ctx context.Context, zoneID, rulesetID string
 			if _, err := g.client.CreateRule(ctx, zoneID, rulesetID, r); err != nil {
 				return fmt.Errorf("create rule %q: %w", d.description, err)
 			}
+			g.logger.Printf("[INFO] [cloudflare] Created WAF rule %s", d.description)
 		}
 	}
 
@@ -320,6 +326,7 @@ func (g *GeoSyncManager) applyDiff(ctx context.Context, zoneID, rulesetID string
 			if err := g.client.DeleteRule(ctx, zoneID, rulesetID, ex.ID); err != nil {
 				return fmt.Errorf("delete rule %q: %w", ex.Description, err)
 			}
+			g.logger.Printf("[INFO] [cloudflare] Deleted WAF rule %s", ex.Description)
 		}
 	}
 
@@ -328,7 +335,10 @@ func (g *GeoSyncManager) applyDiff(ctx context.Context, zoneID, rulesetID string
 
 // saveError updates the sync state in settings.
 func (g *GeoSyncManager) saveError(zoneID, rulesetID, errMsg string) {
+	if errMsg != "" {
+		g.logger.Printf("[ERROR] [cloudflare] Geo-sync error: %v", errMsg)
+	}
 	if err := g.settings.SetGeoSyncState(zoneID, rulesetID, errMsg); err != nil {
-		g.logger.Printf("[GEO] Warning: failed to save sync state: %v", err)
+		g.logger.Printf("[WARN] [cloudflare] Failed to save sync state: %v", err)
 	}
 }

controller/internal/cloudflare/waf.go

@@ -63,6 +63,7 @@ func (c *Client) GetCustomRulesetID(ctx context.Context, zoneID string) (string,
 	path := fmt.Sprintf("/zones/%s/rulesets", zoneID)
 	resp, err := c.do(ctx, "GET", path, nil)
 	if err != nil {
+		c.logger.Printf("[ERROR] [cloudflare] Failed to get custom ruleset: %v", err)
 		return "", fmt.Errorf("list rulesets: %w", err)
 	}
 
@@ -120,6 +121,7 @@ func (c *Client) GetRules(ctx context.Context, zoneID, rulesetID string) ([]rule
 	path := fmt.Sprintf("/zones/%s/rulesets/%s", zoneID, rulesetID)
 	resp, err := c.do(ctx, "GET", path, nil)
 	if err != nil {
+		c.logger.Printf("[WARN] [cloudflare] Failed to get WAF rules: %v", err)
 		return nil, fmt.Errorf("get ruleset: %w", err)
 	}
 
@@ -165,9 +167,11 @@ func (c *Client) GetFelhomRules(ctx context.Context, zoneID, rulesetID string) (
 
 // CreateRule adds a new rule to the ruleset.
 func (c *Client) CreateRule(ctx context.Context, zoneID, rulesetID string, r rule) (string, error) {
+	c.logger.Printf("[INFO] [cloudflare] Creating WAF rule: %s", r.Description)
 	path := fmt.Sprintf("/zones/%s/rulesets/%s/rules", zoneID, rulesetID)
 	resp, err := c.do(ctx, "POST", path, r)
 	if err != nil {
+		c.logger.Printf("[ERROR] [cloudflare] Failed to create WAF rule: %v", err)
 		return "", fmt.Errorf("create rule: %w", err)
 	}
 
@@ -198,9 +202,11 @@ func (c *Client) CreateRule(ctx context.Context, zoneID, rulesetID string, r rul
 
 // UpdateRule updates an existing rule in the ruleset.
 func (c *Client) UpdateRule(ctx context.Context, zoneID, rulesetID, ruleID string, r rule) error {
+	c.logger.Printf("[INFO] [cloudflare] Updating WAF rule %s", ruleID)
 	path := fmt.Sprintf("/zones/%s/rulesets/%s/rules/%s", zoneID, rulesetID, ruleID)
 	_, err := c.do(ctx, "PATCH", path, r)
 	if err != nil {
+		c.logger.Printf("[ERROR] [cloudflare] Failed to update WAF rule %s: %v", ruleID, err)
 		return fmt.Errorf("update rule %s: %w", ruleID, err)
 	}
 	c.logger.Printf("[CF] Updated rule %q (%s)", r.Description, ruleID)
@@ -216,9 +222,11 @@ func (c *Client) UpdateRule(ctx context.Context, zoneID, rulesetID, ruleID strin
 
 // DeleteRule removes a rule from the ruleset.
 func (c *Client) DeleteRule(ctx context.Context, zoneID, rulesetID, ruleID string) error {
+	c.logger.Printf("[INFO] [cloudflare] Deleting WAF rule %s", ruleID)
 	path := fmt.Sprintf("/zones/%s/rulesets/%s/rules/%s", zoneID, rulesetID, ruleID)
 	_, err := c.do(ctx, "DELETE", path, nil)
 	if err != nil {
+		c.logger.Printf("[ERROR] [cloudflare] Failed to delete WAF rule %s: %v", ruleID, err)
 		return fmt.Errorf("delete rule %s: %w", ruleID, err)
 	}
 	c.logger.Printf("[CF] Deleted rule %s", ruleID)

controller/internal/cloudflare/zone.go

@@ -52,6 +52,7 @@ func (c *Client) GetZoneID(ctx context.Context, domain string) (string, error) {
 		}
 	}
 
+	c.logger.Printf("[WARN] [cloudflare] No zone found for domain %s", domain)
 	return "", fmt.Errorf("no Cloudflare zone found for domain %q", domain)
 }