[log] Add debug logging to nonce cache in server/hmac.go #8059

Merged: lpcox merged 2 commits into main from log/server-hmac-nonce-cache-cfea7278dae41a1b, Jun 25, 2026
Conversation

@github-actions

Contributor

Summary

Adds three focused logHMAC.Printf debug logging calls to the previously-unlogged nonceCache methods in internal/server/hmac.go.

The existing hmacMiddleware function already has 9 log calls, but the nonce cache lifecycle methods (newNonceCache, evictExpired, checkAndSet) had no logging at all, making it hard to diagnose HMAC replay-protection issues in production.

Changes

Only internal/server/hmac.go is modified (+7 lines).

newNonceCache()

logHMAC.Printf("Creating nonce cache: maxAgeSecs=%d, nonceTTL=%s", hmacMaxAgeSecs, nonceTTL)

Logs cache initialization with the configured age and TTL values.

evictExpired()

if evicted > 0 {
    logHMAC.Printf("Nonce cache eviction: evicted=%d, remaining=%d", evicted, len(c.entries))
}

Logs eviction events with a count of expired entries removed and entries remaining. The if evicted > 0 guard avoids noise on calls where nothing is evicted (the common case).

checkAndSet()

logHMAC.Printf("Nonce registered: cacheSize=%d", len(c.entries))

Logs each new nonce registration with current cache size, making it easy to detect cache growth or unexpected replay attempts.

Validation

  • go build ./internal/server/... — ✅
  • go test ./internal/server/... — ✅
  • go vet ./internal/server/... — ✅
  • make agent-finished — ✅ all Go tests pass (Rust crates.io network is blocked in sandbox — pre-existing infrastructure constraint)

Quality Checklist

  • Exactly 1 file modified
  • No test files modified
  • Reuses existing logHMAC logger (no new declaration needed)
  • Logger naming follows pkg:filename convention (server:hmac)
  • Log arguments have no side effects
  • Messages are meaningful and helpful for debugging
  • No duplicate logging with existing log calls
  • Build and targeted package tests pass

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • index.crates.io

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "index.crates.io"

See Network Configuration for more information.

Generated by Go Logger Enhancement · 443.2 AIC · ⊞ 8.3K ·

Add three logHMAC.Printf calls to the previously-unlogged nonceCache methods:
- newNonceCache(): log cache creation with maxAgeSecs and nonceTTL
- evictExpired(): log eviction events with count of evicted/remaining entries
- checkAndSet(): log nonce registration with current cache size

These calls use the existing logHMAC logger (server:hmac) already present in the file.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Contributor

Pull request overview

This PR adds targeted debug logging to the nonceCache lifecycle in internal/server/hmac.go to improve diagnosability of HMAC replay-protection behavior (initialization, eviction, and nonce registration), complementing the existing debug logging in hmacMiddleware.

Changes:

  • Log nonce-cache creation with configured max age and TTL.
  • Track and log eviction events when expired nonces are removed.
  • Log cache size when registering a new nonce.

| File | Description |
| --- | --- |
| internal/server/hmac.go | Adds debug logs to nonce-cache init/eviction/registration to aid production debugging of HMAC replay protection. |

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 1

Comment thread internal/server/hmac.go
Comment on lines 76 to 80
return false
}
c.entries[nonce] = now.Add(nonceTTL)
logHMAC.Printf("Nonce registered: cacheSize=%d", len(c.entries))
return true
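
Review bot: The `logHMAC.Printf` call placed right after `c.entries[nonce] = now.Add(nonceTTL)` runs on every newly accepted nonce, and the follow-up reply in this thread indicates it originally executed while the cache mutex was held, which puts log I/O inside the critical section of the replay check. Capture `len(c.entries)` into a local while locked and emit the message after unlocking. This line also fires only on the accept path; the `return false` branch just above it carries no log in these lines, so a rejected replay is not recorded by this call.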
@lpcox

lpcox commented Jun 25, 2026

Collaborator

@copilot address review feedback

Copilot AI commented Jun 25, 2026

Contributor

@copilot address review feedback

Done in the latest commit. evictExpired now returns (evicted, remaining int) instead of logging directly, and all logHMAC.Printf calls in checkAndSet and seenNonce happen after the mutex is released — values needed for the log messages are captured while the lock is held.

Copilot finished work on behalf of lpcox June 25, 2026 16:20
Copilot AI requested a review from lpcox June 25, 2026 16:20
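
The pattern described in the reply above (evictExpired returning counts, log calls made only after the mutex is released), sketched as an added example; this is not the project's hmac.go. Assumptions: the nonceTTL value, the map layout, the `now` parameter, the standard `log` package standing in for logHMAC, and the replay log line.

```go
package main

import (
	"log"
	"sync"
	"time"
)

const nonceTTL = 5 * time.Minute // constructed value, not the project's setting
type nonceCache struct {
	mu      sync.Mutex
	entries map[string]time.Time // nonce -> expiry
}

// evictExpired runs with c.mu held and only reports counts; it never logs.
func (c *nonceCache) evictExpired(now time.Time) (evicted, remaining int) {
	for n, exp := range c.entries {
		if !now.Before(exp) {
			delete(c.entries, n)
			evicted++
		}
	}
	return evicted, len(c.entries)
}

// checkAndSet returns true for a fresh nonce and false for a replay.
func (c *nonceCache) checkAndSet(nonce string, now time.Time) bool {
	c.mu.Lock()
	evicted, remaining := c.evictExpired(now)
	_, replay := c.entries[nonce]
	if !replay {
		c.entries[nonce] = now.Add(nonceTTL)
	}
	size := len(c.entries) // snapshot taken while locked
	c.mu.Unlock()          // everything below uses only captured values
	if evicted > 0 {
		log.Printf("Nonce cache eviction: evicted=%d, remaining=%d", evicted, remaining)
	}
	if replay {
		log.Printf("Nonce rejected as replay: cacheSize=%d", size)
		return false
	}
	log.Printf("Nonce registered: cacheSize=%d", size)
	return true
}

func main() {
	c := &nonceCache{entries: map[string]time.Time{}}
	log.Println(c.checkAndSet("n1", time.Now()), c.checkAndSet("n1", time.Now()))
}
```

Because the log calls read only `evicted`, `remaining` and `size`, a slow log sink cannot stall other requests waiting on the replay check.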
@lpcox lpcox merged commit be12802 into main Jun 25, 2026
26 checks passed
@lpcox lpcox deleted the log/server-hmac-nonce-cache-cfea7278dae41a1b branch June 25, 2026 17:11
Labels

automation enhancement New feature or request
