@gokiteam/goki-dev 0.2.0

package/src/consumers/DockerLogsConsumer.js

@@ -0,0 +1,687 @@
+import Docker from 'dockerode'
+import { PassThrough } from 'stream'
+import { SqliteStore } from '../singletons/SqliteStore.js'
+import { LOGGING_ENTRIES, LOGGING_LOGS } from '../db/Tables.js'
+import { Logger } from '../singletons/Logger.js'
+import { LogBroadcaster } from '../singletons/LogBroadcaster.js'
+
+// Infrastructure containers to exclude from log capture
+const DEFAULT_EXCLUDED_CONTAINERS = [
+  'goki-dev-tools-backend',
+  'goki-dev-tools-frontend',
+  'goki-redis',
+  'goki-pubsub-emulator',
+  'goki-firestore-emulator'
+]
+
+export class DockerLogsConsumer {
+  constructor (options = {}) {
+    this.docker = new Docker({ socketPath: '/var/run/docker.sock' })
+    this.streams = new Map()
+    this.lineBuffers = new Map()
+    this.enabled = options.enabled !== false
+    this.networkName = options.networkName || 'goki-network'
+    this.excludedContainers = options.excludedContainers || DEFAULT_EXCLUDED_CONTAINERS
+  }
+
+  async start () {
+    if (!this.enabled) {
+      Logger.log({
+        level: 'info',
+        message: 'Docker console log capture disabled'
+      })
+      return
+    }
+    try {
+      // Find all containers on the goki-network (except excluded infrastructure)
+      const containers = await this.docker.listContainers({
+        filters: { network: [this.networkName] }
+      })
+      const eligible = containers.filter(c => {
+        const name = c.Names[0].replace(/^\//, '')
+        return !this.excludedContainers.includes(name)
+      })
+      Logger.log({
+        level: 'info',
+        message: `Found ${eligible.length} containers for log capture on ${this.networkName}`,
+        data: {
+          capturing: eligible.map(c => c.Names[0]),
+          excluded: containers.length - eligible.length
+        }
+      })
+      for (const containerInfo of eligible) {
+        await this.attachToContainer(containerInfo)
+      }
+      this.watchForNewContainers()
+    } catch (error) {
+      Logger.log({
+        level: 'error',
+        message: 'Failed to start Docker log capture',
+        data: { error: error.message }
+      })
+    }
+  }
+
+  async attachToContainer (containerInfo) {
+    const containerId = containerInfo.Id
+    const containerName = containerInfo.Names[0].replace(/^\//, '')
+    try {
+      const container = this.docker.getContainer(containerId)
+      const containerDetails = await container.inspect()
+      const serviceName = containerDetails.Config.Labels?.['goki.service'] || containerName
+      const stream = await container.logs({
+        follow: true,
+        stdout: true,
+        stderr: true,
+        timestamps: true
+      })
+      Logger.log({
+        level: 'info',
+        message: 'Attached to container logs',
+        data: { container: containerName, service: serviceName }
+      })
+      const stdout = new PassThrough()
+      const stderr = new PassThrough()
+      this.docker.modem.demuxStream(stream, stdout, stderr)
+      stdout.on('data', (chunk) => {
+        this.parseLogLines(chunk.toString('utf-8'), containerName, serviceName, 1)
+      })
+      stderr.on('data', (chunk) => {
+        this.parseLogLines(chunk.toString('utf-8'), containerName, serviceName, 2)
+      })
+      stream.on('end', () => {
+        Logger.log({
+          level: 'info',
+          message: 'Container log stream ended',
+          data: { container: containerName, service: serviceName }
+        })
+        this.flushLineBuffer(containerName, serviceName, 1)
+        this.flushLineBuffer(containerName, serviceName, 2)
+        this.lineBuffers.delete(`${containerName}:1`)
+        this.lineBuffers.delete(`${containerName}:2`)
+        this.streams.delete(containerId)
+      })
+      stream.on('error', (error) => {
+        Logger.log({
+          level: 'error',
+          message: 'Container log stream error',
+          data: { container: containerName, service: serviceName, error: error.message }
+        })
+      })
+      this.streams.set(containerId, stream)
+    } catch (error) {
+      Logger.log({
+        level: 'error',
+        message: 'Failed to attach to container',
+        data: { container: containerName, error: error.message }
+      })
+    }
+  }
+
+  getLineBuffer (containerName, streamType) {
+    const key = `${containerName}:${streamType}`
+    if (!this.lineBuffers.has(key)) {
+      this.lineBuffers.set(key, { lines: [], braceDepth: 0, firstTimestamp: null, timer: null })
+    }
+    return this.lineBuffers.get(key)
+  }
+
+  flushLineBuffer (containerName, serviceName, streamType) {
+    const buf = this.getLineBuffer(containerName, streamType)
+    if (buf.timer) {
+      clearTimeout(buf.timer)
+      buf.timer = null
+    }
+    if (buf.lines.length === 0) return
+    const merged = buf.lines.join('\n')
+    const timestamp = buf.firstTimestamp
+    buf.lines = []
+    buf.braceDepth = 0
+    buf.firstTimestamp = null
+    this.processLogLine(timestamp ? `${timestamp} ${merged}` : merged, containerName, serviceName, streamType)
+  }
+
+  parseLogLines (data, containerName, serviceName, streamType) {
+    const lines = data.split('\n').filter(line => line.trim())
+    for (const line of lines) {
+      const timestampMatch = line.match(/^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+(.*)/)
+      const timestamp = timestampMatch ? timestampMatch[1] : null
+      const content = timestampMatch ? timestampMatch[2] : line
+      const buf = this.getLineBuffer(containerName, streamType)
+      // Inside an active multi-line object buffer
+      if (buf.braceDepth > 0) {
+        buf.lines.push(content)
+        buf.braceDepth += (content.match(/\{/g) || []).length
+        buf.braceDepth -= (content.match(/\}/g) || []).length
+        if (buf.braceDepth <= 0) {
+          buf.braceDepth = 0
+          this.flushLineBuffer(containerName, serviceName, streamType)
+        } else {
+          this.resetBufferTimer(containerName, serviceName, streamType)
+        }
+        continue
+      }
+      const trimmed = content.trim()
+      // Opening brace on its own line — start new object buffer
+      if (trimmed === '{') {
+        if (buf.lines.length > 0) {
+          this.flushLineBuffer(containerName, serviceName, streamType)
+        }
+        buf.lines.push(content)
+        buf.braceDepth = 1
+        buf.firstTimestamp = timestamp
+        this.resetBufferTimer(containerName, serviceName, streamType)
+        continue
+      }
+      // Orphan object property line (from a previous chunk that split mid-object)
+      // Pattern: "  key: value," or "  key: {" — starts with optional whitespace + word + colon
+      if (this.isObjectPropertyLine(trimmed)) {
+        if (!buf.firstTimestamp) buf.firstTimestamp = timestamp
+        buf.lines.push(content)
+        buf.braceDepth += (content.match(/\{/g) || []).length
+        buf.braceDepth -= (content.match(/\}/g) || []).length
+        if (buf.braceDepth < 0) buf.braceDepth = 0
+        this.resetBufferTimer(containerName, serviceName, streamType)
+        continue
+      }
+      // Lone closing brace — end of orphan object from previous chunk
+      if (trimmed === '}' && buf.lines.length > 0) {
+        buf.lines.push(content)
+        buf.braceDepth = 0
+        this.flushLineBuffer(containerName, serviceName, streamType)
+        continue
+      }
+      this.processLogLine(line, containerName, serviceName, streamType)
+    }
+  }
+
+  /**
+   * Detect if a line looks like a JS object property (key: value pattern).
+   * Used to identify orphan continuation lines from objects split across chunks.
+   */
+  isObjectPropertyLine (trimmed) {
+    // Match: word followed by colon and a value (string, number, object, array, etc.)
+    // e.g. "level: 'info'," or "messageAttributes: { traceId: 'abc' }," or "count: 42,"
+    // But NOT things like "INFO: Starting server" (uppercase log level prefix)
+    if (/^\w+:\s+/.test(trimmed)) {
+      // Exclude plain text log patterns: "LEVEL: message"
+      if (/^(INFO|WARNING|WARN|ERROR|SEVERE|DEBUG|FINE|FINER|FINEST|CONFIG):\s/i.test(trimmed)) {
+        return false
+      }
+      return true
+    }
+    return false
+  }
+
+  resetBufferTimer (containerName, serviceName, streamType) {
+    const buf = this.getLineBuffer(containerName, streamType)
+    if (buf.timer) clearTimeout(buf.timer)
+    buf.timer = setTimeout(() => {
+      this.flushLineBuffer(containerName, serviceName, streamType)
+    }, 500)
+  }
+
+  tryParseJsObject (text) {
+    try {
+      return JSON.parse(text)
+    } catch {
+      // Try converting JS object notation to JSON
+      try {
+        // Quote unquoted keys and convert single-quoted values to double-quoted
+        let jsonified = text
+        // Replace all single-quoted strings with double-quoted (handles colons in values)
+        jsonified = jsonified.replace(/'([^']*)'/g, (_, content) => `"${content.replace(/"/g, '\\"')}"`)
+
+        // Quote unquoted object keys (word chars before colon, not inside quotes)
+        jsonified = jsonified.replace(/([{,]\s*)(\w+)\s*:/g, '$1"$2":')
+        // Remove trailing commas
+        jsonified = jsonified.replace(/,(\s*[}\]])/g, '$1')
+        return JSON.parse(jsonified)
+      } catch {
+        return null
+      }
+    }
+  }
+
+  async processLogLine (line, containerName, serviceName, streamType) {
+    try {
+      const timestampMatch = line.match(/^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+([\s\S]*)/)
+      const timestamp = timestampMatch ? timestampMatch[1] : new Date().toISOString()
+      const message = timestampMatch ? timestampMatch[2] : line
+      let logEntry, dedupeKey
+      try {
+        const parsed = JSON.parse(message)
+        logEntry = this.parseWinstonLog(parsed, containerName, serviceName, timestamp)
+        dedupeKey = {
+          timestamp: parsed.timestamp,
+          message: parsed.message,
+          level: parsed.level
+        }
+      } catch {
+        const jsObj = message.includes('\n') ? this.tryParseJsObject(message) : null
+        if (jsObj) {
+          logEntry = this.parseWinstonLog(jsObj, containerName, serviceName, timestamp)
+          logEntry.protoPayload = message
+          dedupeKey = {
+            timestamp: jsObj.timestamp || timestamp,
+            message: jsObj.message,
+            level: jsObj.level
+          }
+        } else {
+          const isMultiLineObject = message.includes('\n') && message.trim().startsWith('{')
+          if (isMultiLineObject) {
+            logEntry = this.parseConsoleObject(message, containerName, serviceName, timestamp)
+          } else {
+            logEntry = this.parsePlainTextLog(message, containerName, serviceName, timestamp, streamType)
+          }
+          dedupeKey = {
+            timestamp,
+            textPayload: logEntry.textPayload
+          }
+        }
+      }
+      const timeWindow = 2000
+      const timestampDate = new Date(dedupeKey.timestamp)
+      const textToCheck = dedupeKey.message || dedupeKey.textPayload
+      const startTime = new Date(timestampDate.getTime() - timeWindow).toISOString()
+      const endTime = new Date(timestampDate.getTime() + timeWindow).toISOString()
+      const isDuplicate = SqliteStore.exists(LOGGING_ENTRIES,
+        'text_payload = ? AND service_name = ? AND timestamp >= ? AND timestamp <= ?',
+        [textToCheck, serviceName, startTime, endTime]
+      )
+      if (isDuplicate) {
+        return
+      }
+      const logId = serviceName || containerName
+      try {
+        SqliteStore.create(LOGGING_LOGS, {
+          projectId: 'dev',
+          logId,
+          logName: `projects/dev/logs/${serviceName}`,
+          createdAt: new Date().toISOString(),
+          updatedAt: new Date().toISOString()
+        })
+      } catch (error) {
+        if (!error.message.includes('UNIQUE')) {
+          throw error
+        }
+      }
+      await SqliteStore.create(LOGGING_ENTRIES, logEntry)
+      LogBroadcaster.broadcast(logEntry)
+    } catch (error) {
+      Logger.log({
+        level: 'error',
+        message: 'Failed to process log line',
+        data: { container: containerName, error: error.message }
+      })
+    }
+  }
+
+  findNestedValue (obj, key, maxDepth = 3) {
+    if (!obj || typeof obj !== 'object' || maxDepth <= 0) return undefined
+    if (obj[key] !== undefined) return obj[key]
+    for (const val of Object.values(obj)) {
+      if (val && typeof val === 'object') {
+        const found = this.findNestedValue(val, key, maxDepth - 1)
+        if (found !== undefined) return found
+      }
+    }
+    return undefined
+  }
+
+  parseWinstonLog (parsed, containerName, serviceName, timestamp) {
+    const severityMap = {
+      error: 'ERROR',
+      warn: 'WARNING',
+      info: 'INFO',
+      http: 'INFO',
+      verbose: 'DEBUG',
+      debug: 'DEBUG'
+    }
+    const logName = `projects/dev/logs/${serviceName}`
+    const severity = severityMap[parsed.level] || 'INFO'
+    // Merge log.metadata into labels (minus traceId/requestId which get own columns)
+    const metadata = parsed.metadata || {}
+    const labels = { container: containerName, ...metadata }
+    delete labels.traceId
+    delete labels.requestId
+    // Build jsonPayload: original object minus standard logger envelope fields
+    // These fields are already extracted into dedicated columns
+    const envelopeFields = ['level', 'message', 'msg', 'timestamp', 'metadata']
+    const payload = {}
+    for (const [key, value] of Object.entries(parsed)) {
+      if (!envelopeFields.includes(key)) {
+        payload[key] = value
+      }
+    }
+    const hasPayload = Object.keys(payload).length > 0
+    const logEntry = {
+      logName,
+      serviceName,
+      severity,
+      source: 'docker',
+      level: parsed.level || null,
+      timestamp: parsed.timestamp || timestamp,
+      receiveTimestamp: new Date().toISOString(),
+      textPayload: parsed.message || parsed.msg || parsed.event,
+      jsonPayload: hasPayload ? payload : null,
+      labels
+    }
+    // Extract traceId — check metadata first, then search entire object
+    const traceId = metadata.traceId || this.findNestedValue(parsed, 'traceId')
+    if (traceId) logEntry.trace = traceId
+    // Extract requestId
+    const requestId = metadata.requestId || parsed.requestId
+    if (requestId) logEntry.insertId = requestId
+    // Extract error info and stack trace
+    const errorObj = parsed.error || metadata.error
+    if (errorObj || parsed.stack) {
+      if (typeof errorObj === 'string') {
+        logEntry.errorMessage = errorObj
+      } else if (errorObj) {
+        logEntry.errorMessage = errorObj.message || parsed.message
+        const stack = errorObj.stack || parsed.stack
+        if (stack && typeof stack === 'string') logEntry.stackTrace = stack
+        // Extract @gokiteam/oops error.data fields
+        const errorData = errorObj.data
+        if (errorData && typeof errorData === 'object') {
+          if (errorData.code) logEntry.errorCode = String(errorData.code)
+          if (errorData.status) logEntry.errorStatus = errorData.status
+          if (errorData.reason) logEntry.errorReason = errorData.reason
+          if (errorData.resource) logEntry.errorResource = errorData.resource
+          // Extract entity IDs from error.data.meta
+          const meta = errorData.meta
+          if (meta && typeof meta === 'object') {
+            if (meta.propertyId) logEntry.propertyId = meta.propertyId
+            if (meta.deviceId) logEntry.deviceId = meta.deviceId
+            if (meta.doorId) logEntry.doorId = meta.doorId
+          }
+        }
+      } else {
+        // parsed.stack without error object
+        logEntry.errorMessage = parsed.message
+        if (typeof parsed.stack === 'string') logEntry.stackTrace = parsed.stack
+      }
+    }
+    // Extract event (LogEvent enum - very common across all services)
+    if (parsed.event) logEntry.event = parsed.event
+    // Extract duration (timing metrics)
+    if (parsed.duration !== undefined && parsed.duration !== null) {
+      logEntry.duration = Number(parsed.duration) || null
+    }
+    // Extract Pub/Sub subscriber fields
+    if (parsed.subscriptionName) logEntry.subscriptionName = parsed.subscriptionName
+    if (parsed.messageId) logEntry.messageId = parsed.messageId
+    // Extract domain entity IDs (spread at top level in Winston data)
+    if (parsed.propertyId && !logEntry.propertyId) logEntry.propertyId = parsed.propertyId
+    if (parsed.deviceId && !logEntry.deviceId) logEntry.deviceId = parsed.deviceId
+    if (parsed.doorId && !logEntry.doorId) logEntry.doorId = parsed.doorId
+    return logEntry
+  }
+
+  /**
+   * Parse a multi-line console.log() object that couldn't be converted to JSON.
+   * Extracts message, level, error, and traceId via regex from the raw text.
+   * The full original text is preserved in protoPayload since we can't reliably
+   * parse the original structure (contains non-JSON values like Buffer, Circular, etc.).
+   */
+  parseConsoleObject (text, containerName, serviceName, timestamp) {
+    const logName = `projects/dev/logs/${serviceName}`
+    const labels = { container: containerName }
+    // Extract key fields from JS object notation via regex
+    const extractField = (key) => {
+      const match = text.match(new RegExp(`${key}:\\s*'([^']*)'`))
+      return match ? match[1] : null
+    }
+    const message = extractField('message') || extractField('msg') || extractField('event')
+    const level = extractField('level')
+    const traceId = extractField('traceId')
+    const error = extractField('error')
+    const severityMap = { error: 'ERROR', warn: 'WARNING', info: 'INFO', debug: 'DEBUG' }
+    const logEntry = {
+      logName,
+      serviceName,
+      severity: severityMap[level] || this.detectSeverity(text),
+      source: 'docker',
+      level: level || null,
+      timestamp: extractField('timestamp') || timestamp,
+      receiveTimestamp: new Date().toISOString(),
+      textPayload: message || text.split('\n').map(l => l.trim()).join(' '),
+      protoPayload: text,
+      labels
+    }
+    if (traceId) logEntry.trace = traceId
+    if (error) logEntry.errorMessage = error
+    // Extract stack trace from raw text
+    // JS object notation uses string concatenation: stack: 'Error\n' + '    at func (file:1:1)\n' + ...
+    // Reconstruct by extracting all quoted segments after "stack:" and joining them
+    const stackFieldMatch = text.match(/stack:\s*'/)
+    if (stackFieldMatch) {
+      const startIdx = stackFieldMatch.index + stackFieldMatch[0].length - 1
+      const stackStr = this.extractConcatenatedString(text, startIdx)
+      if (stackStr && stackStr.includes('\n    at ')) {
+        logEntry.stackTrace = stackStr
+      }
+    }
+    // Extract event field
+    const event = extractField('event')
+    if (event) logEntry.event = event
+    // Extract duration (number, not quoted)
+    const durationMatch = text.match(/duration:\s*(\d+(?:\.\d+)?)/)
+    if (durationMatch) logEntry.duration = Number(durationMatch[1]) || null
+    // Extract Pub/Sub fields
+    const subscriptionName = extractField('subscriptionName')
+    if (subscriptionName) logEntry.subscriptionName = subscriptionName
+    const messageId = extractField('messageId')
+    if (messageId) logEntry.messageId = messageId
+    // Extract domain entity IDs
+    const propertyId = extractField('propertyId')
+    if (propertyId) logEntry.propertyId = propertyId
+    const deviceId = extractField('deviceId')
+    if (deviceId) logEntry.deviceId = deviceId
+    const doorId = extractField('doorId')
+    if (doorId) logEntry.doorId = doorId
+    // Extract error.data fields (code, status, reason, resource)
+    const errorCode = extractField('code')
+    if (errorCode) logEntry.errorCode = errorCode
+    const errorReason = extractField('reason')
+    if (errorReason) logEntry.errorReason = errorReason
+    const errorResource = extractField('resource')
+    if (errorResource) logEntry.errorResource = errorResource
+    const statusMatch = text.match(/status:\s*(\d+)/)
+    if (statusMatch) logEntry.errorStatus = Number(statusMatch[1]) || null
+    return logEntry
+  }
+
+  /**
+   * Extract a concatenated string from JS object notation starting at a quote.
+   * Handles: 'part1\n' + '    part2\n' + '    part3'
+   * Returns the joined string or null.
+   */
+  extractConcatenatedString (text, startIdx) {
+    const parts = []
+    let pos = startIdx
+    while (pos < text.length) {
+      // Expect a single-quoted string
+      if (text[pos] !== "'") break
+      const endQuote = text.indexOf("'", pos + 1)
+      if (endQuote === -1) break
+      parts.push(text.substring(pos + 1, endQuote))
+      pos = endQuote + 1
+      // Skip whitespace and look for + concatenation
+      const afterQuote = text.substring(pos).match(/^\s*\+\s*/)
+      if (afterQuote) {
+        pos += afterQuote[0].length
+      } else {
+        break
+      }
+    }
+    if (parts.length === 0) return null
+    // Unescape \\n → \n within the joined string
+    return parts.join('').replace(/\\n/g, '\n').replace(/\\'/g, "'").replace(/\\t/g, '\t')
+  }
+
+  /**
+   * Parse structured plain-text log formats (Java logger, tagged logs, etc.)
+   * Supports:
+   *   [tag] LEVEL: message
+   *   [tag] Jan 01, 2026 12:00:00 AM class.method
+   *   LEVEL: message
+   *   Plain text fallback
+   */
+  parsePlainTextLog (message, containerName, serviceName, timestamp, streamType) {
+    const logName = `projects/dev/logs/${serviceName}`
+    const labels = {
+      container: containerName,
+      stream: streamType === 1 ? 'stdout' : 'stderr'
+    }
+    // Try tagged format: [tag] LEVEL: message  OR  [tag] Java date class
+    const taggedMatch = message.match(/^\[([^\]]+)\]\s+(.*)$/)
+    if (taggedMatch) {
+      const tag = taggedMatch[1]
+      const rest = taggedMatch[2]
+      labels.tag = tag
+      // Check for LEVEL: message pattern
+      const levelMsgMatch = rest.match(/^(INFO|WARNING|WARN|ERROR|SEVERE|DEBUG|FINE|FINER|FINEST|CONFIG):\s*(.*)$/i)
+      if (levelMsgMatch) {
+        const severity = this.mapJavaSeverity(levelMsgMatch[1])
+        return {
+          logName,
+          serviceName,
+          severity,
+          source: 'docker',
+          level: levelMsgMatch[1].toLowerCase(),
+          timestamp,
+          receiveTimestamp: new Date().toISOString(),
+          textPayload: levelMsgMatch[2],
+          labels
+        }
+      }
+      // Check for Java date pattern: Feb 19, 2026 11:21:41 AM class.method
+      const javaDateMatch = rest.match(/^[A-Z][a-z]{2}\s+\d{1,2},\s+\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+[AP]M\s+(.*)$/)
+      if (javaDateMatch) {
+        return {
+          logName,
+          serviceName,
+          severity: 'DEBUG',
+          source: 'docker',
+          level: 'debug',
+          timestamp,
+          receiveTimestamp: new Date().toISOString(),
+          textPayload: javaDateMatch[1],
+          labels
+        }
+      }
+      // Tagged but unrecognized format — use rest as message
+      return {
+        logName,
+        serviceName,
+        severity: this.detectSeverity(rest),
+        source: 'docker',
+        level: null,
+        timestamp,
+        receiveTimestamp: new Date().toISOString(),
+        textPayload: rest,
+        labels
+      }
+    }
+    // Untagged LEVEL: message (e.g., "INFO: starting server")
+    const levelMatch = message.match(/^(INFO|WARNING|WARN|ERROR|SEVERE|DEBUG):\s*(.*)$/i)
+    if (levelMatch) {
+      const severity = this.mapJavaSeverity(levelMatch[1])
+      return {
+        logName,
+        serviceName,
+        severity,
+        source: 'docker',
+        level: levelMatch[1].toLowerCase(),
+        timestamp,
+        receiveTimestamp: new Date().toISOString(),
+        textPayload: levelMatch[2],
+        labels
+      }
+    }
+    // Plain text fallback
+    return {
+      logName,
+      serviceName,
+      severity: this.detectSeverity(message),
+      source: 'docker',
+      level: null,
+      timestamp,
+      receiveTimestamp: new Date().toISOString(),
+      textPayload: message,
+      labels
+    }
+  }
+
+  mapJavaSeverity (level) {
+    const map = {
+      severe: 'ERROR',
+      error: 'ERROR',
+      warning: 'WARNING',
+      warn: 'WARNING',
+      info: 'INFO',
+      config: 'INFO',
+      fine: 'DEBUG',
+      finer: 'DEBUG',
+      finest: 'DEBUG',
+      debug: 'DEBUG'
+    }
+    return map[level.toLowerCase()] || 'INFO'
+  }
+
+  detectSeverity (text) {
+    if (/error|exception|fatal|severe/i.test(text)) return 'ERROR'
+    if (/warn/i.test(text)) return 'WARNING'
+    if (/debug|trace/i.test(text)) return 'DEBUG'
+    return 'INFO'
+  }
+
+  watchForNewContainers () {
+    this.docker.getEvents({ filters: { event: ['start'] } }, (err, stream) => {
+      if (err) {
+        Logger.log({
+          level: 'error',
+          message: 'Failed to watch Docker events',
+          data: { error: err.message }
+        })
+        return
+      }
+      stream.on('data', async (chunk) => {
+        try {
+          const event = JSON.parse(chunk.toString())
+          const containerId = event.id
+          const container = this.docker.getContainer(containerId)
+          const info = await container.inspect()
+          const containerName = info.Name.replace(/^\//, '')
+          // Skip excluded infrastructure containers
+          if (this.excludedContainers.includes(containerName)) return
+          // Skip if already attached
+          if (this.streams.has(containerId)) return
+          // Check if container is on the target network
+          const networks = info.NetworkSettings?.Networks || {}
+          if (networks[this.networkName]) {
+            await this.attachToContainer({
+              Id: containerId,
+              Names: [info.Name]
+            })
+          }
+        } catch (error) {
+          // Ignore errors from short-lived containers
+        }
+      })
+    })
+  }
+
+  async stop () {
+    for (const [containerId, stream] of this.streams) {
+      stream.destroy()
+    }
+    this.streams.clear()
+    Logger.log({
+      level: 'info',
+      message: 'Docker log capture stopped'
+    })
+  }
+}