fix(ops): 修复日志级别过滤并增强OpenAI错误诊断日志

- 移除 warn 级别下 access info 的强制入库补写，确保运行时日志级别真实生效

- 将 OpenAI fallback matched 与 passthrough 断流提示按需求降级为 info

- 为 codex_cli_only 与 instructions required 场景补充请求诊断字段（含 User-Agent）

- 出于安全考虑移除请求体预览，仅保留 request_body_size 与白名单头信息

- 新增/更新回归测试，覆盖 Forward 入口到日志落库链路

backend/internal/server/middleware/logger.go

@@ -58,36 +58,6 @@ func Logger() gin.HandlerFunc {
 
 		l := logger.FromContext(c.Request.Context()).With(fields...)
 		l.Info("http request completed", zap.Time("completed_at", endTime))
-		// 当全局日志级别高于 info（如 warn/error）时，access info 不会进入 zap core，
-		// 这里补写一次 sink，保证 ops 系统日志仍可索引关键访问轨迹。
-		if !logger.L().Core().Enabled(logger.LevelInfo) {
-			sinkFields := map[string]any{
-				"component":    "http.access",
-				"status_code":  statusCode,
-				"latency_ms":   latency.Milliseconds(),
-				"client_ip":    clientIP,
-				"protocol":     protocol,
-				"method":       method,
-				"path":         path,
-				"completed_at": endTime,
-			}
-			if requestID, ok := c.Request.Context().Value(ctxkey.RequestID).(string); ok && requestID != "" {
-				sinkFields["request_id"] = requestID
-			}
-			if clientRequestID, ok := c.Request.Context().Value(ctxkey.ClientRequestID).(string); ok && clientRequestID != "" {
-				sinkFields["client_request_id"] = clientRequestID
-			}
-			if hasAccountID && accountID > 0 {
-				sinkFields["account_id"] = accountID
-			}
-			if platform != "" {
-				sinkFields["platform"] = platform
-			}
-			if model != "" {
-				sinkFields["model"] = model
-			}
-			logger.WriteSinkEvent("info", "http.access", "http request completed", sinkFields)
-		}
 
 		if len(c.Errors) > 0 {
 			l.Warn("http request contains gin errors", zap.String("errors", c.Errors.String()))

backend/internal/server/middleware/request_access_logger_test.go

@@ -201,7 +201,7 @@ func TestLogger_HealthPathSkipped(t *testing.T) {
 	}
 }
 
-func TestLogger_AccessLogStillIndexedWhenLevelWarn(t *testing.T) {
+func TestLogger_AccessLogDroppedWhenLevelWarn(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	sink := initMiddlewareTestLoggerWithLevel(t, "warn")
 
@@ -220,30 +220,9 @@ func TestLogger_AccessLogStillIndexedWhenLevelWarn(t *testing.T) {
 	}
 
 	events := sink.list()
-	if len(events) == 0 {
-		t.Fatalf("expected access log event to be indexed when level=warn")
-	}
-
-	found := false
 	for _, event := range events {
-		if event == nil || event.Message != "http request completed" {
-			continue
+		if event != nil && event.Message == "http request completed" {
+			t.Fatalf("access log should not be indexed when level=warn: %+v", event)
 		}
-		found = true
-		if event.Level != "info" {
-			t.Fatalf("event level=%q, want info", event.Level)
-		}
-		if event.Component != "http.access" && event.Fields["component"] != "http.access" {
-			t.Fatalf("event component mismatch: component=%q fields=%v", event.Component, event.Fields["component"])
-		}
-		if _, ok := event.Fields["status_code"]; !ok {
-			t.Fatalf("status_code field missing: %+v", event.Fields)
-		}
-		if _, ok := event.Fields["request_id"]; !ok {
-			t.Fatalf("request_id field missing: %+v", event.Fields)
-		}
-	}
-	if !found {
-		t.Fatalf("access log event not found")
 	}
 }