[OPIK-5191] [BE] feat: add user identity to ClickHouse log_comment

[Nimrod007]

Details

Extends the existing ClickHouse log_comment SETTINGS format from query_name:workspace_id:details to query_name:workspace_id:user_name:details so slow query investigations can identify which user triggered each query.

• Adds userName parameter to DatabaseUtils.getSTWithLogComment() and getLogComment()
• Updates ~100 call sites across 11 DAO files — userName was already in scope at every site (first param of makeMonoContextAware lambda)
• Motivated by a prod analysis showing 30 slow queries (>1s) in 60 min including a 209s OOM — user attribution would significantly improve investigation

Change checklist

• User facing
• Documentation update

Issues

• OPIK-5191

AI-WATERMARK

AI-WATERMARK: yes

• If yes:
  • Tools: Claude Code
  • Model(s): Claude Opus 4.6
  • Scope: Full implementation
  • Human verification: Build compilation verified, code review of all changes

Testing

• Verified build compiles: mvn compile passes with zero errors
• No existing tests reference log_comment or DatabaseUtils — consistent with prior log_comment changes (OPIK-5050, OPIK-4380) which also had no tests
• Post-deployment verification query:

SELECT
    extractAll(log_comment, ':([^:]+)')[3] AS user_name,
    count() AS query_count,
    avg(query_duration_ms) AS avg_duration_ms
FROM system.query_log
WHERE event_date = today() AND type = 'QueryFinish' AND log_comment != ''
GROUP BY user_name
ORDER BY query_count DESC

Documentation

No documentation changes needed — internal observability improvement only.

[github-actions]

📋 PR Linter Failed

❌ Missing Section. The description is missing the ## Details section.

---

❌ Missing Section. The description is missing the ## Change checklist section.

---

❌ Missing Section. The description is missing the ## Issues section.

---

❌ Missing Section. The description is missing the ## Testing section.

---

❌ Missing Section. The description is missing the ## Documentation section.

[github-actions]

📋 PR Linter Failed

❌ Missing Section. The description is missing the ## Details section.

---

❌ Missing Section. The description is missing the ## Change checklist section.

---

❌ Missing Section. The description is missing the ## Issues section.

---

❌ Missing Section. The description is missing the ## Testing section.

---

❌ Missing Section. The description is missing the ## Documentation section.

[github-actions]

📋 PR Linter Failed

❌ Missing Section. The description is missing the ## Details section.

---

❌ Missing Section. The description is missing the ## Change checklist section.

---

❌ Missing Section. The description is missing the ## Issues section.

---

❌ Missing Section. The description is missing the ## Testing section.

---

❌ Missing Section. The description is missing the ## Documentation section.

[baz-reviewer]

getLogComment logs RequestContext.USER_NAME into ClickHouse (which can include emails/PII) and violates .agents/skills/opik-backend/SKILL.md; should we restrict log_comment to a non-PII identifier like workspace_id/opaque user ID or mask the user string?

_{Finding type: AI Coding Guidelines | Severity: 🔴 High}

---

Want Baz to fix this for you? Activate Fixer

Other fix methods

Prompt for AI Agents:

Before applying, verify this suggestion against the current code. In
apps/opik-backend/src/main/java/com/comet/opik/infrastructure/DatabaseUtils.java around
lines 174 to 185, the getLogComment method currently adds user_name directly into
log_comment which can contain PII (emails/display names). Change getLogComment to NOT
log raw user_name: either remove the .add("user_name", ...) entry entirely or replace it
with a sanitized non-PII value (for example: look up an opaque user id from
RequestContext or compute a short deterministic hash of the user_name and render it as
"user_hash:<first8chars>" or mask emails by replacing the local-part with '***'). Make
the change in getLogComment and update getSTWithLogComment signature/usage if needed to
accept the sanitized value; preserve the existing single-quote escaping behavior for the
final rendered string. Add a short unit test ensuring that log_comment never contains an
'@' or full email and that workspace_id continues to be logged as before.

[andrescrz]

LGTM, just a future suggestion.

[andrescrz]

Nit: at some point we will need to create a Java record (with a builder) for the whole payload containing the query_name, workspace_id etc. fields for the log comment, instead of so many params.