Conversation
* feat(observability): integrate Sentry into app and portal Wire @sentry/nextjs into apps/app (via wizard) and apps/portal (manual setup mirroring the wizard). Both apps push to Sentry org=comp-ai, project=comp. - Add server, edge, and client init files plus instrumentation.ts in both apps - Wrap each app's next.config.ts with withSentryConfig (tunnelRoute /monitoring, widenClientFileUpload, source map upload, debug-log treeshake) - Use env-var-driven DSN with the literal as fallback so dev still works without setup, and gate tracesSampleRate by NODE_ENV (1.0 dev / 0.1 prod) - Set includeLocalVariables on server init for richer stack frames - Capture render errors via Sentry.captureException in both global-error.tsx - Consolidate apps/app instrumentation-client.ts to src/, merging the existing botid init alongside Sentry init (avoids Next.js loading only one of two) - Place the wizard's sample page inside the [orgId] route group so it isn't redirected by the org-scoped layout Source maps require SENTRY_AUTH_TOKEN to be set in Vercel env (Production + Preview) for both projects; same token works since it's org-scoped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(turbo): allow Sentry env vars through to next build Turbo filters env vars to only what's listed in globalEnv. Without this, the Sentry webpack plugin can't see SENTRY_AUTH_TOKEN at build time and silently skips source map upload + release creation, even when the var is set in Vercel. Adds NEXT_PUBLIC_SENTRY_DSN, SENTRY_AUTH_TOKEN, SENTRY_DSN to globalEnv. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(sentry): drop sendDefaultPii and remove example pages P1 from cubic review: Sentry's sendDefaultPii: true auto-attaches IPs, cookies, and request headers to every event sent to a third-party processor. For a compliance product that's not the right default; turn it off across all six init files (server, edge, client × app, portal). Per-user attribution can still be added explicitly via Sentry.setUser. P2 from cubic review: the wizard's sentry-example-page used next/head which doesn't work in App Router. Page was scaffolding intended for deletion before merge anyway — removed both the page and its companion API route instead of migrating to the Metadata API. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
3 issues found across 18 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="apps/app/sentry.server.config.ts">
<violation number="1" location="apps/app/sentry.server.config.ts:14">
P1: `includeLocalVariables` is enabled unconditionally on the server, which can leak sensitive request-scoped values in error payloads and add avoidable overhead in production.</violation>
</file>
<file name="apps/portal/sentry.server.config.ts">
<violation number="1" location="apps/portal/sentry.server.config.ts:14">
P2: `includeLocalVariables` is enabled for all environments; this adds debugger-based overhead on exceptions and can capture request-local data in production. Gate it to development (or an explicit opt-in env var).</violation>
</file>
<file name="apps/app/src/instrumentation-client.ts">
<violation number="1" location="apps/app/src/instrumentation-client.ts:12">
P1: Use route paths (e.g. `/api/...`) in BotID `protect` rules instead of absolute URLs; absolute URL patterns can fail to match and leave these POST calls unprotected.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| protect: [ | ||
| { path: '/api/chat', method: 'POST' }, | ||
| { | ||
| path: `${process.env.NEXT_PUBLIC_ENTERPRISE_API_URL}/api/tasks-automations/chat`, |
Contributor
There was a problem hiding this comment.
P1: Use route paths (e.g. /api/...) in BotID protect rules instead of absolute URLs; absolute URL patterns can fail to match and leave these POST calls unprotected.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/app/src/instrumentation-client.ts, line 12:
<comment>Use route paths (e.g. `/api/...`) in BotID `protect` rules instead of absolute URLs; absolute URL patterns can fail to match and leave these POST calls unprotected.</comment>
<file context>
@@ -0,0 +1,38 @@
+ protect: [
+ { path: '/api/chat', method: 'POST' },
+ {
+ path: `${process.env.NEXT_PUBLIC_ENTERPRISE_API_URL}/api/tasks-automations/chat`,
+ method: 'POST',
+ },
</file context>
* feat(observability): integrate Sentry into app and portal Wire @sentry/nextjs into apps/app (via wizard) and apps/portal (manual setup mirroring the wizard). Both apps push to Sentry org=comp-ai, project=comp. - Add server, edge, and client init files plus instrumentation.ts in both apps - Wrap each app's next.config.ts with withSentryConfig (tunnelRoute /monitoring, widenClientFileUpload, source map upload, debug-log treeshake) - Use env-var-driven DSN with the literal as fallback so dev still works without setup, and gate tracesSampleRate by NODE_ENV (1.0 dev / 0.1 prod) - Set includeLocalVariables on server init for richer stack frames - Capture render errors via Sentry.captureException in both global-error.tsx - Consolidate apps/app instrumentation-client.ts to src/, merging the existing botid init alongside Sentry init (avoids Next.js loading only one of two) - Place the wizard's sample page inside the [orgId] route group so it isn't redirected by the org-scoped layout Source maps require SENTRY_AUTH_TOKEN to be set in Vercel env (Production + Preview) for both projects; same token works since it's org-scoped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(turbo): allow Sentry env vars through to next build Turbo filters env vars to only what's listed in globalEnv. Without this, the Sentry webpack plugin can't see SENTRY_AUTH_TOKEN at build time and silently skips source map upload + release creation, even when the var is set in Vercel. Adds NEXT_PUBLIC_SENTRY_DSN, SENTRY_AUTH_TOKEN, SENTRY_DSN to globalEnv. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(sentry): drop sendDefaultPii and remove example pages P1 from cubic review: Sentry's sendDefaultPii: true auto-attaches IPs, cookies, and request headers to every event sent to a third-party processor. For a compliance product that's not the right default; turn it off across all six init files (server, edge, client × app, portal). Per-user attribution can still be added explicitly via Sentry.setUser. P2 from cubic review: the wizard's sentry-example-page used next/head which doesn't work in App Router. Page was scaffolding intended for deletion before merge anyway — removed both the page and its companion API route instead of migrating to the Metadata API. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * revert(sentry): re-enable sendDefaultPii across both apps Reversing the conservative default after team review: app does not collect SSN-style typed PII, and IP / user-agent / cookie context is useful for debugging real production incidents. Sentry's default ingest scrubbers continue to mask Authorization, Cookie, and X-Api-Key by key; session replay still masks <input type="password"> by default. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Mariano <marfuen98@gmail.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
1 issue found across 6 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="apps/portal/sentry.server.config.ts">
<violation number="1" location="apps/portal/sentry.server.config.ts:18">
P1: `sendDefaultPii` is enabled unconditionally on the server, which can leak user PII (for example IP address and request metadata) to Sentry. This should be explicitly opt-in (env-gated) rather than always on.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
…oks (#2709) Sentry session replay defaults to masking all text and blocking all media, which produces unreadable rows of asterisks on every replay. Turn both off so replays are actually useful for debugging, and add .sentry-mask / [data-sentry-mask] / [data-sentry-block] selectors so we can opt specific customer-sensitive elements (risk descriptions, secret values, policy markdown) back into masking as we identify them. <input type="password"> remains masked automatically by the SDK regardless. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
3 tasks
Contributor
|
Reviewed cubic's three findings: P1 — P1 — P1 — botid absolute URLs in |
* fix(sentry): gate includeLocalVariables to non-production includeLocalVariables uses Node's debugger inspector to attach every local variable in scope at the moment an error throws. In production that scope can include DB rows, auth tokens being validated, request bodies, and session state — far broader than sendDefaultPii. Off in prod, on in dev/test where the debugging value justifies the exposure. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(sentry): drop sendDefaultPii now that replay unmask is the right knob sendDefaultPii was originally added to make session replay text readable, but that's actually controlled by replayIntegration's maskAllText / blockAllMedia (handled in #2709). With replays already showing real text, the only thing sendDefaultPii adds is per-event IP addresses and User-Agent — useful triage signal but not worth the sub-processor data exposure for a compliance product. Errors still carry full stack traces, breadcrumbs, source-mapped frames, and replay context; only the IP/UA metadata layer goes away. Removing across all six init files (server, edge, client × app, portal). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Mariano <marfuen98@gmail.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
|
🎉 This PR is included in version 3.38.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Integrates Sentry across
apps/appandapps/portalfor error tracking, tracing, and session replay. Adds client, server, and edge setup with source map upload and a/monitoringtunnel.New Features
@sentry/nextjson server, edge, and client with env-driven DSN and dev/prod trace sampling; removedsendDefaultPiiand gatedincludeLocalVariablesto non-production.withSentryConfigfor source maps, debug-log treeshake, and/monitoringtunnel;apps/appalso enablesautomaticVercelMonitors.global-error.tsx; exportsonRequestErrorand router transition capture..sentry-mask,[data-sentry-mask], and[data-sentry-block]selectors for selective masking/blocking.botidinit intoapps/app/src/instrumentation-client.tsalongside Sentry.NEXT_PUBLIC_SENTRY_DSN,SENTRY_AUTH_TOKEN,SENTRY_DSN); added.mcp.jsonfor the Sentry MCP server.Migration
SENTRY_AUTH_TOKENin CI/Vercel to upload source maps.SENTRY_DSN(server) andNEXT_PUBLIC_SENTRY_DSN(client) for production; dev falls back to the default DSN./monitoringdoes not clash with middleware or rewrites..sentry-mask/data-sentry-maskto hide sensitive UI in replays, ordata-sentry-blockto exclude sections.Written for commit e985b8b. Summary will update on new commits. Review in cubic