[codex] Trace first-party relay clients#2995
Conversation
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
github-actions
Bot
added
vouch:trusted
|
🚀 Expo continuous deployment is ready!
|
Co-authored-by: codex <codex@users.noreply.github.com>
Co-authored-by: codex <codex@users.noreply.github.com>
juliusmarminge
force-pushed
the
codex/hosted-web-tracing-poc
branch
from
34a5a25 to
a1779f7
Compare
ApprovabilityVerdict: Needs human review This PR introduces distributed tracing infrastructure across multiple applications and deployment pipelines. The scope includes new cloud resource provisioning, CI/CD modifications, and runtime integration in mobile, web, and server apps - warranting human review for the coordination and completeness of the feature. You can customize Macroscope's approvability policy. Learn more. |
Co-authored-by: codex <codex@users.noreply.github.com>
Co-authored-by: codex <codex@users.noreply.github.com>
github-actions
Bot
added
size:XL
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Renewal drops relay trace headers
- Added
relayTraceHeaders: renewed.relayTraceHeadersto the options passed toensureSavedEnvironmentConnectionafter credential renewal, ensuring the connect trace fromrenewManagedRelayCredentialis propagated to the new websocket setup.
- Added
Or push these changes by commenting:
@cursor push f4367e9265
Preview (f4367e9265)
diff --git a/apps/web/src/environments/runtime/service.ts b/apps/web/src/environments/runtime/service.ts
--- a/apps/web/src/environments/runtime/service.ts
+++ b/apps/web/src/environments/runtime/service.ts
@@ -1601,6 +1601,7 @@
scopes: scopeHint,
serverConfig: options?.serverConfig ?? null,
allowManagedRenewal: false,
+ relayTraceHeaders: renewed.relayTraceHeaders,
});
}
}You can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit 03c78cc. Configure here.
| activeRecord.environmentId, | ||
| activeCredential, | ||
| relayTraceHeaders, | ||
| ); |
There was a problem hiding this comment.
Renewal drops relay trace headers
Low Severity
When a managed saved environment’s initial connection fails auth and credentials are renewed, the follow-up ensureSavedEnvironmentConnection call omits renewed.relayTraceHeaders, so the first websocket ticket request no longer continues the connect trace that renewManagedRelayCredential just produced.
Reviewed by Cursor Bugbot for commit 03c78cc. Configure here.
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
There was a problem hiding this comment.
🟢 Low
When renewManagedRelayCredential succeeds in the auth error handling block (lines 1595-1604), the recursive call to ensureSavedEnvironmentConnection omits renewed.relayTraceHeaders. This causes the newly created client to use null instead of the fresh trace headers from the renewal, losing the tracing context for the connection attempt.
🚀 Reply "fix it for me" or copy this AI Prompt for your agent:
In file @apps/web/src/environments/runtime/service.ts around line 1599:
When `renewManagedRelayCredential` succeeds in the auth error handling block (lines 1595-1604), the recursive call to `ensureSavedEnvironmentConnection` omits `renewed.relayTraceHeaders`. This causes the newly created client to use `null` instead of the fresh trace headers from the renewal, losing the tracing context for the connection attempt.
Evidence trail:
apps/web/src/environments/runtime/service.ts lines 1595-1604 (recursive call omitting relayTraceHeaders); lines 1358-1402 (renewManagedRelayCredential returning relayTraceHeaders); line 1521 (default to null when not provided); line 1527 (relayTraceHeaders passed to createSavedEnvironmentClient); lines 1201-1204 (relayTraceHeaders used when resolving WebSocket URL); line 1957 (other caller that does pass relayTraceHeaders); lines 1218-1220 (renewal inside client resolver that properly passes renewed.relayTraceHeaders).
1 participant
Problem
Relay requests made by hosted web, desktop, and the headless CLI were not exported to the product-owned relay tracing dataset. Mobile had an OTLP tracer, but it was installed as a broad runtime tracer rather than being scoped to relay operations. Installing another global tracer on web or server would also capture unrelated user server/provider work that belongs to the user's own observability configuration.
Approach
This PoC adds a dedicated
RelayClientTracerreference in@t3tools/client-runtime. Relay operations explicitly switch to that tracer while executing, so ordinary application, provider, and server spans continue to use the existing user-controlled tracer.The shared managed relay client now traces all relay API operations through that boundary. Mobile and web provide platform-specific OTLP layers to the shared reference. The server and headless CLI provide the same scoped tracer and wrap their raw relay link/unlink requests. Desktop is covered by the web renderer build, with a distinct client resource attribute.
Infrastructure and release configuration
Alchemy creates a dataset-scoped ingest-only token for first-party relay clients and exposes its endpoint, dataset, and token in stack output. The relay deploy command can read persisted production stack output with
--read-statewithout planning or applying infrastructure.The release workflow reads that output and injects canonical
T3CODE_RELAY_CLIENT_OTLP_TRACES_*values into desktop, CLI, and hosted web builds.loadRepoEnvprojects those values to concise Vite aliases for browser builds. The CLI bundle embeds build-time fallbacks while still allowing runtime overrides.Validation
vp checkvp run typecheckvp run lint:mobilevp checkreports the existing ninereact(no-unstable-nested-components)warnings and no errors.Note
Add OTLP tracing for first-party relay clients across web, mobile, server, and CLI
RelayClientTracerandwithRelayClientTracinginpackages/shared/src/relayTracing.tsas the shared mechanism for switching the active tracer to a per-surface OTLP exporter for relay operations.infra/relay/src/observability.tsand propagates the URL, dataset, and token through the deploy pipeline and into.env/GitHub outputs via three newT3CODE_RELAY_CLIENT_OTLP_TRACES_*variables.t3MintCredentialserver route, the CLI unlink handler, and managed WebSocket URL resolution withwithRelayClientTracing, creating and continuing W3C trace context across these boundaries.connectManagedCloudEnvironmentroot span andrelayTraceHeaderspropagation so trace context flows from the initial cloud connection through credential renewal and WebSocket reconnects.--read-stateflag to the relay deploy CLI that fetches deployed stack outputs without planning or applying changes, used by the release workflow to inject tracing config into downstream build and deploy jobs.addManagedRelayEnvironmentnow requires arelayTraceHeadersargument; callers not yet passing this will need updating.📊 Macroscope summarized 03c78cc. 7 files reviewed, 0 issues evaluated, 0 issues filtered, 0 comments posted
🗂️ Filtered Issues
No issues evaluated.
Note
Medium Risk
Touches release CI, public ingest tokens, and distributed trace propagation on managed cloud connect paths; misconfiguration could leak tokens in build env or break trace continuity without affecting core auth.
Overview
Adds scoped OTLP tracing for first-party relay clients so web, mobile, server, and CLI emit relay-operation spans to a product-owned dataset without replacing the global tracer.
A new shared
RelayClientTracerandwithRelayClientTracingroute only explicit relay work through a dedicated Axiom OTLP layer;makeRelayClientTracingLayerwires platform-specific resources (mobile, web runtime, headless CLI, server broker). Managed relay HTTP calls, cloud CLI unlink, server relay broker requests, and web managed-environment connect/reconnect paths are wrapped accordingly;traceRelayBrokerHandlercontinues incomingtraceparentont3MintCredential.Config & release:
resolveRelayClientTracingConfig(HTTPS-only) plus build-timeT3CODE_RELAY_CLIENT_OTLP_TRACES_*embeds;loadRepoEnvprojects toVITE_RELAY_OTLP_TRACES_*. Relay infra adds a client ingest token and stack outputs; deploy gains--read-stateand GitHub outputs. Release workflow reads prod relay state and injects tracing env into desktop, CLI, and Vercel web builds. WebCloudManagedConnectioncarriesrelayTraceHeadersfor trace propagation across DPoP/WebSocket setup.Reviewed by Cursor Bugbot for commit 03c78cc. Bugbot is set up for automated code reviews on this repo. Configure here.