feat(ops): Sprint 16 — Sentry + Mailgun webhooks#12
Merged
Conversation
Two production-readiness features in one PR. Sprint 17 will land the remaining scheduled-digest-cron piece (tracked separately — its scope is bigger). === Sentry observability === - `apps/core/src/instrument.ts` — Sentry.init loaded BEFORE any other import in main.ts. @sentry/node v8+ monkey-patches require/http/fs at init; late init means untraced dependencies. - Zero boot impact when SENTRY_DSN is empty (dev default) — SDK becomes a no-op, no warnings, no init failures. - DomainExceptionFilter forwards 5xx-and-above to Sentry with request + user context (userId from req.user set by JwtAuthGuard). Client errors (4xx) stay out of Sentry by design — they're expected user behaviour, not alerting signal. - `beforeSend` strips cookie/authorization/x-auth-token headers and redacts body keys matching /password|token|secret|otp|auth/i. Defense-in-depth: clients shouldn't be sending secrets in bodies but one misconfig away from Sentry holding access tokens. - main.ts bootstrap.catch() now flushes Sentry (2s) before process.exit so prod boot crashes don't silently vanish. - Config: SENTRY_DSN, SENTRY_ENVIRONMENT, SENTRY_TRACES_SAMPLE_RATE (defaults: 1.0 dev, 0.1 prod). === Mailgun webhooks (deliverability) === - `POST /webhooks/mailgun` — @public() endpoint, HMAC-SHA256 signed. - Signature scheme: hex(hmac-sha256(key, timestamp + token)) === signature - Four guardrails on verification: 1. Fail loud if signing key missing (400 every req, not silent accept) 2. 5-minute replay window (+60s forward skew for clock drift) 3. Length check BEFORE timingSafeEqual (throws on unequal length, leaks signature-length as oracle otherwise) 4. timingSafeEqual on the hex buffers (constant-time compare) - Events handled: - `failed severity=permanent` → suppress (hard bounce) - `failed severity=temporary` → log, no action (Mailgun retries) - `complained` → suppress (spam complaint) - `unsubscribed` → suppress (Mailgun-rendered unsub link click) - `delivered`/`opened`/`clicked` → ignored (tracking, future sprint) - Suppression fans out across ALL NewsletterSubscription rows for the email — community-wide, per-author, per-topic all get unsubscribed=true. Sender-reputation damage is shared across destinations; consent withdrawal is too. - Structured `{ ok, outcome: { action, recipient, event } }` response so Mailgun's webhook dashboard log makes incident triage easy. - Config: MAILGUN_WEBHOOK_SIGNING_KEY (separate from API key). === Tests (16 new, 439/439 total) === MailgunWebhookService — all signature edge cases (tamper, wrong key, replay, missing field, non-numeric timestamp) + every event type (permanent/temporary failure, complaint, unsub, tracking-positive ignored, unknown recipient, already-suppressed, case-insensitive email, missing recipient). Sentry integration isn't unit-tested — it's a pass-through to the SDK with well-defined behaviour. The scrubbing logic in `beforeSend` is tight enough to review by hand; adding mocks for Sentry.captureException would test the mock, not the integration. === Pattern docs === - 41-sentry-observability — init ordering, 5xx-only capture, scrubbing, trade-offs - 42-mailgun-webhooks — HMAC scheme, four guardrails, event decision tree, reuse checklist Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 13 minutes and 40 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (5)
📝 WalkthroughWalkthroughAdds Sentry initialization and 5xx error forwarding with request/body scrubbing, plus a Mailgun HMAC-SHA256 webhook endpoint that verifies signatures, enforces replay protection, and suppresses newsletter subscriptions on permanent bounces/complaints/unsubscribes. Changes
Sequence Diagram(s)sequenceDiagram
actor Mailgun
participant Controller as MailgunWebhookController
participant Service as MailgunWebhookService
participant DB as PrismaDB
Mailgun->>Controller: POST /webhooks/mailgun (payload + signature)
Controller->>Service: verifySignature(signature)
Service->>Service: load MAILGUN_WEBHOOK_SIGNING_KEY\nvalidate timestamp (replay/clock-skew)
Service->>Service: compute HMAC-SHA256\nlength check + timingSafeEqual
alt signature invalid
Service-->>Controller: throw ValidationError
Controller-->>Mailgun: 400 Bad Request
else signature valid
Controller->>Service: handleEvent(eventData)
Service->>Service: determine action (suppress/ignore)
alt suppress
Service->>DB: updateMany(email, unsubscribed=true)
DB-->>Service: updated count
else ignore
Service-->>Service: log outcome
end
Service-->>Controller: { ok: true, outcome }
Controller-->>Mailgun: 200 OK
end
sequenceDiagram
participant Bootstrap as main.ts
participant Instrument as instrument.ts
participant Sentry as `@sentry/node`
participant App as NestApp
Bootstrap->>Instrument: import ./instrument (first)
Instrument->>Sentry: init(dsn?, environment, tracesSampleRate, beforeSend)
Sentry-->>Instrument: initialized (enabled or no-op)
Bootstrap->>App: bootstrap NestJS
alt bootstrap error
App-->>Sentry: captureException(error)
App->>Sentry: flush(2000ms)
Sentry-->>App: flushed/timeout
App->>App: process.exit(1)
else running
App->>DomainExceptionFilter: error (>=500)
DomainExceptionFilter->>Sentry: withScope { setContext(request), setUser(id), captureException }
Sentry-->>App: event queued
end
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (2)
docs/discours-patterns/41-sentry-observability.md (1)
41-54: Minor documentation inconsistency.In the code snippet at line 51,
environmentis referenced but not defined within the snippet's scope. The actual implementation ininstrument.tsdefinesenvironmenton line 17 before using it. Consider adding the variable definition to the snippet for clarity, or referencingprocess.env.NODE_ENVdirectly.📝 Suggested fix
Sentry.init({ dsn: process.env.SENTRY_DSN || undefined, // no-op if empty (dev) - environment: process.env.SENTRY_ENVIRONMENT ?? process.env.NODE_ENV, + environment: process.env.SENTRY_ENVIRONMENT ?? process.env.NODE_ENV ?? 'development', release: process.env.APP_VERSION, tracesSampleRate: process.env.SENTRY_TRACES_SAMPLE_RATE !== undefined ? Number.parseFloat(process.env.SENTRY_TRACES_SAMPLE_RATE) - : environment === 'production' ? 0.1 : 1.0, + : (process.env.NODE_ENV === 'production') ? 0.1 : 1.0, beforeSend(event) { /* scrub */ return event; }, });🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/discours-patterns/41-sentry-observability.md` around lines 41 - 54, The snippet passed to Sentry.init references the variable environment but doesn’t define it; update the example so environment is defined (e.g., const environment = process.env.SENTRY_ENVIRONMENT ?? process.env.NODE_ENV) before calling Sentry.init, or change the Sentry.init call to reference process.env.NODE_ENV / process.env.SENTRY_ENVIRONMENT directly; ensure the variable name matches the one used in tracesSampleRate and environment fields to keep the snippet consistent with instrument.ts and Sentry.init.apps/core/test/mailgun-webhook.integration.spec.ts (1)
92-96: Minor edge case in tamper test.The regex
/[0-9a-f]/replaces the first hex character with'0', but if the signature already starts with'0', this is a no-op and the test would incorrectly pass. Consider a more robust tampering approach.🔧 Suggested fix
it('rejects a request with a tampered signature', () => { const sig = makeValidSignature(); - sig.signature = sig.signature.replace(/[0-9a-f]/, '0'); + // XOR the first byte to guarantee a change + const firstChar = sig.signature[0]; + const tampered = firstChar === '0' ? '1' : '0'; + sig.signature = tampered + sig.signature.slice(1); expect(() => webhook.verifySignature(sig)).toThrow(ValidationError); });🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@apps/core/test/mailgun-webhook.integration.spec.ts` around lines 92 - 96, The tamper test can be a no-op if the replaced hex is already '0'; update the test that uses makeValidSignature() and webhook.verifySignature to deterministically alter sig.signature so it always changes (for example, inspect a specific character like sig.signature[0] or last char and toggle it to a different hex char — if it's '0' set to '1', otherwise set to '0' — or replace the last character with a guaranteed different hex digit). Ensure the test still expects verifySignature to throw ValidationError after this guaranteed modification.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@apps/core/src/config/config.schema.ts`:
- Line 152: SENTRY_TRACES_SAMPLE_RATE currently uses z.coerce.number() which
turns empty strings into 0; wrap the validator with the existing
emptyAsUndefined helper so empty env values become undefined and fall back to
defaults (use emptyAsUndefined(z.coerce.number().min(0).max(1).optional())),
keeping the min/max and optional constraints intact and referencing the
SENTRY_TRACES_SAMPLE_RATE symbol for the change.
In `@apps/core/src/instrument.ts`:
- Around line 43-47: The type error comes from assigning undefined to headers
typed as Record<string,string> in the event.request.headers scrub block; update
the scrub to set event.request.headers.cookie,
event.request.headers.authorization, and event.request.headers['x-auth-token']
to a string sentinel like '[REDACTED]' (instead of undefined) so it satisfies
the Sentry SDK types (alternatively, you may cast headers to any and delete the
keys, but prefer setting '[REDACTED]' for a minimal change).
In `@apps/core/src/modules/newsletter/mailgun-webhook.controller.ts`:
- Around line 33-38: The Mailgun webhook handler currently types the body as
MailgunWebhookPayload but lacks runtime checks, causing TypeError when payload
is malformed; change the controller parameter from `@Body`() payload:
MailgunWebhookPayload to `@Body`() payload: unknown and add a runtime guard that
verifies payload is an object with a non-empty signature property and an
"event-data" property before calling
this.webhook.verifySignature(payload.signature) and
this.webhook.handleEvent(payload['event-data']); if the check fails, throw
ValidationError('Mailgun webhook payload malformed', {}) to return a controlled
4xx response.
In `@apps/core/src/shared/errors/domain-exception.filter.ts`:
- Around line 66-69: Replace usages of request.url with request.path to avoid
sending query parameters to Sentry: update the object passed to
scope.setContext('request', { path: request.url, ... }) to use request.path, and
likewise update any logger calls in the DomainExceptionFilter that log
request.url (e.g., the this.logger.error / this.logger.warn calls inside the
filter) so they log request.path instead; search for request.url within the
DomainExceptionFilter class and change each occurrence to request.path to keep
telemetry consistent and avoid leaking query strings.
---
Nitpick comments:
In `@apps/core/test/mailgun-webhook.integration.spec.ts`:
- Around line 92-96: The tamper test can be a no-op if the replaced hex is
already '0'; update the test that uses makeValidSignature() and
webhook.verifySignature to deterministically alter sig.signature so it always
changes (for example, inspect a specific character like sig.signature[0] or last
char and toggle it to a different hex char — if it's '0' set to '1', otherwise
set to '0' — or replace the last character with a guaranteed different hex
digit). Ensure the test still expects verifySignature to throw ValidationError
after this guaranteed modification.
In `@docs/discours-patterns/41-sentry-observability.md`:
- Around line 41-54: The snippet passed to Sentry.init references the variable
environment but doesn’t define it; update the example so environment is defined
(e.g., const environment = process.env.SENTRY_ENVIRONMENT ??
process.env.NODE_ENV) before calling Sentry.init, or change the Sentry.init call
to reference process.env.NODE_ENV / process.env.SENTRY_ENVIRONMENT directly;
ensure the variable name matches the one used in tracesSampleRate and
environment fields to keep the snippet consistent with instrument.ts and
Sentry.init.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 2ed760a1-b1c6-4cee-be08-472bf3e2bf3a
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (13)
.env.exampleapps/core/src/config/config.schema.tsapps/core/src/instrument.tsapps/core/src/main.tsapps/core/src/modules/newsletter/mailgun-webhook.controller.tsapps/core/src/modules/newsletter/mailgun-webhook.service.tsapps/core/src/modules/newsletter/newsletter.module.tsapps/core/src/shared/errors/domain-exception.filter.tsapps/core/test/mailgun-webhook.integration.spec.tsdocs/discours-patterns/41-sentry-observability.mddocs/discours-patterns/42-mailgun-webhooks.mddocs/discours-patterns/README.mdpackage.json
Comment on lines
+33
to
+38
| @Body() payload: MailgunWebhookPayload, | ||
| ): Promise<{ ok: true; outcome: WebhookOutcome }> { | ||
| // Verify first — a malformed or forged event shouldn't even | ||
| // reach our subscription logic. | ||
| this.webhook.verifySignature(payload.signature); | ||
| const outcome = await this.webhook.handleEvent(payload['event-data']); |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify whether runtime-validatable DTO classes exist for the webhook payload
# and whether controller currently relies on type-only payload annotations.
rg -n -C2 'type MailgunWebhookPayload|interface MailgunWebhookPayload|class .*Mailgun.*Payload' apps/core/src/modules/newsletter/mailgun-webhook.service.ts apps/core/src/modules/newsletter/mailgun-webhook.controller.ts
rg -n -C2 '@Body\\(\\) payload' apps/core/src/modules/newsletter/mailgun-webhook.controller.ts
rg -n -C2 'useGlobalPipes|ValidationPipe' apps/core/src/main.tsRepository: Discours/publy-backend
Length of output: 1311
🏁 Script executed:
# Read the full definition of MailgunWebhookPayload and related interfaces
cat -n apps/core/src/modules/newsletter/mailgun-webhook.service.ts | head -80 | tail -50Repository: Discours/publy-backend
Length of output: 2128
🏁 Script executed:
# Check if there are any class-validator decorators on the payload interface/class
rg -n '@Is|@Validate|class MailgunWebhookPayload' apps/core/src/modules/newsletter/mailgun-webhook.service.tsRepository: Discours/publy-backend
Length of output: 48
🏁 Script executed:
# Check the full controller file to understand the endpoint and its decorators
cat -n apps/core/src/modules/newsletter/mailgun-webhook.controller.tsRepository: Discours/publy-backend
Length of output: 1775
🏁 Script executed:
# Search for other webhook or `@Body`() patterns in controllers to see codebase conventions
fd -e controller.ts apps/core/src/modules | head -5 | xargs -I {} sh -c 'rg -l "@Body" {} && echo "---"'Repository: Discours/publy-backend
Length of output: 455
🏁 Script executed:
# Check if MailgunWebhookPayload should have been defined as a class with validators
rg -B5 -A5 'export class.*DTO|export class.*Payload' apps/core/src/modules/newsletter/Repository: Discours/publy-backend
Length of output: 48
🏁 Script executed:
# Look for other `@Body`() usages in controllers to understand codebase pattern
rg -B2 -A2 '@Body' apps/core/src/modules --type ts | head -100Repository: Discours/publy-backend
Length of output: 8060
🏁 Script executed:
# Check ValidationPipe documentation or configuration for interface handling
rg -B3 -A3 'forbidUnknownValues|skipMissingProperties|transform' apps/core/src/main.tsRepository: Discours/publy-backend
Length of output: 244
🏁 Script executed:
# Check if there's any custom validation or middleware for webhooks
rg -n 'webhook|Webhook' apps/core/src/main.tsRepository: Discours/publy-backend
Length of output: 48
🏁 Script executed:
# Find ValidationError definition and its usage
rg -B3 -A3 'class ValidationError|export.*ValidationError' apps/core/srcRepository: Discours/publy-backend
Length of output: 597
🏁 Script executed:
# Check how body validation errors are handled in other controllers
rg -B2 -A2 'BadRequestException|throw.*Error.*payload|throw.*Error.*body' apps/core/src/modules --type ts | head -50Repository: Discours/publy-backend
Length of output: 2915
🏁 Script executed:
# Verify if MailgunWebhookPayload should be a class with validators (check imports in service)
head -30 apps/core/src/modules/newsletter/mailgun-webhook.service.tsRepository: Discours/publy-backend
Length of output: 1218
Add runtime payload guards to prevent 500s on malformed webhook bodies.
@Body() payload: MailgunWebhookPayload is compile-time only. NestJS's global ValidationPipe cannot validate plain TypeScript interfaces at runtime—it only validates class instances with class-validator decorators. Malformed input (missing signature or event-data fields) will bypass validation and reach lines 37–38, causing TypeError on property access and returning 500 instead of a controlled 4xx response.
Codebase pattern: all other controllers use DTO classes (e.g., ScheduleShoutDto, CreateDraftDto), which the ValidationPipe can validate. This endpoint is the only one using an interface.
Suggested fix: change @Body() payload: MailgunWebhookPayload to @Body() payload: unknown, add runtime guards to check for required fields, and throw ValidationError('Mailgun webhook payload malformed', {}) (already used elsewhere in the codebase for input validation) if validation fails. This aligns with the coding guideline to use unknown type with type guards instead of relying on compile-time type annotations.
🔧 Proposed fix
-import { Body, Controller, HttpCode, HttpStatus, Post } from '@nestjs/common';
+import { Body, Controller, HttpCode, HttpStatus, Post } from '@nestjs/common';
+import { ValidationError } from '../../shared/errors/domain-errors';
@@
- async handle(
- `@Body`() payload: MailgunWebhookPayload,
- ): Promise<{ ok: true; outcome: WebhookOutcome }> {
+ async handle(
+ `@Body`() payload: unknown,
+ ): Promise<{ ok: true; outcome: WebhookOutcome }> {
+ if (
+ !payload ||
+ typeof payload !== 'object' ||
+ !('signature' in payload) ||
+ !('event-data' in payload)
+ ) {
+ throw new ValidationError('Mailgun webhook payload malformed', {});
+ }
+ const typed = payload as MailgunWebhookPayload;
+
// Verify first — a malformed or forged event shouldn't even
// reach our subscription logic.
- this.webhook.verifySignature(payload.signature);
- const outcome = await this.webhook.handleEvent(payload['event-data']);
+ this.webhook.verifySignature(typed.signature);
+ const outcome = await this.webhook.handleEvent(typed['event-data']);
return { ok: true, outcome };
}
}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@apps/core/src/modules/newsletter/mailgun-webhook.controller.ts` around lines
33 - 38, The Mailgun webhook handler currently types the body as
MailgunWebhookPayload but lacks runtime checks, causing TypeError when payload
is malformed; change the controller parameter from `@Body`() payload:
MailgunWebhookPayload to `@Body`() payload: unknown and add a runtime guard that
verifies payload is an object with a non-empty signature property and an
"event-data" property before calling
this.webhook.verifySignature(payload.signature) and
this.webhook.handleEvent(payload['event-data']); if the check fails, throw
ValidationError('Mailgun webhook payload malformed', {}) to return a controlled
4xx response.
CI TypeScript strict mode (which my local run apparently used softer settings for) rejects `event.request.headers.cookie = undefined` because those fields are typed as `string` in @sentry/node — not `string | undefined`. Reverting to `delete` with an inline biome-ignore: the noDelete rule guards against hidden-class deopts, but beforeSend fires at most a few times per hour on 5xx events, so the perf concern is irrelevant here. `delete` is also the correct semantic — remove the key entirely so Sentry's UI doesn't display an empty-string value where the real one was scrubbed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Verified all four CR comments against the code. Three were real
(the fourth — instrument.ts type error — was already resolved in the
previous fixup). Fixes:
1. **SENTRY_TRACES_SAMPLE_RATE empty-string coerces to 0** (CR, major)
`.env.example` ships `SENTRY_TRACES_SAMPLE_RATE=` (empty). Without
`emptyAsUndefined`, `z.coerce.number()` turns '' into 0 — silently
disabling tracing instead of using the environment default. Wrapped
the Zod schema with the existing helper for parity with other
optional numerics.
Also hardened instrument.ts: pulled the sample-rate resolution into
a `resolveTracesSampleRate(env)` helper that treats empty / missing
/ unparseable / out-of-[0,1] as "use environment default" (1.0 dev,
0.1 prod). parseFloat('') returns NaN — passing NaN to Sentry
disables tracing too, so the old inline condition had the same bug.
2. **Mailgun webhook body: interface → DTO class** (CR, major)
`@Body() payload: MailgunWebhookPayload` is compile-time only. The
global ValidationPipe validates class instances with class-validator
decorators, not bare interfaces — a malformed POST would reach the
handler and crash on property access (500). Every other controller
in the repo uses DTO classes; this endpoint was the lone holdout.
New `apps/core/src/modules/newsletter/dto/mailgun-webhook.dto.ts`:
- MailgunSignatureDto (timestamp, token, signature)
- MailgunEventDataDto (event, severity?, recipient, message-id?)
- MailgunWebhookBodyDto (signature + event-data with @ValidateNested)
Controller now declares `@Body() payload: MailgunWebhookBodyDto` so
ValidationPipe's whitelist+forbidNonWhitelisted rejects junk fields
at the edge and produces a canonical 400 for malformed bodies.
3. **request.url leaks query strings into logs + Sentry** (CR, major)
`req.url` includes the full query string. Our DomainExceptionFilter
logged it into pino and Sentry `setContext('request', {path: url})`
— any URL carrying a reset token, unsubscribe code, CSRF state, or
email address would ship that tail to disk logs + external Sentry
telemetry. Switched to `req.path` everywhere in the filter (severity
logging paths, Sentry scope context, and the user-facing envelope).
All 439/439 tests still pass; mailgun-webhook.integration.spec.ts
re-run independently to verify DTO change.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two production-readiness features in one PR. Scheduled digest delivery (Sprint 11 follow-up) lands in Sprint 17 — its scope warrants its own focus.
Sentry observability
instrument.tsloaded FIRST in main.ts so@sentry/nodecan monkey-patch the runtimeSENTRY_DSNunset (dev default — boots without Sentry)beforeSendstrips cookie/auth headers + redacts secret-ish body keysMailgun webhooks (email deliverability)
POST /webhooks/mailgun— HMAC-SHA256 signed, @public()timingSafeEqual, constant-time comparefailed:permanent/complained/unsubscribed→ auto-suppress;failed:temporary→ no action;delivered/opened/clicked→ ignoredTests (16 new, 439/439 total)
Mailgun:
Sentry: pass-through to the SDK. Scrubbing logic in
beforeSendis reviewable by eye; mockingSentry.captureExceptionwould test the mock, not the integration.Config
Pattern docs
Test plan
npx tsc --noEmitcleannpx biome check .clean (pre-existing warnings unchanged)npm run build:core+build:crdtcleannpx vitest run→ 439/439 passing🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Documentation
Tests