Skip to content

feat(selfhost): harden Sentry event scrubbing#1907

Merged
JSONbored merged 1 commit into
JSONbored:mainfrom
oktofeesh1:codex/sentry-privacy-scrubber
Jun 30, 2026
Merged

feat(selfhost): harden Sentry event scrubbing#1907
JSONbored merged 1 commit into
JSONbored:mainfrom
oktofeesh1:codex/sentry-privacy-scrubber

Conversation

@oktofeesh1

Copy link
Copy Markdown
Contributor

Summary

Closes #1000.

  • Strengthens the self-host Sentry privacy boundary so beforeSend and beforeSendTransaction share the same scrubber.
  • Removes request bodies and payload-shaped fields, default-denies unknown event contexts, and scrubs unsafe strings, tags, breadcrumbs, exception metadata, and transaction names.
  • Fails closed by dropping the event if scrubbing itself throws, preventing an unscrubbed fallback send.

Scope

  • The PR title follows type(scope): short summary Conventional Commit format, for example fix(api): restore profile access checks.
  • This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
  • This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
  • I linked an issue, or this is small enough that the summary explains why an issue is not needed.

Validation

  • git diff --check
  • npm run actionlint
  • npm run typecheck
  • npm run test:coverage locally; codecov/patch requires >=97% coverage of the lines AND branches you changed (aim for 98%+ on your diff so CI variance does not fail near the threshold). Global coverage is a non-blocking trend with a loose 90% backstop, not the gate.
  • npm run test:workers
  • npm run build:mcp
  • npm run test:mcp-pack
  • npm run ui:openapi:check
  • npm run ui:lint
  • npm run ui:typecheck
  • npm run ui:build
  • npm audit --audit-level=moderate
  • New or changed behavior has unit/integration tests for new branches, fallback paths, and sanitizer boundaries

If any required check was skipped, explain why:

  • None. npm run test:ci passed end to end after the final code change, and the focused Sentry suite reports 100% statement/branch/function/line coverage for src/selfhost/sentry.ts.

Safety

  • No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
  • Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
  • Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests.
  • API/OpenAPI/MCP behavior is updated and tested where needed.
  • UI changes use live API data or real empty/error/loading states, not production mock/demo fallbacks.
  • Visible UI changes include a UI Evidence section below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository.
  • Public docs/changelogs are updated where needed; changelogs are only edited for release-prep PRs.

UI Evidence

Not applicable; backend-only Sentry event scrubbing with no visible UI change.

Notes

  • The scrubber composes from the canonical public-boundary redaction constants and keeps Sentry opt-in behavior unchanged.
  • No schema, API, migration, binding, or docs artifact changes were needed.

@oktofeesh1
oktofeesh1 requested a review from JSONbored as a code owner June 30, 2026 20:43
@dosubot dosubot Bot added the size:L label Jun 30, 2026
@loopover-orb

loopover-orb Bot commented Jun 30, 2026

Copy link
Copy Markdown

Tip

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

✅ Gittensory review result - approve/merge recommended

Review updated: 2026-06-30 22:31:29 UTC

2 files · 1 AI reviewer · no blockers · readiness 57/100 · CI green · unknown

✅ Suggested Action - Approve/Merge

  • safe to merge

Review summary
The change materially strengthens the self-host Sentry scrubber by sharing one fail-closed sanitizer across normal events and transaction events, deleting request bodies/user data, default-denying event contexts, and scrubbing nested strings across tags, breadcrumbs, spans, exceptions, and URLs. The visible production code is internally coherent and the tests exercise the new privacy boundary through the exported scrubber and Sentry init hook. I do not see a reachable correctness break in the provided changed file.

Nits — 5 non-blocking
  • nit: src/selfhost/sentry.ts:198 duplicates payload-key vocabulary between PAYLOAD_KEY and the compact-key regex, so future additions can drift between the two matching paths.
  • nit: src/selfhost/sentry.ts:250 always round-trips query strings through URLSearchParams, which can reorder repeated keys and normalize encoding even when only one value needed scrubbing.
  • src/selfhost/sentry.ts:198: extract the payload-ish key terms into a single shared list or helper so PAYLOAD_KEY and the compact-key fallback cannot diverge.
  • src/selfhost/sentry.ts:250: consider preserving untouched query strings when no key/value changes are needed, or document that canonicalizing query serialization is acceptable for Sentry payloads.
  • Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.
Signal Result Evidence
Code review ✅ No blockers 1 reviewer
Linked issue ✅ Linked #1000
Related work ⚠️ 2 scoped overlaps Top overlaps are listed below; lower-confidence bulk is hidden.
Change scope ❌ 8/20 High review scope from cached public metadata (size label size:L; 1 linked issue).
Validation posture ❌ 5/25 Preflight is holding this PR; address the blocker before review.
Contributor workload ✅ 10/10 Author activity: 73 registered-repo PR(s), 63 merged, 6 issue(s).
Contributor context ✅ Confirmed Gittensor contributor oktofeesh1; Gittensor profile; 73 PR(s), 6 issue(s).
Gate result ✅ Passing No configured blocker found.
Review context
Contributor next steps
  • Review top overlaps.
  • Add a concise scope and risk note.
  • Fix the blocker.
  • Triage stale or unlinked PRs.
  • Refresh registry data or choose a registered active repo.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@loopover-orb loopover-orb Bot added gittensor gittensor:feature Gittensor-scored feature linked to a feature issue — scores a 0.25x multiplier. labels Jun 30, 2026
@JSONbored JSONbored added the gittensor:priority Maintainer-selected Gittensor priority — scores a 1.5x multiplier. label Jun 30, 2026
@oktofeesh1
oktofeesh1 force-pushed the codex/sentry-privacy-scrubber branch from 03600de to 33bd591 Compare June 30, 2026 20:58
@loopover-orb loopover-orb Bot removed the gittensor:priority Maintainer-selected Gittensor priority — scores a 1.5x multiplier. label Jun 30, 2026
@JSONbored JSONbored added the gittensor:priority Maintainer-selected Gittensor priority — scores a 1.5x multiplier. label Jun 30, 2026

@JSONbored JSONbored left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent addition, right on par with #1904 in terms of value + how much I wanted it, adding a gittensor:priority label for this one.

@dosubot dosubot Bot added the lgtm label Jun 30, 2026
@JSONbored
JSONbored merged commit f724cd4 into JSONbored:main Jun 30, 2026
8 checks passed
@github-project-automation github-project-automation Bot moved this from Todo to Done in gittensory - v1 roadmap Jun 30, 2026
@loopover-orb loopover-orb Bot removed the gittensor:priority Maintainer-selected Gittensor priority — scores a 1.5x multiplier. label Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:feature Gittensor-scored feature linked to a feature issue — scores a 0.25x multiplier.

Projects

No open projects
Status: Done

Development

Successfully merging this pull request may close these issues.

Sentry: privacy scrubber (beforeSend redaction) — non-negotiable

2 participants