fix(nextjs): universal random tunnel path support (#18257)

Summary for changelog: The `tunnelRoute: true` option didn't work well with Turbopack due to repeated runs of the config files leading to different tunnel URLs in client, server and edge runtimes, this PR fixes that while also fixing Sentry requests spans not being dropped by the sampler.

When using Next.js with Turbopack and the Sentry tunnel route feature
(`tunnelRoute: true`), several issues prevented events from being sent
properly:

### 1. Tunnel Route Consistency (Turbopack)

**Problem**: Random tunnel routes were generated separately for client
and server builds in Turbopack.

**Solution**: Implemented processs-level caching in
`withSentryConfig.ts`:
- Extract tunnel route resolution into `resolveTunnelRoute()` function
- Use `process.env` to store the random tunnel value across
server/client builds.

### 2. Filter Tunnel Request Spans

**Problem**: Requests to the tunnel route (before rewrite) and to Sentry
ingest URLs (after rewrite) were creating spans that polluted Sentry
with internal instrumentation noise, spans were being created by the
middleware and OTEL node.js fetch instrumentation.

**Solution**: Implemented server-side span filtering:

- Created `dropMiddlewareTunnelRequests()` utility to detect and drop
tunnel-related spans
- Filter spans originating from `Middleware.execute` (Next.js
middleware)
- Filter spans originating from `auto.http.otel.node_fetch` (Node.js
fetch instrumentation)
- Check both local tunnel paths and Sentry ingest URLs (using
`isSentryRequestSpan` from `@sentry/opentelemetry`)
- Mark matching spans with `TRANSACTION_ATTR_SHOULD_DROP_TRANSACTION` to
prevent them from being sent
- I tried `beforeSampling` hook but it didn't work for some reason, so I
stuck with the drop attribute.

----

The final issue was excluding the tunnel requests from the
middleware/proxy, but there are many blockers for a solution:

1. The `config` must be statically analyzable, so we cannot expose
`withSentryMiddlewareConfig` wrapper of any kind.
2. Warning the user doesn't help much because they can't do anything
about it since the tunnel route is random.
3. Tested out writing a loader for turbopack/webpack to inject the
tunnel into the matcher as an array but user existing matcher can match
still.
4. Only way is to inject an exclusion match into the user existing
matcher, if it is an array then we need to inject it into each single
entry.

I may explore this further later with a loader for both
webpack/turbopack, and figure out a reliable way to inject the negative
matchers into the user expressions.

Author: logaretm

dev-packages/e2e-tests/test-applications/nextjs-16-tunnel/.gitignore

@@ -0,0 +1,46 @@
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
+# dependencies
+/node_modules
+/.pnp
+.pnp.*
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/versions
+
+event-dumps
+
+# testing
+/coverage
+
+# next.js
+/.next/
+/out/
+
+# production
+/build
+
+# misc
+.DS_Store
+*.pem
+
+# debug
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+.pnpm-debug.log*
+
+# env files (can opt-in for committing if needed)
+.env*
+
+# vercel
+.vercel
+
+# typescript
+*.tsbuildinfo
+next-env.d.ts
+
+# Sentry Config File
+.env.sentry-build-plugin

dev-packages/e2e-tests/test-applications/nextjs-16-tunnel/.npmrc

@@ -0,0 +1,4 @@
+@sentry:registry=http://127.0.0.1:4873
+@sentry-internal:registry=http://127.0.0.1:4873
+public-hoist-pattern[]=*import-in-the-middle*
+public-hoist-pattern[]=*require-in-the-middle*

dev-packages/e2e-tests/test-applications/nextjs-16-tunnel/app/favicon.ico

@@ -0,0 +1,23 @@
+'use client';
+
+import * as Sentry from '@sentry/nextjs';
+import NextError from 'next/error';
+import { useEffect } from 'react';
+
+export default function GlobalError({ error }: { error: Error & { digest?: string } }) {
+  useEffect(() => {
+    Sentry.captureException(error);
+  }, [error]);
+
+  return (
+    <html>
+      <body>
+        {/* `NextError` is the default Next.js error page component. Its type
+        definition requires a `statusCode` prop. However, since the App Router
+        does not expose status codes for errors, we simply pass 0 to render a
+        generic error message. */}
+        <NextError statusCode={0} />
+      </body>
+    </html>
+  );
+}

dev-packages/e2e-tests/test-applications/nextjs-16-tunnel/app/global-error.tsx

@@ -0,0 +1,7 @@
+export default function Layout({ children }: { children: React.ReactNode }) {
+  return (
+    <html lang="en">
+      <body>{children}</body>
+    </html>
+  );
+}

dev-packages/e2e-tests/test-applications/nextjs-16-tunnel/app/layout.tsx

@@ -0,0 +1,3 @@
+export default function Page() {
+  return <p>Next.js 16 Tunnel Route Test</p>;
+}

dev-packages/e2e-tests/test-applications/nextjs-16-tunnel/app/page.tsx

@@ -0,0 +1,19 @@
+import { dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { FlatCompat } from '@eslint/eslintrc';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+const compat = new FlatCompat({
+  baseDirectory: __dirname,
+});
+
+const eslintConfig = [
+  ...compat.extends('next/core-web-vitals', 'next/typescript'),
+  {
+    ignores: ['node_modules/**', '.next/**', 'out/**', 'build/**', 'next-env.d.ts'],
+  },
+];
+
+export default eslintConfig;

dev-packages/e2e-tests/test-applications/nextjs-16-tunnel/eslint.config.mjs

@@ -0,0 +1,12 @@
+import * as Sentry from '@sentry/nextjs';
+
+Sentry.init({
+  environment: 'qa', // dynamic sampling bias to keep transactions
+  // Use a fake but properly formatted Sentry SaaS DSN for tunnel route testing
+  dsn: 'https://public@o12345.ingest.us.sentry.io/67890',
+  // No tunnel option - using tunnelRoute from withSentryConfig
+  tracesSampleRate: 1.0,
+  sendDefaultPii: true,
+});
+
+export const onRouterTransitionStart = Sentry.captureRouterTransitionStart;

dev-packages/e2e-tests/test-applications/nextjs-16-tunnel/instrumentation-client.ts

@@ -0,0 +1,13 @@
+import * as Sentry from '@sentry/nextjs';
+
+export async function register() {
+  if (process.env.NEXT_RUNTIME === 'nodejs') {
+    await import('./sentry.server.config');
+  }
+
+  if (process.env.NEXT_RUNTIME === 'edge') {
+    await import('./sentry.edge.config');
+  }
+}
+
+export const onRequestError = Sentry.captureRequestError;

dev-packages/e2e-tests/test-applications/nextjs-16-tunnel/instrumentation.ts

@@ -0,0 +1,9 @@
+import { withSentryConfig } from '@sentry/nextjs';
+import type { NextConfig } from 'next';
+
+const nextConfig: NextConfig = {};
+
+export default withSentryConfig(nextConfig, {
+  silent: true,
+  tunnelRoute: true,
+});