[codex] Extract infrastructure, telemetry, and test tooling

[juliusmarminge]

Summary

• isolate relay-side concurrency, token lifetime, and deployment changes
• add mobile OTLP trace configuration as a scoped Effect layer in the shared mobile runtime
• centralize sensitive HTTP header redaction across relay, server, web, and remote clients
• add an Oxlint rule that prevents new manual Effect runtimes in tests while baselining existing debt

Why

This is the base PR for the client connection architecture rewrite. Keeping infrastructure and telemetry setup here makes the stacked client PR reviewable as a client-runtime and connectivity change.

Validation

• vp check (passes with pre-existing warnings from main)
• vp run typecheck
• focused relay, deployment, mobile config, and public config tests: 45 passed
• Oxlint rule tests: 15 passed
• mobile OTLP scoped-export integration test: 1 passed

Note

Add mobile OTLP tracing, HTTP header redaction, and relay deploy observability config

• Adds a mobile tracing layer in mobileTracing.ts that exports spans to a configured OTLP endpoint with Axiom headers; integrated into the mobile runtime in runtime.ts
• Restructures resolveCloudPublicConfig in publicConfig.ts to a nested shape with clerk, relay, and observability sections; adds URL validation enforcing HTTPS
• Adds httpHeaderRedactionLayer in httpObservability.ts that redacts the dpop header in traces; applied to relay, web, and client-side HTTP clients
• Relay deploy in deploy.ts now writes mobile OTLP tracing variables to .env and fails if mobile tracing config is incomplete after deploy
• Provisions a separate mobile OTLP ingest token in observability.ts and adds a no-manual-effect-runtime-in-tests oxlint rule to enforce use of @effect/vitest
• Behavioral Change: DPoP access token TTL increased from 5 to 30 minutes in Api.ts

^{Macroscope summarized 8cffc1b.}

---

Note

Medium Risk
Public ingest tokens ship in client config and root .env, and relay deploy now hard-requires mobile tracing outputs; DPoP TTL and Hyperdrive pool changes affect live relay auth and DB connectivity.

Overview
Adds optional mobile OTLP tracing wired into the shared mobile Effect runtime: public observability settings (HTTPS URL, dataset, ingest token) flow from Expo config through nested CloudPublicConfig, and tracing only activates when all three values are present. Relay infra provisions a separate Axiom mobile ingest token, exports URL/dataset/token from the Alchemy stack, and relay deploy now reconciles those keys into the repo root .env alongside T3CODE_RELAY_URL (deploy fails if stack output is incomplete).

Introduces shared httpHeaderRedactionLayer (adds dpop to redacted trace header names) on relay HTTP tracing, server/web observability, and remoteHttpClientLayer; relay HTTP span tests now expect authorization and dpop as <redacted>.

Relay-side tweaks: parallel environment link + managed allocation loads in EnvironmentConnector and agent-activity replay; Hyperdrive origin connection limit 5→20; DPoP access token TTL 5→30 minutes; health handler drops extra DB timing log; CORS drops x-t3-relay-auth-failure from exposed headers.

Mobile callers move to config.clerk.* / config.relay.url; managed-relay atoms use mobileRuntimeContextLayer. New Oxlint rule no-manual-effect-runtime-in-tests (baselined legacy debt) is enabled in vite.config.ts.

^{Reviewed by Cursor Bugbot for commit 8cffc1b. Bugbot is set up for automated code reviews on this repo. Configure here.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 38af743f-0e92-4a23-87fa-15789a8cabfc

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/connection-infra-otel-base

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 Expo continuous deployment is ready!

• Project → t3-code
• Platforms → android, ios
• Scheme → t3code-preview

	🤖 Android	🍎 iOS
Fingerprint	115200872de1f96e7a9add528e4d026190265f2c	591bbf4e4fae4b05406870d1d283ffb26cec24a4
Build Details	Build Permalink Details Distribution: INTERNAL Build profile: preview:dev Runtime version: 115200872de1f96e7a9add528e4d026190265f2c App version: 0.1.0 Git commit: 7ed0f169e1696971c8507e7dabb6dd180a47f231	Build Permalink Details Distribution: INTERNAL Build profile: preview:dev Runtime version: 591bbf4e4fae4b05406870d1d283ffb26cec24a4 App version: 0.1.0 Git commit: 7ed0f169e1696971c8507e7dabb6dd180a47f231
Update Details	Update Permalink Details Branch: pr-2994 Runtime version: 115200872de1f96e7a9add528e4d026190265f2c Git commit: 7ed0f169e1696971c8507e7dabb6dd180a47f231	Update Permalink Details Branch: pr-2994 Runtime version: 591bbf4e4fae4b05406870d1d283ffb26cec24a4 Git commit: 7ed0f169e1696971c8507e7dabb6dd180a47f231
Update QR

[macroscopeapp]

Approvability

Verdict: Needs human review

This PR introduces new mobile telemetry/tracing infrastructure rather than being a pure extraction. An unresolved review comment raises concerns about the default tracesUrl fallback potentially enabling tracing unintentionally. New observability capabilities and infrastructure changes warrant human review.

^{You can customize Macroscope's approvability policy. Learn more.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Default trace URL enables tracing
  • Changed the tracesUrl fallback in app.config.ts from a hardcoded Axiom URL to null, so omitting EXPO_PUBLIC_OTLP_TRACES_URL no longer silently enables OTLP export when only dataset and token are configured.

Or push these changes by commenting:

@cursor push d2151e6563

Preview (d2151e6563)

diff --git a/apps/mobile/app.config.ts b/apps/mobile/app.config.ts
--- a/apps/mobile/app.config.ts
+++ b/apps/mobile/app.config.ts
@@ -162,7 +162,7 @@
       jwtTemplate: repoEnv.EXPO_PUBLIC_CLERK_JWT_TEMPLATE ?? null,
     },
     observability: {
-      tracesUrl: repoEnv.EXPO_PUBLIC_OTLP_TRACES_URL ?? "https://api.axiom.co/v1/traces",
+      tracesUrl: repoEnv.EXPO_PUBLIC_OTLP_TRACES_URL ?? null,
       tracesDataset: repoEnv.EXPO_PUBLIC_OTLP_TRACES_DATASET ?? null,
       tracesToken: repoEnv.EXPO_PUBLIC_OTLP_TRACES_TOKEN ?? null,
     },

_{You can send follow-ups to the cloud agent here.}

^{Reviewed by Cursor Bugbot for commit 08f375c. Configure here.}

[cursor]

Default trace URL enables tracing

Medium Severity

observability.tracesUrl falls back to a hardcoded Axiom HTTPS endpoint whenever EXPO_PUBLIC_OTLP_TRACES_URL is unset, while dataset and token still come from env. hasMobileTracingPublicConfig then treats tracing as fully configured if only dataset and token are present, so omitting the URL no longer keeps OTLP export off.

 

^{Reviewed by Cursor Bugbot for commit 08f375c. Configure here.}

[cursor]

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Atom runtime omits mobile tracer
  • Exported the resolved tracing layer from runtime.ts and provided it to the atom runtime via Layer.provideMerge so the OTLP tracer is included in the atom runtime's built context.

Or push these changes by commenting:

@cursor push c62f773017

Preview (c62f773017)

diff --git a/apps/mobile/src/features/cloud/managedRelayState.ts b/apps/mobile/src/features/cloud/managedRelayState.ts
--- a/apps/mobile/src/features/cloud/managedRelayState.ts
+++ b/apps/mobile/src/features/cloud/managedRelayState.ts
@@ -15,7 +15,7 @@
 import { AsyncResult, Atom } from "effect/unstable/reactivity";
 import { useCallback } from "react";
 
-import { mobileRuntime } from "../../lib/runtime";
+import { mobileRuntime, mobileTracingLayerResolved } from "../../lib/runtime";
 import { appAtomRegistry } from "../../state/atom-registry";
 
 const managedRelayAtomRuntime = Atom.runtime(
@@ -24,7 +24,7 @@
     mobileRuntime.contextEffect.pipe(
       Effect.map((context) => Context.get(context, ManagedRelayClient)),
     ),
-  ),
+  ).pipe(Layer.provideMerge(mobileTracingLayerResolved)),
 );
 
 export const managedRelayQueryManager = createManagedRelayQueryManager(managedRelayAtomRuntime);

diff --git a/apps/mobile/src/lib/runtime.ts b/apps/mobile/src/lib/runtime.ts
--- a/apps/mobile/src/lib/runtime.ts
+++ b/apps/mobile/src/lib/runtime.ts
@@ -14,10 +14,14 @@
 
 const mobileHttpClientLayer = remoteHttpClientLayer(fetch);
 
+export const mobileTracingLayerResolved = mobileTracingLayer.pipe(
+  Layer.provide(mobileHttpClientLayer),
+);
+
 export const mobileRuntime = ManagedRuntime.make(
   mobileManagedRelayClientLayer(configuredRelayUrl()).pipe(
     Layer.provideMerge(mobileCryptoLayer),
     Layer.provideMerge(mobileHttpClientLayer),
-    Layer.provide(mobileTracingLayer.pipe(Layer.provide(mobileHttpClientLayer))),
+    Layer.provide(mobileTracingLayerResolved),
   ),
 );

_{You can send follow-ups to the cloud agent here.}