Summary
_init.py:148-150 uses pattern in event.url or pattern in event.host. Short or hostname-like patterns over-match. * is taken literally, not as a glob — users naturally pass "*.internal.corp" expecting it to work and silently miss every request.
Also: when api_key is set (cloud mode), the SDK does not auto-exclude localhost / 127.0.0.1. A local dev recost instance could be self-traced.
Fix
- Add an option for exact host match (e.g. accept
("=", "api.example.com") tuples or a separate exclude_hosts field).
- Document the substring contract explicitly; reject patterns containing
* with a clear error so users don't misuse it.
- Auto-exclude localhost when a local recost dev API is detected.
Files
recost/_init.pyREADME.mdtests/test_init.py
Priority
P2 — misleading config; silent self-instrumentation risk in local-dev setups.
Summary
_init.py:148-150usespattern in event.url or pattern in event.host. Short or hostname-like patterns over-match.*is taken literally, not as a glob — users naturally pass"*.internal.corp"expecting it to work and silently miss every request.Also: when
api_keyis set (cloud mode), the SDK does not auto-excludelocalhost/127.0.0.1. A local dev recost instance could be self-traced.Fix
("=", "api.example.com")tuples or a separateexclude_hostsfield).*with a clear error so users don't misuse it.Files
recost/_init.pyREADME.mdtests/test_init.pyPriority
P2 — misleading config; silent self-instrumentation risk in local-dev setups.