
feat(mcp): add Sentry monitoring spans #551

Merged: isuttell merged 1 commit into main from codex/ap-363-add-mcp-sentry-monitoring-spans on Jun 16, 2026

Conversation

@isuttell (Contributor) commented Jun 16, 2026

Summary

Add MCP-aware Sentry monitoring for the hosted MCP Worker without hardcoding a DSN or collecting MCP payloads.

Changes

  • Enable MCP tracing only when SENTRY_DSN is configured.
  • Add Sentry MCP spans around authenticated JSON-RPC dispatch with method/tool/session metadata.
  • Disable Sentry user info, HTTP body, and GenAI input/output capture in shared Worker Sentry defaults.
  • Route MCP SENTRY_DSN as optional provider-managed config.
  • Add focused tests for Sentry options, MCP span metadata, and secret routing.

Risk: HIGH

  • Areas touched: MCP Worker transport, shared Worker Sentry config, deploy secret routing.
  • Security: keeps DSN external; does not capture user info, HTTP bodies, tool inputs, or tool outputs.
  • Performance: adds one Sentry span around authenticated MCP requests only when Sentry tracing is enabled.
  • Breaking: none expected; Sentry remains disabled without SENTRY_DSN.

Test plan

  • pnpm --filter @agent-paste/mcp test
  • pnpm --filter @agent-paste/worker-runtime test
  • pnpm vitest run scripts/lib/secret-routing.test.mjs
  • pnpm --filter @agent-paste/mcp build
  • pnpm --filter @agent-paste/worker-runtime build
  • pnpm exec biome check apps/mcp/src/index.ts apps/mcp/src/index.test.ts apps/mcp/src/transport.ts apps/mcp/src/sentry-mcp.ts apps/mcp/src/sentry-mcp.test.ts packages/worker-runtime/src/sentry.ts packages/worker-runtime/src/sentry.test.ts scripts/lib/secret-routing.mjs scripts/lib/secret-routing.test.mjs
  • git diff --check
  • pnpm verify
  • pre-commit hook: gitleaks, biome, typecheck
  • pre-push hook: pnpm test:coverage:strict, pnpm verify

Review

  • Local code review refreshed after rebase: no findings.
  • CodeRabbit auto-review is enabled for this repository and should run on the PR.

Issue: AP-363

Summary by CodeRabbit

Release Notes

  • New Features

    • Enhanced error tracking and monitoring for MCP operations with detailed request tracing.
    • Improved observability through span metadata and status tracking for MCP method calls.
  • Improvements

    • Strengthened data privacy by disabling sensitive user information and AI model data capture in error reporting.
    • Added Sentry configuration management for better operational control.

@coderabbitai Bot commented Jun 16, 2026

No actionable comments were generated in the recent review.

📥 Commits

Reviewing files that changed from the base of the PR and between dd06a29 and e2bfbe8.

📒 Files selected for processing (9)
  • apps/mcp/src/index.test.ts
  • apps/mcp/src/index.ts
  • apps/mcp/src/sentry-mcp.test.ts
  • apps/mcp/src/sentry-mcp.ts
  • apps/mcp/src/transport.ts
  • packages/worker-runtime/src/sentry.test.ts
  • packages/worker-runtime/src/sentry.ts
  • scripts/lib/secret-routing.mjs
  • scripts/lib/secret-routing.test.mjs

Walkthrough

Adds Sentry tracing to the MCP worker: a shared dataCollection privacy config is added to sentryOptions, a new traceMcpRequest module wraps each MCP JSON-RPC dispatch in a Sentry span with protocol metadata and result-based status, mcpSentryOptions enables tracesSampleRate: 1.0 for the MCP entrypoint, and SENTRY_DSN is registered as an optional secret in the routing table.

Changes

MCP Sentry Tracing Instrumentation

| Layer | File(s) | Summary |
|---|---|---|
| Shared sentryOptions dataCollection config | packages/worker-runtime/src/sentry.ts, packages/worker-runtime/src/sentry.test.ts | sentryOptions() now includes a dataCollection block disabling userInfo, emptying httpBodies, and disabling genAI inputs/outputs. Tests assert this shape in both DSN-absent and DSN-present cases. |
| traceMcpRequest span instrumentation module | apps/mcp/src/sentry-mcp.ts, apps/mcp/src/sentry-mcp.test.ts | New module exports traceMcpRequest, which wraps a protocol handler in a Sentry.startSpan call, attaches MCP metadata (server attributes, method, request/session ids, tool name), and records result-based status and error attributes. Tests use a hoisted Sentry mock to verify span data for success and error outcomes. |
| mcpSentryOptions with tracesSampleRate | apps/mcp/src/index.ts, apps/mcp/src/index.test.ts | Exports mcpSentryOptions(env) that extends sentryOptions(env) with tracesSampleRate: 1.0 when Sentry is enabled. Default export updated to use this helper. Tests cover disabled (no DSN) and enabled (trimmed DSN) configurations. |
| Transport dispatch wired through traceMcpRequest | apps/mcp/src/transport.ts | dispatchMcpRequest now routes handleMcpProtocolMethod through traceMcpRequest. Session utilities refactored so optionalSessionHeader delegates to optionalSessionId. |
| SENTRY_DSN optional secret routing | scripts/lib/secret-routing.mjs, scripts/lib/secret-routing.test.mjs | Adds "sentry" to the SecretBinding.source union, registers SENTRY_DSN as an optional source: "sentry" secret for the mcp app, and tests verify routing behavior and required-secret exclusion. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • zaks-io/agent-paste#91: Establishes the Sentry Cloudflare integration in worker-runtime that this PR extends with dataCollection config and the MCP-specific mcpSentryOptions wrapper.
  • zaks-io/agent-paste#470: Also modifies apps/mcp/src/transport.ts's dispatchMcpRequest, changing error handling behavior in the same function this PR wraps with traceMcpRequest.

Poem

🐇 Hoppity-hop through the JSON-RPC trail,
Each MCP request now leaves a Sentry trail!
No user info sniffed, no AI bodies leaked,
Span attributes set, error codes peeked.
tracesSampleRate: 1.0 — I log it all!
🥕 (But your secrets stay safe behind the wall.)

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 7.69%, which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped: CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat(mcp): add Sentry monitoring spans' accurately describes the main change, adding Sentry monitoring spans to the MCP Worker. It is clear, specific, and directly reflects the primary objective of the PR. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@cursor Bot left a comment

AP-363 review — Sentry MCP monitoring spans

Verdict: No blocking issues. Recommend human review before merge (risk-security-sensitive).

Acceptance criteria

| Criterion | Status |
|---|---|
| @sentry/cloudflare ≥ 9.44.0 | ✅ Already ^10.57.0 |
| Inactive without SENTRY_DSN | enabled: false, no tracesSampleRate |
| tracesSampleRate: 1.0 when DSN set | mcpSentryOptions |
| Span metadata only (no args/results) | ✅ Manual attributes are method/tool/session/id; tests assert no arg leakage |
| SENTRY_DSN optional in secret routing | required: false, source: "sentry", deploy won't fail if unset |

Security / privacy

  • Manual span attributes look safe: only mcp.tool.name from params.name, not arguments.
  • Error spans record mcp.error.code (enum machine codes), not error.message.
  • Shared dataCollection disables userInfo, all httpBodies, and genAI I/O — important guardrail with tracesSampleRate: 1.0.
  • Residual: mcp.session.id and client-supplied mcp.request.id are correlation metadata sent to Sentry when DSN is configured.

Scope note

packages/worker-runtime/src/sentry.ts dataCollection applies to every worker using sentryOptions (api, upload, content, jobs, stream, web, apex, mcp). This is fleet-wide privacy hardening, not MCP-only; only MCP gets tracesSampleRate: 1.0.

Non-blocking follow-ups

  • Consider gating traceMcpRequest when !options.enabled to avoid noop startSpan overhead.
  • Document/confirm PREVIEW_SENTRY_DSN / PRODUCTION_SENTRY_DSN in CI before enabling in hosted envs.
  • Production tracesSampleRate: 1.0 is ticket-required but warrants ops sign-off on volume/cost.

Automation recommendation: comment + human review; do not auto-approve.


Sent by Cursor Automation: First Pass PR Reviewer

@cursor Bot left a comment

First-pass review (AP-363)

Risk: medium
Decision: needs human review

Ticket triage

  • Intended change: Enable optional Sentry MCP monitoring on the hosted MCP Worker via SENTRY_DSN, with manual mcp.server spans (method/tool/session metadata) and no payload capture.
  • Scope match: Yes — matches AP-363 acceptance criteria across sentry-mcp.ts, transport.ts, mcpSentryOptions, secret routing, and tests.

Review findings

Blocking: None. Privacy constraints look correctly enforced:

  • Spans record method, tool name, session id, request id, and error codes only — not params.arguments, tool results, or error.message.
  • Shared sentryOptions sets dataCollection to disable user info, HTTP bodies, and genAI I/O.
  • Tracing is gated behind a trimmed SENTRY_DSN; tracesSampleRate: 1.0 applies only when enabled.
  • traceMcpRequest runs only after bearer auth succeeds in dispatchMcpRequest.
  • SENTRY_DSN is optional in secret routing (not in GENERATABLE; deploy tolerates absence).

Non-blocking:

  • traceMcpRequest always calls Sentry.startSpan even when Sentry is disabled (SDK should no-op; could gate on enabled for clarity).
  • packages/worker-runtime/src/sentry.ts dataCollection hardening applies fleet-wide to any worker using sentryOptions, not only MCP — intentional defense-in-depth, but worth noting in rollout docs.
  • Auth/parse failures (401, invalid JSON) are not traced — acceptable for privacy, minor observability gap.
  • Hardcoded mcp.server.version: "0.1.0" may drift from package version.

Merge checklist

  • Ticket linked: ✅ AP-363
  • Scope matches: ✅
  • Checks green: ⚠️ not verified in this run (focused sentry-mcp.test.ts passed locally; rely on CI pnpm verify)
  • Tests/docs appropriate: ✅ focused unit tests for options, spans, and secret routing
  • No blocking findings: ✅
  • No high-risk areas: ❌ — risk-security-sensitive label; third-party telemetry, optional secret provisioning (PREVIEW_SENTRY_DSN / PRODUCTION_SENTRY_DSN), and tracesSampleRate: 1.0 need human sign-off before production enablement
  • Merge-safe: ✅ code-only; no deploy/secret writes in this PR

Recommendation

Needs human review — implementation looks correct and privacy-conscious, but production Sentry enablement is a deliberate ops/security decision outside first-pass automation scope. A human should confirm CI secret wiring and Sentry project retention/access before merging if SENTRY_DSN will be set in hosted envs.


Sent by Cursor Automation: First Pass PR Reviewer

@isuttell isuttell merged commit 9e93caf into main Jun 16, 2026
11 checks passed
@isuttell isuttell deleted the codex/ap-363-add-mcp-sentry-monitoring-spans branch June 16, 2026 20:53
@github-actions Bot commented

agent-paste PR preview resources were cleaned up. The shared Preview GitHub Environment is retained for future preview deploys.
