feat(apex): add browser sentry monitoring #562

Merged
isuttell merged 2 commits into main from codex/ap-381-add-apex-browser-sentry-monitoring
Jun 18, 2026

@isuttell isuttell commented Jun 18, 2026


Summary

Adds apex browser-side Sentry monitoring without committing a DSN. The browser client loads same-origin runtime config from the apex Worker and initializes Sentry only when SENTRY_DSN is configured.

Changes

  • Add @sentry/browser bootstrap for the apex client bundle.
  • Serve /__client/config.json from the apex Worker with no-store JSON config.
  • Allow Sentry US ingest in the apex CSP connect-src.
  • Route optional apex SENTRY_DSN through deploy secret planning.
  • Add focused coverage for client init, the config route, CSP, and secret routing.

Risk: MEDIUM

  • Areas touched: apex client/Worker, CSP, deploy secret routing
  • Security: DSN remains runtime config; no DSN is committed; endpoint sets no cookies
  • Performance: adds the browser Sentry SDK to the apex client bundle
  • Breaking: none expected

Test plan

  • pnpm install --frozen-lockfile --strict-peer-dependencies
  • pnpm --filter @agent-paste/apex... build
  • pnpm --filter @agent-paste/apex test
  • pnpm --filter @agent-paste/apex typecheck
  • pnpm --filter @agent-paste/apex lint
  • pnpm --filter @agent-paste/apex test:coverage
  • pnpm exec vitest run scripts/lib/secret-routing.test.mjs scripts/deploy.test.mjs
  • pnpm verify
  • pnpm test:coverage:strict
  • pnpm smoke:local
  • pre-commit hook: gitleaks, biome, typecheck
  • pre-push hook: test:coverage:strict, pnpm verify
  • ziw-code-review: READY FOR PR, no findings

Issue: AP-381

Summary by CodeRabbit

  • New Features

    • Added browser-side error monitoring with runtime configuration fetched from a new __client/config.json endpoint.
    • Server now provides __client/config.json with monitoring DSN and environment (no DSN returns null).
  • Bug Fixes

    • Updated the Apex Content Security Policy to allow connections to the monitoring ingest endpoints.
  • Chores

    • Added optional deployment/config support for SENTRY_DSN.
    • Updated related tests and added coverage for monitoring initialization and security headers.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 874921c8-302b-4790-b65f-1c3d0ef2f752

📥 Commits

Reviewing files that changed from the base of the PR and between 6de7d24 and 462f1fa.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • scripts/lib/secret-routing.mjs
  • scripts/lib/secret-routing.test.mjs

📝 Walkthrough

Adds browser-side Sentry error monitoring to the Apex app. A new worker endpoint /__client/config.json exposes runtime Sentry DSN and environment. A new sentry-browser.ts module fetches this config and bootstraps Sentry in the browser. The CSP connect-src directive is extended to permit Sentry ingest connections, and SENTRY_DSN is registered as an optional deploy secret for the apex app.

Changes

Apex Sentry Integration

| Layer / File(s) | Summary |
|---|---|
| SENTRY_DSN secret routing and deploy provisioning: scripts/lib/secret-routing.mjs, scripts/lib/secret-routing.test.mjs, scripts/deploy.test.mjs | SECRET_ROUTING gains an apex entry with SENTRY_DSN as an optional sentry-sourced secret. Tests update secretConsumingApps expectations and verify conditional SENTRY_DSN provisioning in the deploy plan. |
| /__client/config.json worker endpoint: apps/apex/src/server.ts, apps/apex/src/server.test.ts | Adds CLIENT_CONFIG_PATH constant, routes matching requests to handleClientConfig, which returns JSON {sentry:{dsn,environment}} with no-store cache control and security headers. Tests cover production-configured and unconfigured cases, plus cookie absence. |
| CSP connect-src extended for Sentry ingest: apps/apex/src/security-headers.ts, apps/apex/src/security-headers.test.ts | Adds SENTRY_INGEST_HOST constant and appends https://*.ingest.us.sentry.io to the connect-src directive in apexCsp(). Test assertion updated to include the new host. |
| Browser Sentry bootstrap module and client wiring: apps/apex/package.json, apps/apex/src/sentry-browser.ts, apps/apex/src/sentry-browser.test.ts, apps/apex/src/client.ts | New sentry-browser.ts exports APEX_CLIENT_CONFIG_PATH and initApexBrowserSentry, which fetches /__client/config.json, validates the DSN, and calls Sentry.init with browser tracing, sendDefaultPii: false, and tracesSampleRate: 0.1. client.ts imports and immediately invokes it. @sentry/browser@^10.57.0 dependency added. Tests cover non-browser no-op, successful init, and missing-DSN skip. |

Sequence Diagram(s)

sequenceDiagram
  participant client.ts
  participant initApexBrowserSentry
  participant WorkerFetch as GET /__client/config.json
  participant handleClientConfig
  participant SentryInit as Sentry.init

  client.ts->>initApexBrowserSentry: void initApexBrowserSentry()
  initApexBrowserSentry->>initApexBrowserSentry: guard: no window → exit
  initApexBrowserSentry->>initApexBrowserSentry: guard: already initialized → return cached promise
  initApexBrowserSentry->>WorkerFetch: fetch(APEX_CLIENT_CONFIG_PATH, same-origin/json)
  WorkerFetch->>handleClientConfig: route match CLIENT_CONFIG_PATH
  handleClientConfig-->>WorkerFetch: JSON {sentry:{dsn, environment}}, no-store
  WorkerFetch-->>initApexBrowserSentry: config response
  initApexBrowserSentry->>initApexBrowserSentry: validate/trim DSN → exit if null
  initApexBrowserSentry->>SentryInit: init({dsn, environment, sendDefaultPii:false, tracesSampleRate:0.1, integrations:[browserTracingIntegration]})

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • zaks-io/agent-paste#332: Both PRs update the deploy secret-planning/testing logic around conditionally provisioning SENTRY_DSN secrets (main PR adds an apex-specific test expectation, while the retrieved PR refactors createSecretPlanner behavior).
  • zaks-io/agent-paste#551: Both PRs modify SECRET_ROUTING to add an optional SENTRY_DSN sourced from "sentry" — that PR for mcp, this one for apex.

Poem

🐇 A little rabbit hops through code so bright,
Adding Sentry's watchful eye to the night.
Config fetched, the DSN confirmed and trimmed,
CSP extended, no ingest request dimmed.
Secrets routed, deploy plan aligned—
Browser errors now shall be easy to find! 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat(apex): add browser sentry monitoring' accurately and concisely describes the main change—adding browser-side Sentry error monitoring to the apex client. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@cursor cursor Bot left a comment

First-pass review (AP-381)

Risk: medium
Decision: comment only

Ticket triage

  • Intended change: Add browser-side Sentry to the apex marketing client, served via same-origin /__client/config.json, with CSP + optional deploy secret routing for SENTRY_DSN.
  • Scope match: Yes — all acceptance criteria appear covered (conditional init, no cookies on config route, US ingest CSP, optional apex secret provisioning, focused tests).

Review findings

Blocking:

  • CI Validate failed on this run (@agent-paste/jobs#test:coverage and a flaky @agent-paste/db RLS coverage test). These failures are outside the PR diff; apex lint/build/test (88 tests) passed in the same workflow.

Non-blocking:

  • @sentry/browser is always bundled even when no DSN is configured — expected tradeoff for this slice; dynamic import could be a follow-up if bundle size matters.
  • initApexBrowserSentry does not retry after a non-throwing miss (!response.ok / empty DSN); acceptable for a one-shot bootstrap, but transient config fetch failures would skip monitoring for that page load.

Merge checklist

  • Ticket linked: ✅ AP-381
  • Scope matches: ✅
  • Checks green: ❌ Validate failed (unrelated packages)
  • Tests/docs appropriate: ✅ for changed surface
  • No blocking code findings: ✅
  • No high-risk areas: ✅ (optional public DSN exposure follows existing web/MCP patterns; deploy routing mirrors MCP)
  • Merge-safe: ⏸️ after CI green

Summary

Implementation is clean, mirrors existing Sentry/CSP conventions (https://*.ingest.us.sentry.io), and respects the privacy posture (Sentry is not gated by optional analytics/GPC). Not approving yet because the required CI gate is red on unrelated failures — please rerun Validate (or fix the failing jobs coverage/RLS flake if reproducible), then this should be good to merge.

Sent by Cursor Automation: First Pass PR Reviewer
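
The walkthrough and review above describe a runtime DSN served from /__client/config.json and a connect-src that lists only https://*.ingest.us.sentry.io, so a well-formed DSN on any other host would initialize but have its events blocked by the browser. An added example, not code from this PR, that checks a runtime DSN against a CSP header value; the helper names, the sample CSP and both DSNs are constructed for illustration.

```javascript
// Added example; helper names and all sample values are constructed.
// Sentry DSN shape: https://<publicKey>@<host>/<projectId>
const SAMPLE_CSP = "default-src 'self'; connect-src 'self' https://*.ingest.us.sentry.io";
const DSN_US = "https://examplePublicKey@o0.ingest.us.sentry.io/0";
const DSN_OTHER = "https://examplePublicKey@o0.ingest.example.test/0";

// Host (with any explicit port) of a well-formed https DSN, else null.
// Simplification: no path prefix before the numeric project id.
function dsnHost(raw) {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return null;
  }
  const projectId = url.pathname.replace(/^\/+/, "");
  if (url.protocol !== "https:" || !url.username || !/^\d+$/.test(projectId)) return null;
  return url.host.toLowerCase();
}

// Source list of one directive from a CSP header value.
function directiveSources(csp, name) {
  for (const part of csp.split(";")) {
    const [directive, ...sources] = part.trim().split(/\s+/);
    if (directive.toLowerCase() === name) return sources;
  }
  return [];
}

// CSP host-source match for https sources without a port:
// "*.example.com" covers subdomains only, never example.com itself.
function sourceMatchesHost(source, host) {
  const m = /^https:\/\/(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false;
  const base = m[2].toLowerCase();
  return m[1] ? host.endsWith("." + base) : host === base;
}

// Classify a runtime DSN against the CSP the page is served with.
function checkDsnAgainstCsp(dsn, csp) {
  const host = dsnHost(dsn);
  if (host === null) return "skip: no valid DSN";
  const allowed = directiveSources(csp, "connect-src").some((s) => sourceMatchesHost(s, host));
  return allowed ? "ok" : `blocked: ${host} is not covered by connect-src`;
}

console.log(checkDsnAgainstCsp(DSN_US, SAMPLE_CSP), "|", checkDsnAgainstCsp(DSN_OTHER, SAMPLE_CSP));
```

Run as a deploy-time or test-time check, this catches a DSN and CSP that have drifted apart before the mismatch shows up as silently missing browser events.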

@isuttell isuttell enabled auto-merge (squash) June 18, 2026 00:38
@isuttell isuttell disabled auto-merge June 18, 2026 00:39
@isuttell isuttell merged commit dcd219e into main Jun 18, 2026
10 checks passed
@isuttell isuttell deleted the codex/ap-381-add-apex-browser-sentry-monitoring branch June 18, 2026 00:40
@github-actions

agent-paste PR preview resources were cleaned up. The shared Preview GitHub Environment is retained for future preview deploys.
