Install Sentry Cloudflare SDK for Worker error monitoring

[isuttell]

Summary

Adds server-side Sentry error monitoring for the Cloudflare Worker surfaces while keeping DSN values in Worker secrets and default PII collection disabled. This gives deployed Workers a common Sentry initialization path without changing existing error-envelope behavior.

Changes

• Added @sentry/cloudflare and a shared sentryOptions helper with DSN-from-env, sendDefaultPii: false, and empty-DSN disablement.
• Wrapped API, upload, content, apex, jobs, MCP, and web Worker entrypoints with Sentry.withSentry.
• Added a custom React Start web server entrypoint so the web Worker can be wrapped by Sentry.
• Added nodejs_compat, source map upload for direct Wrangler Workers, and non-secret environment labels where needed.
• Set SENTRY_DSN secrets out-of-band for configured preview/production Worker environments: api, upload, content, apex, and web.

Risk: HIGH

• Areas touched: Cloudflare Worker entrypoints, Wrangler config, package dependencies, web server entrypoint, worker-runtime helper.
• Security: Sentry DSN is secret-backed only; no DSN/auth token is committed; default PII collection is disabled.
• Performance: Sentry wrapper adds runtime instrumentation around Worker requests and scheduled handlers.
• Breaking: no intended API or response-shape breaking changes.

Test plan

• bun run ci:check
• pnpm verify
• Pre-commit hooks: gitleaks, biome, targeted typecheck
• Pre-push hook: coverage test suite, 73 files / 579 tests
• CodeRabbit pre-flight review; all three findings addressed before PR

Linear: AP-42

Summary by CodeRabbit

• New Features

  • Integrated Sentry error tracking across services with environment-aware configuration and DSN support; enabled source map uploads.

• Tests

  • Added tests for Sentry configuration, DSN trimming, and environment selection.

• Refactor

  • Updated worker entrypoints to route through centralized error-reporting wrapper.

• Chores

  • Added runtime dependency on Sentry integration and updated deployment configs to set per-environment variables.

• Documentation

  • Local dev instructions now reference an env var for the smoke-harness secret.

[linear-code]

AP-42 Install Sentry Cloudflare SDK for Worker error monitoring

Context

Cloudflare Worker apps need server-side error monitoring through Sentry. The SDK should initialize from Worker secrets, avoid committing DSNs, and preserve the repo's existing error-envelope behavior.

Scope

• Add @sentry/cloudflare to the Cloudflare app packages.
• Add a shared Worker runtime Sentry helper with SENTRY_DSN from env/secrets.
• Wrap Worker exports with Sentry.withSentry.
• Add the web custom React Start server entrypoint needed for Sentry wrapping.
• Configure required Worker compatibility flags and direct Worker source map upload where applicable.
• Set SENTRY_DSN as a Cloudflare secret for configured preview and production Worker environments.

Out of scope

• Browser-side React Sentry instrumentation.
• Creating deploy configs for scaffold-only jobs or mcp environments.
• Running the interactive Sentry wizard.

Acceptance criteria

• sendDefaultPii is false.
• No DSN or auth token is committed.
• Configured Worker environments read SENTRY_DSN from secrets.
• Existing tests and error envelopes continue to pass.
• pnpm verify passes.

Review in Linear

[coderabbitai]

Caution

Review failed

Failed to post review comments

Walkthrough

This pull request adds a shared sentryOptions helper and re-exports it from the worker-runtime package, adds @sentry/cloudflare to package manifests, and wraps each worker and the web server export with Sentry.withSentry using sentryOptions(env). Env types gain optional SENTRY_DSN and AGENT_PASTE_ENV where applicable. Wrangler configs enable upload_source_maps and nodejs_compat and set AGENT_PASTE_ENV for dev/preview/production. The deploy preview script injects preview env vars, and sentryOptions is covered by Vitest tests.

Sequence Diagram

sequenceDiagram
  participant Client as Client Request
  participant Worker as Cloudflare Worker
  participant Wrapper as Sentry.withSentry
  participant Config as sentryOptions(env)
  participant Env as Environment Bindings
  participant Handler as Worker Handler

  Client->>Worker: HTTP request
  Worker->>Wrapper: exported worker invoked
  Wrapper->>Config: call sentryOptions(env)
  Config->>Env: read SENTRY_DSN, AGENT_PASTE_ENV
  Env-->>Config: return values
  Config-->>Wrapper: CloudflareOptions
  Wrapper->>Handler: invoke worker.fetch(request, env)
  Handler-->>Worker: response (or throw)
  Wrapper-->>Worker: capture error and send to Sentry if enabled

Loading

Possibly related issues

• AP-42: Install Sentry Cloudflare SDK for Worker error monitoring — This PR implements the SDK, shared sentryOptions helper, SENTRY_DSN/env wiring, and wraps workers with Sentry as described.

Possibly related PRs

• zaks-io/agent-paste#1: Earlier changes to the Apex worker entrypoint that this PR wraps with Sentry instrumentation.
• zaks-io/agent-paste#8: Related edits to the API worker entry and wrangler wiring that overlap with Sentry wrapping.

"🐰 I hopped through code and wrapped each fetch,
trimming DSNs, watching every fetch.
Env vars tucked neatly in a row,
errors report where they need to go,
and tests nod yes — then off I stretch! 🥕"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main objective: installing the Sentry Cloudflare SDK for Worker error monitoring, which is the primary focus of the PR.
Linked Issues check	✅ Passed	The PR implementation comprehensively addresses all coding requirements from AP-42: added @sentry/cloudflare dependency, created sentryOptions helper with SENTRY_DSN support, wrapped all Worker entrypoints with Sentry.withSentry, added custom web server entrypoint, configured nodejs_compat and source map upload, and updated Wrangler configs.
Out of Scope Changes check	✅ Passed	All changes directly support the Sentry integration objectives. Modifications to package.json, Worker entrypoints, Wrangler configs, and the worker-runtime helper are all in-scope per AP-42 requirements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/AP-42-sentry-cloudflare-workers

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/web/src/server.ts`:
- Around line 6-10: The wrapper entry created by createServerEntry simply
forwards fetch to handler.fetch with no extra behavior, so remove the redundant
createServerEntry/entry and call handler.fetch directly from the worker's fetch
method (or export handler as the fetch handler); update any references to entry
to use handler (or its fetch method) and delete createServerEntry usage to
simplify the flow (look for symbols createServerEntry, entry, handler.fetch and
the worker fetch export).

In `@packages/worker-runtime/src/sentry.ts`:
- Around line 10-13: Normalize env.SENTRY_DSN once into a local variable and use
that for both the dsn and enabled fields: create a const like normalizedDsn =
env.SENTRY_DSN?.trim() ?? "" and then set dsn: normalizedDsn and enabled:
normalizedDsn.length > 0 in the sentry configuration (the dsn and enabled fields
in packages/worker-runtime/src/sentry.ts), leaving environment and
sendDefaultPii unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: b123bf6e-0b57-4dde-bc44-7ba2b2470a4d

📥 Commits

Reviewing files that changed from the base of the PR and between b7d92af and bf322c7.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (25)

• apps/apex/package.json
• apps/apex/src/index.ts
• apps/apex/wrangler.jsonc
• apps/api/package.json
• apps/api/src/index.test.ts
• apps/api/src/index.ts
• apps/api/wrangler.jsonc
• apps/content/package.json
• apps/content/src/index.ts
• apps/content/wrangler.jsonc
• apps/jobs/package.json
• apps/jobs/src/index.ts
• apps/mcp/package.json
• apps/mcp/src/index.ts
• apps/upload/package.json
• apps/upload/src/index.ts
• apps/upload/wrangler.jsonc
• apps/web/package.json
• apps/web/src/server.ts
• apps/web/src/server/env.ts
• apps/web/wrangler.jsonc
• packages/worker-runtime/package.json
• packages/worker-runtime/src/index.ts
• packages/worker-runtime/src/sentry.test.ts
• packages/worker-runtime/src/sentry.ts

[github-actions]

agent-paste PR preview is ready.

API: https://agent-paste-api-pr-91.isaac-a46.workers.dev
Upload: https://agent-paste-upload-pr-91.isaac-a46.workers.dev
Content: https://agent-paste-content-pr-91.isaac-a46.workers.dev
Apex: https://agent-paste-apex-pr-91.isaac-a46.workers.dev
Web (login): https://pr-91.preview.agent-paste.sh (first deploy: allow a few minutes for the TLS cert)
Neon branch: https://console.neon.tech/app/projects/still-forest-91029005/branches/br-late-paper-apcvf8mc

[github-actions]

agent-paste PR preview is ready.

API: https://agent-paste-api-pr-91.isaac-a46.workers.dev
Upload: https://agent-paste-upload-pr-91.isaac-a46.workers.dev
Content: https://agent-paste-content-pr-91.isaac-a46.workers.dev
Apex: https://agent-paste-apex-pr-91.isaac-a46.workers.dev
Web (login): https://pr-91.preview.agent-paste.sh (first deploy: allow a few minutes for the TLS cert)
Neon branch: https://console.neon.tech/app/projects/still-forest-91029005/branches/br-late-paper-apcvf8mc

[github-actions]

agent-paste PR preview resources were cleaned up. The pr-preview-${context.issue.number} environment is left in place; remove it from the GitHub UI if desired.