fix(sandbox): Propagate trace context through egress #580
Merged
Forward Sentry trace propagation headers through sandbox egress so proxied provider requests can continue from the active bash command span. Keep propagation upstream for Sentry requests and strip it from other providers. Refs GH-557 Co-Authored-By: GPT-5 Codex <codex@openai.com>
Allow Junior apps to opt sandbox egress domains into Sentry trace propagation, including leading wildcard domains. Keep trace continuation behind verified OIDC and signed egress context checks, and strip trace headers from unconfigured upstreams. Update unit and integration coverage plus the sandbox egress tracing specs and generated API docs. Co-Authored-By: GPT-5 Codex <codex@openai.com>
Remove the mutable sandbox trace-domain singleton and carry the configured domains through app-scoped Slack runtime, queue, and proxy wiring. Keep trace propagation headers stripped after credential transforms for unconfigured domains, and cover verified trace continuation with proxy tests. Co-Authored-By: GPT-5 Codex <codex@openai.com>
Apply app-owned sandbox trace config to idle resumed Slack continuations. Each continuation slice still uses its own active trace data. Co-Authored-By: GPT-5 Codex <codex@openai.com>
Include configured trace propagation domains in sandbox network policy. Keep trace-only rules as header transforms without proxy forwarding. Co-Authored-By: GPT-5 Codex <codex@openai.com>
Keep production conversation work construction on the configured factory path. Co-Authored-By: GPT-5 Codex <codex@openai.com>
Trigger a fresh CodeQL run after GitHub failed during initialization. Co-Authored-By: GPT-5 Codex <codex@openai.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 0462b52.
Validate sandbox trace domains inside createApp rollback handling. Failed app construction should not leave plugin globals mutated. Co-Authored-By: GPT-5 Codex <codex@openai.com>
Apply current trace headers through the shared sandbox tool span. All sandbox-backed tools now refresh egress policy before execution. Rename the internal session helper to avoid shadowing the active-session refresh method. Co-Authored-By: GPT-5 Codex <codex@openai.com>
Install trace propagation policies without credential egress and keep provider proxying gated on credential tokens. Pass app-scoped trace config through OAuth resume generators and document continuation correlation. Remove telemetry-coupled proxy unit assertions while preserving behavior-facing policy coverage. Co-Authored-By: GPT-5 Codex <codex@openai.com>

Sandbox egress now carries Sentry trace propagation from the active bash command span into the Vercel Sandbox forwarding policy. The egress proxy continues that trace for its own proxy span, keeps the standard propagation headers when forwarding to Sentry upstreams, and strips them before forwarding to other providers.
This uses Sentry-standard sentry-trace, baggage, and traceparent headers rather than adding Junior-specific parentage headers. The sandbox network policy is refreshed inside the active bash span so shell-originated provider traffic can be correlated back to the tool execution that caused it.

Refs GH-557
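
The keep-or-strip decision described above, sketched as an added example that is not code from this pull request or from Junior. The function names, the rule that a leading wildcard covers subdomains only, and the assumption that the upstream host arrives without a port are all hypothetical.

```javascript
// Added example; all names and matching rules are assumptions, not Junior's code.
const TRACE_HEADERS = new Set(["sentry-trace", "baggage", "traceparent"]);

// Accept "example.com" or one leading wildcard "*.example.com"; reject the rest,
// including wildcards in other positions and wildcards over a whole TLD.
function normalizeTraceDomain(pattern) {
  const p = String(pattern).trim().toLowerCase().replace(/\.$/, "");
  const body = p.startsWith("*.") ? p.slice(2) : p;
  const label = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
  const labels = body.split(".");
  if (labels.length < 2 || !labels.every((l) => label.test(l))) {
    throw new Error(`invalid trace propagation domain: ${pattern}`);
  }
  return p;
}

// Match on whole DNS labels so "evilsentry.io" never satisfies "*.sentry.io".
// Assumption: a leading wildcard covers subdomains only, not the bare domain.
function hostAllowsTrace(host, patterns) {
  const h = String(host).toLowerCase().replace(/\.$/, "");
  return patterns.some((p) =>
    p.startsWith("*.") ? h.endsWith(p.slice(1)) && h.length > p.length - 1 : h === p
  );
}

// Return a copy of the headers for the upstream, dropping trace headers
// (case-insensitively) unless the upstream host is a configured trace domain.
function filterEgressHeaders(headers, upstreamHost, traceDomains) {
  const patterns = traceDomains.map(normalizeTraceDomain);
  const keep = hostAllowsTrace(upstreamHost, patterns);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!keep && TRACE_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Constructed sample request headers (values are placeholders).
const sample = {
  "Sentry-Trace": "0123456789abcdef0123456789abcdef-0123456789abcdef-1",
  baggage: "sentry-trace_id=0123456789abcdef0123456789abcdef",
  traceparent: "00-0123456789abcdef0123456789abcdef-0123456789abcdef-01",
  accept: "application/json",
};

console.log(filterEgressHeaders(sample, "api.example.com", ["*.sentry.io"]));
```

Running the filter as the last step before forwarding matches the commit note about keeping the headers stripped after credential transforms for unconfigured domains.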