Summary
- Add a small
caution-observabilitycrate that initializes backend Sentry only whenSENTRY_DSNis set. - Wire opt-in backend Sentry initialization into api, gateway, metering, and email-service while keeping existing stdout tracing intact.
- Add conservative backend and frontend scrubbers that drop request/user context and redact sensitive-looking fields/values before events leave the process.
- Add opt-in Vue Sentry initialization behind
VITE_SENTRY_DSN, with PII disabled and tracing/session replay disabled. - Thread optional frontend Sentry build args through the frontend/gateway container build paths and document optional env vars.
Security / scope notes
- Sentry remains disabled by default when DSNs are unset.
- This first pass intentionally does not enable Session Replay, performance tracing, profiling, source-map upload, request/response body capture, or broad request context capture.
- Backend panic capture is enabled through the Sentry panic integration. Broad
tracing::error!event forwarding is intentionally deferred so existing logs can be audited before sending them to a third-party service.
Test plan
cargo test -p caution-observabilitycargo check -p caution-observability -p api -p gateway -p metering -p email-servicenode --check frontend/src/main.jsgit diff --check- Attempted
cd frontend && npm install --ignore-scripts --no-audit && npm run build; install completed with existing EBADENGINE warnings, but build is blocked locally because Node isv18.20.4and Vite requires Node20.19+or22.12+(ReferenceError: CustomEvent is not defined). Removedfrontend/node_modulesafterward.
Refs #377
## Summary
- Add a small `caution-observability` crate that initializes backend Sentry only when `SENTRY_DSN` is set.
- Wire opt-in backend Sentry initialization into api, gateway, metering, and email-service while keeping existing stdout tracing intact.
- Add conservative backend and frontend scrubbers that drop request/user context and redact sensitive-looking fields/values before events leave the process.
- Add opt-in Vue Sentry initialization behind `VITE_SENTRY_DSN`, with PII disabled and tracing/session replay disabled.
- Thread optional frontend Sentry build args through the frontend/gateway container build paths and document optional env vars.
## Security / scope notes
- Sentry remains disabled by default when DSNs are unset.
- This first pass intentionally does not enable Session Replay, performance tracing, profiling, source-map upload, request/response body capture, or broad request context capture.
- Backend panic capture is enabled through the Sentry panic integration. Broad `tracing::error!` event forwarding is intentionally deferred so existing logs can be audited before sending them to a third-party service.
## Test plan
- `cargo test -p caution-observability`
- `cargo check -p caution-observability -p api -p gateway -p metering -p email-service`
- `node --check frontend/src/main.js`
- `git diff --check`
- Attempted `cd frontend && npm install --ignore-scripts --no-audit && npm run build`; install completed with existing EBADENGINE warnings, but build is blocked locally because Node is `v18.20.4` and Vite requires Node `20.19+` or `22.12+` (`ReferenceError: CustomEvent is not defined`). Removed `frontend/node_modules` afterward.
Refs #377