Optional Sentry integration
Ship brain crashes to Sentry with credentials redacted in-process.
An optional Sentry hook captures unhandled exceptions inside the brain and ships them to a Sentry project you own. Off by default; one env var (Z4J_SENTRY_DSN) flips it on. Before any event leaves the brain it runs through a redaction pass that strips Authorization headers, cookies, OAuth-style token query params, webhook URLs, MFA recovery codes, and any extras whose key matches a credential pattern, so a captured 500 never leaks the bearer token that hit it.
Ships with
- Opt-in via Z4J_SENTRY_DSN; missing-package and missing-DSN both noop instead of crashing boot
- Errors-only mode by default; traces and profiles are independent sample-rate knobs (default 0)
- before_send scrubber strips Authorization / Cookie / X-Z4J-Signature / X-API-Key headers and OAuth-style query params from every event
- Webhook payloads (notification dispatcher bodies) are redacted wholesale so a delivery exception cannot leak a Slack / Teams / Discord workflow token
- Release tag pinned to the installed z4j package version so Sentry first-seen attribution works without extra config
Highlights
- 76-case test suite pins the scrubber: a regression that drops a header from the allowlist or weakens the query-key scrub fails CI
- send_default_pii=false by default; even flipping it on leaves Authorization headers and webhook URLs redacted
- Brain CLI commands (init, audit verify, reset-mfa) deliberately do NOT init Sentry; short-lived commands keep their old terminal-and-audit-log failure shape
Related