55cac8a395
W0 — security hardening (5 fixes verified live on disclosure.top)
- middleware: gate /api/admin/* same as /admin/* (F1)
- imgproxy: tighten LOCAL_FILESYSTEM_ROOT from / to /var/lib/storage (F2)
- studio: real basic-auth label (bcrypt hash, middleware reference) (F3)
- relations: ENABLE ROW LEVEL SECURITY + public SELECT policy (F4)
- migration 0003: fold is_searchable + hybrid_search update into canonical (TD#2)
W1 — observability + resilience + autocomplete
- studio: HOSTNAME=0.0.0.0 so Next.js binds on loopback for healthcheck
- compose: PG_POOL_MAX=20, CLAUDE_CODE_OAUTH_TOKEN gated by separate env
- claude-code.ts: subprocess timeout configurable (CLAUDE_CODE_TIMEOUT_MS)
- openrouter.ts: retry with exponential backoff + Retry-After + in-memory
circuit breaker (promotes FALLBACK after CB_THRESHOLD failures)
- lib/logger.ts: pino logger (NDJSON prod / pretty dev) + withRequest helper
- middleware: mints correlation_id, stamps x-correlation-id response header,
emits structured http_request log per /api/* call
- messages/route.ts: switch to structured logger
- 60_meili_index.py: push documents + chunks into Meilisearch
- /api/search/autocomplete: parallel meili search (docs + chunks), 5-8ms p50
- search-autocomplete.tsx: debounced dropdown wired into search-panel
W1.2 — Glitchtip + Forgejo self-hosted
- compose: glitchtip-redis + glitchtip-web + glitchtip-worker (v4.2)
- compose: forgejo + forgejo-runner (server v9, runner v6) with group_add=988
- @sentry/nextjs SDK wired (instrumentation.ts + sentry.{client,server}.config.ts)
- /api/admin/throw smoke endpoint (gated by W0-F1 middleware)
- Synthetic event ingestion verified at glitchtip.disclosure.top
- forgejo.disclosure.top up, repo discadmin/disclosure-bureau created,
runner registered (labels: ubuntu-latest, docker)
- .forgejo/workflows/ci.yml: typecheck + lint + build + npm audit + python
syntax + compose validation
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
33 lines
1.3 KiB
TypeScript
33 lines
1.3 KiB
TypeScript
/**
|
|
* Next.js instrumentation hook — loads Sentry (Glitchtip) init on server/edge.
|
|
*
|
|
* https://nextjs.org/docs/app/building-your-application/optimizing/instrumentation
|
|
*/
|
|
export async function register() {
|
|
if (process.env.NEXT_RUNTIME === "nodejs") {
|
|
await import("./sentry.server.config");
|
|
}
|
|
if (process.env.NEXT_RUNTIME === "edge") {
|
|
// Edge runtime gets a slimmer init via the same DSN; the SDK auto-detects.
|
|
await import("./sentry.server.config");
|
|
}
|
|
}
|
|
|
|
// Capture unhandled promise rejections in Server Components / API routes and
|
|
// forward them through Sentry's hook. Loaded only on the server.
|
|
// Forward unhandled errors from Server Components / Route Handlers to Sentry.
|
|
// Loose typing so it tracks any captureRequestError signature change in
|
|
// @sentry/nextjs — observability code must not block real errors.
|
|
export const onRequestError = async (
|
|
err: unknown,
|
|
request: Parameters<typeof import("@sentry/nextjs").captureRequestError>[1],
|
|
context: Parameters<typeof import("@sentry/nextjs").captureRequestError>[2],
|
|
) => {
|
|
if (process.env.NEXT_RUNTIME !== "nodejs") return;
|
|
try {
|
|
const { captureRequestError } = await import("@sentry/nextjs");
|
|
await captureRequestError(err, request, context);
|
|
} catch {
|
|
/* never let observability swallow the original error */
|
|
}
|
|
};
|