From d7e9ff1ed49f5a297a04a3c1aa7b8e8f816b3bd8 Mon Sep 17 00:00:00 2001
From: Mariano
Date: Wed, 29 Apr 2026 17:20:57 -0400
Subject: [PATCH 1/2] fix(sentry): gate includeLocalVariables to non-production
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

includeLocalVariables uses Node's debugger inspector to attach every local variable in scope at the moment an error throws. In production that scope can include DB rows, auth tokens being validated, request bodies, and session state — far broader than sendDefaultPii. Off in prod, on in dev/test where the debugging value justifies the exposure.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
apps/app/sentry.server.config.ts | 4 +++-
apps/portal/sentry.server.config.ts | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/apps/app/sentry.server.config.ts b/apps/app/sentry.server.config.ts
index 092295b30a..1cbbf01598 100644
--- a/apps/app/sentry.server.config.ts
+++ b/apps/app/sentry.server.config.ts
@@ -11,7 +11,9 @@ Sentry.init({
 tracesSampleRate: process.env.NODE_ENV === 'development' ? 1.0 : 0.1,
- includeLocalVariables: true,
+ // Off in production: local variables in stack frames can expose request-scoped
+ // data (DB rows, auth tokens, request bodies) to Sentry payloads.
+ includeLocalVariables: process.env.NODE_ENV !== 'production',
 enableLogs: true,
diff --git a/apps/portal/sentry.server.config.ts b/apps/portal/sentry.server.config.ts
index 092295b30a..1cbbf01598 100644
--- a/apps/portal/sentry.server.config.ts
+++ b/apps/portal/sentry.server.config.ts
@@ -11,7 +11,9 @@ Sentry.init({
 tracesSampleRate: process.env.NODE_ENV === 'development' ? 1.0 : 0.1,
- includeLocalVariables: true,
+ // Off in production: local variables in stack frames can expose request-scoped
+ // data (DB rows, auth tokens, request bodies) to Sentry payloads.
+ includeLocalVariables: process.env.NODE_ENV !== 'production',
 enableLogs: true,
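Review bot: The new gate `process.env.NODE_ENV !== 'production'` fails open — any process where NODE_ENV is unset or carries another value (a staging or preview deployment, a worker started without it) gets includeLocalVariables enabled with exactly the exposure the commit message describes, even though the added comment and the message promise it is only "on in dev/test". The `tracesSampleRate` context line in the same hunk already uses the allowlist form `=== 'development'`, so gating this option the same way keeps the two consistent and makes the default off: `includeLocalVariables: process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test',`. If the deployment relies on the framework forcing NODE_ENV to 'production' at build time the window is narrower, but that is an assumption the config should not depend on. The same change applies to the apps/portal/sentry.server.config.ts hunk, and the enclosing `Sentry.init({` call begins before and ends after both hunks.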
From bece3c752dc6fbcb59071f4036c6863978f068c3 Mon Sep 17 00:00:00 2001
From: Mariano
Date: Wed, 29 Apr 2026 17:22:11 -0400
Subject: [PATCH 2/2] fix(sentry): drop sendDefaultPii now that replay unmask is the right knob
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

sendDefaultPii was originally added to make session replay text readable, but that's actually controlled by replayIntegration's maskAllText / blockAllMedia (handled in #2709). With replays already showing real text, the only thing sendDefaultPii adds is per-event IP addresses and User-Agent — useful triage signal but not worth the sub-processor data exposure for a compliance product. Errors still carry full stack traces, breadcrumbs, source-mapped frames, and replay context; only the IP/UA metadata layer goes away. Removing across all six init files (server, edge, client × app, portal).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
apps/app/sentry.edge.config.ts | 2 --
apps/app/sentry.server.config.ts | 2 --
apps/app/src/instrumentation-client.ts | 2 --
apps/portal/sentry.edge.config.ts | 2 --
apps/portal/sentry.server.config.ts | 2 --
apps/portal/src/instrumentation-client.ts | 2 --
6 files changed, 12 deletions(-)

diff --git a/apps/app/sentry.edge.config.ts b/apps/app/sentry.edge.config.ts
index ef68b306dd..e996f794ca 100644
--- a/apps/app/sentry.edge.config.ts
+++ b/apps/app/sentry.edge.config.ts
@@ -13,6 +13,4 @@ Sentry.init({
 tracesSampleRate: process.env.NODE_ENV === 'development' ? 1.0 : 0.1,
 enableLogs: true,
-
- sendDefaultPii: true,
 });
diff --git a/apps/app/sentry.server.config.ts b/apps/app/sentry.server.config.ts
index 1cbbf01598..6d9894dbca 100644
--- a/apps/app/sentry.server.config.ts
+++ b/apps/app/sentry.server.config.ts
@@ -16,6 +16,4 @@ Sentry.init({
 includeLocalVariables: process.env.NODE_ENV !== 'production',
 enableLogs: true,
-
- sendDefaultPii: true,
 });
diff --git a/apps/app/src/instrumentation-client.ts b/apps/app/src/instrumentation-client.ts
index 87ebf6c2e1..49774232c3 100644
--- a/apps/app/src/instrumentation-client.ts
+++ b/apps/app/src/instrumentation-client.ts
@@ -42,8 +42,6 @@ Sentry.init({
 // 10% of all sessions; 100% of sessions where an error occurs.
 replaysSessionSampleRate: 0.1,
 replaysOnErrorSampleRate: 1.0,
-
- sendDefaultPii: true,
 });
 export const onRouterTransitionStart = Sentry.captureRouterTransitionStart;
diff --git a/apps/portal/sentry.edge.config.ts b/apps/portal/sentry.edge.config.ts
index ef68b306dd..e996f794ca 100644
--- a/apps/portal/sentry.edge.config.ts
+++ b/apps/portal/sentry.edge.config.ts
@@ -13,6 +13,4 @@ Sentry.init({
 tracesSampleRate: process.env.NODE_ENV === 'development' ? 1.0 : 0.1,
 enableLogs: true,
-
- sendDefaultPii: true,
 });
diff --git a/apps/portal/sentry.server.config.ts b/apps/portal/sentry.server.config.ts
index 1cbbf01598..6d9894dbca 100644
--- a/apps/portal/sentry.server.config.ts
+++ b/apps/portal/sentry.server.config.ts
@@ -16,6 +16,4 @@ Sentry.init({
 includeLocalVariables: process.env.NODE_ENV !== 'production',
 enableLogs: true,
-
- sendDefaultPii: true,
 });
diff --git a/apps/portal/src/instrumentation-client.ts b/apps/portal/src/instrumentation-client.ts
index 7ec9adbca8..c265121a9b 100644
--- a/apps/portal/src/instrumentation-client.ts
+++ b/apps/portal/src/instrumentation-client.ts
@@ -27,8 +27,6 @@ Sentry.init({
 // 10% of all sessions; 100% of sessions where an error occurs.
 replaysSessionSampleRate: 0.1,
 replaysOnErrorSampleRate: 1.0,
-
- sendDefaultPii: true,
 });
 export const onRouterTransitionStart = Sentry.captureRouterTransitionStart;