Skip to content

fix(effect-sdk): decouple browser replay/session-metadata from ingest key#188

Open
Makisuo wants to merge 2 commits into
mainfrom
fix/effect-sdk-ingestkey-auth-only
Open

fix(effect-sdk): decouple browser replay/session-metadata from ingest key#188
Makisuo wants to merge 2 commits into
mainfrom
fix/effect-sdk-ingestkey-auth-only

Conversation

@Makisuo

@Makisuo Makisuo commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Problem

A customer fronts their telemetry with a self-hosted proxy that attaches the Maple ingest key server-side (to sidestep ad-blockers / privacy browsers), so they deliberately leave ingestKey unset in browser code. With @maple-dev/effect-sdk/client, traces flowed but session replay and session-metadata silently never started.

Root cause: the browser client SDK overloaded ingestKey presence to mean two unrelated things — "attach this Authorization header" and "is this feature enabled at all." Traces survived because OTLP export already omits the header when there's no key, but replay/metadata were hard-gated:

  • replay-loader.tsif (!config.ingestKey) return killed both replay and metadata.
  • standalone-session.tsif (!options.ingestKey) return killed metadata.

The sibling @maple-dev/browser SDK never gated on the key, so the asymmetry was specific to the Effect SDK.

Change

Make ingestKey auth-only in the browser client. Feature enablement is governed solely by the existing replay.enabled / emitSessionMeta options (both default true).

  • Shared transport (@maple/browser-session): ingestKey is now optional in ReplayEngineConfig, postSessionMetaRow, and ReplaySessionOptions; a new authHeaders helper attaches Authorization: Bearer … only when a key is set — otherwise the POST goes out headerless for the proxy to complete.
  • Effect client (replay-loader.ts, standalone-session.ts): removed the two ingest-key gates (kept the SSR and readSessionSink() guards).
  • MapleFlush.make (client): aligned with Maple.layer via an internal allowKeyless flag on buildResolved, so it exports keyless instead of no-op'ing, with a one-shot heads-up log.
  • Deliberately unchanged: the env-driven server and Cloudflare flushable presets keep their keyless no-op (they don't pass allowKeyless). @maple-dev/browser needs no change.
  • Docs: docstrings updated + a new "Auth via a proxy" section in the README.

For proxy users this removes the dummy-key workaround entirely: point endpoint at the proxy, leave ingestKey unset, and traces/logs/metrics/replay/metadata all POST without an Authorization header for the proxy to attach.

Test plan

  • @maple-dev/effect-sdk — vitest 73/73, tsc --noEmit clean, tsdown build clean.
  • @maple/browser-session — vitest 25/25, tsc --noEmit clean.
  • @maple-dev/browser — vitest 1/1, tsc --noEmit clean, build clean.
  • Rewrote the standalone-session "no key" test (SSR posts nothing; window + no key now posts, without an auth header), added a postSessionMetaRow header test (present when keyed, absent when keyless), and updated the MapleFlush client test to assert keyless export.

🤖 Generated with Claude Code


Open in Devin Review

… key

The browser client SDK overloaded `ingestKey` presence to mean both
"attach the Authorization header" and "is this feature enabled", so
leaving `ingestKey` unset (auth handled by a self-hosted proxy) silently
disabled session replay and session-metadata even though traces still
flowed through the proxy.

Make `ingestKey` auth-only: replay/metadata now run regardless of key
presence (gated solely by `replay.enabled` / `emitSessionMeta`), and every
session/replay POST attaches `Authorization` only when a key is set —
otherwise it goes out headerless for a proxy/gateway to complete, matching
how OTLP trace export already behaved. `MapleFlush.make` (client) is
aligned with `Maple.layer` via an internal `allowKeyless` flag; the
env-driven server and Cloudflare presets keep their existing keyless no-op.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@pullfrog

pullfrog Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Your LLM provider API key was rejected. Rotate the key in your provider dashboard, then update the matching GitHub Actions secret.

Update repo secret → · Model settings → · Setup docs → · Ask in Discord →

Pullfrog  | ⚠️ this action is pinned to a commit SHA, which freezes the cleanup step — switch to @v0 or keep the SHA fresh with Dependabot | Rerun failed job ➔View workflow run | via Pullfrog | Using Claude Opus𝕏

devin-ai-integration[bot]

This comment was marked as resolved.

…etups

Extends the ingest-key decouple to `@maple-dev/browser` so the proxy
pattern works there too (addresses PR review): `ingestKey` is now optional
and used only for the `Authorization` header. With no key, tracing and
replay still run — the OTLP trace exporter omits the auth header for a
proxy/gateway to complete, matching `@maple/browser-session`'s POSTs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant