fix(effect-sdk): decouple browser replay/session-metadata from ingest key#188
Open
Makisuo wants to merge 2 commits into
Open
fix(effect-sdk): decouple browser replay/session-metadata from ingest key#188Makisuo wants to merge 2 commits into
Makisuo wants to merge 2 commits into
Conversation
… key The browser client SDK overloaded `ingestKey` presence to mean both "attach the Authorization header" and "is this feature enabled", so leaving `ingestKey` unset (auth handled by a self-hosted proxy) silently disabled session replay and session-metadata even though traces still flowed through the proxy. Make `ingestKey` auth-only: replay/metadata now run regardless of key presence (gated solely by `replay.enabled` / `emitSessionMeta`), and every session/replay POST attaches `Authorization` only when a key is set — otherwise it goes out headerless for a proxy/gateway to complete, matching how OTLP trace export already behaved. `MapleFlush.make` (client) is aligned with `Maple.layer` via an internal `allowKeyless` flag; the env-driven server and Cloudflare presets keep their existing keyless no-op. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Contributor
|
Your LLM provider API key was rejected. Rotate the key in your provider dashboard, then update the matching GitHub Actions secret. Update repo secret → · Model settings → · Setup docs → · Ask in Discord →
|
…etups Extends the ingest-key decouple to `@maple-dev/browser` so the proxy pattern works there too (addresses PR review): `ingestKey` is now optional and used only for the `Authorization` header. With no key, tracing and replay still run — the OTLP trace exporter omits the auth header for a proxy/gateway to complete, matching `@maple/browser-session`'s POSTs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

Problem
A customer fronts their telemetry with a self-hosted proxy that attaches the Maple ingest key server-side (to sidestep ad-blockers / privacy browsers), so they deliberately leave
ingestKeyunset in browser code. With@maple-dev/effect-sdk/client, traces flowed but session replay and session-metadata silently never started.Root cause: the browser client SDK overloaded
ingestKeypresence to mean two unrelated things — "attach thisAuthorizationheader" and "is this feature enabled at all." Traces survived because OTLP export already omits the header when there's no key, but replay/metadata were hard-gated:replay-loader.ts—if (!config.ingestKey) returnkilled both replay and metadata.standalone-session.ts—if (!options.ingestKey) returnkilled metadata.The sibling
@maple-dev/browserSDK never gated on the key, so the asymmetry was specific to the Effect SDK.Change
Make
ingestKeyauth-only in the browser client. Feature enablement is governed solely by the existingreplay.enabled/emitSessionMetaoptions (both defaulttrue).@maple/browser-session):ingestKeyis now optional inReplayEngineConfig,postSessionMetaRow, andReplaySessionOptions; a newauthHeadershelper attachesAuthorization: Bearer …only when a key is set — otherwise the POST goes out headerless for the proxy to complete.replay-loader.ts,standalone-session.ts): removed the two ingest-key gates (kept the SSR andreadSessionSink()guards).MapleFlush.make(client): aligned withMaple.layervia an internalallowKeylessflag onbuildResolved, so it exports keyless instead of no-op'ing, with a one-shot heads-up log.allowKeyless).@maple-dev/browserneeds no change.For proxy users this removes the dummy-key workaround entirely: point
endpointat the proxy, leaveingestKeyunset, and traces/logs/metrics/replay/metadata all POST without anAuthorizationheader for the proxy to attach.Test plan
@maple-dev/effect-sdk— vitest73/73,tsc --noEmitclean,tsdownbuild clean.@maple/browser-session— vitest25/25,tsc --noEmitclean.@maple-dev/browser— vitest1/1,tsc --noEmitclean, build clean.postSessionMetaRowheader test (present when keyed, absent when keyless), and updated theMapleFlushclient test to assert keyless export.🤖 Generated with Claude Code