fix(router): forward project credentials to sentry-bound workers#1259
Merged
zbigniewsobiecki merged 1 commit intodevfrom May 6, 2026
Merged
fix(router): forward project credentials to sentry-bound workers#1259zbigniewsobiecki merged 1 commit intodevfrom
zbigniewsobiecki merged 1 commit intodevfrom
Conversation
`extractProjectIdFromJob` had no `sentry` branch, so sentry jobs hit the `return null` fall-through and `buildWorkerEnvWithProjectId` skipped credential loading entirely (the `if (projectId)` gate). Worker spawned without `CASCADE_CREDENTIAL_KEYS`, the in-worker resolver auto-selector fell back to `DbCredentialResolver`, hit an encrypted row, and crashed with "CREDENTIAL_MASTER_KEY is not set" — workers intentionally don't have the master key. This was the first sentry-bound agent run in prod (cascade project, 2026-05-06 12:48 UTC). The router pipeline succeeded end-to-end; only the worker boot failed. Add the `sentry` branch (sentry jobs carry `projectId` directly per `SentryJob.projectId`) and pin the regression in the worker-env unit test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
extractProjectIdFromJobhad nosentrybranch — sentry jobs hit thereturn nullfall-through, sobuildWorkerEnvWithProjectIdskipped credential loading entirely (theif (projectId)gate atworker-env.ts:133). The worker spawned withoutCASCADE_CREDENTIAL_KEYS, the in-worker resolver auto-selector atsrc/config/provider.ts:164-179fell back toDbCredentialResolver, hit an encrypted Trello row, and crashed withCredential is encrypted but CREDENTIAL_MASTER_KEY is not set— workers intentionally don't carry the master key (seeworker-env.ts:132).Why this surfaced now
This was the first sentry-bound agent run in prod (cascade project, 2026-05-06 12:48 UTC). Router pipeline succeeded end-to-end (webhook parsed →
SentryIssueAlertTriggermatched → BullMQ queued → worker spawned). Only the worker boot failed, with[WorkerManager] Spawning worker: hasCredentials: falsethenWorker exited: statusCode: 1, oomKilled: false, durationMs: 2622.Fix
One-line branch in
extractProjectIdFromJobreturningjobData.projectIdfor sentry jobs (SentryJob.projectIdis already populated bySentryRouterAdapter.buildJob).Test plan
tests/unit/router/worker-env.test.ts— fails onmain, passes after fixnpm test— all 8794 unit tests passnpm run typecheckcleannpm run lintclean (no new warnings)cascade runs list --project cascade --agent alertingshows a non-crashed runFollow-ups (not in this PR)
jobIdso this class of failure has a non-Sentry trail.🤖 Generated with Claude Code