feat(obs): trust-gate at 100% — every /api/* route propagates request IDs #174
Merged
operatoruplift merged 1 commit into master (Apr 27, 2026)
The final 3 routes adopt the apiHelpers pattern. Trust-gate now reports
44/44 route files import @/lib/apiHelpers and all call withRequestMeta.
| Route | What it does |
|---|---|
| app/api/tools/tokens/route.ts | Tokens API (search, resolve, asset, price, risk, markets) |
| app/api/subscription/route.ts | Subscription GET + POST (create_invoice, dev_simulate, confirm) |
| app/api/webhooks/photon/route.ts | iMessage webhook receiver (signature-verified, idempotent) |
## Notable
### subscription
Already had a hand-rolled requestId + startedAt + X-Request-Id pattern
identical in shape to withRequestMeta. Replaced the local newRequestId()
function and the manual header construction with the helper. Behavior
identical; structured logs share a single `route` taxonomy.
### webhooks/photon
The webhook receiver had no request-id propagation; every response
just returned `{ ok: true, ... }`. Added meta.headers to all 7
response paths (signature-fail, parse-fail, no-supabase, duplicate,
insert-error, success, GET-health-probe) and included requestId in
each body. Spectrum's webhook retry can now correlate to the server
log line.
### tools/tokens
Tier-1 tokens lookup tool. Already had a clean honest demo-mode 403
guard from earlier session work; this PR standardizes the error
envelope (errorClass, requestId, timestamp, nextAction) and adds
X-Request-Id to every response.
## Trust-gate journey
11/44 (25%) -> 16/44 -> 21/44 -> 26/44 -> 30/44 -> 33/44 -> 37/44 ->
41/44 -> 44/44 (100%) across PRs #167-#173 plus this one.
## Verified
- pnpm exec tsc --noEmit: clean
- pnpm check: 3 passed, 0 failed
- trust-gate: 44/44 route files (100%)
## Rollback
Single git revert. 3 files.
operatoruplift added a commit that referenced this pull request, Apr 27, 2026:
#183) The middleware was a hidden gap in the trust-gate contract. Source trust-gate (#167-#174) confirmed every route file imports withRequestMeta. But the middleware in middleware.ts intercepts every /api/* request first, and its 401 "Authentication required" response went out without an X-Request-Id header. Two changes:

## middleware.ts
- Mints `req_<uuid>` if the incoming request doesn't already carry an X-Request-Id, otherwise propagates.
- Attaches the ID to:
  - the 401 unauthorized response (status, body envelope, header)
  - every pass-through (forwarded as a request header so the route handler's `withRequestMeta` reads the same value)
- The 401 body now also carries `requestId` and `timestamp` to match the canonical envelope shape.

## tests/e2e/request-id-runtime.spec.ts (new)
- 16 probes against representative endpoints, all four response shapes (200 success, 401 middleware-block, 400/410/403 handler envelopes).
- Each asserts `X-Request-Id` is present and matches `^req_[0-9a-f-]+`.
- Picked endpoints to cover: public (capabilities, providers, sns.resolve, health.adapters, health.llm, waitlist, auth.login), auth-gated (whoami, dashboard.stats, receipts.public-key, subscription, x402, tools.web, tools.notes, access.check, risk).

## .github/workflows/ci.yml
- request-id-runtime.spec.ts joins the hermetic spec list, so a middleware regression that drops the header fails CI before merge.

Trust-gate is now enforced at BOTH layers: source (every route file imports the helper) and runtime (every response carries the header).

## Verified
- pnpm exec tsc --noEmit: clean
- pnpm check: 3 passed, 0 failed
- pnpm exec playwright test request-id-runtime.spec.ts: 16/16 pass

## Rollback
Single git revert. Three files.
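As an added illustration (not code from the repository), here is the request-id flow that both the PR description above and the #183 commit message describe, modelled on the names the page uses: a withRequestMeta-style helper, the canonical error envelope (errorClass, requestId, timestamp, nextAction), the middleware mint-or-propagate step with its 401 block, and a route handler that reads the forwarded header so one id survives end to end. The shape check on inbound ids, the `unauthorized` errorClass value, the nextAction text and the plain-object request/response types are assumptions of this example, not the project's.

```typescript
import { randomUUID } from "node:crypto";

// Shape that the #183 runtime spec asserts on every response header.
export const REQUEST_ID_RE = /^req_[0-9a-f-]+$/;

export interface RequestMeta { route: string; requestId: string; startedAt: number; headers: Record<string, string> }

// Propagate a caller-supplied id only if it is well-formed; otherwise mint req_<uuid>.
// The shape check is this example's hardening assumption, not stated in the commit: it keeps
// an attacker-chosen header value (e.g. embedded newlines) out of structured logs and headers.
export function resolveRequestId(incoming?: string | null): string {
  return incoming && REQUEST_ID_RE.test(incoming) ? incoming : `req_${randomUUID()}`;
}

// Stand-in for the page's withRequestMeta: one id, a start time, and headers for every response.
export function withRequestMeta(route: string, incoming?: string | null): RequestMeta {
  const requestId = resolveRequestId(incoming);
  return { route, requestId, startedAt: Date.now(), headers: { "X-Request-Id": requestId } };
}

// Canonical error envelope: errorClass, requestId, timestamp, nextAction.
export function errorEnvelope(meta: RequestMeta, errorClass: string, error: string, nextAction: string) {
  return { ok: false as const, errorClass, error, requestId: meta.requestId,
           timestamp: new Date(meta.startedAt).toISOString(), nextAction };
}

export interface IncomingRequest { path: string; headers: Record<string, string>; authenticated: boolean }
export type MiddlewareOutcome =
  | { kind: "block"; status: 401; headers: Record<string, string>; body: ReturnType<typeof errorEnvelope> }
  | { kind: "pass"; forwardedHeaders: Record<string, string> };

// Middleware runs before any /api/* handler. Incoming header keys are assumed lowercased.
export function middleware(req: IncomingRequest): MiddlewareOutcome {
  const meta = withRequestMeta("middleware", req.headers["x-request-id"]);
  if (req.path.startsWith("/api/") && !req.authenticated) {
    // 401 carries the id in status line context, body envelope and header alike.
    const body = errorEnvelope(meta, "unauthorized", "Authentication required", "retry with credentials");
    return { kind: "block", status: 401, headers: meta.headers, body };
  }
  // Forward the id as a request header so the handler's withRequestMeta reads the same value.
  return { kind: "pass", forwardedHeaders: { ...req.headers, "x-request-id": meta.requestId } };
}

// A route handler adopting the pattern: the forwarded id is surfaced in header and body.
export function handler(forwarded: Record<string, string>) {
  const meta = withRequestMeta("api/subscription", forwarded["x-request-id"]);
  return { status: 200, headers: meta.headers, body: { ok: true, requestId: meta.requestId } };
}
```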