fix(sandbox): Inject provider credentials without URL forwarding #371
Merged
cceb391 to 4908ed7
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 4908ed7.
Restore slashless Sentry API paths before the proxy calls upstream. Vercel Sandbox forwarding can deliver provider API paths without the trailing slash that Sentry expects, which made valid authenticated calls look like OAuth failures. Log the Sentry API path observed at the sandbox egress boundary before any credential verification or provider path restoration. This makes the forwarding behavior visible without recording query contents or credentials. Co-Authored-By: GPT-5 Codex <[email protected]>
4908ed7 to 6fba565
Use command-scoped Vercel Sandbox network policy transforms for active plugin provider credentials. This avoids routing provider API calls through forwardURL, so provider paths and trailing slashes stay intact. Clear credential transforms after each command and preserve the auth-required marker when a provider credential is unavailable. Co-Authored-By: GPT-5 Codex <[email protected]>
Keep egress proxy diagnostics on status, path, host, and provider metadata. Provider response bodies can contain user or service content, so do not attach previews to warning logs. Co-Authored-By: GPT-5 Codex <[email protected]>

Use Vercel Sandbox network policy header transforms for active plugin provider credentials instead of forwarding provider traffic through Junior. This keeps provider request URLs intact, including trailing slash-sensitive API paths, while still keeping real credentials out of the sandbox.
Command-scoped Credentials
Before each sandbox command, Junior issues a lease only for the active provider when that provider declares credentials or API headers, applies its header transforms to the sandbox network policy, and clears the transforms after command cleanup. If credentials are missing, bash returns the existing junior-auth-required ... marker so plugin OAuth can start.
Proxy Fallback
The forwarded egress proxy remains for existing forwarded traffic and diagnostic failures, but the Sentry-specific path repair and response-body logging are removed.
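
The command-scoped flow from the description above, as an added sketch that is not part of this pull request or of Junior's code. The `NetworkPolicy` class, `issueLease`, `runWithScopedCredentials`, the provider fields, the Bearer scheme and the sample host are all hypothetical, and the sketch assumes the command is not run when the credential is missing.

```javascript
// Added illustration: every name below is hypothetical, not Junior's or Vercel's API.
const AUTH_REQUIRED_PREFIX = "junior-auth-required"; // prefix from the page; the rest is elided there

// In-memory stand-in for a sandbox network policy with per-host header transforms.
class NetworkPolicy {
  constructor() { this.transforms = new Map(); }
  setHeaderTransforms(host, headers) { this.transforms.set(host, headers); }
  clearHeaderTransforms() { this.transforms.clear(); }
  // What upstream receives: URL untouched, headers merged in at the egress boundary.
  egress(url, headers = {}) {
    const extra = this.transforms.get(new URL(url).host) || {};
    return { url, headers: { ...headers, ...extra } };
  }
}

// Lease for the active provider only, and only if it declares credentials or API headers.
function issueLease(provider, vault) {
  if (!provider.declaresCredentials && !provider.apiHeaders) return null;
  const token = vault.get(provider.name);
  if (provider.declaresCredentials && !token) return { missing: true };
  const headers = { ...(provider.apiHeaders || {}) };
  if (provider.declaresCredentials) headers.Authorization = `Bearer ${token}`; // scheme assumed
  return { host: provider.host, headers };
}

// Apply the lease for exactly one command, then clear it even if the command throws.
function runWithScopedCredentials(policy, provider, vault, runCommand) {
  const lease = issueLease(provider, vault);
  if (lease && lease.missing) {
    // Assumption: the command is not run; the marker lets plugin OAuth start.
    return { exitCode: 1, stdout: AUTH_REQUIRED_PREFIX };
  }
  if (lease) policy.setHeaderTransforms(lease.host, lease.headers);
  try {
    return runCommand(policy);
  } finally {
    policy.clearHeaderTransforms();
  }
}

// Constructed sample data: a provider whose API path is trailing-slash sensitive.
const provider = { name: "example", host: "api.example.test", declaresCredentials: true };
const vault = new Map([["example", "constructed-token"]]);
const policy = new NetworkPolicy();
const result = runWithScopedCredentials(policy, provider, vault, (p) =>
  ({ exitCode: 0, upstream: p.egress("https://api.example.test/v1/items/") }));
console.log(result.upstream.url, Object.keys(result.upstream.headers), policy.transforms.size);
```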