getsentry · trevor-e · Jun 26, 2026 · Jun 16, 2026 · Jun 16, 2026 · Jun 17, 2026
@@ -1,4 +1,5 @@
 import type {Organization} from 'sentry/types/organization';
+import type {SeerExplorerRunId} from 'sentry/views/seerExplorer/types';
 
 export type SeerAnalyticsEventsParameters = {
   'ai_query.applied': {
@@ -142,7 +143,7 @@ export type SeerAnalyticsEventsParameters = {
     conversations_url: string | undefined;
     explorer_url: string | undefined;
     langfuse_url: string | undefined;
-    run_id: number | undefined;
+    run_id: SeerExplorerRunId | undefined;
     type: 'positive' | 'negative';
   };
   'seer.explorer.global_panel.opened': {
@@ -164,7 +165,7 @@ export type SeerAnalyticsEventsParameters = {
   };
   'seer.explorer.session_link_copied': Record<string, unknown>;
   'seer.explorer.timed_out': {
-    run_id: number | null;
+    run_id: SeerExplorerRunId | null;
   };
 };
 

@@ -31,7 +31,6 @@ function makeSession(
   overrides: Partial<NonNullable<SeerExplorerResponse['session']>> = {}
 ): NonNullable<SeerExplorerResponse['session']> {
   return {
-    run_id: 1,
     status: 'completed',
     updated_at: new Date().toISOString(),
     blocks: [],

@@ -11,7 +11,7 @@ import {trackAnalytics} from 'sentry/utils/analytics';
 import {useOrganization} from 'sentry/utils/useOrganization';
 import {useSessionStorage} from 'sentry/utils/useSessionStorage';
 import {getConversationsUrlForExternalUse} from 'sentry/views/explore/conversations/utils/urlParams';
-import type {Block} from 'sentry/views/seerExplorer/types';
+import type {Block, SeerExplorerRunId} from 'sentry/views/seerExplorer/types';
 import {getExplorerUrl, getLangfuseUrl} from 'sentry/views/seerExplorer/utils';
 
 import type {AssistantBlockProps} from './shared';
@@ -53,7 +53,11 @@ export function AssistantBlock({
   );
 }
 
-function useBlockFeedback(block: Block, blockIndex: number, runId: number | undefined) {
+function useBlockFeedback(
+  block: Block,
+  blockIndex: number,
+  runId: SeerExplorerRunId | undefined
+) {
   const organization = useOrganization();
   const [feedbackSubmitted, setFeedbackSubmitted] = useSessionStorage(
     `seer-explorer-feedback:run-${runId ?? 'null'}:block-${block.id}`,

@@ -3,7 +3,7 @@ import {motion} from 'framer-motion';
 import {Container} from '@sentry/scraps/layout';
 
 import {unreachable} from 'sentry/utils/unreachable';
-import type {Block} from 'sentry/views/seerExplorer/types';
+import type {Block, SeerExplorerRunId} from 'sentry/views/seerExplorer/types';
 
 import {AssistantBlock} from './assistant';
 import {ToolUseBlock} from './toolUse';
@@ -18,7 +18,7 @@ interface BlockProps {
   onClick?: () => void;
   readOnly?: boolean;
   ref?: React.Ref<HTMLDivElement>;
-  runId?: number;
+  runId?: SeerExplorerRunId;
   showThinking?: boolean;
 }
 

@@ -8,7 +8,7 @@ import {Link} from '@sentry/scraps/link';
 import {Markdown, type MarkdownProps} from '@sentry/scraps/markdown';
 import {Heading} from '@sentry/scraps/text';
 
-import type {Block} from 'sentry/views/seerExplorer/types';
+import type {Block, SeerExplorerRunId} from 'sentry/views/seerExplorer/types';
 
 interface BlockVariantProps {
   block: Block;
@@ -20,7 +20,7 @@ export interface AssistantBlockProps extends BlockVariantProps {
   blockIndex: number;
   interactionPending?: boolean;
   readOnly?: boolean;
-  runId?: number;
+  runId?: SeerExplorerRunId;
 }
 
 export interface ToolUseBlockProps extends BlockVariantProps {

@@ -7,6 +7,7 @@ import {trackAnalytics} from 'sentry/utils/analytics';
 import {useOrganization} from 'sentry/utils/useOrganization';
 import {ExplorerDrawerContent} from 'sentry/views/seerExplorer/components/drawer/explorerDrawerContent';
 import {useSeerExplorerChatDispatch} from 'sentry/views/seerExplorer/seerExplorerChatStateContext';
+import type {SeerExplorerRunId} from 'sentry/views/seerExplorer/types';
 import {isSeerExplorerEnabled, usePageReferrer} from 'sentry/views/seerExplorer/utils';
 
 const SEER_EXPLORER_DRAWER_KEY = 'seer-explorer-drawer';
@@ -21,7 +22,7 @@ export type OpenSeerExplorerDrawerOptions = {
    * Optional run ID to open. If provided, opens an existing session.
    * Cannot be used together with `startNewRun`.
    */
-  runId?: number;
+  runId?: SeerExplorerRunId;
   /**
    * If true, switches to a new session before opening.
    * Cannot be used together with `runId`.

@@ -7,6 +7,7 @@ import {Flex} from '@sentry/scraps/layout';
 import {LoadingIndicator} from 'sentry/components/loadingIndicator';
 import {IconSeer} from 'sentry/icons';
 import {t, tct} from 'sentry/locale';
+import type {SeerExplorerRunId} from 'sentry/views/seerExplorer/types';
 
 const SUGGESTED_QUESTIONS = [
   t('Which of my open issues are getting worse, not better?'),
@@ -19,7 +20,7 @@ interface EmptyStateProps {
   isError?: boolean;
   isLoading?: boolean;
   onSuggestionClick?: (question: string) => void;
-  runId?: number | null;
+  runId?: SeerExplorerRunId | null;
 }
 
 export function EmptyState({

@@ -26,7 +26,10 @@ import {
 import {t} from 'sentry/locale';
 import {useDebouncedValue} from 'sentry/utils/useDebouncedValue';
 import {useSeerExplorerSessionsQuery} from 'sentry/views/seerExplorer/seerExplorerSessionContext';
-import type {SeerExplorerSidebarPosition} from 'sentry/views/seerExplorer/types';
+import type {
+  SeerExplorerRunId,
+  SeerExplorerSidebarPosition,
+} from 'sentry/views/seerExplorer/types';
 
 const POSITION_ICON_DIRECTION = {
   auto: undefined,
@@ -44,7 +47,7 @@ const POSITION_ICON_DIRECTION = {
 interface SeerExplorerHeaderProps {
   isPipSupported: boolean;
   isPoppedOut: boolean;
-  onChangeSession: (runId: number) => void;
+  onChangeSession: (runId: SeerExplorerRunId) => void;
   onCopyLinkClick: (() => void) | undefined;
   onCopySessionClick: (() => void) | undefined;
   onNewChatClick: () => void;
@@ -92,7 +95,7 @@ export function SeerExplorerHeader({
     }
     return (
       data?.data.map(session => ({
-        value: session.run_id,
+        value: session.sentry_run_id ?? session.run_id,
         label: session.title,
         details: (
           <TimeSince

@@ -343,6 +343,43 @@ describe('useSeerExplorer', () => {
         expect(result.current.hasSentInterrupt).toBe(false);
       });
     });
+
+    it('URL-encodes the runId when building explorer-update URLs', async () => {
+      // A runId carrying path separators must be encoded so the same-origin
+      // POST can't traverse to another endpoint.
+      const maliciousRunId = '../../foo';
+      MockApiClient.addMockResponse({
+        url: `/organizations/${organization.slug}/seer/explorer-chat/..%2F..%2Ffoo/`,
+        method: 'GET',
+        body: {session: {blocks: [], status: 'processing'}},
+      });
+      const updateMock = MockApiClient.addMockResponse({
+        url: `/organizations/${organization.slug}/seer/explorer-update/..%2F..%2Ffoo/`,
+        method: 'POST',
+        body: {run_id: 123},
+      });
+
+      const {result} = renderHookWithProviders(() => useSeerExplorer(), {
+        organization,
+        additionalWrapper: SeerExplorerChatStateProvider,
+      });
+
+      act(() => {
+        result.current.switchToRun(maliciousRunId);
+      });
+
+      await waitFor(() => {
+        expect(result.current.runId).toBe(maliciousRunId);
+      });
+
+      act(() => {
+        result.current.interruptRun();
+      });
+
+      await waitFor(() => {
+        expect(updateMock).toHaveBeenCalled();
+      });
+    });
   });
 
   describe('Polling Logic', () => {

@@ -20,6 +20,7 @@ import type {
   Block,
   RepoPRState,
   SeerExplorerResponse,
+  SeerExplorerRunId,
 } from 'sentry/views/seerExplorer/types';
 import {
   isSeerExplorerEnabled,
@@ -30,12 +31,21 @@ import {
 type SeerExplorerChatResponse = {
   message: Block;
   run_id: number;
+  sentry_run_id?: string | null;
 };
 
 type SeerExplorerUpdateResponse = {
   run_id: number;
 };
 
+/**
+ * Build the explorer-update endpoint URL. `runId` can originate from an
+ * attacker-controlled `explorerRunId` deep link, so it must be encoded to
+ * prevent path traversal in the resulting same-origin POST.
+ */
+const makeExplorerUpdateUrl = (orgSlug: string, runId: SeerExplorerRunId | null) =>
+  `/organizations/${orgSlug}/seer/explorer-update/${encodeURIComponent(String(runId))}/`;
+
 /** Routes where the LLMContext tree provides structured page context. */
 const STRUCTURED_CONTEXT_ROUTES = new Set([
   '/dashboard/:dashboardId/',
@@ -101,7 +111,6 @@ const getOptimisticAssistantTexts = () => [
 
 const makeErrorSeerExplorerData = (errorMessage: string): SeerExplorerResponse => ({
   session: {
-    run_id: undefined,
     blocks: [
       {
         id: 'error',
@@ -170,7 +179,7 @@ export const useSeerExplorer = () => {
       overrideCtxEngEnable: boolean;
       pageName: string;
       query: string;
-      runId: number | null;
+      runId: SeerExplorerRunId | null;
       screenshot: string | undefined;
     }
   >({
@@ -209,8 +218,11 @@ export const useSeerExplorer = () => {
     },
     onSuccess: (response, params) => {
       if (params.runId === null) {
-        // set run ID if this is a new session
-        dispatch({type: 'set run id', payload: response.run_id});
+        // Prefer the UUID; fall back to the numeric run_id for legacy runs.
+        dispatch({
+          type: 'set run id',
+          payload: response.sentry_run_id ?? response.run_id,
+        });
       } else {
         // invalidate the query so fresh data is fetched
         queryClient.invalidateQueries({
@@ -237,13 +249,17 @@ export const useSeerExplorer = () => {
     },
   });
 
-  const {mutate: userInputMutate} = useMutation({
-    mutationFn: async (params: {
+  const {mutate: userInputMutate} = useMutation<
+    SeerExplorerUpdateResponse,
+    RequestError,
+    {
       inputId: string;
       orgSlug: string;
-      runId: number | null;
+      runId: SeerExplorerRunId | null;
       responseData?: Record<string, unknown>;
-    }) => {
+    }
+  >({
+    mutationFn: async params => {
       setHasSentInterrupt(false);
 
       // Set optimistic status and updated_at to prevent isPolling flicker on new message.
@@ -264,8 +280,8 @@ export const useSeerExplorer = () => {
               : prev
         );
       }
-      return fetchMutation<SeerExplorerUpdateResponse>({
-        url: `/organizations/${params.orgSlug}/seer/explorer-update/${params.runId}/`,
+      return fetchMutation({
+        url: makeExplorerUpdateUrl(params.orgSlug, params.runId),
         method: 'POST',
         data: {
           payload: {
@@ -305,7 +321,7 @@ export const useSeerExplorer = () => {
   const {mutate: createPRMutate} = useMutation<
     SeerExplorerUpdateResponse,
     RequestError,
-    {orgSlug: string; runId: number | null; repoName?: string}
+    {orgSlug: string; runId: SeerExplorerRunId | null; repoName?: string}
   >({
     mutationFn: async params => {
       setHasSentInterrupt(false);
@@ -329,7 +345,7 @@ export const useSeerExplorer = () => {
         );
       }
       return fetchMutation({
-        url: `/organizations/${params.orgSlug}/seer/explorer-update/${params.runId}/`,
+        url: makeExplorerUpdateUrl(params.orgSlug, params.runId),
         method: 'POST',
         data: {
           payload: {
@@ -363,13 +379,13 @@ export const useSeerExplorer = () => {
     RequestError,
     {
       orgSlug: string;
-      runId: number | null;
+      runId: SeerExplorerRunId | null;
     }
   >({
     mutationFn: async params => {
       setHasSentInterrupt(true);
       return fetchMutation({
-        url: `/organizations/${params.orgSlug}/seer/explorer-update/${params.runId}/`,
+        url: makeExplorerUpdateUrl(params.orgSlug, params.runId),
         method: 'POST',
         data: {
           payload: {
@@ -401,7 +417,7 @@ export const useSeerExplorer = () => {
 
   /** Switches to a different run and fetches its latest state. */
   const switchToRun = useCallback(
-    (newRunId: number | null, {onSuccess}: {onSuccess?: () => void} = {}) => {
+    (newRunId: SeerExplorerRunId | null, {onSuccess}: {onSuccess?: () => void} = {}) => {
       if (newRunId === runId) {
         return;
       }
@@ -432,7 +448,11 @@ export const useSeerExplorer = () => {
   );
 
   const sendMessage = useCallback(
-    (query: string, explicitInsertIndex?: number, explicitRunId?: number | null) => {
+    (
+      query: string,
+      explicitInsertIndex?: number,
+      explicitRunId?: SeerExplorerRunId | null
+    ) => {
       if (!orgSlug) {
         return;
       }
@@ -639,7 +659,6 @@ export const useSeerExplorer = () => {
     ];
 
     const baseSession = rawSessionData ?? {
-      run_id: runId ?? undefined,
       blocks: [],
       status: 'processing' as const,
       updated_at: new Date().toISOString(),

@@ -5,7 +5,10 @@ import {useApiQuery} from 'sentry/utils/queryClient';
 import {useOrganization} from 'sentry/utils/useOrganization';
 import {useTimeout} from 'sentry/utils/useTimeout';
 import type {PollingState} from 'sentry/views/seerExplorer/seerExplorerChatStateContext';
-import type {SeerExplorerResponse} from 'sentry/views/seerExplorer/types';
+import type {
+  SeerExplorerResponse,
+  SeerExplorerRunId,
+} from 'sentry/views/seerExplorer/types';
 import type {Block} from 'sentry/views/seerExplorer/types';
 import {
   isSeerExplorerEnabled,
@@ -36,7 +39,7 @@ const getTimestampAge = (updatedAt: string | undefined): number | null => {
 };
 
 const getPollingState = (
-  runId: number | null,
+  runId: SeerExplorerRunId | null,
   sessionData: SeerExplorerResponse['session'] | undefined,
   isError: boolean,
   errorStatusCode: number | undefined,
@@ -70,7 +73,7 @@ const getPollingState = (
  * Called exclusively by `SeerExplorerChatStateProvider`, which dispatches the
  * derived polling state into context for all consumers.
  */
-export const useSeerExplorerPolling = ({runId}: {runId: number | null}) => {
+export const useSeerExplorerPolling = ({runId}: {runId: SeerExplorerRunId | null}) => {
   const organization = useOrganization({allowNull: true});
   const orgSlug = organization?.slug;
   const errorPollCountRef = useRef(0);