feat: HTTP Observability with Network Tab DevTools-style Inspector #199
Conversation
betterclever
force-pushed
the
betterclever/http-observability
branch
2 times, most recently
from
9874736 to
34813e3
Compare
betterclever
changed the title
betterclever
force-pushed
the
betterclever/http-observability
branch
from
34813e3 to
9dea811
Compare
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9dea811d36
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| const headers = maskHeaders(headersToHar(request.headers), sensitiveHeaders); | ||
| const queryString = parseQueryString(request.url); | ||
|
|
There was a problem hiding this comment.
buildHarRequest only masks headers but captures request.url and queryString verbatim, so any API key or token placed in query parameters (e.g., ?token=..., presigned URLs) will be persisted in trace data and surfaced in the Network panel without redaction. This leaks secrets in environments where query-string auth is used; consider masking query values using the same sensitive list (or a dedicated allowlist) before recording.
Useful? React with 👍 / 👎.
| const sensitiveHeaders = options.sensitiveHeaders ?? DEFAULT_SENSITIVE_HEADERS; | ||
| const maxBodySize = options.maxResponseBodySize ?? DEFAULT_MAX_RESPONSE_BODY_SIZE; | ||
| const rawBody = await response.text(); | ||
| const { text } = truncateBody(rawBody, maxBodySize); |
There was a problem hiding this comment.
buildHarResponse calls response.text() and only then truncates to maxResponseBodySize, which still reads the entire response into memory. For large downloads or streaming responses, this defeats the size limit and can cause significant memory/latency overhead; consider streaming and stopping once the max size is reached.
Useful? React with 👍 / 👎.
- Add comprehensive spec for HTTP request/response tracing - Defines phased implementation plan (9 phases) - Uses standard HAR 1.2 format for DevTools compatibility - Adds @types/har-format dependency to component-sdk Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
…ling - Add http-observability.test.ts with 3 E2E tests validating HAR capture - Test HTTP request/response tracing with full HAR data - Test HTTP error (404) capture in HAR - Test multiple sequential HTTP requests with unique correlation IDs - Fix node: prefixed imports for Webpack compatibility in Temporal bundles - Change diagnostics_channel, crypto, perf_hooks imports to non-prefixed Signed-off-by: betterclever <[email protected]>
…ection - Add NetworkPanel component displaying all HTTP requests made by components - Show request list grouped by host with method, status, path, and duration - Request detail view with tabs: Headers, Payload, Response, Timing - Timing waterfall visualization matching HAR format (blocked, DNS, connect, SSL, send, wait, receive) - Color-coded HTTP methods (GET=green, POST=blue, PUT=amber, DELETE=red, PATCH=purple) - Color-coded status codes (2xx=green, 3xx=blue, 4xx=amber, 5xx=red) - Copy-to-clipboard for header values - JSON response body formatting - Filter by selected node from timeline - Add 'network' to inspector tab options in workflowUiStore Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
Signed-off-by: betterclever <[email protected]>
- Mask sensitive query parameters in HAR requests (P1) - Added DEFAULT_SENSITIVE_QUERY_PARAMS list with common secret param names - Added maskQueryParams and maskUrlQueryParams functions - Both queryString and URL are now masked before storing - Use streaming for response body capture (P2) - Updated buildHarResponse to use ReadableStream when available - Stops reading once maxResponseBodySize is reached - Falls back to response.text() for responses without body stream - Added 'body' property to HttpResponseLike interface Signed-off-by: betterclever <[email protected]>
betterclever
force-pushed
the
betterclever/http-observability
branch
from
b0b6097 to
4c71b03
Compare
Summary
This PR implements full HTTP observability for workflow executions, allowing users to inspect all HTTP requests made by components in a browser DevTools-style Network tab.
What's Included
1. HTTP Instrumentation Layer (
@shipsec/component-sdk)HTTP_REQUEST_SENT,HTTP_RESPONSE_RECEIVED,HTTP_REQUEST_ERRORevent types2. Component SDK Integration
context.http.fetch()method available to all componentstoCurl()helper for debugging3. Component Migration
Components now using instrumented HTTP:
core/http-request- Generic HTTP Request componentsecurity/abuseipdb- AbuseIPDB IP reputation checkssecurity/virustotal- VirusTotal malware scanningsecurity/atlassian-offboarding- Atlassian user offboardingnotification/slack- Slack webhook/API notificationsgithub/remove-org-membership- GitHub org membership managementai/ai-agent- MCP tool invocations4. Frontend Network Tab
Testing
Breaking Changes
None. The
context.http.fetch()method is additive and existing components continue to work.