@sentry/junior 0.32.0 → 0.34.0

package/dist/app.js

@@ -3,7 +3,7 @@ import {
   findSkillByName,
   loadSkillsByName,
   parseSkillInvocation
-} from "./chunk-EHXMTKBA.js";
+} from "./chunk-LAD5O3RX.js";
 import {
   GEN_AI_PROVIDER_NAME,
   MISSING_GATEWAY_CREDENTIALS_ERROR,
@@ -30,7 +30,7 @@ import {
   runNonInteractiveCommand,
   sandboxSkillDir,
   sandboxSkillFile
-} from "./chunk-3M7ZD6FF.js";
+} from "./chunk-HZIJ4BSE.js";
 import {
   CredentialUnavailableError,
   buildOAuthTokenRequest,
@@ -53,6 +53,7 @@ import {
   logException,
   logInfo,
   logWarn,
+  mergeHeaderTransforms,
   parseOAuthTokenResponse,
   resolveAuthTokenPlaceholder,
   resolveErrorReference,
@@ -64,7 +65,7 @@ import {
   toOptionalString,
   withContext,
   withSpan
-} from "./chunk-XARRBRQV.js";
+} from "./chunk-QZRPUFO6.js";
 import "./chunk-Z3YD6NHK.js";
 import {
   discoverInstalledPluginPackageContent,
@@ -1131,7 +1132,6 @@ async function postSlackMessage(input) {
     () => getSlackClient().chat.postMessage({
       channel: channelId,
       text,
-      mrkdwn: true,
       ...input.blocks?.length ? {
         blocks: input.blocks
       } : {},
@@ -3134,11 +3134,11 @@ function buildBehaviorSection() {
   ].join("\n\n");
 }
 function buildOutputSection() {
-  const openTag = `<output format="slack-mrkdwn" max_inline_chars="${slackOutputPolicy.maxInlineChars}" max_inline_lines="${slackOutputPolicy.maxInlineLines}">`;
+  const openTag = `<output format="slack-markdown" max_inline_chars="${slackOutputPolicy.maxInlineChars}" max_inline_lines="${slackOutputPolicy.maxInlineLines}">`;
   return [
     openTag,
     "- Start with the answer or result, not internal process narration.",
-    "- Use Slack-friendly mrkdwn: bolded section labels instead of headings, no markdown tables or markdown links, and plain URLs.",
+    "- Use Slack-flavored Markdown: **bold** section labels, `code`, [text](url) links, bullet lists, and fenced code blocks. No tables. When the answer primarily lists several URLs, show each URL bare instead of as a labeled link.",
     "- Keep replies brief and scannable; use bullets or short code blocks when helpful, and one compact thread reply when it fits.",
     "- When a research or document-style answer would benefit from continuation, multiple sections, or future reference value, create a Slack canvas and keep the thread reply to one or two short sentences plus the link; do not recap the canvas contents.",
     "- Unless a successful Slack side-effect tool intentionally satisfied the request by itself, end every turn with a final user-facing markdown response.",
@@ -3367,7 +3367,7 @@ var SkillCapabilityRuntime = class {
       throw new Error("Credential enablement requires requester context");
     }
     const plugin = getPluginDefinition(provider);
-    if (!plugin?.manifest.credentials) {
+    if (!plugin?.manifest.credentials && !plugin?.manifest.apiHeaders) {
       return void 0;
     }
     const existing = this.enabledByProvider.get(provider);
@@ -3499,19 +3499,22 @@ var TestCredentialBroker = class {
   async issue(input) {
     const token = process.env.EVAL_TEST_CREDENTIAL_TOKEN?.trim() || "eval-test-token";
     const expiresAt = new Date(Date.now() + 5 * 60 * 1e3).toISOString();
+    const env = this.config.envKey && this.config.placeholder ? { [this.config.envKey]: this.config.placeholder } : {};
+    const tokenTransforms = this.config.domains?.map((domain) => ({
+      domain,
+      headers: {
+        ...this.config.apiHeaders ?? {},
+        Authorization: `Bearer ${token}`
+      }
+    })) ?? [];
     return {
       id: randomUUID2(),
       provider: this.config.provider,
-      env: {
-        [this.config.envKey]: this.config.placeholder
-      },
-      headerTransforms: this.config.domains.map((domain) => ({
-        domain,
-        headers: {
-          ...this.config.apiHeaders ?? {},
-          Authorization: `Bearer ${token}`
-        }
-      })),
+      env,
+      headerTransforms: mergeHeaderTransforms([
+        ...this.config.headerTransforms?.() ?? [],
+        ...tokenTransforms
+      ]),
       expiresAt,
       metadata: {
         reason: input.reason
@@ -3521,24 +3524,50 @@ var TestCredentialBroker = class {
 };
 
 // src/chat/capabilities/factory.ts
+var ENV_PLACEHOLDER_RE = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
 function createUserTokenStore() {
   return new StateAdapterTokenStore(getStateAdapter());
 }
+function resolveTestApiHeaderTransforms(manifest) {
+  const { apiDomains, apiHeaders } = manifest;
+  if (!apiDomains || !apiHeaders) {
+    return [];
+  }
+  const headers = Object.fromEntries(
+    Object.entries(apiHeaders).map(([key, value]) => [
+      key,
+      value.replace(ENV_PLACEHOLDER_RE, (_match, name) => {
+        return `eval-test-${String(name).toLowerCase().replaceAll("_", "-")}`;
+      })
+    ])
+  );
+  return apiDomains.map((domain) => ({ domain, headers }));
+}
 function createSkillCapabilityRuntime(options = {}) {
   logCapabilityCatalogLoadedOnce();
   const useTestBroker = process.env.EVAL_ENABLE_TEST_CREDENTIALS === "1";
   const userTokenStore = createUserTokenStore();
   const brokersByProvider = {};
   for (const plugin of getPluginProviders()) {
-    const { credentials, name } = plugin.manifest;
+    const { apiHeaders, credentials, name } = plugin.manifest;
+    if (!credentials && !apiHeaders) {
+      continue;
+    }
     if (!credentials) {
+      brokersByProvider[name] = useTestBroker ? new TestCredentialBroker({
+        provider: name,
+        headerTransforms: () => resolveTestApiHeaderTransforms(plugin.manifest)
+      }) : createPluginBroker(name, { userTokenStore });
       continue;
     }
     const placeholder = resolveAuthTokenPlaceholder(credentials);
     brokersByProvider[name] = useTestBroker ? new TestCredentialBroker({
       provider: name,
       domains: credentials.apiDomains,
-      apiHeaders: credentials.apiHeaders,
+      ...credentials.apiHeaders ? { apiHeaders: credentials.apiHeaders } : {},
+      ...apiHeaders ? {
+        headerTransforms: () => resolveTestApiHeaderTransforms(plugin.manifest)
+      } : {},
       envKey: credentials.authTokenEnv,
       placeholder
     }) : createPluginBroker(name, { userTokenStore });
@@ -4109,7 +4138,6 @@ var PluginMcpClient = class {
         setSpanAttributes({
           "mcp.method.name": MCP_TOOLS_CALL_METHOD,
           "gen_ai.operation.name": "execute_tool",
-          "gen_ai.tool.name": name,
           ...this.transport?.sessionId ? { "mcp.session.id": this.transport.sessionId } : {},
           ...this.transport?.protocolVersion ? { "mcp.protocol.version": this.transport.protocolVersion } : {},
           ...getMcpNetworkAttributes(url)
@@ -4459,7 +4487,6 @@ var McpToolManager = class {
       execute: async (args) => {
         const resolvedArgs = typeof args === "object" && args !== null ? args : {};
         const baseAttributes = {
-          "gen_ai.tool.name": tool2.name,
           "mcp.method.name": "tools/call"
         };
         setSpanAttributes(baseAttributes);
@@ -8753,12 +8780,6 @@ function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor
     execute: async (toolCallId, params) => {
       const normalizedToolCallId = typeof toolCallId === "string" && toolCallId.length > 0 ? toolCallId : void 0;
       const toolArgumentsAttribute = serializeGenAiAttribute(params);
-      const traceToolContext = {
-        ...spanContext,
-        conversationId: spanContext.conversationId,
-        turnId: spanContext.turnId,
-        agentId: spanContext.agentId
-      };
       if (toolName === "reportProgress") {
         const status = buildReportedProgressStatus(params);
         if (status) {
@@ -8813,9 +8834,8 @@ function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor
                 details: normalized.details
               });
             }
-            const toolResultAttribute = serializeGenAiAttribute(
-              normalized.details
-            );
+            const resultAttributeValue = normalized.details && typeof normalized.details === "object" && "rawResult" in normalized.details && normalized.details.rawResult !== void 0 ? normalized.details.rawResult : normalized.details;
+            const toolResultAttribute = serializeGenAiAttribute(resultAttributeValue);
             if (toolResultAttribute) {
               setSpanAttributes({
                 "gen_ai.tool.call.result": toolResultAttribute
@@ -8831,7 +8851,7 @@ function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor
               toolName,
               normalizedToolCallId,
               shouldTrace,
-              traceToolContext
+              spanContext
             );
           }
         },
@@ -9889,13 +9909,17 @@ function commandTargetsProvider(provider, command, details) {
   }
   const plugin = getPluginDefinition(provider);
   const candidates = /* @__PURE__ */ new Set([provider.toLowerCase()]);
-  const credentials = plugin?.manifest.credentials;
+  const manifest = plugin?.manifest;
+  const credentials = manifest?.credentials;
   if (credentials) {
     candidates.add(credentials.authTokenEnv.toLowerCase());
     for (const domain of credentials.apiDomains) {
       candidates.add(domain.toLowerCase());
     }
   }
+  for (const domain of manifest?.apiDomains ?? []) {
+    candidates.add(domain.toLowerCase());
+  }
   const combinedText = `${normalizedCommand}
 ${details.stdout?.toLowerCase() ?? ""}
 ${details.stderr?.toLowerCase() ?? ""}`;
@@ -11230,25 +11254,25 @@ function buildSlackReplyFooter(args) {
   return items.length > 0 ? { items } : void 0;
 }
 function buildSlackReplyBlocks(text, footer) {
-  if (!text.trim() || !footer?.items.length) {
+  if (!text.trim()) {
     return void 0;
   }
-  return [
-    {
-      type: "section",
-      text: {
-        type: "mrkdwn",
-        text
-      }
-    },
+  const blocks = [
     {
+      type: "markdown",
+      text
+    }
+  ];
+  if (footer?.items.length) {
+    blocks.push({
       type: "context",
       elements: footer.items.map((item) => ({
         type: "mrkdwn",
         text: `*${escapeSlackMrkdwn(item.label)}:* ${escapeSlackMrkdwn(item.value)}`
       }))
-    }
-  ];
+    });
+  }
+  return blocks;
 }
 
 // src/chat/slack/reply.ts
@@ -11372,11 +11396,13 @@ async function postSlackApiReplyPosts(args) {
     let messageTs;
     try {
       if (post.text.trim().length > 0) {
+        const footer = index === lastTextPostIndex ? args.footer : void 0;
+        const blocks = buildSlackReplyBlocks(post.text, footer);
         const response = await postSlackMessage({
           channelId: args.channelId,
           threadTs: args.threadTs,
           text: post.text,
-          ...index === lastTextPostIndex && args.footer ? { blocks: buildSlackReplyBlocks(post.text, args.footer) } : {}
+          ...blocks ? { blocks } : {}
         });
         messageTs = response.ts;
         lastPostedMessageTs = response.ts;
@@ -13484,6 +13510,7 @@ function buildFailureMessage(reference) {
 }
 function buildLogContext(deps, args) {
   return {
+    conversationId: args.threadId ?? args.runId,
     slackThreadId: args.threadId,
     slackUserId: args.requesterId,
     slackUserName: args.requesterUserName,
@@ -13608,78 +13635,6 @@ function createSlackTurnRuntime(deps) {
         const threadId = deps.getThreadId(thread, message);
         const channelId = deps.getChannelId(thread, message);
         const runId = deps.getRunId(thread, message);
-        const rawUserText = message.text;
-        const userText = deps.stripLeadingBotMention(rawUserText, {
-          stripLeadingSlackMentionToken: Boolean(message.isMention)
-        });
-        const context = {
-          threadId,
-          requesterId: message.author.userId,
-          channelId,
-          runId
-        };
-        const preflightDecision = getSubscribedReplyPreflightDecision({
-          botUserName: deps.assistantUserName,
-          rawText: rawUserText,
-          text: userText,
-          isExplicitMention: Boolean(message.isMention)
-        });
-        if (preflightDecision && !preflightDecision.shouldReply) {
-          const reason = preflightDecision.reasonDetail ? `${preflightDecision.reason}:${preflightDecision.reasonDetail}` : preflightDecision.reason;
-          await skipSubscribedMessage({
-            thread,
-            message,
-            decision: { shouldReply: false, reason },
-            context,
-            userText
-          });
-          return;
-        }
-        const preparedState = await deps.prepareTurnState({
-          thread,
-          message,
-          userText,
-          explicitMention: Boolean(message.isMention),
-          context
-        });
-        await deps.persistPreparedState({
-          thread,
-          preparedState
-        });
-        const decision = await deps.decideSubscribedReply({
-          rawText: rawUserText,
-          text: userText,
-          conversationContext: deps.getPreparedConversationContext(preparedState),
-          hasAttachments: message.attachments.length > 0,
-          isExplicitMention: Boolean(message.isMention),
-          context
-        });
-        if (await maybeHandleThreadOptOutDecision({
-          thread,
-          decision,
-          beforeFirstResponsePost: hooks?.beforeFirstResponsePost
-        })) {
-          await skipSubscribedMessage({
-            thread,
-            message,
-            decision,
-            context,
-            preparedState,
-            userText
-          });
-          return;
-        }
-        if (!decision.shouldReply) {
-          await skipSubscribedMessage({
-            thread,
-            message,
-            decision,
-            context,
-            preparedState,
-            userText
-          });
-          return;
-        }
         await deps.withSpan(
           "chat.turn",
           "chat.turn",
@@ -13691,6 +13646,78 @@ function createSlackTurnRuntime(deps) {
             runId
           }),
           async () => {
+            const rawUserText = message.text;
+            const userText = deps.stripLeadingBotMention(rawUserText, {
+              stripLeadingSlackMentionToken: Boolean(message.isMention)
+            });
+            const context = {
+              threadId,
+              requesterId: message.author.userId,
+              channelId,
+              runId
+            };
+            const preflightDecision = getSubscribedReplyPreflightDecision({
+              botUserName: deps.assistantUserName,
+              rawText: rawUserText,
+              text: userText,
+              isExplicitMention: Boolean(message.isMention)
+            });
+            if (preflightDecision && !preflightDecision.shouldReply) {
+              const reason = preflightDecision.reasonDetail ? `${preflightDecision.reason}:${preflightDecision.reasonDetail}` : preflightDecision.reason;
+              await skipSubscribedMessage({
+                thread,
+                message,
+                decision: { shouldReply: false, reason },
+                context,
+                userText
+              });
+              return;
+            }
+            const preparedState = await deps.prepareTurnState({
+              thread,
+              message,
+              userText,
+              explicitMention: Boolean(message.isMention),
+              context
+            });
+            await deps.persistPreparedState({
+              thread,
+              preparedState
+            });
+            const decision = await deps.decideSubscribedReply({
+              rawText: rawUserText,
+              text: userText,
+              conversationContext: deps.getPreparedConversationContext(preparedState),
+              hasAttachments: message.attachments.length > 0,
+              isExplicitMention: Boolean(message.isMention),
+              context
+            });
+            if (await maybeHandleThreadOptOutDecision({
+              thread,
+              decision,
+              beforeFirstResponsePost: hooks?.beforeFirstResponsePost
+            })) {
+              await skipSubscribedMessage({
+                thread,
+                message,
+                decision,
+                context,
+                preparedState,
+                userText
+              });
+              return;
+            }
+            if (!decision.shouldReply) {
+              await skipSubscribedMessage({
+                thread,
+                message,
+                decision,
+                context,
+                preparedState,
+                userText
+              });
+              return;
+            }
             await deps.replyToThread(thread, message, {
               explicitMention: Boolean(message.isMention),
               preparedState,
@@ -15317,6 +15344,24 @@ function nonEmptyString(value) {
   return trimmed || void 0;
 }
 
+// src/chat/ingress/workspace-membership.ts
+import { AsyncLocalStorage } from "async_hooks";
+var workspaceTeamIdStorage = new AsyncLocalStorage();
+function runWithWorkspaceTeamId(teamId, fn) {
+  if (!teamId) return fn();
+  return workspaceTeamIdStorage.run(teamId, fn);
+}
+function isExternalSlackUser(raw) {
+  if (!raw) return false;
+  const workspaceTeamId = workspaceTeamIdStorage.getStore();
+  if (!workspaceTeamId) return false;
+  const userTeam = typeof raw.user_team === "string" ? raw.user_team : void 0;
+  if (userTeam) return userTeam !== workspaceTeamId;
+  const sourceTeam = typeof raw.source_team === "string" ? raw.source_team : void 0;
+  if (sourceTeam) return sourceTeam !== workspaceTeamId;
+  return false;
+}
+
 // src/chat/ingress/junior-chat.ts
 function enqueueBackgroundTask(options, task) {
   if (!options?.waitUntil) {
@@ -15355,6 +15400,9 @@ var JuniorChat = class extends Chat {
         (async () => {
           try {
             const message = await messageOrFactory();
+            if (isExternalSlackUser(message.raw)) {
+              return;
+            }
             const normalized = normalizeIncomingSlackThreadId(
               threadId,
               message
@@ -15373,6 +15421,9 @@ var JuniorChat = class extends Chat {
       );
       return;
     }
+    if (isExternalSlackUser(messageOrFactory.raw)) {
+      return;
+    }
     enqueueBackgroundTask(
       options,
       (async () => {
@@ -15824,12 +15875,16 @@ function extractMessageChangedMention(body, botUserId, adapter) {
   const userId = event.message.user ?? "unknown";
   const threadId = `slack:${channelId}:${threadTs}`;
   const teamId = typeof body.team_id === "string" ? body.team_id : void 0;
+  const userTeam = typeof event.message.user_team === "string" ? event.message.user_team : void 0;
+  const sourceTeam = typeof event.message.source_team === "string" ? event.message.source_team : void 0;
   const raw = {
     channel: channelId,
     ts: messageTs,
     thread_ts: threadTs,
     user: userId,
-    ...teamId ? { team_id: teamId } : {}
+    ...teamId ? { team_id: teamId } : {},
+    ...userTeam ? { user_team: userTeam } : {},
+    ...sourceTeam ? { source_team: sourceTeam } : {}
   };
   const message = new Message({
     id: getEditedMentionMessageId(messageTs),
@@ -15931,6 +15986,7 @@ async function handlePlatformWebhook(request, platform, waitUntil, bot = getProd
       return new Response(`Unknown platform: ${platform}`, { status: 404 });
     }
     let rebuiltRequest = request;
+    let slackWorkspaceTeamId;
     if (platform === "slack") {
       const rawBody = await request.text();
       let parsedBody;
@@ -15939,15 +15995,19 @@ async function handlePlatformWebhook(request, platform, waitUntil, bot = getProd
       } catch {
         parsedBody = void 0;
       }
+      slackWorkspaceTeamId = getSlackPayloadTeamId(parsedBody);
       if (parsedBody && isMessageChangedEnvelope(parsedBody)) {
         try {
-          await handleAuthenticatedSlackMessageChangedMention({
-            body: parsedBody,
-            bot,
-            rawBody,
-            request,
-            waitUntil
-          });
+          await runWithWorkspaceTeamId(
+            slackWorkspaceTeamId,
+            () => handleAuthenticatedSlackMessageChangedMention({
+              body: parsedBody,
+              bot,
+              rawBody,
+              request,
+              waitUntil
+            })
+          );
         } catch (error) {
           logException(error, "slack_message_changed_side_channel_failed");
         }
@@ -15965,9 +16025,12 @@ async function handlePlatformWebhook(request, platform, waitUntil, bot = getProd
         requestContext,
         async () => {
           try {
-            const response = await handler(rebuiltRequest, {
-              waitUntil: (task) => waitUntil(task)
-            });
+            const response = await runWithWorkspaceTeamId(
+              slackWorkspaceTeamId,
+              () => handler(rebuiltRequest, {
+                waitUntil: (task) => waitUntil(task)
+              })
+            );
             if (response.status >= 400) {
               let responseBodySnippet;
               try {

package/dist/{chunk-3M7ZD6FF.js → chunk-HZIJ4BSE.js}

@@ -7,7 +7,7 @@ import {
   serializeGenAiAttribute,
   setSpanAttributes,
   withSpan
-} from "./chunk-XARRBRQV.js";
+} from "./chunk-QZRPUFO6.js";
 
 // src/chat/state/adapter.ts
 import { createMemoryState } from "@chat-adapter/state-memory";
@@ -128,68 +128,73 @@ async function completeText(params) {
   const apiKey = getPiGatewayApiKeyOverride();
   const requestMessagesAttribute = serializeGenAiAttribute(params.messages);
   const systemInstructionsAttribute = params.system ? serializeGenAiAttribute([{ type: "text", content: params.system }]) : void 0;
-  const startAttributes = {
+  const baseAttributes = {
     "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
     "gen_ai.operation.name": GEN_AI_OPERATION_CHAT,
     "gen_ai.request.model": params.modelId,
+    ...params.thinkingLevel ? { "app.ai.reasoning_effort": params.thinkingLevel } : {}
+  };
+  const startAttributes = {
+    ...baseAttributes,
     ...systemInstructionsAttribute ? { "gen_ai.system_instructions": systemInstructionsAttribute } : {},
     ...requestMessagesAttribute ? { "gen_ai.input.messages": requestMessagesAttribute } : {},
-    "app.ai.auth_mode": apiKey ? "oidc" : "api_key",
-    ...params.thinkingLevel ? { "app.ai.reasoning_effort": params.thinkingLevel } : {}
+    "app.ai.auth_mode": apiKey ? "oidc" : "api_key"
   };
-  setSpanAttributes(startAttributes);
-  const message = await completeSimple(
-    model,
-    {
-      systemPrompt: params.system,
-      messages: params.messages
+  return withSpan(
+    "ai.chat_completion",
+    "gen_ai.chat",
+    { modelId: params.modelId },
+    async () => {
+      const message = await completeSimple(
+        model,
+        {
+          systemPrompt: params.system,
+          messages: params.messages
+        },
+        {
+          ...apiKey ? { apiKey } : {},
+          temperature: params.temperature,
+          maxTokens: params.maxTokens,
+          reasoning: params.thinkingLevel,
+          signal: params.signal,
+          metadata: params.metadata
+        }
+      );
+      const outputText = extractText(message);
+      const outputMessagesAttribute = serializeGenAiAttribute([
+        {
+          role: "assistant",
+          content: outputText ? [{ type: "text", text: outputText }] : []
+        }
+      ]);
+      const usageAttributes = extractGenAiUsageAttributes(message);
+      const endAttributes = {
+        ...baseAttributes,
+        ...outputMessagesAttribute ? { "gen_ai.output.messages": outputMessagesAttribute } : {},
+        ...usageAttributes,
+        ...message.stopReason ? { "gen_ai.response.finish_reasons": [message.stopReason] } : {}
+      };
+      setSpanAttributes(endAttributes);
+      if (message.stopReason === "error") {
+        const providerMessage = message.errorMessage?.trim() || "Unknown provider error";
+        logWarn(
+          "ai_completion_provider_error",
+          {},
+          {
+            ...baseAttributes,
+            "error.message": providerMessage
+          },
+          "AI completion returned provider error"
+        );
+        throw new Error(`AI provider error: ${providerMessage}`);
+      }
+      return {
+        message,
+        text: outputText
+      };
     },
-    {
-      ...apiKey ? { apiKey } : {},
-      temperature: params.temperature,
-      maxTokens: params.maxTokens,
-      reasoning: params.thinkingLevel,
-      signal: params.signal,
-      metadata: params.metadata
-    }
+    startAttributes
   );
-  const outputText = extractText(message);
-  const outputMessagesAttribute = serializeGenAiAttribute([
-    {
-      role: "assistant",
-      content: outputText ? [{ type: "text", text: outputText }] : []
-    }
-  ]);
-  const usageAttributes = extractGenAiUsageAttributes(message);
-  const endAttributes = {
-    "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
-    "gen_ai.operation.name": GEN_AI_OPERATION_CHAT,
-    "gen_ai.request.model": params.modelId,
-    ...outputMessagesAttribute ? { "gen_ai.output.messages": outputMessagesAttribute } : {},
-    ...usageAttributes,
-    ...message.stopReason ? { "gen_ai.response.finish_reasons": [message.stopReason] } : {},
-    ...params.thinkingLevel ? { "app.ai.reasoning_effort": params.thinkingLevel } : {}
-  };
-  setSpanAttributes(endAttributes);
-  if (message.stopReason === "error") {
-    const providerMessage = message.errorMessage?.trim() || "Unknown provider error";
-    logWarn(
-      "ai_completion_provider_error",
-      {},
-      {
-        "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
-        "gen_ai.operation.name": GEN_AI_OPERATION_CHAT,
-        "gen_ai.request.model": params.modelId,
-        "error.message": providerMessage
-      },
-      "AI completion returned provider error"
-    );
-    throw new Error(`AI provider error: ${providerMessage}`);
-  }
-  return {
-    message,
-    text: outputText
-  };
 }
 async function completeObject(params) {
   const startedAt = Date.now();

package/dist/{chunk-EHXMTKBA.js → chunk-LAD5O3RX.js}

@@ -2,7 +2,7 @@ import {
   getPluginForSkillPath,
   getPluginSkillRoots,
   logWarn
-} from "./chunk-XARRBRQV.js";
+} from "./chunk-QZRPUFO6.js";
 import {
   skillRoots
 } from "./chunk-XPXD3FCE.js";

package/dist/{chunk-XARRBRQV.js → chunk-QZRPUFO6.js}

@@ -971,6 +971,9 @@ function setLogContext(context) {
   );
   contextStorage.enterWith(merged);
 }
+function getLogContextAttributes() {
+  return contextStorage.getStore() ?? {};
+}
 function createLogContextFromRequest(request, context = {}) {
   const url = new URL(request.url);
   return {
@@ -1052,20 +1055,20 @@ async function withSpan(name, op, context, callback, attributes = {}) {
       normalizedAttributes[key] = normalizedValue;
     }
   }
-  return withLogContext(
-    context,
-    () => sentry_exports.startSpan(
+  return withLogContext(context, () => {
+    const inheritedAttributes = getLogContextAttributes();
+    return sentry_exports.startSpan(
       {
         name,
         op,
         attributes: {
-          ...toSpanAttributes(context),
+          ...inheritedAttributes,
           ...normalizedAttributes
         }
       },
       callback
-    )
-  );
+    );
+  });
 }
 function setSpanAttributes(attributes) {
   const sentry = sentry_exports;
@@ -1246,6 +1249,7 @@ var SHORT_CONFIG_KEY_RE = /^[a-z0-9]+(\.[a-z0-9-]+)*$/;
 var TARGET_FLAG_RE = /^-{1,2}[A-Za-z0-9][A-Za-z0-9-]*$/;
 var AUTH_TOKEN_ENV_RE = /^[A-Z][A-Z0-9_]*$/;
 var ENV_VAR_NAME_RE = /^[A-Z_][A-Z0-9_]*$/;
+var ENV_PLACEHOLDER_RE = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
 var API_DOMAIN_RE = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;
 var RUNTIME_POSTINSTALL_CMD_RE = /^[A-Za-z0-9._/-]+$/;
 var RESERVED_AUTHORIZE_PARAM_KEYS = /* @__PURE__ */ new Set([
@@ -1340,7 +1344,7 @@ var stringMapSchema = z.record(z.string(), z.unknown()).transform((record, ctx)
     seen.add(normalizedKey);
     result[key] = rawValue.trim();
   }
-  return Object.keys(result).length > 0 ? result : void 0;
+  return result;
 });
 var apiDomainsSchema = z.array(z.unknown()).min(1, {
   error: "must be a non-empty array of strings"
@@ -1433,6 +1437,8 @@ var manifestSourceSchema = z.object({
   "config-keys": z.array(z.string(), {
     error: "must be an array when provided"
   }).optional(),
+  "api-domains": apiDomainsSchema.optional(),
+  "api-headers": stringMapSchema.optional(),
   credentials: z.record(z.string(), z.unknown(), {
     error: "must be an object when provided"
   }).optional(),
@@ -1470,7 +1476,11 @@ function normalizeStringMap(value, prefix, options = {}) {
   if (!value) {
     return void 0;
   }
-  for (const key of Object.keys(value)) {
+  const keys = Object.keys(value);
+  if (keys.length === 0) {
+    return void 0;
+  }
+  for (const key of keys) {
     const normalizedKey = key.toLowerCase();
     if (options.reservedKeys?.has(normalizedKey)) {
       throw new Error(`${prefix}.${key} is reserved by the runtime`);
@@ -1481,6 +1491,31 @@ function normalizeStringMap(value, prefix, options = {}) {
   }
   return value;
 }
+function assertDeclaredEnvReferences(value, envVars, context) {
+  for (const match of value.matchAll(ENV_PLACEHOLDER_RE)) {
+    const name = match[1];
+    if (!Object.prototype.hasOwnProperty.call(envVars, name)) {
+      throw new Error(
+        `${context} references env var ${name} which is not declared in env-vars`
+      );
+    }
+    if (envVars[name]?.default !== void 0) {
+      throw new Error(
+        `${context} references env var ${name}, but API header env vars must not declare defaults`
+      );
+    }
+  }
+}
+function normalizeRequiredApiHeaders(value, prefix, envVars) {
+  const apiHeaders = normalizeStringMap(value, prefix);
+  if (!apiHeaders) {
+    throw new Error(`${prefix} must contain at least one header`);
+  }
+  for (const [key, headerValue] of Object.entries(apiHeaders)) {
+    assertDeclaredEnvReferences(headerValue, envVars, `${prefix}.${key}`);
+  }
+  return apiHeaders;
+}
 function normalizeCredentials(data, name) {
   const schema = data.type === "oauth-bearer" ? oauthBearerCredentialsSchema : data.type === "github-app" ? githubAppCredentialsSchema : void 0;
   if (!schema) {
@@ -1493,30 +1528,28 @@ function normalizeCredentials(data, name) {
     throw new Error(issueMessage(result.error, `Plugin ${name} credentials`));
   }
   if (result.data.type === "oauth-bearer") {
+    const apiHeaders2 = result.data["api-headers"] ? normalizeStringMap(
+      result.data["api-headers"],
+      `Plugin ${name} credentials.api-headers`,
+      { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
+    ) : void 0;
     return {
       type: "oauth-bearer",
       apiDomains: result.data["api-domains"],
-      ...result.data["api-headers"] ? {
-        apiHeaders: normalizeStringMap(
-          result.data["api-headers"],
-          `Plugin ${name} credentials.api-headers`,
-          { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
-        )
-      } : {},
+      ...apiHeaders2 ? { apiHeaders: apiHeaders2 } : {},
       authTokenEnv: result.data["auth-token-env"],
       ...result.data["auth-token-placeholder"] ? { authTokenPlaceholder: result.data["auth-token-placeholder"] } : {}
     };
   }
+  const apiHeaders = result.data["api-headers"] ? normalizeStringMap(
+    result.data["api-headers"],
+    `Plugin ${name} credentials.api-headers`,
+    { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
+  ) : void 0;
   return {
     type: "github-app",
     apiDomains: result.data["api-domains"],
-    ...result.data["api-headers"] ? {
-      apiHeaders: normalizeStringMap(
-        result.data["api-headers"],
-        `Plugin ${name} credentials.api-headers`,
-        { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
-      )
-    } : {},
+    ...apiHeaders ? { apiHeaders } : {},
     authTokenEnv: result.data["auth-token-env"],
     ...result.data["auth-token-placeholder"] ? { authTokenPlaceholder: result.data["auth-token-placeholder"] } : {},
     appIdEnv: result.data["app-id-env"],
@@ -1650,7 +1683,6 @@ function normalizeRuntimePostinstall(commands, name) {
   }
   return parsed.length > 0 ? parsed : void 0;
 }
-var ENV_PLACEHOLDER_RE = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
 var envVarDeclarationSchema = z.preprocess(
   (value) => value === null || value === void 0 ? {} : value,
   z.object({
@@ -1714,16 +1746,13 @@ function normalizeMcp(data, envVars, name) {
   if (!result.success) {
     throw new Error(issueMessage(result.error, `Plugin ${name} mcp`));
   }
+  const headers = result.data.headers ? normalizeStringMap(result.data.headers, `Plugin ${name} mcp.headers`, {
+    forbiddenKeys: FORBIDDEN_API_HEADER_NAMES
+  }) : void 0;
   return {
     transport: "http",
     url: result.data.url,
-    ...result.data.headers ? {
-      headers: normalizeStringMap(
-        result.data.headers,
-        `Plugin ${name} mcp.headers`,
-        { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
-      )
-    } : {},
+    ...headers ? { headers } : {},
     ...result.data["allowed-tools"] ? { allowedTools: result.data["allowed-tools"] } : {}
   };
 }
@@ -1761,6 +1790,16 @@ function parsePluginManifest(raw, dir) {
         `Plugin ${parsedYaml.name ?? "unknown"} config-keys must be an array when provided`
       );
     }
+    if (path3 === "api-domains") {
+      throw new Error(
+        `Plugin ${parsedYaml.name ?? "unknown"} api-domains must be a non-empty array of domains`
+      );
+    }
+    if (path3 === "api-headers") {
+      throw new Error(
+        `Plugin ${parsedYaml.name ?? "unknown"} api-headers must be an object when provided`
+      );
+    }
     if (path3 === "credentials") {
       throw new Error(
         `Plugin ${parsedYaml.name ?? "unknown"} credentials must be an object when provided`
@@ -1813,16 +1852,29 @@ function parsePluginManifest(raw, dir) {
     }
     return `${data.name}.${key}`;
   });
+  const envVars = data["env-vars"] ? normalizeEnvVars(data["env-vars"], data.name) : {};
+  const apiHeaders = data["api-headers"] ? normalizeRequiredApiHeaders(
+    data["api-headers"],
+    `Plugin ${data.name} api-headers`,
+    envVars
+  ) : void 0;
+  if (apiHeaders && !data["api-domains"]) {
+    throw new Error(`Plugin ${data.name} api-headers requires api-domains`);
+  }
+  if (data["api-domains"] && !apiHeaders) {
+    throw new Error(`Plugin ${data.name} api-domains requires api-headers`);
+  }
   const credentials = data.credentials ? normalizeCredentials(data.credentials, data.name) : void 0;
   const runtimeDependencies = data["runtime-dependencies"] ? normalizeRuntimeDependencies(data["runtime-dependencies"], data.name) : void 0;
   const runtimePostinstall = data["runtime-postinstall"] ? normalizeRuntimePostinstall(data["runtime-postinstall"], data.name) : void 0;
-  const envVars = data["env-vars"] ? normalizeEnvVars(data["env-vars"], data.name) : {};
   const mcp = data.mcp ? normalizeMcp(data.mcp, envVars, data.name) : void 0;
   const manifest = {
     name: data.name,
     description: data.description,
     capabilities,
     configKeys,
+    ...data["api-domains"] ? { apiDomains: data["api-domains"] } : {},
+    ...apiHeaders ? { apiHeaders } : {},
     ...Object.keys(envVars).length > 0 ? { envVars } : {},
     ...credentials ? { credentials } : {},
     ...runtimeDependencies ? { runtimeDependencies } : {},
@@ -1903,7 +1955,76 @@ import { readFileSync, readdirSync, statSync } from "fs";
 import path2 from "path";
 
 // src/chat/plugins/auth/github-app-broker.ts
-import { createPrivateKey, createSign, randomUUID } from "crypto";
+import { createPrivateKey, createSign, randomUUID as randomUUID2 } from "crypto";
+
+// src/chat/credentials/header-transforms.ts
+function mergeHeaderTransforms(transforms) {
+  const byDomain = /* @__PURE__ */ new Map();
+  for (const transform of transforms) {
+    byDomain.set(transform.domain, {
+      ...byDomain.get(transform.domain) ?? {},
+      ...transform.headers
+    });
+  }
+  return [...byDomain.entries()].map(([domain, headers]) => ({
+    domain,
+    headers
+  }));
+}
+
+// src/chat/plugins/auth/api-headers-broker.ts
+import { randomUUID } from "crypto";
+var MAX_LEASE_MS = 60 * 60 * 1e3;
+var ENV_PLACEHOLDER_RE2 = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
+function resolveHeaders(provider, headers) {
+  return Object.fromEntries(
+    Object.entries(headers).map(([key, value]) => {
+      const resolved = value.replace(ENV_PLACEHOLDER_RE2, (_match, name) => {
+        const envName = name;
+        const envValue = process.env[envName]?.trim();
+        if (!envValue) {
+          throw new Error(
+            `Missing ${envName} for API header provider "${provider}"`
+          );
+        }
+        return envValue;
+      });
+      return [key, resolved];
+    })
+  );
+}
+function resolveApiHeaderTransforms(manifest) {
+  const { apiDomains, apiHeaders } = manifest;
+  if (!apiDomains || !apiHeaders) {
+    return [];
+  }
+  const resolvedHeaders = resolveHeaders(manifest.name, apiHeaders);
+  return apiDomains.map((domain) => ({
+    domain,
+    headers: resolvedHeaders
+  }));
+}
+function createApiHeadersBroker(manifest) {
+  const provider = manifest.name;
+  return {
+    async issue(input) {
+      const headerTransforms = resolveApiHeaderTransforms(manifest);
+      if (headerTransforms.length === 0) {
+        throw new Error(`No API headers configured for plugin "${provider}"`);
+      }
+      return {
+        id: randomUUID(),
+        provider,
+        env: {},
+        headerTransforms,
+        expiresAt: new Date(Date.now() + MAX_LEASE_MS).toISOString(),
+        metadata: {
+          reason: input.reason
+        }
+      };
+    }
+  };
+}
 
 // src/chat/plugins/auth/auth-token-placeholder.ts
 var DEFAULT_PLACEHOLDERS = {
@@ -1915,7 +2036,7 @@ function resolveAuthTokenPlaceholder(credentials) {
 }
 
 // src/chat/plugins/auth/github-app-broker.ts
-var MAX_LEASE_MS = 60 * 60 * 1e3;
+var MAX_LEASE_MS2 = 60 * 60 * 1e3;
 function base64Url(input) {
   return Buffer.from(input).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
@@ -2060,6 +2181,7 @@ function createGitHubAppBroker(manifest, credentials) {
   } = credentials;
   const apiBase = `https://${apiDomains[0]}`;
   const placeholder = resolveAuthTokenPlaceholder(credentials);
+  const pluginHeaderTransforms = () => resolveApiHeaderTransforms(manifest);
   const GIT_DOMAIN = "github.com";
   const GIT_CAPABILITIES = /* @__PURE__ */ new Set([
     `${provider}.contents.read`,
@@ -2097,16 +2219,19 @@ function createGitHubAppBroker(manifest, credentials) {
       const now = Date.now();
       if (cached && cached.expiresAt - now > 2 * 60 * 1e3) {
         return {
-          id: randomUUID(),
+          id: randomUUID2(),
           provider,
           env: { [authTokenEnv]: placeholder },
-          headerTransforms: leaseDomains.map((domain) => ({
-            domain,
-            headers: {
-              ...apiHeaders ?? {},
-              Authorization: authorizationFor(domain, cached.token)
-            }
-          })),
+          headerTransforms: mergeHeaderTransforms([
+            ...pluginHeaderTransforms(),
+            ...leaseDomains.map((domain) => ({
+              domain,
+              headers: {
+                ...apiHeaders ?? {},
+                Authorization: authorizationFor(domain, cached.token)
+              }
+            }))
+          ]),
           expiresAt: new Date(cached.expiresAt).toISOString(),
           metadata: {
             installationId: String(cached.installationId),
@@ -2130,7 +2255,7 @@ function createGitHubAppBroker(manifest, credentials) {
       const providerExpiresAtMs = Date.parse(accessTokenResponse.expires_at);
       const expiresAtMs = Math.min(
         providerExpiresAtMs,
-        Date.now() + MAX_LEASE_MS
+        Date.now() + MAX_LEASE_MS2
       );
       tokenCache.set(cacheKey, {
         installationId,
@@ -2138,16 +2263,22 @@ function createGitHubAppBroker(manifest, credentials) {
         expiresAt: expiresAtMs
       });
       return {
-        id: randomUUID(),
+        id: randomUUID2(),
         provider,
         env: { [authTokenEnv]: placeholder },
-        headerTransforms: leaseDomains.map((domain) => ({
-          domain,
-          headers: {
-            ...apiHeaders ?? {},
-            Authorization: authorizationFor(domain, accessTokenResponse.token)
-          }
-        })),
+        headerTransforms: mergeHeaderTransforms([
+          ...pluginHeaderTransforms(),
+          ...leaseDomains.map((domain) => ({
+            domain,
+            headers: {
+              ...apiHeaders ?? {},
+              Authorization: authorizationFor(
+                domain,
+                accessTokenResponse.token
+              )
+            }
+          }))
+        ]),
         expiresAt: new Date(expiresAtMs).toISOString(),
         metadata: {
           installationId: String(installationId),
@@ -2159,7 +2290,7 @@ function createGitHubAppBroker(manifest, credentials) {
 }
 
 // src/chat/plugins/auth/oauth-bearer-broker.ts
-import { randomUUID as randomUUID2 } from "crypto";
+import { randomUUID as randomUUID3 } from "crypto";
 
 // src/chat/credentials/broker.ts
 var CredentialUnavailableError = class extends Error {
@@ -2270,7 +2401,7 @@ function parseOAuthTokenResponse(data, fallbackScope) {
 }
 
 // src/chat/plugins/auth/oauth-bearer-broker.ts
-var MAX_LEASE_MS2 = 60 * 60 * 1e3;
+var MAX_LEASE_MS3 = 60 * 60 * 1e3;
 var REFRESH_BUFFER_MS = 5 * 60 * 1e3;
 async function refreshAccessToken(refreshToken, oauth, fallbackScope) {
   const clientId = process.env[oauth.clientIdEnv]?.trim();
@@ -2302,21 +2433,25 @@ async function refreshAccessToken(refreshToken, oauth, fallbackScope) {
   return parseOAuthTokenResponse(data, fallbackScope);
 }
 function getLeaseExpiry(expiresAt) {
-  return expiresAt ? Math.min(expiresAt, Date.now() + MAX_LEASE_MS2) : Date.now() + MAX_LEASE_MS2;
+  return expiresAt ? Math.min(expiresAt, Date.now() + MAX_LEASE_MS3) : Date.now() + MAX_LEASE_MS3;
 }
 function createOAuthBearerBroker(manifest, credentials, deps) {
   const provider = manifest.name;
   const { apiDomains, apiHeaders, authTokenEnv } = credentials;
   const authTokenPlaceholder = resolveAuthTokenPlaceholder(credentials);
+  const pluginHeaderTransforms = () => resolveApiHeaderTransforms(manifest);
   function buildLease(token, expiresAtMs, reason) {
     return {
-      id: randomUUID2(),
+      id: randomUUID3(),
       provider,
       env: { [authTokenEnv]: authTokenPlaceholder },
-      headerTransforms: apiDomains.map((domain) => ({
-        domain,
-        headers: { ...apiHeaders ?? {}, Authorization: `Bearer ${token}` }
-      })),
+      headerTransforms: mergeHeaderTransforms([
+        ...pluginHeaderTransforms(),
+        ...apiDomains.map((domain) => ({
+          domain,
+          headers: { ...apiHeaders ?? {}, Authorization: `Bearer ${token}` }
+        }))
+      ]),
       expiresAt: new Date(expiresAtMs).toISOString(),
       metadata: { reason }
     };
@@ -2327,7 +2462,7 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
       const oauth = manifest.oauth;
       if (!oauth) {
         if (envToken) {
-          return buildLease(envToken, Date.now() + MAX_LEASE_MS2, input.reason);
+          return buildLease(envToken, Date.now() + MAX_LEASE_MS3, input.reason);
         }
         throw new CredentialUnavailableError(
           provider,
@@ -2734,11 +2869,15 @@ function createPluginBroker(provider, deps) {
     throw new Error(`Unknown plugin provider: "${provider}"`);
   }
   const { credentials, name } = plugin.manifest;
-  if (!credentials) {
-    throw new Error(`Provider "${name}" has no credentials configured`);
+  if (!credentials && !plugin.manifest.apiHeaders) {
+    throw new Error(
+      `Provider "${name}" has no credentials or API headers configured`
+    );
   }
   let broker;
-  if (credentials.type === "oauth-bearer") {
+  if (!credentials) {
+    broker = createApiHeadersBroker(plugin.manifest);
+  } else if (credentials.type === "oauth-bearer") {
     broker = createOAuthBearerBroker(plugin.manifest, credentials, deps);
   } else if (credentials.type === "github-app") {
     broker = createGitHubAppBroker(plugin.manifest, credentials);
@@ -2773,6 +2912,7 @@ export {
   serializeGenAiAttribute,
   extractGenAiUsageSummary,
   extractGenAiUsageAttributes,
+  mergeHeaderTransforms,
   resolveAuthTokenPlaceholder,
   parsePluginManifest,
   CredentialUnavailableError,

package/dist/cli/check.js

@@ -1,9 +1,9 @@
 import {
   parseSkillFile
-} from "../chunk-EHXMTKBA.js";
+} from "../chunk-LAD5O3RX.js";
 import {
   parsePluginManifest
-} from "../chunk-XARRBRQV.js";
+} from "../chunk-QZRPUFO6.js";
 import "../chunk-Z3YD6NHK.js";
 import "../chunk-XPXD3FCE.js";
 import "../chunk-2KG3PWR4.js";

package/dist/cli/snapshot-warmup.js

@@ -1,12 +1,12 @@
 import {
   disconnectStateAdapter,
   resolveRuntimeDependencySnapshot
-} from "../chunk-3M7ZD6FF.js";
+} from "../chunk-HZIJ4BSE.js";
 import {
   getPluginProviders,
   getPluginRuntimeDependencies,
   getPluginRuntimePostinstall
-} from "../chunk-XARRBRQV.js";
+} from "../chunk-QZRPUFO6.js";
 import "../chunk-Z3YD6NHK.js";
 import "../chunk-XPXD3FCE.js";
 import "../chunk-2KG3PWR4.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentry/junior",
-  "version": "0.32.0",
+  "version": "0.34.0",
   "private": false,
   "publishConfig": {
     "access": "public"