feat(cms): Sentry server instrumentation + withSentryConfig + R38 PII test

Adds apps/cms/instrumentation.ts (server-only — Payload admin client DSN
is out-of-scope per spec §8). Wraps the Payload-wrapped next config with
withSentryConfig. Adds the R38 PII scrubber test. Required adding
@repo/core-shared as a direct dep of cms (was only transitive before).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-07 20:14:56 +02:00
parent f911892d0b
commit d348cb9179
5 changed files with 93 additions and 1 deletions

View File

@@ -0,0 +1,56 @@
import { describe, it, expect } from "vitest";
import {
beforeSend,
beforeSendTransaction,
} from "@repo/core-shared/instrumentation/sentry/scrub";
describe("R38 — apps/cms PII scrubber", () => {
it("strips email/password/cookie/auth/IP from event payload", () => {
const event = {
extra: {
userEmail: "alice@example.com",
password: "p4$$w0rd",
ipAddress: "192.168.1.10",
note: "request from 10.0.0.1",
},
request: {
headers: {
Authorization: "Bearer secret",
"Set-Cookie": "session=abc",
"User-Agent": "Mozilla",
},
},
} as Parameters<typeof beforeSend>[0];
const result = beforeSend(event, {}) as {
extra: Record<string, string>;
request: { headers: Record<string, string> };
};
expect(result.extra["userEmail"]).toBe("[redacted]");
expect(result.extra["password"]).toBe("[redacted]");
expect(result.extra["ipAddress"]).toBe("[redacted]");
expect(result.extra["note"]).toContain("[redacted-ip]");
expect(result.request.headers["Authorization"]).toBe("[redacted]");
expect(result.request.headers["Set-Cookie"]).toBe("[redacted]");
expect(result.request.headers["User-Agent"]).toBe("Mozilla");
});
it("strips ?token / ?email / ?password / ?secret / ?signature from URLs", () => {
const event = {
request: {
url: "https://app/api/x?token=abc&email=a@b.c&password=p&secret=z&signature=s&safe=1",
},
transaction: "/foo?accessToken=t",
} as Parameters<typeof beforeSendTransaction>[0];
const result = beforeSendTransaction(event, {}) as {
request: { url: string };
transaction: string;
};
const url = decodeURIComponent(result.request.url);
const txn = decodeURIComponent(result.transaction);
for (const key of ["token", "email", "password", "secret", "signature"]) {
expect(url).toContain(`${key}=[redacted]`);
}
expect(url).toContain("safe=1");
expect(txn).toContain("accessToken=[redacted]");
});
});