Skip to content

feat: OTel instrumentation with strict-privacy telemetry defaults#39

Merged
wcypierre merged 1 commit into
mainfrom
feat/otel-privacy-telemetry
May 22, 2026
Merged

feat: OTel instrumentation with strict-privacy telemetry defaults#39
wcypierre merged 1 commit into
mainfrom
feat/otel-privacy-telemetry

Conversation

@wcypierre
Copy link
Copy Markdown
Owner

@wcypierre wcypierre commented May 22, 2026

Summary

This PR adds end-to-end OpenTelemetry instrumentation for Storm API operations and middleware, expands service metrics, and enforces strict-privacy telemetry defaults so sensitive values are not emitted in plaintext.

What Changed

  • Added package-level tracer usage and business spans across torrent/label/plugin/view/session handlers.
  • Added tracing.go helper (endSpan) to consistently record span errors and close spans.
  • Extended HTTP middleware to create server spans, track inflight operations, record request duration, and increment application error metrics.
  • Added external-call metrics around Deluge RPC interactions (external_calls_total, external_call_duration_seconds).
  • Expanded telemetry metric inventory with request-duration, app-error, inflight, and external-call instruments.
  • Hardened OTLP trace exporter setup: defaults to localhost:4318; insecure transport only when OTEL_EXPORTER_OTLP_INSECURE=true.

Privacy/Security Posture

  • No hardcoded secrets/tokens/keys were added.
  • tempo.i.wcyp.ru reference was removed.
  • Strict privacy defaults retained:
    • sensitive telemetry attributes (torrent hash, label names) are redacted,
    • span status messages use generic text (operation failed) instead of raw error strings,
    • request logging no longer includes RemoteAddr.

Validation

Local

  • go test ./... ?
  • cd frontend && npm ci --legacy-peer-deps ?
  • cd frontend && npm run lint ? (warnings only)
  • cd frontend && npm run test -- --watch=false ?
    • failure: src/app/preferences.service.spec.ts:42:7 (filterState implicitly has any type).

Notes

  • CI workflow check jobs are configured in .github/workflows/ci.yml as:
    • Frontend Lint
    • Frontend Test
    • Frontend Build
    • Security Audit

Risk & Rollback

  • Risk: increased telemetry cardinality and runtime instrumentation overhead.
  • Mitigations: route-template labeling for low-cardinality HTTP metrics; sensitive values redacted.
  • Rollback: revert this PR commit to restore previous telemetry/logging behavior.

@wcypierre wcypierre enabled auto-merge (squash) May 22, 2026 17:37
@wcypierre wcypierre merged commit 3b1ff43 into main May 22, 2026
4 checks passed
@wcypierre wcypierre deleted the feat/otel-privacy-telemetry branch May 22, 2026 17:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wcypierre