[codex] Trace first-party relay clients

[juliusmarminge]

Summary

Add product-owned OTLP tracing for first-party relay traffic without replacing the application's or user's global tracer.

• add RelayClientTracer and withRelayClientTracing in @t3tools/shared/relayTracing
• scope managed relay HTTP calls, server broker calls, CLI relay operations, and hosted-web connection bootstrap to the relay tracer
• propagate W3C trace context through credential minting, connection setup, renewal, and reconnect paths
• configure web, mobile, desktop, server, and CLI resource attributes and OTLP settings
• provision a dataset-scoped ingest token and expose relay-client tracing outputs from the Alchemy stack
• add relay deploy --read-state support and inject deployed tracing configuration into release and hosted-web builds

The tracing boundary is explicit: unrelated provider, server, and application spans continue using their existing tracer configuration.

Stack

1. main
2. [codex] Trace first-party relay clients #2995 Trace first-party relay clients ← this PR
3. [codex] Rewrite client connection architecture #2978 Rewrite client connection architecture

Review this PR against main. PR #2978 is stacked on top and adapts these tracing hooks to the rewritten connection runtime.

Validation

• vp check
• vp run typecheck
• vp run lint:mobile
• focused tests for tracer isolation, OTLP configuration/export, relay requests, public config, deploy-state decoding, and connection trace propagation

---

Note

Medium Risk
Touches auth-adjacent relay broker minting and connection flows with trace propagation; ingest tokens are public but scoped, and misconfiguration could disable tracing or leak tokens into client bundles.

Overview
Adds product-owned OTLP tracing for first-party relay traffic via @t3tools/shared/relayTracing: RelayClientTracer, withRelayClientTracing, and makeRelayClientTracingLayer route relay spans to a dedicated tracer without replacing the app’s global tracer.

Runtime wiring: Web, mobile, server (broker + headless CLI), and client-runtime managed-relay HTTP calls wrap relay work with withRelayClientTracing. The server broker uses traceRelayBrokerHandler to continue incoming traceparent on t3MintCredential. Web connection flows emit and carry relayTraceHeaders through connect, renewal, and managed WebSocket ticket paths so downstream HTTP shares one trace id.

Config & release: New T3CODE_RELAY_CLIENT_OTLP_TRACES_* / VITE_RELAY_OTLP_TRACES_* resolution (runtime + build-time embed in server Vite). Relay infra provisions a client ingest token and exports clientTracing* from Alchemy; deploy gains --read-state and GitHub outputs. Release workflow reads prod relay state and injects tracing env into desktop, CLI, and Vercel web builds.

^{Reviewed by Cursor Bugbot for commit fe78bce. Bugbot is set up for automated code reviews on this repo. Configure here.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 89f2bf1d-0ef9-4658-bafc-5ac3c62c4e24

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/hosted-web-tracing-poc

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 Expo continuous deployment is ready!

• Project → t3-code
• Platforms → android, ios
• Scheme → t3code-preview

	🤖 Android	🍎 iOS
Fingerprint	f9033cdeb2089379d2da4fc425aba1c94bc5feb7	58a0e3786e25e8165e9c158dc7b1ba699ce30e0d
Build Details	Build Permalink Details Distribution: INTERNAL Build profile: preview:dev Runtime version: f9033cdeb2089379d2da4fc425aba1c94bc5feb7 App version: 0.1.0 Git commit: 6ffa8a6953dcd5af7bff46cffad286f52922038c	Build Permalink Details Distribution: INTERNAL Build profile: preview:dev Runtime version: 58a0e3786e25e8165e9c158dc7b1ba699ce30e0d App version: 0.1.0 Git commit: 6ffa8a6953dcd5af7bff46cffad286f52922038c
Update Details	Update Permalink Details Branch: pr-2995 Runtime version: f9033cdeb2089379d2da4fc425aba1c94bc5feb7 Git commit: 6ffa8a6953dcd5af7bff46cffad286f52922038c	Update Permalink Details Branch: pr-2995 Runtime version: 58a0e3786e25e8165e9c158dc7b1ba699ce30e0d Git commit: 6ffa8a6953dcd5af7bff46cffad286f52922038c
Update QR

[macroscopeapp]

Approvability

Verdict: Needs human review

This PR introduces distributed tracing infrastructure across multiple applications and deployment pipelines. The scope includes new cloud resource provisioning, CI/CD modifications, and runtime integration in mobile, web, and server apps - warranting human review for the coordination and completeness of the feature.

No code changes detected at fe78bce. Prior analysis still applies.

^{You can customize Macroscope's approvability policy. Learn more.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Renewal drops relay trace headers
  • Added relayTraceHeaders: renewed.relayTraceHeaders to the options passed to ensureSavedEnvironmentConnection after credential renewal, ensuring the connect trace from renewManagedRelayCredential is propagated to the new websocket setup.

Or push these changes by commenting:

@cursor push f4367e9265

Preview (f4367e9265)

diff --git a/apps/web/src/environments/runtime/service.ts b/apps/web/src/environments/runtime/service.ts
--- a/apps/web/src/environments/runtime/service.ts
+++ b/apps/web/src/environments/runtime/service.ts
@@ -1601,6 +1601,7 @@
                   scopes: scopeHint,
                   serverConfig: options?.serverConfig ?? null,
                   allowManagedRenewal: false,
+                  relayTraceHeaders: renewed.relayTraceHeaders,
                 });
               }
             }

_{You can send follow-ups to the cloud agent here.}

^{Reviewed by Cursor Bugbot for commit 03c78cc. Configure here.}

[macroscopeapp]

🟢 Low

t3code/apps/web/src/environments/runtime/service.ts

Line 1599 in 03c78cc

return await ensureSavedEnvironmentConnection(renewed.record, {

When renewManagedRelayCredential succeeds in the auth error handling block (lines 1595-1604), the recursive call to ensureSavedEnvironmentConnection omits renewed.relayTraceHeaders. This causes the newly created client to use null instead of the fresh trace headers from the renewal, losing the tracing context for the connection attempt.

🚀 Reply "fix it for me" or copy this AI Prompt for your agent:

In file @apps/web/src/environments/runtime/service.ts around line 1599:

When `renewManagedRelayCredential` succeeds in the auth error handling block (lines 1595-1604), the recursive call to `ensureSavedEnvironmentConnection` omits `renewed.relayTraceHeaders`. This causes the newly created client to use `null` instead of the fresh trace headers from the renewal, losing the tracing context for the connection attempt.

Evidence trail:
apps/web/src/environments/runtime/service.ts lines 1595-1604 (recursive call omitting relayTraceHeaders); lines 1358-1402 (renewManagedRelayCredential returning relayTraceHeaders); line 1521 (default to null when not provided); line 1527 (relayTraceHeaders passed to createSavedEnvironmentClient); lines 1201-1204 (relayTraceHeaders used when resolving WebSocket URL); line 1957 (other caller that does pass relayTraceHeaders); lines 1218-1220 (renewal inside client resolver that properly passes renewed.relayTraceHeaders).