Merge pull request #63 from QWED-AI/feat/sentry-monitoring

feat(monitoring): Integrate Sentry SDK + docker security fix

Author: rahuldass19

Dockerfile

@@ -19,8 +19,8 @@ RUN useradd -m -u 1000 appuser
 # Fix permissions for GitHub Actions workspace
 RUN mkdir -p /github/workspace && chown -R appuser:appuser /github
 
-# Install gosu and dos2unix for entrypoint management
-RUN apt-get update && apt-get install -y --no-install-recommends gosu dos2unix && rm -rf /var/lib/apt/lists/*
+# Install dos2unix for entrypoint management (runuser is native in base image)
+RUN apt-get update && apt-get install -y --no-install-recommends dos2unix && rm -rf /var/lib/apt/lists/*
 
 # Copy requirements file first to leverage cache
 COPY requirements.txt /app/requirements.txt
@@ -56,7 +56,7 @@ if [ -d "/github/file_commands" ]; then\n\
 fi\n\
 \n\
 # Switch to appuser and run the main entrypoint\n\
-exec gosu appuser python /action_entrypoint.py "$@"\n\
+exec runuser -u appuser -- python /action_entrypoint.py "$@"\n\
 ' > /entrypoint.sh && chmod +x /entrypoint.sh
 
 # Set Python path to use local SDK
@@ -65,5 +65,5 @@ ENV PYTHONPATH=/app
 WORKDIR /github/workspace
 
 # NOTE: We do NOT switch USER here. We start as root to fix permissions on mounted volumes
-# in entrypoint.sh, then drop privileges to appuser using gosu.
+# in entrypoint.sh, then drop privileges to appuser using runuser.
 ENTRYPOINT ["/entrypoint.sh"]

action_entrypoint.py

@@ -13,6 +13,11 @@
 import glob
 from pathlib import Path
 
+try:
+    import sentry_sdk
+except ImportError:
+    sentry_sdk = None
+
 # QWED SDK imports - only guards (no heavy dependencies)
 sys.path.insert(0, "/app")
 from qwed_sdk.guards.system_guard import SystemGuard
@@ -415,4 +420,30 @@ def main():
 
 
 if __name__ == "__main__":
-    main()
+    # Initialize Sentry if DSN is provided
+    sentry_dsn = get_env("SENTRY_DSN") or os.environ.get("SENTRY_DSN")
+    if sentry_dsn and sentry_sdk:
+        print("🔭 Initializing Sentry SDK...")
+        sentry_sdk.init(
+            dsn=sentry_dsn,
+            traces_sample_rate=1.0,  # Capture 100% of transactions for performance monitoring
+            environment="production",
+            release=os.environ.get("GITHUB_SHA", "unknown"),
+        )
+        sentry_sdk.set_tag("repository", os.environ.get("GITHUB_REPOSITORY", "unknown"))
+        sentry_sdk.set_tag("actor", os.environ.get("GITHUB_ACTOR", "unknown"))
+        sentry_sdk.set_tag("run_id", os.environ.get("GITHUB_RUN_ID", "unknown"))
+        
+        # Capture strictly necessary context, avoid PII unless explicitly enabled
+        sentry_sdk.set_context("github", {
+            "ref": os.environ.get("GITHUB_REF"),
+            "workflow": os.environ.get("GITHUB_WORKFLOW"),
+            "action": os.environ.get("GITHUB_ACTION"),
+        })
+
+    try:
+        main()
+    except Exception as e:
+        if sentry_dsn and sentry_sdk:
+            sentry_sdk.capture_exception(e)
+        raise

requirements.in

@@ -3,3 +3,4 @@ httpx>=0.28.1
 httpcore>=1.0.9
 h11>=0.16.0
 colorama==0.4.6
+sentry-sdk

requirements.txt

@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.11
 # by the following command:
 #
-#    pip-compile --generate-hashes --output-file=requirements.txt requirements.in
+#    pip-compile --generate-hashes requirements.in
 #
 anyio==4.12.1 \
     --hash=sha256:41cfcc3a4c85d3f05c932da7c26d0201ac36f72abd4435ba90d0464a3ffed703 \
@@ -14,6 +14,7 @@ certifi==2026.1.4 \
     # via
     #   httpcore
     #   httpx
+    #   sentry-sdk
 colorama==0.4.6 \
     --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
     --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
@@ -44,6 +45,10 @@ mpmath==1.3.0 \
     --hash=sha256:7a28eb2a9774d00c7bc92411c19a89209d5da7c4c9a9e227be8330a23a25b91f \
     --hash=sha256:a0b2b9fe80bbcd81a6647ff13108738cfb482d481d826cc0e02f5b35e5c88d2c
     # via sympy
+sentry-sdk==2.52.0 \
+    --hash=sha256:931c8f86169fc6f2752cb5c4e6480f0d516112e78750c312e081ababecbaf2ed \
+    --hash=sha256:fa0bec872cfec0302970b2996825723d67390cdd5f0229fb9efed93bd5384899
+    # via -r requirements.in
 sympy==1.12 \
     --hash=sha256:3e2e0e09210c4d8f8d660e574c88f728c050228497d51921356a9829352e8253 \
     --hash=sha256:c3588cd4295d0c0f603d0f2ae780587e64e2efeedb3521e46b9bb1d08d184fa5 \
@@ -53,3 +58,7 @@ typing-extensions==4.15.0 \
     --hash=sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466 \
     --hash=sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548
     # via anyio
+urllib3==2.6.3 \
+    --hash=sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed \
+    --hash=sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4
+    # via sentry-sdk