fix(observability,composio): demote direct-mode Composio 401/Invalid API key noise (Sentry TAURI-RUST-X9)

[oxoxDev]

Summary

• Restore symmetric error routing on Composio direct-mode call sites that were silently bypassing the classifier ladder.
• Add an expected_error_kind arm for the canonical [composio-direct] … HTTP 401 / Invalid API key shape so user-supplied bad API keys land at debug instead of Sentry.
• Closes the leak behind Sentry TAURI-RUST-X9 (15,732 events in ~22h from a single user on openhuman@0.54.0).
• Adds 9 unit tests pinning the new classifier + the failure-tag / status-extraction contract on the canonical body.

Problem

Composio direct mode (shipped via #1825, 2026-05-15) added per-tenant list_connections / authorize / list_tools call sites on the agent-integrations path, but the direct branches did not wire their error closures through report_composio_op_error() the way the backend branches do. The classifier ladder in src/core/observability.rs::expected_error_kind was therefore never consulted for direct-mode errors, so an invalid user API key (ak_…) returned a raw 401 to the JSON-RPC layer where it captured to Sentry on every 5 s UI poll and every server-side composio::periodic tick.

Result: Sentry TAURI-RUST-X9 accumulated 15,732 events in ~22 hours from a single affected user (release openhuman@0.54.0+c25fc8e5fd3e). Bug-shape was user-config (their own key was bad), not a runtime fault — it is exactly the kind of shape the existing classifier ladder is designed to demote.

Two compounding gaps:

1. Asymmetric reporting — direct-mode .map_err closures never called report_composio_op_error even though the backend branch in the same handler did. The classifier never had a chance to see the message.
2. Missing matcher — even after fixing the asymmetry, expected_error_kind had no arm for the [composio-direct] … HTTP 401 / Invalid API key shape, so the message would still have classified as a real error → Sentry capture.

Solution

Three micro-commits, each independently revertible.

Commit 1 — fix(composio): restore symmetric reporting

Add report_composio_op_error(op, &e) to every direct-mode .map_err closure that was missing it, mirroring the backend branch pattern exactly:

• src/openhuman/composio/ops.rs — composio_list_connections (direct branch), composio_authorize (direct branch), composio_list_tools prefetch + main call (direct branches). Widened report_composio_op_error from private to pub(super) so siblings (tools, periodic) can call it.
• src/openhuman/composio/tools.rs — ComposioListConnectionsTool::execute direct branch (the only tool-side direct branch that issues a network call against the user's tenant).
• src/openhuman/composio/periodic.rs — run_one_tick direct branch.

composio_delete_connection already routes through the unified resolve_client path, so the single .map_err at ops.rs:362 covers both modes; no change needed.

Commit 2 — fix(observability): new classifier arm

Add a matcher in is_provider_user_state_message (src/core/observability.rs) that recognizes the [composio-direct] caller prefix combined with one of HTTP 401 / Invalid API key. Routes to the existing ExpectedErrorKind::ProviderUserState variant (no new enum variants), which downgrades to debug log and skips Sentry.

The combined prefix anchor ([composio-direct] is unique to our own callers in src/openhuman/composio/*) keeps the matcher discriminating — unrelated 401s elsewhere in the codebase are unaffected.

Commit 3 — test: pin the contract

• 5 new tests in src/core/observability.rs covering: canonical Sentry-body match, sibling op-name match, Invalid API key without HTTP 401, negative case (unrelated 401 stays unclassified), negative case (composio-direct 500 stays unclassified).
• 4 new tests in src/openhuman/composio/ops_test.rs pinning the classifier + failure-tag (non_2xx) + status-extraction contract on the canonical body, plus a 500-doesn't-demote regression test.

Rejected alternatives

• Stateful auth-state machinery that pauses the 5 s UI poll on direct-mode 401. Triples PR size and the classifier alone fully solves the Sentry-noise leak. Defer to a follow-up if poll-volume becomes the next concern.
• Dropping the [composio-direct] log line entirely. Hurts debuggability when users report "integrations missing". Demoting to debug via the expected-kind branch is the right trade.

Submission Checklist

If a section does not apply to this change, mark the item as N/A with a one-line reason. Do not delete items.

• Tests added or updated (happy path + at least one failure / edge case) per Testing Strategy
• Diff coverage ≥ 80% — changed lines (Vitest + cargo-llvm-cov merged via diff-cover) meet the gate enforced by .github/workflows/coverage.yml. Run pnpm test:coverage and pnpm test:rust locally; PRs below 80% on changed lines will not merge.
• N/A: behaviour-only change to observability classifier + symmetric error routing. No new product features in the coverage matrix.
• N/A: no feature IDs map to this fix — observability/classifier hygiene + symmetric error routing only.
• No new external network dependencies introduced (mock backend used per Testing Strategy)
• N/A: this does not touch release-cut surfaces — server-side error routing + classifier ladder only.
• N/A: Sentry-only triage (self-hosted sentry.tinyhumans.ai issue TAURI-RUST-X9); no GitHub issue to close. Sentry-Issue: header in ## Related so the post-merge resolver hook can flip it.

Impact

• Runtime/platform: Rust core (src/openhuman/composio/*, src/core/observability.rs). No frontend / Tauri shell changes. Desktop only.
• Performance: nil (one extra closure call per error path; never on the happy path).
• Security: nil (no new logging surface for credentials; the log line already exists, only its level changes).
• Migration / compat: nil (no schema, no API change, no user-visible UX change).
• Sentry impact: eliminates the dominant tauri-rust project leak (15.7 k events / 22 h from a single user) and pre-empts the same shape from every other direct-mode call site that was bypassing the classifier.

Related

• Closes:
• Follow-up PR(s)/TODOs: backend branch of composio::periodic::run_one_tick also lacks the report_composio_op_error hook on its list_connections (backend) arm. Out of scope here (plan was direct-only) but worth a follow-up issue.

Sentry-Issue: TAURI-RUST-X9

---

AI Authored PR Metadata (required for Codex/Linear PRs)

Keep this section for AI-authored PRs. For human-only PRs, mark each field N/A.

Linear Issue

• Key: N/A: triage driven from self-hosted Sentry (sentry.tinyhumans.ai) not Linear.
• URL: N/A: see Sentry-Issue header above.

Commit & Branch

• Branch: fix/sentry-1166-composio-direct-auth-symmetry
• Commit SHA: b21d43be (tip — 3 micro-commits ahead of upstream/main@c204a53d)

Validation Run

• N/A: no app/ changes in this PR (Rust core + observability only).
• N/A: no TypeScript changes in this PR.
• Focused tests: cargo test -p openhuman --lib openhuman::composio::ops (61 passed), cargo test -p openhuman --lib core::observability (84 passed), cargo test -p openhuman --lib openhuman::composio::periodic (6 passed), cargo test -p openhuman --lib openhuman::composio::tools (31 passed).
• Rust fmt/check (if changed): cargo fmt --check clean; cargo check --manifest-path Cargo.toml clean.
• Tauri fmt/check (if changed): cargo check --manifest-path app/src-tauri/Cargo.toml clean (no Tauri-shell changes in this PR; checked for parity).

Validation Blocked

• command: N/A
• error: N/A
• impact: N/A

Behavior Changes

• Intended behavior change: direct-mode Composio HTTP 401 / Invalid API key errors no longer reach Sentry. They surface in debug logs and the existing user-visible "not connected" UI state remains the actionable surface for the user.
• User-visible effect: zero functional change. Settings UI continues to show direct-mode connections as not-connected when the user's API key is invalid (same as before this PR). Only Sentry stops capturing the noise.

Parity Contract

• Legacy behavior preserved: backend-mode error routing untouched. The same report_composio_op_error → report_error_or_expected → expected_error_kind pipeline that the backend branch already used is now applied uniformly to the direct branch.
• Guard/fallback/dispatch parity checks: pre-existing report_composio_op_error pinning tests at ops_test.rs:1376+ still pass. The new arm in is_provider_user_state_message reuses the existing ExpectedErrorKind::ProviderUserState variant — no enum surface change, no dispatcher branches changed.

Summary by CodeRabbit

• Bug Fixes

  • More accurate classification of Composio direct-mode authentication failures: only messages containing the direct-mode anchor plus 401 / "Invalid API key" patterns are treated as provider-user errors, preventing unrelated 401s from being demoted.
  • Direct-mode error paths now also flow through the unified reporting/observability funnel so direct-mode failures are consistently reported.

• Tests

  • Added tests covering direct-mode auth-rejection wire shapes, op-name and status-text variants, and negative cases to prevent regressions.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1fba41a3-7b60-469d-839a-bd6cb2ece295

📥 Commits

Reviewing files that changed from the base of the PR and between 1936fd9 and 1060eaa.

📒 Files selected for processing (1)

• src/openhuman/composio/tools.rs

---

📝 Walkthrough

Walkthrough

Composio direct-mode authentication failures marked with [composio-direct] and containing HTTP 401 or Invalid API key are classified as ProviderUserState; the composio op error reporter is exposed and invoked from direct-mode ops, periodic, and tool paths. Tests validate positive and negative message shapes.

Changes

Composio Direct-Mode Auth Observability

Layer / File(s)	Summary
Direct-mode auth failure detection src/core/observability.rs, src/openhuman/composio/ops_test.rs	is_provider_user_state_message matches [composio-direct] plus HTTP 401 or Invalid API key, returning ProviderUserState; unit tests added for canonical, variant, and negative cases.
Error reporting helper visibility src/openhuman/composio/ops.rs	report_composio_op_error visibility changed to pub(super) so direct-mode branches can call the shared reporting path.
Direct-mode error reporting across operations src/openhuman/composio/ops.rs, src/openhuman/composio/periodic.rs, src/openhuman/composio/tools.rs	Direct-mode error paths for list_connections, authorize, and list_tools (including prefetch), periodic tick, and the ComposioListConnections tool now render [composio-direct]-anchored messages and call report_composio_op_error before returning formatted errors.

sequenceDiagram
  participant Client as Client (direct mode)
  participant ComposioOp as composio op (list/authorize/tools)
  participant Reporter as report_composio_op_error
  participant Classifier as is_provider_user_state_message
  participant Sentry as Sentry/Observability

  Client->>ComposioOp: invoke direct operation
  ComposioOp->>Reporter: report_composio_op_error(operation, &error)
  Reporter->>Classifier: pass rendered error message for classification
  Classifier->>Sentry: classification result (e.g., ProviderUserState) forwarded

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• tinyhumansai/openhuman#1795: Related changes to is_provider_user_state_message and ProviderUserState classification.
• tinyhumansai/openhuman#1798: Overlaps on composio observability plumbing and routing errors through reporting.
• tinyhumansai/openhuman#2107: Refinements to provider-specific expected-user-state detection in is_provider_user_state_message.

Suggested reviewers

• graycyrus

Poem

🐰 I hopped through logs with a careful glance,
Found [composio-direct] in the error dance,
Routed reports to the watcher near,
So invalid keys are clearly clear,
A little rabbit cheers—observability is here!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main objective: fixing observability for direct-mode Composio 401/Invalid API key errors by demoting them to avoid Sentry noise.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[oxoxDev]

Heads-up to reviewers: the 3 frontend failures on this PR (Frontend Coverage, test / Frontend Unit Tests, test / i18n Coverage) are pre-existing breakage on main, not introduced by this PR.

Root cause: PR #2378 (Add German locale support, merged 2026-05-21) shipped without 20 keys that PR #2280 (feat(settings): add MCP server configuration panel, 4e5eaa71) added to English. The strict-equality assertion in src/lib/i18n/__tests__/coverage.test.ts:77 and I18nContext.test.tsx:86 fails as a result.

Verification:

• gh run list --branch main --event push -R tinyhumansai/openhuman shows the Test workflow failing on every push since c9ab4b9c (PR Add German locale support #2378), including the latest chore(staging): v0.54.7 tag at 7fe3dd06.
• This PR touches zero frontend files (src/openhuman/composio/*.rs + src/core/observability.rs only).
• Other in-flight PRs (fix(observability): Wave 4 classifier — socket transport + custom-provider config-rejection (~366 events, 13 IDs) #2309, fix(tauri): retry main-window lookup on Windows after SW_SHOW (#3A) #2341, fix(tauri): pre-flight every xdg-utils binary before register_all (#5V) #2416) all branched off main before PR Add German locale support #2378 merged, so they don't inherit the broken state and their frontend coverage is green — confirms the failure is base-state, not change-induced.

This PR's own quality gates are clean:

• cargo fmt --check, cargo check, all Rust core + tauri checks green
• Focused tests: cargo test -p openhuman --lib openhuman::composio::ops (61 passed), core::observability (84 passed), openhuman::composio::periodic (6 passed), openhuman::composio::tools (31 passed)
• PR Submission Checklist parser: 12/12 satisfied
• All Rust Quality, Type Check, e2e/Linux integration, Smoke install.sh green

Happy to rebase once a German-backfill PR lands on main. Flagging in case anyone wants to pick up that fix in parallel — out of scope for this Sentry triage PR.

Sentry-Issue: TAURI-RUST-X9 (15,732 events / 22h, single user, openhuman@0.54.0)

[M3gA-Mind]

@oxoxDev this PR has merge conflicts with main — please rebase/resolve before review.

[oxoxDev]

Rebased onto upstream/main ed3e453b (was c204a53d). Resolved one conflict in composio_authorize direct branch — upstream PR #2469 swapped direct_authorize for direct_authorize_with_meta_guard + rate-limit wrap; merged my report_composio_op_error hook onto the wrapped error so rate-limit classifications also flow through the expected-kind ladder.

New tip: 549a4add (3 GPG-signed commits). Focused tests still green post-rebase:

• cargo test -p openhuman --lib core::observability → 86 passed
• cargo test -p openhuman --lib openhuman::composio::ops → 62 passed

PR now MERGEABLE. The 3 frontend failures persist — confirmed pre-existing main breakage per earlier comment; main Test workflow still red on ed3e453b.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/openhuman/composio/ops.rs`:
- Around line 246-255: The report_composio_op_error calls in the direct-mode
branches are logging the original error before adding the “[composio-direct]”
anchor, so the classifier misses demotion; update each direct-mode error mapping
(the ones wrapping direct_list_connections, authorize, the direct list_tools
prefetch and the direct list_tools call) to first prepend or format the error
with the “[composio-direct]” anchor and then pass that prefixed error into
report_composio_op_error, e.g. create a prefixed_error =
format!("[composio-direct] {e:#}") (or otherwise attach the anchor) and call
report_composio_op_error("list_connections", &prefixed_error) before returning
the formatted error string; apply the same pattern to the authorize and
list_tools direct branches referenced in the comment.

In `@src/openhuman/composio/periodic.rs`:
- Around line 178-190: The periodic Direct branch (ComposioClientKind::Direct)
currently calls super::ops::report_composio_op_error with the raw error `e`,
which bypasses the composio-direct classifier; instead, build a rendered message
containing the `[composio-direct]` anchor (e.g. let msg =
format!("[composio-direct] list_connections (direct): {e:#}")), call
super::ops::report_composio_op_error("list_connections", &msg) with that string,
and then return Err(msg) (i.e. propagate the same rendered message via the
map_err return) so the periodic 401s are classified the same as UI failures;
update the direct_list_connections(direct).await.map_err closure to construct
and use that anchored message rather than passing `e` directly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: eea3e84a-6e18-472c-9876-5c17f589b4a2

📥 Commits

Reviewing files that changed from the base of the PR and between d1d8f1d and 549a4ad.

📒 Files selected for processing (5)

• src/core/observability.rs
• src/openhuman/composio/ops.rs
• src/openhuman/composio/ops_test.rs
• src/openhuman/composio/periodic.rs
• src/openhuman/composio/tools.rs

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/openhuman/composio/tools.rs`:
- Around line 512-519: The formatted direct-mode error string loses inner error
details because it uses "{e}" when building `rendered` in the
`composio_list_connections` failure path; change the interpolation to use the
alternate/debug display "{e:#}" so the full error chain (e.g. "HTTP 401: Invalid
API key ...") is preserved before calling
`super::ops::report_composio_op_error("list_connections", &rendered)` and
returning `anyhow::anyhow!("{rendered}")`, ensuring the reported message
includes the inner anchors expected by the observability tests.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 30b69478-d0a7-4273-8350-39f83965192b

📥 Commits

Reviewing files that changed from the base of the PR and between 549a4ad and 1936fd9.

📒 Files selected for processing (4)

• src/openhuman/composio/ops.rs
• src/openhuman/composio/ops_test.rs
• src/openhuman/composio/periodic.rs
• src/openhuman/composio/tools.rs