fix(ui): reduce sentry alert noise

[Alan-TheGentleman]

Context

The UI Sentry Slack alert channel was receiving non-actionable noise from warning-level events, controlled API/form validation, and duplicate backend/API failure paths. The goal is to make UI Sentry alerts actionable: if it reaches the alert channel, it should be worth reviewing.

This work is tied to the Sentry UI alert-channel cleanup tracked in the roadmap.

Description

This PR:

• Adds a centralized UI Sentry actionability policy for client, server, and edge events
• Suppresses warning-level events and expected control-flow noise such as redirects, aborts, and ResizeObserver issues
• Suppresses expected 401 / 403 / 404 API events only when structured status or clear API/HTTP context exists
• Keeps actionable runtime/fatal failures, including messages that merely contain numeric status-like values without API context
• Updates Server Action error handling to avoid duplicate recapture and only report unexpected client/API contract failures
• Adds focused unit coverage for the policy and server-action helper behavior
• Updates the UI changelog for this fix

Steps to review

1. Review ui/sentry/event-policy.ts and confirm the actionability boundaries:
   • warnings are dropped
   • expected control flow is dropped
   • structured API 401 / 403 / 404 is dropped
   • runtime/fatal messages containing 401 / 403 / 404 without API context are kept
2. Review ui/lib/server-actions-helper.ts and confirm expected 4xx validation is suppressed while unexpected 4xx contract failures are captured
3. Run:

cd ui
pnpm exec vitest run sentry/event-policy.test.ts sentry/sentry-event-filter.test.ts lib/server-actions-helper.test.ts
pnpm run typecheck

Checklist

Community Checklist

• This feature/issue is listed in here or roadmap.prowler.com
• Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

• Review if the code is being covered by tests.
• Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.
• Review if is needed to change the Readme.md
• Ensure new entries are added to CHANGELOG.md, if applicable. N/A for SDK; UI changelog updated

SDK/CLI

• Are there new checks included in this PR? No
  • If so, do we need to update permissions for the provider? No

UI

• All issue/task requirements work as expected on the UI
• If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient. N/A, no dependencies added
• Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px) N/A, no visual changes
• Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px) N/A, no visual changes
• Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px) N/A, no visual changes
• Ensure new entries are added to CHANGELOG.md, if applicable

API

• All issue/task requirements work as expected on the API N/A
• Endpoint response output (if applicable) N/A
• EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable) N/A
• Performance test results (if applicable) N/A
• Any other relevant evidence of the implementation (if applicable) N/A
• Verify if API specs need to be regenerated. N/A
• Check if version updates are required (e.g., specs, uv, etc.). N/A
• Ensure new entries are added to CHANGELOG.md, if applicable. N/A

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Summary by CodeRabbit

• Improvements
  • Sentry alert filtering is now centralized and applies consistent event actionability rules across client, server, and edge, suppressing non-actionable warnings and expected control-flow/status noise while keeping actionable failures.
  • Actionable events are enriched with standardized metadata (including actionability and source) and expected/duplicate errors are suppressed more reliably.
• Testing
  • Expanded test coverage for the new event policy and warning filtering to ensure correct keep/drop behavior and tagging.

[coderabbitai]

📝 Walkthrough

Walkthrough

A shared Sentry event policy module now handles filtering, tagging, and deduplication. Client, Edge, and server Sentry configs delegate beforeSend to it, and server-action error handling now uses the same reported-error markers and structured capture paths.

Changes

Centralized Sentry Event Policy

Layer / File(s)	Summary
Event policy: types, constants, and deduplication helpers ui/sentry/event-policy.ts	Defines Sentry policy constants, source and kind tags, HTTP/message matching helpers, and the markErrorAsReported/isErrorAlreadyReported pair backed by a WeakSet and Symbol marker.
Event policy: filtering, suppression, and tagging implementation ui/sentry/event-policy.ts	Implements applySentryEventPolicy, dropping warning, already-reported, control-flow, and expected HTTP events, and tagging retained events with actionability, kind, and optional source metadata.
Public module surface and backward-compat filter ui/sentry/index.ts, ui/sentry/sentry-event-filter.ts	index.ts re-exports the event-policy surface; sentry-event-filter.ts keeps the warning filter name while delegating to applySentryEventPolicy.
Sentry runtime configs wired to shared policy ui/instrumentation-client.ts, ui/sentry/sentry.edge.config.ts, ui/sentry/sentry.server.config.ts	Client, Edge, and server Sentry configs import the shared policy helper and source enum, remove inline suppression branches and HTTP status ignoreErrors entries, and route beforeSend through applySentryEventPolicy with runtime-specific source tags.
Server actions helper deduplication and structured capture ui/lib/server-actions-helper.ts	Uses the shared deduplication markers, adds suppression and fingerprint helpers, and updates handleApiResponse and handleApiError to mark reported errors and capture unexpected API failures with structured tags and contexts.
Tests and changelog for Sentry policy changes ui/sentry/event-policy.test.ts, ui/sentry/sentry-event-filter.test.ts, ui/lib/server-actions-helper.test.ts, ui/CHANGELOG.md	Vitest suites cover actionable and non-actionable policy outcomes, warning-event filtering, and the updated server-action response and error handling paths; the changelog records the new UI Sentry alert behavior.

Sequence Diagram(s)

sequenceDiagram
  participant Runtime as Client/Edge/Server
  participant Config as Sentry beforeSend
  participant Policy as applySentryEventPolicy
  participant Dedup as isErrorAlreadyReported
  participant Tagging as tagActionableEvent

  Runtime->>Config: event + hint
  Config->>Policy: applySentryEventPolicy(event, hint, source)
  Policy->>Dedup: check reported marker
  Dedup-->>Policy: reported or not
  Policy-->>Config: null for warning/control-flow/expected HTTP
  Policy->>Tagging: tag retained event
  Tagging-->>Policy: event.tags updated
  Policy-->>Config: tagged event

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• prowler-cloud/prowler#11500: Modifies the same ui/instrumentation-client.ts client-side Sentry beforeSend and event filtering logic that this PR refactors into the centralized applySentryEventPolicy helper.

Suggested reviewers

• HugoPBrito
• alejandrobailo

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 3.45% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is concise and accurately summarizes the main change: reducing UI Sentry alert noise.
Description check	✅ Passed	The description follows the template with Context, Description, Steps to review, and Checklist, and it is detailed enough for review.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/ui-sentry-actionability

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[github-actions]

🔒 Container Security Scan

Image: prowler-ui:676fcf7
Last scan: 2026-06-25 11:37:49 UTC

✅ No Vulnerabilities Detected

The container image passed all security checks. No known CVEs were found.

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ui/lib/server-actions-helper.ts (1)

158-188: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Mark errors captured by handleApiError as reported.

Line 160 captures an unreported Error, but the object is never marked afterward, so a later pass through this helper or the shared policy still sees it as unreported and can duplicate the alert. Mark after capture, matching the 5xx path.

Suggested fix

     if (error instanceof Error) {
       Sentry.captureException(error, {
         tags: {
           error_source: SentryErrorSource.HANDLE_API_ERROR,
           error_type: SentryErrorType.UNEXPECTED_ERROR,
         },
         level: "error",
         contexts: {
           error_details: {
             message: error.message,
             stack: error.stack,
           },
         },
       });
+      markErrorAsReported(error);
     } else {
       // Capture non-Error objects
       Sentry.captureMessage(
         `Non-Error object in handleApiError: ${String(error)}`,
         {
           level: "warning",
           tags: {
             error_source: SentryErrorSource.HANDLE_API_ERROR,
             error_type: SentryErrorType.NON_ERROR_OBJECT,
           },
           extra: {
             error: error,
           },
         },
       );
+      markErrorAsReported(error);
     }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ui/lib/server-actions-helper.ts` around lines 158 - 188, The handleApiError
function captures errors using Sentry.captureException but does not mark them as
captured afterward, which can result in duplicate alerts if the same error
object is processed again. After calling Sentry.captureException in the code
block where error instanceof Error is checked, mark the error as captured using
the same mechanism employed in the 5xx path to prevent subsequent processing
from treating it as an unreported error.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ui/lib/server-actions-helper.ts`:
- Around line 238-242: The Sentry fingerprint in the error handling code is
using the full response.url which can contain query strings and resource IDs,
causing over-fragmentation of error grouping and exposing URL values in
metadata. Replace the response.url value in the fingerprint array with a
sanitized, low-cardinality path instead (such as the pathname from the URL
object). Apply this same normalization pattern consistently to both the
fingerprint array at line 238 and the captureApiServerError function at line 92
to ensure consistent URL handling across error capture methods.

In `@ui/sentry/event-policy.ts`:
- Around line 44-54: The interfaces SentryEventPolicyOptions, SentryEventHint,
and SentryPolicyEvent are currently not exported, which limits their
accessibility for type safety at call sites. Add the export keyword before each
of these three interface declarations to make them available to consumers in
client, edge, and server configurations, improving type safety and
documentation.

---

Outside diff comments:
In `@ui/lib/server-actions-helper.ts`:
- Around line 158-188: The handleApiError function captures errors using
Sentry.captureException but does not mark them as captured afterward, which can
result in duplicate alerts if the same error object is processed again. After
calling Sentry.captureException in the code block where error instanceof Error
is checked, mark the error as captured using the same mechanism employed in the
5xx path to prevent subsequent processing from treating it as an unreported
error.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 26713a2d-b677-438e-a70f-7b0ea8afa1d0

📥 Commits

Reviewing files that changed from the base of the PR and between ca48fd0 and 722bc3f.

📒 Files selected for processing (11)

• ui/CHANGELOG.md
• ui/instrumentation-client.ts
• ui/lib/server-actions-helper.test.ts
• ui/lib/server-actions-helper.ts
• ui/sentry/event-policy.test.ts
• ui/sentry/event-policy.ts
• ui/sentry/index.ts
• ui/sentry/sentry-event-filter.test.ts
• ui/sentry/sentry-event-filter.ts
• ui/sentry/sentry.edge.config.ts
• ui/sentry/sentry.server.config.ts

[Alan-TheGentleman]

CI note: I reran the failed e2e-tests job and it failed again on the same Okta provider E2E, PROVIDER-E2E-019, at ui/tests/providers/providers-page.ts:988 while waiting for a provider wizard action or error state. I audited the PR diff against ui/lib/server-actions-helper.ts and the provider actions. The helper changes preserve the success, revalidation, and error-return contracts, and the failure happens before checkConnectionProvider can run. This looks like the Okta wizard entering an unobserved loading or provider-load error state that the E2E currently reports as a timeout, not a regression from the Sentry filtering changes.

[Alan-TheGentleman]

Two things to address:

1. Captured handleApiError errors are not marked as reported. handleApiError checks isErrorAlreadyReported(error) before capturing, but after Sentry.captureException(error, ...) it never calls markErrorAsReported(error). If the same Error object goes through the shared beforeSend policy later, it still looks unreported and can produce the duplicate alert this PR is trying to prevent.

2. Fingerprints use the full response URL. Both the 5xx path and unexpected 4xx path include response.url directly in the fingerprint. That can include query strings or resource identifiers, which fragments grouping and can leak high-cardinality URL data into Sentry metadata. Normalize this to a low-cardinality path, and use the same normalization in both fingerprint paths.

The interface export suggestion from CodeRabbit is not blocking; it is useful only if consumers need those exact helper types. The Okta E2E failure also looks unrelated to this diff based on the current logs.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ui/lib/server-actions-helper.ts (1)

96-98: 🩺 Stability & Availability | 🟠 Major

Avoid setting a sync dedupe flag on the error object immediately after Sentry.captureException.

captureException returns immediately after queuing the event, while beforeSend (where you likely check for duplicates) runs asynchronously later. Placing markErrorAsReported(serverError) on line 96 synchronously sets a flag on the exception object before Sentry processes the event. If your beforeSend logic uses this flag to deduplicate, it will suppress the very first report.

Move the markErrorAsReported call to a point after the event has been sent (if your SDK supports a post_process hook) or decouple the "internal error reported" state from the specific error object reference.

// Incorrect: Flag set before Sentry processes the event, potentially causing premature drop in beforeSend.
Sentry.captureException(serverError, { /* ... */ });
markErrorAsReported(serverError);
throw serverError;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ui/lib/server-actions-helper.ts` around lines 96 - 98, The
`markErrorAsReported(serverError)` call in `server-actions-helper` is happening
too early relative to `Sentry.captureException`, which can cause `beforeSend`
dedupe logic to drop the first report. Update the error-reporting flow so the
reported flag is set only after Sentry has finished queuing/sending the event,
or store the “reported” state separately from the `serverError` object
reference. Keep the `throw serverError` behavior unchanged, and adjust the
surrounding error handling path where `captureException` is invoked.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@ui/lib/server-actions-helper.ts`:
- Around line 96-98: The `markErrorAsReported(serverError)` call in
`server-actions-helper` is happening too early relative to
`Sentry.captureException`, which can cause `beforeSend` dedupe logic to drop the
first report. Update the error-reporting flow so the reported flag is set only
after Sentry has finished queuing/sending the event, or store the “reported”
state separately from the `serverError` object reference. Keep the `throw
serverError` behavior unchanged, and adjust the surrounding error handling path
where `captureException` is invoked.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: b5d53d51-9b6e-47df-ba7a-76b9ffa90973

📥 Commits

Reviewing files that changed from the base of the PR and between 722bc3f and 3ea6858.

📒 Files selected for processing (4)

• ui/lib/server-actions-helper.test.ts
• ui/lib/server-actions-helper.ts
• ui/sentry/event-policy.test.ts
• ui/sentry/event-policy.ts