feat: propagate traceparent from bandit callback URLs#196
Conversation
Extracts the tp query parameter from URL test links and sets it as the traceparent HTTP header. This enables contiguous distributed tracing from the API's config assignment through the client and proxy to the callback receipt. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR propagates distributed tracing context embedded in bandit callback/test URLs by extracting a tp query parameter and setting it as the outgoing request’s traceparent header in the MutableURLTest HTTP client, enabling end-to-end trace continuity across URL test → proxy → callback.
Changes:
- Extract
tpfrom the URL test link’s query string. - Set the extracted value as the
traceparentHTTP header on the outbound GET request.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // Propagate embedded trace context so the bandit callback | ||
| // appears in the same distributed trace as the config assignment. | ||
| if tp := linkURL.Query().Get("tp"); tp != "" { | ||
| req.Header.Set("traceparent", tp) | ||
| } |
There was a problem hiding this comment.
tp comes from a URL query parameter and is copied verbatim into an HTTP header. If it contains control characters (or is just not a valid W3C traceparent), Go's HTTP client can fail the request at send time (invalid header value) and an untrusted URL could also attempt header injection. Consider validating/sanitizing the value (e.g., trim spaces, reject any CTLs, and only accept the expected version-traceid-spanid-flags format) before setting traceparent.
| // Propagate embedded trace context so the bandit callback | ||
| // appears in the same distributed trace as the config assignment. | ||
| if tp := linkURL.Query().Get("tp"); tp != "" { | ||
| req.Header.Set("traceparent", tp) | ||
| } |
There was a problem hiding this comment.
This new behavior (extract tp from the test URL and propagate it as the traceparent header) is not covered by tests. Since this package already has unit tests for urlTestGroup, consider adding a focused test that asserts a request created by urlTestGET includes the expected header when tp is present (and omits it when absent/invalid).
Summary
tpquery parameter from URL test links and sets it as thetraceparentHTTP headerContext
The bandit system embeds W3C traceparent in callback URLs (
?token=XYZ&tp=00-traceID-spanID-01). This change makes the MutableURLTest HTTP client extract and propagate it, so the proxy passes it through to the API's callback handler.Test plan
go vet ./protocol/group/...passes🤖 Generated with Claude Code