refactor(webapp): user-based sentry attribution, no middleware DB lookup

Pivot the sentry tenant attribution flow based on review feedback:

- `user.id` is now the real signed-in user cuid, so "Users Impacted"
  counts distinct humans. Tenant context (org / project / env slugs,
  IDs, env type) moves entirely to tags.
- The Express middleware no longer queries the database. It parses the
  URL with a regex and sets an ALS scope with whatever subset of slugs
  is present (`/orgs/:o`, `/orgs/:o/projects/:p`, or the full triple).
- `_app/route.tsx` enriches the scope with `userId` for any
  authenticated dashboard request — reusing the existing `requireUser`
  call. No new query.
- The env layout loader's existing `prisma.project.findFirst` gains two
  extra columns in its select (`externalRef`, `organization.id`) and
  enriches the scope with the IDs / env type after picking an env. Same
  single query, no extra round-trip.
- API routes flow through `tenantContextFromAuthEnvironment`, which
  pulls `userId` from `env.orgMember.userId` (already selected by
  `authIncludeBase`) and stamps the full tenant set up-front.

Trade-off: errors that fire before the env layout loader's enrich on
env-scoped pages get slugs + `user.id` but no tenant IDs. Realistic
errors after async work get the full set. API requests without an
`orgMember` get tenant tags but no `user.id`.

Out of scope (deferred): background workers, schedule-engine, socket
handlers — those events still ship without tenant attribution.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: d-cs

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam/route.tsx

@@ -5,6 +5,7 @@ import { redirectWithErrorMessage } from "~/models/message.server";
 import { updateCurrentProjectEnvironmentId } from "~/services/dashboardPreferences.server";
 import { logger } from "~/services/logger.server";
 import { requireUser } from "~/services/session.server";
+import { tenantContext } from "~/services/tenantContext.server";
 import { EnvironmentParamSchema, v3ProjectPath } from "~/utils/pathBuilder";
 
 export const loader = async ({ request, params }: LoaderFunctionArgs) => {
@@ -26,6 +27,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     },
     select: {
       id: true,
+      externalRef: true,
+      organization: { select: { id: true } },
       environments: {
         select: {
           id: true,
@@ -52,6 +55,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   }
 
   let environmentId: string | undefined = undefined;
+  let environmentType: "DEVELOPMENT" | "PREVIEW" | "STAGING" | "PRODUCTION" | undefined;
 
   if (environments.length > 1) {
     const bestEnvironment = environments.find((env) => env.orgMember?.userId === user.id);
@@ -63,10 +67,21 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     }
 
     environmentId = bestEnvironment.id;
+    environmentType = bestEnvironment.type;
   } else {
     environmentId = environments[0].id;
+    environmentType = environments[0].type;
   }
 
+  // userId is enriched higher up in `_app/route.tsx`; only stamp tenant fields here.
+  tenantContext.enrich({
+    orgId: project.organization.id,
+    projectId: project.id,
+    projectRef: project.externalRef,
+    envId: environmentId,
+    envType: environmentType,
+  });
+
   await updateCurrentProjectEnvironmentId({ user: user, projectId: project.id, environmentId });
 
   return project;

apps/webapp/app/routes/_app/route.tsx

@@ -5,10 +5,12 @@ import { RouteErrorDisplay } from "~/components/ErrorDisplay";
 import { AppContainer, MainCenteredContainer } from "~/components/layout/AppLayout";
 import { clearRedirectTo, commitSession } from "~/services/redirectTo.server";
 import { requireUser } from "~/services/session.server";
+import { tenantContext } from "~/services/tenantContext.server";
 import { confirmBasicDetailsPath } from "~/utils/pathBuilder";
 
 export const loader = async ({ request }: LoaderFunctionArgs) => {
   const user = await requireUser(request);
+  tenantContext.enrich({ userId: user.id });
 
   //you have to confirm basic details before you can do anything
   if (!user.confirmedBasicDetails) {

apps/webapp/app/services/tenantContext.server.ts

@@ -1,14 +1,22 @@
 import { AsyncLocalStorage } from "node:async_hooks";
 import type { AuthenticatedEnvironment } from "./apiAuth.server";
 
+// All fields are optional. The middleware establishes an empty scope per
+// request; entry points fill what they know:
+//   - URL-matching paths get the slug trio from the Express middleware (zero IO).
+//   - The `_app` layout adds `userId` for any authenticated request.
+//   - The env layout adds tenant IDs / env type after its own existing DB query.
+//   - API routes get the full set up-front from `authenticationResult.environment`.
 export type TenantContext = {
-  org: { id: string; slug: string };
-  project: { id: string; ref: string };
-  environment: {
-    id: string;
-    slug: string;
-    type: "DEVELOPMENT" | "PREVIEW" | "STAGING" | "PRODUCTION";
-  };
+  userId?: string;
+  orgSlug?: string;
+  projectSlug?: string;
+  envSlug?: string;
+  orgId?: string;
+  projectId?: string;
+  projectRef?: string;
+  envId?: string;
+  envType?: "DEVELOPMENT" | "PREVIEW" | "STAGING" | "PRODUCTION";
   impersonating?: boolean;
 };
 
@@ -21,12 +29,22 @@ export const tenantContext = {
   get(): TenantContext | undefined {
     return storage.getStore();
   },
+  enrich(patch: Partial<TenantContext>): void {
+    const current = storage.getStore();
+    if (current) Object.assign(current, patch);
+  },
 };
 
 export function tenantContextFromAuthEnvironment(env: AuthenticatedEnvironment): TenantContext {
   return {
-    org: { id: env.organization.id, slug: env.organization.slug },
-    project: { id: env.project.id, ref: env.project.externalRef },
-    environment: { id: env.id, slug: env.slug, type: env.type },
+    userId: env.orgMember?.userId,
+    orgSlug: env.organization.slug,
+    projectSlug: env.project.slug,
+    envSlug: env.slug,
+    orgId: env.organization.id,
+    projectId: env.project.id,
+    projectRef: env.project.externalRef,
+    envId: env.id,
+    envType: env.type,
   };
 }

apps/webapp/app/services/tenantContextResolver.server.ts

@@ -1,77 +1,41 @@
 import type { NextFunction, Request, Response } from "express";
-import { prisma } from "~/db.server";
 import { tenantContext, type TenantContext } from "./tenantContext.server";
-import { logger } from "./logger.server";
 
 const URL_PATTERN = /^\/orgs\/([^/]+)(?:\/projects\/([^/]+)(?:\/env\/([^/]+))?)?/;
 
 export type ParsedTenantPath = {
   orgSlug: string;
-  projectParam: string;
-  envParam: string;
+  projectSlug?: string;
+  envSlug?: string;
 };
 
+// Pulls whatever tenant slugs are present in the URL. `/orgs/:o` returns the
+// org alone; `/orgs/:o/projects/:p` adds the project; `/orgs/:o/projects/:p/env/:e`
+// returns all three. Non-tenant paths (`/`, `/login`, `/admin/*`) return undefined.
 export function parseTenantPath(pathname: string): ParsedTenantPath | undefined {
   const match = pathname.match(URL_PATTERN);
   if (!match) return undefined;
-  const [, orgSlug, projectParam, envParam] = match;
-  if (!orgSlug || !projectParam || !envParam) return undefined;
-  return { orgSlug, projectParam, envParam };
+  const [, orgSlug, projectSlug, envSlug] = match;
+  if (!orgSlug) return undefined;
+  return {
+    orgSlug,
+    ...(projectSlug ? { projectSlug } : {}),
+    ...(envSlug ? { envSlug } : {}),
+  };
 }
 
-export async function resolveTenantContextFromPath(
-  pathname: string
-): Promise<TenantContext | undefined> {
-  const parsed = parseTenantPath(pathname);
-  if (!parsed) return undefined;
-
-  try {
-    const env = await prisma.runtimeEnvironment.findFirst({
-      where: {
-        slug: parsed.envParam,
-        project: { slug: parsed.projectParam, organization: { slug: parsed.orgSlug } },
-      },
-      select: {
-        id: true,
-        slug: true,
-        type: true,
-        project: { select: { id: true, externalRef: true } },
-        organization: { select: { id: true, slug: true } },
-      },
-    });
-    if (!env) return undefined;
-    return {
-      org: { id: env.organization.id, slug: env.organization.slug },
-      project: { id: env.project.id, ref: env.project.externalRef },
-      environment: {
-        id: env.id,
-        slug: env.slug,
-        type: env.type,
-      },
-    };
-  } catch (error) {
-    logger.warn("tenantContextResolver: lookup failed", {
-      error: error instanceof Error ? error.message : String(error),
-      pathname,
-    });
-    return undefined;
-  }
+export function resolveTenantContextFromPath(pathname: string): TenantContext {
+  return parseTenantPath(pathname) ?? {};
 }
 
-export type PathResolver = (pathname: string) => Promise<TenantContext | undefined>;
+export type PathResolver = (pathname: string) => TenantContext;
 
 export function createTenantContextMiddleware(resolver: PathResolver) {
-  return async function tenantContextMiddleware(
-    req: Request,
-    res: Response,
-    next: NextFunction
-  ) {
-    const ctx = await resolver(req.path);
-    if (ctx) {
-      tenantContext.run(ctx, () => next());
-    } else {
-      next();
-    }
+  // Always establish an ALS scope, even when the path carries no tenant
+  // slugs. Authenticated loaders (e.g. the `_app` layout) then enrich the
+  // same scope with `userId`, so non-tenant pages still get user attribution.
+  return function tenantContextMiddleware(req: Request, res: Response, next: NextFunction) {
+    tenantContext.run(resolver(req.path), () => next());
   };
 }
 

apps/webapp/app/utils/sentryTenantContext.server.ts

@@ -6,20 +6,20 @@ export function addTenantContextToEvent(event: Event, _hint: EventHint): Event {
   if (!ctx) return event;
   return {
     ...event,
-    user: {
-      ...event.user,
-      id: ctx.org.id,
-      username: ctx.org.slug,
-    },
+    // Only stamp user.id when we have a real user — keeps "Users Impacted"
+    // counting distinct humans rather than mixing in tenants. Events without
+    // a known user (e.g. unauthenticated paths) skip user attribution.
+    ...(ctx.userId ? { user: { ...event.user, id: ctx.userId } } : {}),
     tags: {
       ...event.tags,
-      org_id: ctx.org.id,
-      org_slug: ctx.org.slug,
-      project_id: ctx.project.id,
-      project_ref: ctx.project.ref,
-      environment_id: ctx.environment.id,
-      env_slug: ctx.environment.slug,
-      env_type: ctx.environment.type,
+      ...(ctx.orgSlug ? { org_slug: ctx.orgSlug } : {}),
+      ...(ctx.projectSlug ? { project_slug: ctx.projectSlug } : {}),
+      ...(ctx.envSlug ? { env_slug: ctx.envSlug } : {}),
+      ...(ctx.orgId ? { org_id: ctx.orgId } : {}),
+      ...(ctx.projectId ? { project_id: ctx.projectId } : {}),
+      ...(ctx.projectRef ? { project_ref: ctx.projectRef } : {}),
+      ...(ctx.envId ? { environment_id: ctx.envId } : {}),
+      ...(ctx.envType ? { env_type: ctx.envType } : {}),
       ...(ctx.impersonating ? { impersonating: "true" } : {}),
     },
   };

apps/webapp/test/sentryTenantContext.test.ts

@@ -3,10 +3,20 @@ import type { Event } from "@sentry/remix";
 import { tenantContext } from "../app/services/tenantContext.server";
 import { addTenantContextToEvent } from "../app/utils/sentryTenantContext.server";
 
-const sample = {
-  org: { id: "org_1", slug: "acme" },
-  project: { id: "proj_1", ref: "proj_abc" },
-  environment: { id: "env_1", slug: "prod", type: "PRODUCTION" as const },
+const slugOnly = {
+  orgSlug: "acme",
+  projectSlug: "web",
+  envSlug: "prod",
+};
+
+const enrichedWithUser = {
+  ...slugOnly,
+  userId: "usr_42",
+  orgId: "org_1",
+  projectId: "proj_1",
+  projectRef: "proj_abc",
+  envId: "env_1",
+  envType: "PRODUCTION" as const,
 };
 
 describe("addTenantContextToEvent", () => {
@@ -16,37 +26,68 @@ describe("addTenantContextToEvent", () => {
     expect(out).toEqual(event);
   });
 
-  it("stamps user + tags when ALS context is set", () => {
-    tenantContext.run(sample, () => {
+  it("stamps only userId when the scope holds just a user (non-tenant page)", () => {
+    tenantContext.run({ userId: "usr_42" }, () => {
       const event: Event = { message: "boom", tags: { existing: "1" } };
       const out = addTenantContextToEvent(event, {});
-      expect(out.user).toEqual({ id: "org_1", username: "acme" });
+      expect(out.user).toEqual({ id: "usr_42" });
+      expect(out.tags).toEqual({ existing: "1" });
+    });
+  });
+
+  it("stamps slug tags and no user.id when only slugs are set", () => {
+    tenantContext.run(slugOnly, () => {
+      const event: Event = { message: "boom", tags: { existing: "1" } };
+      const out = addTenantContextToEvent(event, {});
+      expect(out.user).toBeUndefined();
       expect(out.tags).toMatchObject({
         existing: "1",
-        org_id: "org_1",
         org_slug: "acme",
+        project_slug: "web",
+        env_slug: "prod",
+      });
+      expect(out.tags?.org_id).toBeUndefined();
+      expect(out.tags?.env_type).toBeUndefined();
+    });
+  });
+
+  it("stamps user.id + full tag set when fully enriched", () => {
+    tenantContext.run(enrichedWithUser, () => {
+      const out = addTenantContextToEvent({}, {});
+      expect(out.user).toEqual({ id: "usr_42" });
+      expect(out.tags).toMatchObject({
+        org_slug: "acme",
+        project_slug: "web",
+        env_slug: "prod",
+        org_id: "org_1",
         project_id: "proj_1",
         project_ref: "proj_abc",
         environment_id: "env_1",
-        env_slug: "prod",
         env_type: "PRODUCTION",
       });
-      expect(out.tags?.impersonating).toBeUndefined();
+    });
+  });
+
+  it("emits no slug/ID tags when scope is empty", () => {
+    tenantContext.run({}, () => {
+      const out = addTenantContextToEvent({ tags: { existing: "1" } }, {});
+      expect(out.tags).toEqual({ existing: "1" });
+      expect(out.user).toBeUndefined();
     });
   });
 
   it("adds impersonating tag when flag set", () => {
-    tenantContext.run({ ...sample, impersonating: true }, () => {
+    tenantContext.run({ ...slugOnly, impersonating: true }, () => {
       const out = addTenantContextToEvent({}, {});
       expect(out.tags?.impersonating).toBe("true");
     });
   });
 
   it("preserves prior event.user fields it does not own", () => {
-    tenantContext.run(sample, () => {
+    tenantContext.run(enrichedWithUser, () => {
       const event: Event = { user: { ip_address: "1.2.3.4" } };
       const out = addTenantContextToEvent(event, {});
-      expect(out.user).toEqual({ ip_address: "1.2.3.4", id: "org_1", username: "acme" });
+      expect(out.user).toEqual({ ip_address: "1.2.3.4", id: "usr_42" });
     });
   });
 });