chore(observability): Integrates with Sentry

Author: timothedelion

.env.example

@@ -12,3 +12,12 @@ GITGUARDIAN_URL=https://dashboard.gitguardian.com
 
 # Log level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
 LOG_LEVEL=INFO
+
+# Optional: Sentry Integration for Error Tracking
+# Sentry provides error tracking and performance monitoring
+# Install with: pip install 'secops-mcp-server[sentry]'
+# SENTRY_DSN=https://your-sentry-dsn@sentry.io/project-id
+# SENTRY_ENVIRONMENT=production
+# SENTRY_RELEASE=1.0.0
+# SENTRY_TRACES_SAMPLE_RATE=0.1
+# SENTRY_PROFILES_SAMPLE_RATE=0.1

DEVELOPMENT.md

@@ -172,6 +172,45 @@ For all transport modes, you can provide a PAT via environment variable:
 GITGUARDIAN_PERSONAL_ACCESS_TOKEN=<your-pat> developer-mcp-server
 ```
 
+## Optional Dependencies
+
+The project supports optional dependencies (extras) for additional features:
+
+### Installing Optional Dependencies
+
+```bash
+# Install with specific extras during development
+uv sync --extra sentry
+
+# Install all optional dependencies
+uv sync --all-extras
+
+# Add an optional dependency to the project
+uv add --optional sentry sentry-sdk
+```
+
+### Using Optional Dependencies with uvx
+
+When running the server with `uvx` from Git, you can include optional dependencies:
+
+```bash
+# Include extras using the #egg syntax
+uvx --from 'git+https://github.com/GitGuardian/ggmcp.git@main#egg=secops-mcp-server[sentry]' secops-mcp-server
+
+# Or install the optional dependency separately
+uv pip install sentry-sdk
+uvx --from git+https://github.com/GitGuardian/ggmcp.git@main secops-mcp-server
+```
+
+### Current Optional Dependencies
+
+- **sentry**: Adds Sentry SDK for error tracking and performance monitoring
+  - Core package: `gg-api-core[sentry]`
+  - Available in: `developer-mcp-server[sentry]`, `secops-mcp-server[sentry]`
+  - Implementation: `gg_api_core/src/gg_api_core/sentry_integration.py`
+  - Used for: Production error monitoring and alerting
+  - See individual package READMEs for configuration details
+
 ## Testing
 
 Run tests using uv (OAuth is disabled by default in tests):

packages/developer_mcp_server/README.md

@@ -44,6 +44,11 @@ Note: Honeytoken scopes are omitted for self-hosted instances as they require th
 |----------|-------------|---------|
 | `GITGUARDIAN_URL` | GitGuardian base URL | `https://dashboard.gitguardian.com` (SaaS US), `https://dashboard.eu1.gitguardian.com` (SaaS EU), `https://dashboard.gitguardian.mycorp.local` (Self-Hosted) |
 | `GITGUARDIAN_SCOPES` | Comma-separated list of OAuth scopes | Auto-detected based on instance type |
+| `SENTRY_DSN` | Sentry Data Source Name for error tracking (optional) | None |
+| `SENTRY_ENVIRONMENT` | Environment name for Sentry (optional) | `production` |
+| `SENTRY_RELEASE` | Release version or commit SHA for Sentry (optional) | None |
+| `SENTRY_TRACES_SAMPLE_RATE` | Performance traces sampling rate 0.0-1.0 (optional) | `0.1` |
+| `SENTRY_PROFILES_SAMPLE_RATE` | Profiling sampling rate 0.0-1.0 (optional) | `0.1` |
 
 **OAuth Callback Server**: The OAuth authentication flow uses a local callback server on port range 29170-29998 (same as ggshield). This ensures compatibility with self-hosted GitGuardian instances where the `ggshield_oauth` client is pre-configured with these redirect URIs.
 
@@ -53,6 +58,52 @@ Note: Honeytoken scopes are omitted for self-hosted instances as they require th
 
 To override auto-detection, set `GITGUARDIAN_SCOPES` explicitly in your MCP configuration.
 
+## Optional Integrations
+
+### Sentry Error Tracking
+
+The MCP server supports optional Sentry integration for error tracking and performance monitoring. This is completely optional and designed to avoid vendor lock-in.
+
+**Installation:**
+
+```bash
+# Install with pip
+pip install 'developer-mcp-server[sentry]'
+
+# Install with uv (in a project)
+uv add 'developer-mcp-server[sentry]'
+
+# Run with uvx (from Git)
+uvx --from 'git+https://github.com/GitGuardian/ggmcp.git@main#egg=developer-mcp-server[sentry]' developer-mcp-server
+
+# Or install Sentry SDK separately (works with any installation method)
+pip install sentry-sdk>=2.0.0
+uv pip install sentry-sdk>=2.0.0
+```
+
+**Configuration:**
+
+Set the `SENTRY_DSN` environment variable to enable Sentry:
+
+```bash
+export SENTRY_DSN="https://your-key@sentry.io/project-id"
+export SENTRY_ENVIRONMENT="development"
+export SENTRY_RELEASE="1.0.0"
+
+# Then run the server as usual
+developer-mcp-server
+```
+
+**Features:**
+
+- Automatic exception tracking
+- Performance monitoring with configurable sampling
+- Logging integration (INFO+ as breadcrumbs, ERROR+ as events)
+- Optional profiling support
+- Privacy-focused (PII not sent by default)
+
+If `SENTRY_DSN` is not set, the server runs normally without any error tracking overhead.
+
 ## Honeytoken Management
 
 The server provides functions to create and manage honeytokens, which are fake credentials that can be used to detect unauthorized access to your systems.

packages/developer_mcp_server/pyproject.toml

@@ -22,14 +22,19 @@ classifiers = [
 ]
 readme = "README.md"
 requires-python = ">=3.11"
+license = {text = "MIT"}
 dependencies = [
     "fastmcp>=2.0.0",
     "httpx>=0.24.0",
     "pydantic>=2.0.0",
     "gg-api-core",
     "uvicorn>=0.27.0"
 ]
-license = {text = "MIT"}
+
+[project.optional-dependencies]
+sentry = [
+    "gg-api-core[sentry]",
+]
 
 
 [project.scripts]

packages/developer_mcp_server/src/developer_mcp_server/server.py

@@ -5,6 +5,7 @@
 
 from gg_api_core.mcp_server import get_mcp_server
 from gg_api_core.scopes import set_developer_scopes
+from gg_api_core.sentry_integration import init_sentry
 
 from developer_mcp_server.register_tools import DEVELOPER_INSTRUCTIONS, register_developer_tools
 
@@ -29,6 +30,13 @@
 def run_mcp_server():
     logger.info("Starting Developer MCP server...")
 
+    # Initialize Sentry if configured (optional)
+    sentry_enabled = init_sentry()
+    if sentry_enabled:
+        logger.info("Sentry monitoring is enabled")
+    else:
+        logger.debug("Sentry monitoring is not configured")
+
     # Check if HTTP/SSE transport is requested via environment variables
     mcp_port = os.environ.get("MCP_PORT")
     mcp_host = os.environ.get("MCP_HOST", "127.0.0.1")

packages/gg_api_core/pyproject.toml

@@ -22,14 +22,19 @@ classifiers = [
 ]
 readme = "README.md"
 requires-python = ">=3.11"
+license = {text = "MIT"}
 dependencies = [
     "httpx>=0.28.1",
     "fastmcp>=2.0.0",
     "python-dotenv>=1.0.0",
     "pydantic-settings>=2.0.0",
     "jinja2>=3.1.0",
 ]
-license = {text = "MIT"}
+
+[project.optional-dependencies]
+sentry = [
+    "sentry-sdk>=2.0.0",
+]
 
 [build-system]
 requires = ["hatchling"]

packages/gg_api_core/src/gg_api_core/sentry_integration.py

@@ -0,0 +1,161 @@
+"""Optional Sentry integration for error tracking and monitoring.
+
+This module provides optional Sentry instrumentation that can be enabled
+via environment variables. It's designed to be non-invasive and vendor-neutral,
+allowing users to opt-in to Sentry monitoring without forcing a dependency.
+
+Environment Variables:
+    SENTRY_DSN: Sentry Data Source Name (required to enable Sentry)
+    SENTRY_ENVIRONMENT: Environment name (e.g., production, development)
+    SENTRY_RELEASE: Release version or commit SHA
+    SENTRY_TRACES_SAMPLE_RATE: Sampling rate for performance traces (0.0 to 1.0)
+    SENTRY_PROFILES_SAMPLE_RATE: Sampling rate for profiling (0.0 to 1.0)
+"""
+
+import logging
+import os
+from typing import Any
+
+logger = logging.getLogger(__name__)
+
+
+def init_sentry() -> bool:
+    """
+    Initialize Sentry SDK if configured via environment variables.
+
+    This function attempts to import and configure Sentry SDK only if
+    SENTRY_DSN is provided. It gracefully handles missing sentry-sdk
+    installation and logs appropriate messages.
+
+    Returns:
+        bool: True if Sentry was successfully initialized, False otherwise
+
+    Example:
+        >>> import os
+        >>> os.environ["SENTRY_DSN"] = "https://..."
+        >>> init_sentry()
+        True
+    """
+    dsn = os.environ.get("SENTRY_DSN")
+
+    if not dsn:
+        logger.debug("SENTRY_DSN not configured, skipping Sentry initialization")
+        return False
+
+    try:
+        import sentry_sdk
+        from sentry_sdk.integrations.logging import LoggingIntegration
+    except ImportError:
+        logger.warning("Sentry SDK not installed")
+        return False
+
+    # Get optional configuration from environment
+    environment = os.environ.get("SENTRY_ENVIRONMENT", "production")
+    release = os.environ.get("SENTRY_RELEASE")
+    traces_sample_rate = float(os.environ.get("SENTRY_TRACES_SAMPLE_RATE", "0.1"))
+    profiles_sample_rate = float(os.environ.get("SENTRY_PROFILES_SAMPLE_RATE", "0.1"))
+
+    # Configure logging integration
+    logging_integration = LoggingIntegration(
+        level=logging.INFO,  # Capture info and above as breadcrumbs
+        event_level=logging.ERROR,  # Send errors as events
+    )
+
+    try:
+        sentry_sdk.init(
+            dsn=dsn,
+            environment=environment,
+            release=release,
+            traces_sample_rate=traces_sample_rate,
+            profiles_sample_rate=profiles_sample_rate,
+            integrations=[logging_integration],
+            # Automatically capture unhandled exceptions
+            send_default_pii=False,  # Don't send personally identifiable information by default
+        )
+
+        logger.info(
+            f"Sentry initialized successfully for environment: {environment}"
+            + (f", release: {release}" if release else "")
+        )
+        return True
+
+    except Exception as e:
+        logger.error(f"Failed to initialize Sentry: {str(e)}")
+        return False
+
+
+def set_sentry_context(key: str, value: Any) -> None:
+    """
+    Set additional context for Sentry error reporting.
+
+    This is a convenience wrapper that safely sets context even if
+    Sentry is not initialized.
+
+    Args:
+        key: Context key (e.g., "user", "workspace", "api_token")
+        value: Context value (can be dict, string, etc.)
+
+    Example:
+        >>> set_sentry_context("workspace", {"id": "123", "name": "acme"})
+    """
+    try:
+        import sentry_sdk
+
+        sentry_sdk.set_context(key, value)
+    except ImportError:
+        # Sentry not installed, silently skip
+        pass
+    except Exception as e:
+        logger.debug(f"Failed to set Sentry context: {str(e)}")
+
+
+def set_sentry_user(user_info: dict[str, Any]) -> None:
+    """
+    Set user information for Sentry error reporting.
+
+    This is a convenience wrapper that safely sets user info even if
+    Sentry is not initialized.
+
+    Args:
+        user_info: Dictionary with user information (id, email, username, etc.)
+
+    Example:
+        >>> set_sentry_user({"id": "123", "email": "user@example.com"})
+    """
+    try:
+        import sentry_sdk
+
+        sentry_sdk.set_user(user_info)
+    except ImportError:
+        # Sentry not installed, silently skip
+        pass
+    except Exception as e:
+        logger.debug(f"Failed to set Sentry user: {str(e)}")
+
+
+def capture_exception(exception: Exception, **kwargs) -> None:
+    """
+    Manually capture an exception to Sentry.
+
+    This is useful for handled exceptions that you still want to track.
+
+    Args:
+        exception: The exception to capture
+        **kwargs: Additional context to attach to the event
+
+    Example:
+        >>> try:
+        ...     risky_operation()
+        ... except ValueError as e:
+        ...     capture_exception(e, extra={"operation": "risky_operation"})
+        ...     handle_error(e)
+    """
+    try:
+        import sentry_sdk
+
+        sentry_sdk.capture_exception(exception, **kwargs)
+    except ImportError:
+        # Sentry not installed, silently skip
+        pass
+    except Exception as e:
+        logger.debug(f"Failed to capture exception in Sentry: {str(e)}")