Port fetch-incident-logs.sh to Cloud V2 admin reports API#3391
Conversation
The V1 agent incidents endpoint (/api/agent/incidents, X-Agent-Key) lives in the frozen cloud/ tree and is superseded by the Cloud V2 reports system. The script now reads GET /api/admin/reports[/:id[/artifacts/:id]] with a MENTRA_ADMIN_TOKEN bearer (msk_ org API key allowlisted via CLOUD_CORE_ADMIN_EMAILS, or a WorkOS admin token), downloads report.json plus every artifact (log bundles, screenshots) into ./incident-logs/<reportId>/, and adds --json, --list, and --env prod|staging|dev modes. Update the AGENTS.md Bug Report Logs section to match and gitignore the download directory.
📋 PR Review Helper📱 Mobile App Build⏳ Waiting for build... 🕶️ ASG Client Build⏳ Waiting for build... 🔀 Test Locallygh pr checkout 3391 |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d03fac2c40
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Artifact source (and screenshot filename) are client-supplied free text, so a value containing / or .. would make the download mv target a nested or parent path — failing under set -e and aborting the remaining artifacts. Strip all path-shaping characters from every metadata-derived filename component and fall back to placeholders when nothing survives.
|
Merge-order note: #3388 (console-mcp V2 port) edits the same AGENTS.md "Bug Report Logs" section — this PR's "MCP not ported yet" line and #3388's "script still V1" line each go stale when the other lands. Whichever merges second should reconcile the section to: script→V2 and MCP→V2 ( |
Scope
scripts/fetch-incident-logs.shstill called the Cloud V1 agent endpoint (GET /api/agent/incidents/:id/logswithX-Agent-Key), which lives in the frozencloud/tree. This ports it to the Cloud V2 reports system using the admin read API that landed in #3378 — no V1 fallback, per the plan to removecloud/../scripts/fetch-incident-logs.sh rep_01...fetchesGET /api/admin/reports/:reportIdand downloads every artifact (GET .../artifacts/:artifactId) into./incident-logs/<reportId>/:report.json(full document + asset rows), pretty-printedNN-logs-<source>.jsonbundles, and screenshots with extensions derived from content type (client filenames sanitized).--jsonprints the raw report JSON to stdout (pipe-to-jq mode, V1 spirit);--list [--kind|--status|--limit]lists recent reports.MENTRA_ADMIN_TOKENsent asAuthorization: Bearer— an org API key (msk_...) whose synthetic email is allowlisted viaCLOUD_CORE_ADMIN_EMAILS, or a WorkOS admin access token. Deliberately not reusingMENTRA_AGENT_API_KEY: V1 agent keys are not valid V2 bearers, and silently sending one would produce confusing 401s.--env prod|staging|dev(default prod,core.mentraglass.com) orMENTRA_CORE_URL(matches the CLI convention). Targeted messages for 401/403/404, including the collecting-status hint that a device may still be uploading.incident-logs/gitignored.Test evidence
cloud-v2/packages/core/src/api/admin/reports.api.ts) and its integration test (cloud-v2/tests/admin-reports.integration.test.ts).--listfilters,--json, full fetch (pretty-printed JSON logs, PNG bytes intact, unsafe filename sanitization), 404 messaging, and a failing artifact (skips it, downloads the rest, exits 1)./healthz200 and return the expected 401 envelope on/api/admin/reportsunauthenticated. A live authenticated run needs an admin-allowlistedmsk_key — pending credentials.Notes
cloud/packages/console-mcp(incident_get/incident_get_logs) still speaks V1; porting it is spun off as a separate task, and AGENTS.md now says so.Note
Low Risk
Developer-tooling and documentation only; no runtime services or app code paths change.
Overview
fetch-incident-logs.shno longer calls the frozen Cloud V1 agent incidents endpoint (X-Agent-Key/ UUID incident ids). It now uses the Cloud V2 admin reports API oncore.*withMENTRA_ADMIN_TOKENas a Bearer token (msk_...or WorkOS admin).Default fetch downloads
report.jsonand every artifact into./incident-logs/<reportId>/, with sanitized local filenames, content-type-based extensions, and pretty-printed JSON log bundles. New modes:--json,--list(kind/status/limit filters),--env prod|staging|dev, andMENTRA_CORE_URL. HTTP 401/403/404 responses get targeted error text; partial artifact failures skip and exit non-zero.AGENTS.md“Bug Report Logs” is rewritten forrep_01...ids and the new auth/output layout, and notes that mentra-console MCP is still on V1.incident-logs/is added to.gitignore.Reviewed by Cursor Bugbot for commit d23e461. Bugbot is set up for automated code reviews on this repo. Configure here.