@narengogi
Collaborator

No description provided.

@matter-code-review
Contributor

matter-code-review bot commented Oct 27, 2025

Code Quality new feature security enhancement performance optimization

Description

Summary By MatterAI

🔄 What Changed

  • Added Qualifire integration for AI safety guardrails (dangerous content, PII, hallucinations, etc.)
  • Implemented 12 new Qualifire handlers under plugins/qualifire/
  • Added shared utilities: postQualifire, convertToMessages, parseAvailableTools
  • Integrated WalledAI with updated auth header and default greetings list
  • Updated version to 1.13.0 in package.json
  • Enhanced error logging in chatCompletionsHandler and handlerUtils

🔍 Impact of the Change

Introduces comprehensive AI safety evaluation via Qualifire for content moderation, policy enforcement, and output quality. Enables pre/post-request analysis for prompt injections, PII leakage, grounding, and hallucinations. Strengthens observability with improved error logging. Enhances WalledAI integration with proper API key handling.

📁 Total Files Changed

| Change | File | ChangeLog |
|---|---|---|
| Version Bump | package.json | Updated version to 1.13.0 |
| Plugin Index | plugins/index.ts | Registered 12 new Qualifire handlers and walledprotect |
| Dangerous Content | plugins/qualifire/dangerousContent.ts | Added handler for detecting dangerous content in prompts/responses |
| Globals Utils | plugins/qualifire/globals.ts | Added shared functions: postQualifire, convertToMessages, parseAvailableTools |
| Grounding Check | plugins/qualifire/grounding.ts | Added handler to verify response grounding in context |
| Hallucinations | plugins/qualifire/hallucinations.ts | Added handler to detect hallucinated content |
| Harassment | plugins/qualifire/harassment.ts | Added handler for harassment detection |
| Hate Speech | plugins/qualifire/hateSpeech.ts | Added hate speech detection handler |
| Instruction Following | plugins/qualifire/instructionFollowing.ts | Added handler to validate instruction adherence |
| PII Detection | plugins/qualifire/pii.ts | Added handler to detect personally identifiable information |
| Policy Check | plugins/qualifire/policy.ts | Added handler for custom policy assertion evaluation |
| Prompt Injections | plugins/qualifire/promptInjections.ts | Added handler to detect prompt injection attempts |
| Sexual Content | plugins/qualifire/sexualContent.ts | Added handler for sexual content detection |
| Tool Use Quality | plugins/qualifire/toolUseQuality.ts | Added handler to evaluate tool selection quality |
| WalledAI Test | plugins/walledai/walledai.test.ts | Added conversational text format test case |
| Walled Protect | plugins/walledai/walledprotect.ts | Updated with x-api-key header and default greetings |
| Chat Handler | src/handlers/chatCompletionsHandler.ts | Enhanced error logging with stack trace |
| Handler Utils | src/handlers/handlerUtils.ts | Added virtualKeyDetails and integrationDetails to config |

🧪 Test Added/Recommended

Added

  • Comprehensive unit tests in qualifire.test.ts (2426 additions) covering all 12 handlers
  • Test cases for convertToMessages with complex content types and tool calls
  • Mocked API responses and error scenarios for all handlers
  • WalledAI test for conversational text format with greetings and PII lists

Recommended

  • Integration tests with real Qualifire API endpoints
  • Performance benchmarking for handler execution time
  • End-to-end flow testing with multiple guardrails enabled
  • Negative test cases for malformed inputs and edge JSON structures

🔒Security Vulnerabilities

  • Ensure QUALIFIRE_API_KEY is validated and not logged in any error messages
  • Validate that convertContent and convertToolCalls properly sanitize inputs to prevent injection
  • Confirm that delete e.stack doesn't mask critical security-relevant error details

⏳ Estimated code review effort

HIGH (~35 minutes)

Tip

Quality Recommendations

  1. Add input validation for Qualifire API key to prevent empty/invalid keys from reaching the API

  2. Implement request timeout configuration for Qualifire API calls to prevent hanging requests

  3. Add rate limiting for Qualifire API calls to prevent abuse and ensure stability

  4. Include response validation for Qualifire API to handle malformed responses gracefully

  5. Add caching mechanism for repeated policy evaluations to improve performance

  6. Enhance error logging in handlerUtils to include context about which plugin failed

  7. Validate that convertContent properly handles and sanitizes all input types to prevent injection

♫ Tanka Poem

Code now watches code,
Qualifire guards every word,
No toxic leaks through.
Metrics flow like quiet streams,
AI minds stay safe and clean. 🌊🛡️

Sequence Diagram

sequenceDiagram
    participant User
    participant Gateway
    participant Qualifire
    participant WalledAI

    User->>Gateway: POST /v1/chat/completions
    Gateway->>Gateway: execute beforeRequestHook
    
    alt Prompt Injections Check
        Gateway->>Qualifire: postQualifire(input, prompt_injections: true)
        Qualifire-->>Gateway: {verdict: boolean, data: results}
    end
    
    alt PII Check
        Gateway->>Qualifire: postQualifire(input, pii_check: true)
        Qualifire-->>Gateway: {verdict: boolean, data: results}
    end
    
    alt Dangerous Content Check
        Gateway->>Qualifire: postQualifire(input, dangerous_content_check: true)
        Qualifire-->>Gateway: {verdict: boolean, data: results}
    end
    
    alt WalledAI Protection
        Gateway->>WalledAI: POST /v1/walled-protect
        WalledAI-->>Gateway: {verdict: boolean, data: results}
    end
    
    Gateway->>Upstream: Forward request to AI provider
    Upstream-->>Gateway: Return response
    Gateway->>Gateway: execute afterRequestHook
    
    alt Grounding Check
        Gateway->>Qualifire: postQualifire(input, output, grounding_check: true)
        Qualifire-->>Gateway: {verdict: boolean, data: results}
    end
    
    alt Hallucinations Check
        Gateway->>Qualifire: postQualifire(input, output, hallucinations_check: true)
        Qualifire-->>Gateway: {verdict: boolean, data: results}
    end
    
    alt Policy Compliance
        Gateway->>Qualifire: postQualifire(input, output, assertions: [policies])
        Qualifire-->>Gateway: {verdict: boolean, data: results}
    end
    
    Gateway-->>User: Return final response
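
An added example, not code from this PR or from the gateway or Qualifire projects, for the logging concern in the Security Vulnerabilities list above: build a log-safe copy of an error that keeps the stack trace instead of deleting it, while masking secret values. `validateApiKey`, `redact`, `toLoggableError` and the sample key used with them are hypothetical names and constructed values.

```typescript
// Added illustration; every name here is hypothetical, not the gateway's API.
const REDACTED = '[REDACTED]';

interface LoggableError {
  name: string;
  message: string;
  stack: string | undefined;
}

// Reject keys that are not strings, are empty, or contain whitespace or
// control characters, before they are placed in a request header.
function validateApiKey(key: unknown): key is string {
  return typeof key === 'string' && key.length > 0 && !/[\s\x00-\x1f]/.test(key);
}

// Mask every occurrence of each known secret, then mask header-style leaks
// whose value is not in the list ("x-api-key: value", "Bearer value").
// Secrets shorter than 4 characters are skipped so that common substrings
// are not blanked out across the whole message.
function redact(text: string, secrets: string[]): string {
  let out = text;
  for (const secret of secrets) {
    if (secret.length >= 4) out = out.split(secret).join(REDACTED);
  }
  return out
    .replace(/(x-api-key["']?\s*[:=]\s*["']?)[^\s"',}]+/gi, `$1${REDACTED}`)
    .replace(/(Bearer\s+)[A-Za-z0-9._~+\/=-]+/g, `$1${REDACTED}`);
}

// Build a copy that is safe to log: the stack is kept so the failure site
// stays visible, and secrets are masked in both the message and the stack.
function toLoggableError(err: unknown, secrets: string[]): LoggableError {
  if (err instanceof Error) {
    return {
      name: err.name,
      message: redact(err.message, secrets),
      stack: err.stack === undefined ? undefined : redact(err.stack, secrets),
    };
  }
  // Thrown strings and other non-Error values carry no stack.
  return { name: 'NonError', message: redact(String(err), secrets), stack: undefined };
}
```

Log the returned object rather than the original error, and pass every secret the failing call had access to in `secrets`.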

Contributor

@matter-code-review matter-code-review bot left a comment

🧪 PR Review is completed: Review of the new APM implementation with Prometheus and Winston. Key issues found in environment variable handling, error logging, and logger initialization.

Skipped files
  • package-lock.json: Skipped file pattern
  • wrangler.toml: Skipped file pattern
⬇️ Low Priority Suggestions (4)
src/apm/loki/logger.ts

Location: src/apm/loki/logger.ts (Lines 31-31)

🟡 Error Handling

Issue: The broad try-catch block in LokiLogger initialization swallows all errors and sets the logger to null, which can lead to silent failures and make debugging difficult.

Fix: Log specific errors during initialization to help with debugging while still providing a fallback.

Impact: Improves debuggability and error visibility

-    LokiLogger = null;
+    console.error('[LOKI LOGGER] Failed to initialize Loki logger:', error);
+    LokiLogger = null;
+  
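
Review bot: The added `console.error` passes the raw `error` object, and the name `error` has to match the catch binding, which these lines do not show. If the Loki transport's initialization error carries its endpoint URL or credentials, logging the whole object puts them on stderr, so log `error.message` (or a redacted copy) and keep the `LokiLogger = null` fallback as it is. The trailing whitespace-only `+` line can be dropped.
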
src/apm/prometheus/prometheusClient.ts

Location: src/apm/prometheus/prometheusClient.ts (Lines 27-27)

🟡 Performance

Issue: Calling Environment({}) multiple times (in envConfig.ts and here) may cause redundant environment variable parsing.

Fix: Use the already loaded environment variables from envVars instead of calling Environment({}) again.

Impact: Reduces redundant computation and improves performance

-        .PROMETHEUS_LABELS_METADATA_ALLOWED_KEYS?.replaceAll(' ', '')
+      envVars.PROMETHEUS_LABELS_METADATA_ALLOWED_KEYS?.replaceAll(' ', '')
+  
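
Review bot: The removed line begins with `.PROMETHEUS_LABELS_METADATA_ALLOWED_KEYS`, so it continues an expression that starts on the previous line, and this suggestion does not touch that line. Replacing only the continuation with `envVars.PROMETHEUS_LABELS_METADATA_ALLOWED_KEYS?.replaceAll(' ', '')` leaves the earlier receiver in place; the suggestion should span both lines, and `envVars` has to be in scope in this file. `replaceAll(' ', '')` also removes spaces only, so a tab or newline in the variable survives into the allowed-key list; `replace(/\s+/g, '')` covers those.
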
src/apm/prometheus/prometheusClient.ts

Location: src/apm/prometheus/prometheusClient.ts (Lines 322-322)

🟡 Error Handling

Issue: Returning an empty string on JSON parse error in getCustomLabels is not informative and may hide issues with metadata formatting.

Fix: Return an empty object instead to maintain consistent return types and allow for better error handling upstream.

Impact: Improves error handling consistency

-        return '';
+        return {};
+  
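
Review bot: Returning `{}` on the parse-error path changes the result from falsy to truthy, so a caller that checks it with `if (!labels)` or compares it to `''` stops noticing the failure. The stated issue also remains, because nothing is logged when the parse fails. Log the failure once without echoing the raw metadata value, and check the call sites of `getCustomLabels` before changing the return type.
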
src/apm/index.ts

Location: src/apm/index.ts (Lines 3-3)

🟡 Compatibility

Issue: Direct access to process.env may not work in all environments (e.g., Cloudflare Workers) and could cause runtime errors.

Fix: Add a check for process and process.env existence before accessing them.

Impact: Improves compatibility across different runtime environments

-  if (process && process.env.logger === 'loki') {
+  if (typeof process !== 'undefined' && process.env && process.env.logger === 'loki') {
+  

requiredEnvVars.forEach((varName) => {
if (!env[varName]) {
console.error(`Missing required environment variable: ${varName}`);
process.exit(1);

🔴 Security & Stability

Issue: Using process.exit(1) in library code can cause the entire application to crash abruptly without proper cleanup. This is especially problematic in serverless environments.

Fix: Throw a specific error that can be caught and handled by the application's error handling mechanism, allowing for graceful degradation.

Impact: Improves application stability and allows for better error handling

Suggested change
process.exit(1);
throw new Error(`Missing required environment variable: ${varName}`);
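
Review bot: The `console.error` on the line above the replaced `process.exit(1)` stays, so the same message is now both printed and thrown, and a caller that logs the caught error emits it twice; drop the `console.error` or leave logging to the caller. Throwing inside `forEach` also stops at the first missing name. Collect the missing names in the loop and throw one error after it that lists them all, naming the variables only and never their values.
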

@matter-code-review
Contributor

✅ Reviewed the changes: Review of APM integration for Prometheus and Winston/Loki

Contributor

@matter-code-review matter-code-review bot left a comment

🧪 PR Review is completed: Improved logger initialization with dynamic imports and type safety.

Contributor

@matter-code-review matter-code-review bot left a comment

🧪 PR Review is completed: Improved APM logger initialization with conditional loading based on environment configuration.

@matter-code-review
Contributor

✅ Reviewed the changes: Review of the addition of APM_LOGGER environment variable and related type safety improvements.

@matter-code-review
Contributor

✅ Reviewed the changes: Review complete. Found 1 issue related to potential sensitive data exposure in error logging.

@narengogi narengogi requested review from VisargD and b4s36t4 October 30, 2025 14:39
@matter-code-review
Contributor

✅ Reviewed the changes: Review of new Qualifire plugins and related updates. Identified issues with error logging and type safety.
