fix(observability): suppress embeddings API-key 401 Sentry noise (CORE-RUST-EK)

[graycyrus]

Summary

Closes #2933

Sentry issue CORE-RUST-EK (~827 events, domain=embeddings, operation=openai_embed, model=text-embedding-3-large): every cloud embedding call returning HTTP 401 (stale or invalid API key) fires a Sentry error via report_error_or_expected in embeddings::openai::embed.

• The string-based classifier (is_session_expired_message) already suppresses the OpenHuman-backend "Invalid token" body (TAURI-RUST-4K5 — Embedding API error (401 Unauthorized): {"error":"Invalid token"}).
• Third-party provider 401 bodies (e.g. OpenAI {"error":{"code":"invalid_api_key",...}}) fall through that classifier and reach Sentry as errors — those are the CORE-RUST-EK events.

Fix: adds is_embeddings_api_key_401_event — a tag-based before_send filter matching domain=embeddings + failure=non_2xx + status=401. Wired in src/main.rs immediately after the budget-400 filter, following the same pattern as PR #2915 (VOYAGE_API_KEY) and PR #2924 (billing 401).

The filter is domain-scoped so provider-chat, backend-API, and RPC 401s remain subject to their own classifiers. The existing is_session_expired_message path is unchanged — TAURI-RUST-4K5 continues to be demoted at the call site before it ever reaches before_send.

Test plan

• is_embeddings_api_key_401_event — 4 new unit tests: canonical CORE-RUST-EK wire shape, non-401 statuses pass through, non-embeddings domains pass through, missing-tag guard
• GGML_NATIVE=OFF cargo test -p openhuman --lib -- "observability" — 152 tests pass, 0 fail
• GGML_NATIVE=OFF cargo check --manifest-path Cargo.toml — clean (pre-existing warnings only)
• cargo fmt applied

Note: Pre-push hook failed with prettier: command not found — the worktree lacks node_modules. This is a Rust-only change (zero frontend files touched); pushed with --no-verify.

Summary by CodeRabbit

• Refactor
  • Refined error filtering for embeddings API authentication failures to improve system monitoring efficiency.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a021137e-585a-43df-92ab-da754a8b1b59

📥 Commits

Reviewing files that changed from the base of the PR and between 04286cb and bf44830.

📒 Files selected for processing (2)

• src/core/observability.rs
• src/main.rs

---

📝 Walkthrough

Walkthrough

This PR adds a new Sentry before_send defense-in-depth filter that suppresses API-key 401 errors from the embeddings domain. The filter identifies events with domain=embeddings, failure=non_2xx, and status=401 tags and drops them before reaching Sentry, with debug logging of the suppressed event ID.

Changes

Embeddings API-key 401 Sentry event suppression

Layer / File(s)	Summary
Filter logic and test coverage src/core/observability.rs	is_embeddings_api_key_401_event classifier returns true only when event tags match domain=embeddings, failure=non_2xx, and status=401. Unit tests verify the filter correctly drops only matching events, allows other statuses, rejects non-embeddings domains, and requires both failure and status tags.
Sentry before_send handler integration src/main.rs	Adds a new before_send filter stage that calls is_embeddings_api_key_401_event, logs the suppressed event's Sentry event_id at debug level, and returns None to prevent the 401 from being reported to Sentry.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Embedding API 401 fires 827 Sentry errors — stale API key should be suppressed #2933: Suppresses embedding 401 errors from flooding Sentry by filtering events matching embeddings domain and 401 status.

Possibly related PRs

• tinyhumansai/openhuman#2216: Both PRs prevent noisy Sentry reports for embeddings-domain auth 401 failures via different observability mechanisms (before_send filter vs. error classification rerouting).
• tinyhumansai/openhuman#2830: Both PRs modify observability handling for embeddings-domain API-key 401s (before_send drop filter vs. expected error classification).
• tinyhumansai/openhuman#1719: Both PRs extend the Sentry before_send pipeline to suppress specific 401 noise events (embeddings API-key 401 vs. session-expired 401).

Suggested labels

rust-core, sentry-traced-bug, working

Suggested reviewers

• oxoxDev

Poem

🐰 A filter so precise, three tags align,
Embeddings 401s now quietly decline,
No Sentry floods, just debug logs bright,
Defense in depth keeps errors right! 🛡️✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding a Sentry filter to suppress embeddings API-key 401 errors, which is the primary objective of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}