feat(diagnostics): attach trace context to otel logs

[vincentkoc]

Summary

• Problem: OTEL log export accepted OpenClaw log records but ignored diagnostic trace context carried in log metadata.
• Why it matters: logs produced inside traced work could not correlate with future spans even when callers passed a trace context explicitly.
• What changed: diagnostics-otel now extracts DiagnosticTraceContext from log bindings/metadata, exports explicit trace attributes, and attaches an OTEL log context when a span id is present.
• What did NOT change (scope boundary): no global trace registry, no retained trace maps, no automatic process-wide OTEL SDK state in core, no hook wiring yet.

Change Type

• Feature
• Changelog update

Validation

• pnpm test extensions/diagnostics-otel/src/service.test.ts
• pnpm test extensions/diagnostics-otel
• pnpm format:check -- CHANGELOG.md extensions/diagnostics-otel/src/service.ts extensions/diagnostics-otel/src/service.test.ts
• pnpm exec oxlint --tsconfig tsconfig.oxlint.extensions.json extensions/diagnostics-otel/src/service.ts extensions/diagnostics-otel/src/service.test.ts

Risks and Mitigations

• Risk: log metadata can contain arbitrary objects.
• Mitigation: trace context extraction validates trace/span ids and flags with SDK helpers before emitting OTEL trace fields.
• Risk: OTEL log context must not retain process-wide trace state.
• Mitigation: log records receive per-record context from validated metadata only; no global trace registry or retained maps were added.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#	Severity	Title
1	🟡 Medium	Telemetry poisoning via untrusted trace context injection into OTEL log records

1. 🟡 Telemetry poisoning via untrusted trace context injection into OTEL log records

Property	Value
Severity	Medium
CWE	CWE-345
Location	extensions/diagnostics-otel/src/service.ts:391-458

Description

diagnostics-otel now discovers a W3C-like trace context inside arbitrary log bindings / arguments and uses it to set an OpenTelemetry span context on exported log records.

• Input: bindings are parsed from the first log argument if it looks like JSON, and numericArgs include all remaining log arguments (registerLogTransport receives everything logged by the process).
• Propagation: findLogTraceContext() scans bindings and every numeric arg for an object containing { traceId, spanId, traceFlags } (or nested under .trace).
• Sink: when spanId is present, the code calls trace.setSpanContext(..., { traceId, spanId, traceFlags, isRemote: true }) and attaches the resulting context to logRecord.context.

This allows any code path that logs user-influenced objects (e.g., request payloads, webhook bodies, headers, plugin inputs) to inject attacker-chosen traceId/spanId into exported telemetry. In multi-tenant or shared OTEL backends, this can:

• Correlate attacker logs into unrelated traces (cross-tenant / cross-request correlation)
• Poison traces/log-based alerts and dashboards by fabricating parentage
• Mislead incident response by forging trace relationships

Vulnerable code:

const traceContext = findLogTraceContext(bindings, numericArgs);
...
if (traceContext?.spanId) {
  logRecord.context = trace.setSpanContext(otelContextApi.active(), {
    traceId: traceContext.traceId,
    spanId: traceContext.spanId,
    traceFlags: traceFlagsToOtel(traceContext.traceFlags),
    isRemote: true,
  });
}

Recommendation

Treat trace context as trusted-only and do not infer it from arbitrary log arguments.

Options (choose one):

1. Require an explicit, internal-only field (set by OpenClaw code, not by application payloads), and ignore all others:

​// Only accept from known binding key that OpenClaw sets (not from numeric args)
const traceContext = normalizeTraceContext(bindings?.__openclawTrace);

2. Gate on subsystem/logger (e.g., only when bindings.subsystem === "diagnostic") and only read from bindings, not arbitrary args.

3. If the intent is just to record IDs for debugging, only add attributes (openclaw.traceId, etc.) and do not set logRecord.context / isRemote.

Additionally, consider a config flag to disable this behavior in shared/multi-tenant deployments.

---

Analyzed PR: #70961 at commit 312565f

_{Last updated on: 2026-04-24T06:39:14Z}

[greptile-apps]

Greptile Summary

This PR wires DiagnosticTraceContext from log bindings/metadata into exported OTEL log records: explicit openclaw.traceId/spanId/parentSpanId/traceFlags attributes are appended via addTraceAttributes, and a non-recording remote span context is attached via trace.setSpanContext when a spanId is present. Validation reuses the SDK helpers (isValidDiagnosticTrace*) before touching any OTEL primitives, keeping the scope narrow and safe.

Confidence Score: 5/5

Safe to merge; all remaining findings are minor style or test-coverage suggestions.

No P0/P1 issues found. The validation logic is correct, the bitmask in traceFlagsToOtel is sound for the current W3C spec, and the truthiness checks on hex strings behave as intended. The three comments are P2 (attribute consistency, clarifying comment, and additional test coverage).

No files require special attention.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: extensions/diagnostics-otel/src/service.ts
Line: 156-158

Comment:
**`openclaw.traceFlags` silently absent when flags are undefined**

When `traceContext.traceFlags` is `undefined` (valid — the field is optional in `DiagnosticTraceContext`), `addTraceAttributes` omits the `openclaw.traceFlags` attribute, but the OTEL log context is still attached below with a default of `TraceFlags.NONE`. An attribute consumer has no way to infer the effective sampling state from the attributes alone.

Consider emitting the attribute whenever a span context is attached, using the same default that `traceFlagsToOtel` already applies:

```typescript
if (traceContext.spanId) {
  attributes["openclaw.traceFlags"] = traceContext.traceFlags ?? "00";
} else if (traceContext.traceFlags) {
  attributes["openclaw.traceFlags"] = traceContext.traceFlags;
}
```

Or more simply, always write it (conditionally on spanId presence) so attributes stay consistent with the attached OTEL span context.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: extensions/diagnostics-otel/src/service.ts
Line: 135-140

Comment:
**`traceFlagsToOtel` bitmask can silently drop additional W3C flag bits**

`(parsed & TraceFlags.SAMPLED) === TraceFlags.SAMPLED ? TraceFlags.SAMPLED : TraceFlags.NONE` strips every bit except the sampled bit and returns a value that may not equal the original numeric flags. For the current W3C spec this is harmless (only bit 0 is defined), but it differs from the semantics of just casting with `parsed as TraceFlags`. A brief comment explaining the intentional bitmask behaviour (rather than a direct cast) would prevent future readers from "correcting" this into `parsed as TraceFlags` and silently forwarding unknown bits.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: extensions/diagnostics-otel/src/service.test.ts
Line: 348-388

Comment:
**No test coverage for trace context embedded directly in bindings or for unsampled flags**

The test exercises trace context nested under a `trace` key on a positional argument (`numericArgs[1].trace`). Two branches of `normalizeTraceContext`/`findLogTraceContext` aren't exercised:

1. Trace context supplied at the root of a positional arg (direct form: `{ traceId, spanId, traceFlags }` without the `trace` wrapper).
2. `traceFlags: "00"` (unsampled) — worth verifying that `openclaw.traceFlags` is still emitted (the non-empty string `"00"` is truthy so it should be, but it is a non-obvious path).

Not blocking, but these cases are easy to add alongside the existing test.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "feat(diagnostics): attach trace context ..." | Re-trigger Greptile}

[greptile-apps]

openclaw.traceFlags silently absent when flags are undefined

When traceContext.traceFlags is undefined (valid — the field is optional in DiagnosticTraceContext), addTraceAttributes omits the openclaw.traceFlags attribute, but the OTEL log context is still attached below with a default of TraceFlags.NONE. An attribute consumer has no way to infer the effective sampling state from the attributes alone.

Consider emitting the attribute whenever a span context is attached, using the same default that traceFlagsToOtel already applies:

if (traceContext.spanId) {
  attributes["openclaw.traceFlags"] = traceContext.traceFlags ?? "00";
} else if (traceContext.traceFlags) {
  attributes["openclaw.traceFlags"] = traceContext.traceFlags;
}

Or more simply, always write it (conditionally on spanId presence) so attributes stay consistent with the attached OTEL span context.

Prompt To Fix With AI

This is a comment left during a code review.
Path: extensions/diagnostics-otel/src/service.ts
Line: 156-158

Comment:
**`openclaw.traceFlags` silently absent when flags are undefined**

When `traceContext.traceFlags` is `undefined` (valid — the field is optional in `DiagnosticTraceContext`), `addTraceAttributes` omits the `openclaw.traceFlags` attribute, but the OTEL log context is still attached below with a default of `TraceFlags.NONE`. An attribute consumer has no way to infer the effective sampling state from the attributes alone.

Consider emitting the attribute whenever a span context is attached, using the same default that `traceFlagsToOtel` already applies:

```typescript
if (traceContext.spanId) {
  attributes["openclaw.traceFlags"] = traceContext.traceFlags ?? "00";
} else if (traceContext.traceFlags) {
  attributes["openclaw.traceFlags"] = traceContext.traceFlags;
}
```

Or more simply, always write it (conditionally on spanId presence) so attributes stay consistent with the attached OTEL span context.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

traceFlagsToOtel bitmask can silently drop additional W3C flag bits

(parsed & TraceFlags.SAMPLED) === TraceFlags.SAMPLED ? TraceFlags.SAMPLED : TraceFlags.NONE strips every bit except the sampled bit and returns a value that may not equal the original numeric flags. For the current W3C spec this is harmless (only bit 0 is defined), but it differs from the semantics of just casting with parsed as TraceFlags. A brief comment explaining the intentional bitmask behaviour (rather than a direct cast) would prevent future readers from "correcting" this into parsed as TraceFlags and silently forwarding unknown bits.

Prompt To Fix With AI

This is a comment left during a code review.
Path: extensions/diagnostics-otel/src/service.ts
Line: 135-140

Comment:
**`traceFlagsToOtel` bitmask can silently drop additional W3C flag bits**

`(parsed & TraceFlags.SAMPLED) === TraceFlags.SAMPLED ? TraceFlags.SAMPLED : TraceFlags.NONE` strips every bit except the sampled bit and returns a value that may not equal the original numeric flags. For the current W3C spec this is harmless (only bit 0 is defined), but it differs from the semantics of just casting with `parsed as TraceFlags`. A brief comment explaining the intentional bitmask behaviour (rather than a direct cast) would prevent future readers from "correcting" this into `parsed as TraceFlags` and silently forwarding unknown bits.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

No test coverage for trace context embedded directly in bindings or for unsampled flags

The test exercises trace context nested under a trace key on a positional argument (numericArgs[1].trace). Two branches of normalizeTraceContext/findLogTraceContext aren't exercised:

1. Trace context supplied at the root of a positional arg (direct form: { traceId, spanId, traceFlags } without the trace wrapper).
2. traceFlags: "00" (unsampled) — worth verifying that openclaw.traceFlags is still emitted (the non-empty string "00" is truthy so it should be, but it is a non-obvious path).

Not blocking, but these cases are easy to add alongside the existing test.

Prompt To Fix With AI

This is a comment left during a code review.
Path: extensions/diagnostics-otel/src/service.test.ts
Line: 348-388

Comment:
**No test coverage for trace context embedded directly in bindings or for unsampled flags**

The test exercises trace context nested under a `trace` key on a positional argument (`numericArgs[1].trace`). Two branches of `normalizeTraceContext`/`findLogTraceContext` aren't exercised:

1. Trace context supplied at the root of a positional arg (direct form: `{ traceId, spanId, traceFlags }` without the `trace` wrapper).
2. `traceFlags: "00"` (unsampled) — worth verifying that `openclaw.traceFlags` is still emitted (the non-empty string `"00"` is truthy so it should be, but it is a non-obvious path).

Not blocking, but these cases are easy to add alongside the existing test.

How can I resolve this? If you propose a fix, please make it concise.