feat(otel): add OpenTelemetry ingest, query, and frontend traces UI (#18)

* feat(otel): add OpenTelemetry support with new permissions and plugin integration

- Introduced `temps-otel` crate to the workspace and updated dependencies in `Cargo.toml`.
- Added `OtelRead` and `OtelWrite` permissions to the `Permission` enum in `temps-auth`.
- Registered `OtelPlugin` in the console API for OpenTelemetry metrics, traces, and logs collection.
- Created migration for OpenTelemetry tables in the database.
- Updated relevant files to integrate OpenTelemetry functionality across the application.

* feat(otel): add OpenTelemetry ingest, query, and frontend traces UI

- Complete temps-otel crate: OTLP/HTTP protobuf ingest (traces, metrics, logs),
  query handlers, TimescaleDB storage, rate limiting, quota checks, anomaly
  detection, health summaries, and sidecar config generation
- Auth: support tk_ (API key) and dt_ (deployment token) authentication for
  OTel ingest with path-based and header-based routes
- Frontend: Traces list page with filtering (time range, service, status),
  trace detail page with span waterfall visualization and span detail panel,
  setup section with OTLP endpoint and Next.js code snippets
- Add deployment_id to deployment tokens for OTel context propagation
- Fix protobuf Span.flags from uint32 to fixed32 per OTLP v1.1.0+ spec
- Remove server-side tail sampling (sampling is client SDK responsibility)
- Add OtelRead/OtelWrite permissions, plugin registered in console
- 117 passing unit tests, zero clippy warnings

* ci(otel): install protobuf-compiler in CI and document prerequisites

- Add protobuf-compiler installation to all CI jobs that compile the
  workspace (check, clippy, build-tests, unit-tests, integration-tests)
- Add temps-otel to unit-b test group
- Add OTel feature entry to CHANGELOG.md [Unreleased] section
- Document protoc and wasm-pack as prerequisites in CONTRIBUTING.md
  with platform-specific installation instructions
- Add changelog reminder to PR checklist

* feat(otel): add trace-level pagination with TraceSummary endpoint

Add GET /otel/trace-summaries that returns one row per trace (grouped by
trace_id) with root span name, service name, deployment environment,
span count, error count, and duration. This fixes the pagination bug
where the old endpoint returned flat spans causing only ~5 traces to
display per page.

- Add TraceSummary type with deployment_environment field
- Add query_trace_summaries() and count_traces() to OtelStorage trait
- Implement both in TimescaleDB (GROUP BY trace_id with array_agg)
- Implement both in MockOtelStorage for tests
- Add TraceSummariesResponse handler with proper total count
- Register new route and OpenAPI annotations
- Update TracesList.tsx to use new endpoint (remove client-side groupByTrace)
- Show Environment column as badge when viewing all environments
- Change page size from 50 to 10 traces per page
- Auto-inject OTel env vars in workflow_planner for deployments

* style(otel): add mobile responsiveness to traces list and detail views

- TracesList: filters stack vertically on mobile (flex-col sm:flex-row),
  selects go full-width, hide Kind/Spans/Timestamp columns on mobile,
  compact pagination, overflow-x-auto on table
- TraceDetail: waterfall + detail panel stack vertically on mobile
  (flex-col lg:flex-row), detail panel goes full-width, span name
  column narrower on mobile, min-width on scrollable rows
- Add mobile responsiveness guidelines to CLAUDE.md

* feat(otel): add Traces to project command palette (Ctrl+K)

* fix(otel): resolve environment name from deployments table in trace summaries

The deployment_environment column comes from the OTel resource attribute
which most SDKs don't set. JOIN deployments + environments tables to get
the actual environment name, falling back to the resource attribute via
COALESCE. Also qualify all column references with table alias since the
query now involves multiple tables.

* fix(otel): add horizontal overflow to span detail panel

Author: dviejokfs

.github/workflows/rust-tests.yml

@@ -30,6 +30,9 @@ jobs:
       - name: Cache dependencies
         uses: Swatinem/rust-cache@v2
 
+      - name: Install system dependencies
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+
       - name: Install wasm-pack and Build WASM
         run: |
           cargo install wasm-pack
@@ -76,6 +79,9 @@ jobs:
       - name: Cache dependencies
         uses: Swatinem/rust-cache@v2
 
+      - name: Install system dependencies
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+
       - name: Install wasm-pack and Build WASM
         run: |
           cargo install wasm-pack
@@ -116,6 +122,9 @@ jobs:
           shared-key: test-build
           save-if: true
 
+      - name: Install system dependencies
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+
       - name: Install wasm-pack and Build WASM
         run: |
           cargo install wasm-pack
@@ -176,6 +185,7 @@ jobs:
               -p temps-email
               -p temps-analytics
               -p temps-analytics-events
+              -p temps-otel
 
     steps:
       - name: Checkout code
@@ -195,6 +205,9 @@ jobs:
           shared-key: test-build
           save-if: false
 
+      - name: Install system dependencies
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+
       - name: Install wasm-pack and Build WASM
         run: |
           cargo install wasm-pack
@@ -327,6 +340,9 @@ jobs:
           shared-key: test-build
           save-if: false
 
+      - name: Install system dependencies
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+
       - name: Install wasm-pack and Build WASM
         run: |
           cargo install wasm-pack

CHANGELOG.md

@@ -8,6 +8,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- OpenTelemetry (OTel) ingest and query system (`temps-otel` crate) with OTLP/protobuf support for traces, metrics, and logs; header-based and path-based ingest routes; `tk_` API key and `dt_` deployment token authentication; `OtelRead`/`OtelWrite` permissions; TimescaleDB storage with hypertables; OpenAPI-documented query endpoints for traces, spans, metrics, and logs; web UI with filterable trace list, waterfall span visualization, and setup instructions
+- `deployment_id` field on deployment tokens, allowing OTel ingest to associate telemetry with specific deployments
+- `protobuf-compiler` installation in CI workflow for `temps-otel` proto compilation
 - External plugin system: standalone binaries in `~/.temps/plugins/` are auto-discovered, spawned, and integrated at boot via stdout JSON handshake (manifest + ready) over Unix domain sockets; Temps reverse-proxies `/api/x/{plugin_name}/*` to each plugin and serves `/api/x/plugins` for manifest listing (#19)
 - `temps-plugin-sdk` crate for plugin authors: `ExternalPlugin` trait, `main!()` macro, `PluginContext` (direct Postgres access, data dir), `TempsAuth` extractor, and hyper-over-Unix-socket runtime
 - `temps-external-plugins` crate following the standard `TempsPlugin` pattern with service layer, utoipa-annotated handler, and OpenAPI schema registration

CLAUDE.md

@@ -883,6 +883,16 @@ if (isLoading) return <Spinner />
 - Center content with `mx-auto` when using `max-w-*` constraints
 - Use cards for selections instead of dropdowns where practical
 
+### Mobile Responsiveness
+- **Tables**: wrap in `overflow-x-auto`; hide secondary columns with `hidden md:table-cell`
+- **Filter bars**: `flex flex-col gap-2 sm:flex-row sm:flex-wrap`; selects use `w-full sm:w-[Npx]`
+- **Grids**: `grid-cols-1` → `md:grid-cols-2` → `lg:grid-cols-3` (or `grid-cols-2 md:grid-cols-4` for stat cards)
+- **Side panels**: `flex-col lg:flex-row`; panel uses `w-full lg:w-[Npx]`
+- **Pagination**: compact `{page} / {totalPages}` on mobile; full "Showing X–Y of Z" `hidden sm:inline`
+- **Headers**: `flex flex-col gap-2 sm:flex-row sm:items-center sm:justify-between`
+- **Button text**: `hidden sm:inline` for labels next to icons; icon-only on mobile
+- **Min-width**: add `min-w-[Npx]` on scrollable containers so content doesn't collapse
+
 ### Testing with Playwright
 
 Local dev credentials:

CONTRIBUTING.md

@@ -18,12 +18,41 @@ Thank you for your interest in contributing to Temps. Whether you are reporting
 - **PostgreSQL** with TimescaleDB extension
 - **Bun** (for frontend development)
 - **Node.js** 18+
+- **protobuf compiler** (`protoc`) -- required by the `temps-otel` crate to compile OpenTelemetry `.proto` files
+- **wasm-pack** -- required to build the `temps-captcha-wasm` crate
+
+#### Installing protoc
+
+```bash
+# macOS
+brew install protobuf
+
+# Debian/Ubuntu
+sudo apt-get install -y protobuf-compiler
+
+# Fedora
+sudo dnf install -y protobuf-compiler
+
+# Or download from https://github.com/protocolbuffers/protobuf/releases
+```
+
+#### Installing wasm-pack
+
+```bash
+cargo install wasm-pack
+```
 
 ### Clone and Build
 
 ```bash
 git clone https://github.com/gotempsh/temps.git
 cd temps
+
+# Build the WASM captcha module (required before workspace compilation)
+cd crates/temps-captcha-wasm
+bun run build
+cd ../..
+
 cargo build --release
 ```
 
@@ -97,6 +126,7 @@ HTTP Handlers  ->  Service Layer  ->  Data Access (Sea-ORM)
 - `temps-proxy` -- reverse proxy with TLS/ACME support
 - `temps-auth` -- authentication and permission system
 - `temps-providers` -- external service providers (PostgreSQL, Redis, S3)
+- `temps-otel` -- OpenTelemetry ingest and query (OTLP/protobuf, requires `protoc`)
 
 ## Coding Standards
 
@@ -170,6 +200,7 @@ Pre-commit hooks run automatically on each commit to check formatting (`cargo fm
 - [ ] New functionality includes tests
 - [ ] Commit messages follow Conventional Commits
 - [ ] PR description explains the change
+- [ ] `CHANGELOG.md` updated under `[Unreleased]` (or add `skip-changelog` label)
 
 ## Good First Issues
 

Cargo.lock

@@ -51,6 +51,7 @@ members = [
     "crates/temps-vulnerability-scanner",
     "crates/temps-kv",
     "crates/temps-blob",
+    "crates/temps-otel",
     "crates/temps-environments",
     "crates/temps-screenshots",
     "crates/temps-embeddings",

Cargo.toml

@@ -4,6 +4,16 @@ use temps_entities::deployment_tokens::DeploymentTokenPermission;
 use temps_entities::users;
 use utoipa::ToSchema;
 
+/// Info extracted from a deployment token auth source.
+#[derive(Debug, Clone)]
+pub struct DeploymentTokenInfo {
+    pub project_id: i32,
+    pub environment_id: Option<i32>,
+    pub deployment_id: Option<i32>,
+    pub token_id: i32,
+    pub token_name: String,
+}
+
 // Simplified user schema for OpenAPI documentation
 #[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
 pub struct UserSchema {
@@ -37,6 +47,7 @@ pub enum AuthSource {
     DeploymentToken {
         project_id: i32,
         environment_id: Option<i32>,
+        deployment_id: Option<i32>,
         token_id: i32,
         token_name: String,
         permissions: Vec<DeploymentTokenPermission>,
@@ -65,6 +76,7 @@ pub enum AuthSourceSchema {
     DeploymentToken {
         project_id: i32,
         environment_id: Option<i32>,
+        deployment_id: Option<i32>,
         token_id: i32,
         token_name: String,
         permissions: Vec<String>,
@@ -152,6 +164,7 @@ impl AuthContext {
     pub fn new_deployment_token(
         project_id: i32,
         environment_id: Option<i32>,
+        deployment_id: Option<i32>,
         token_id: i32,
         token_name: String,
         permissions: Vec<DeploymentTokenPermission>,
@@ -161,6 +174,7 @@ impl AuthContext {
             source: AuthSource::DeploymentToken {
                 project_id,
                 environment_id,
+                deployment_id,
                 token_id,
                 token_name,
                 permissions: permissions.clone(),
@@ -266,15 +280,22 @@ impl AuthContext {
     }
 
     /// Get deployment token info if this is a deployment token auth
-    pub fn deployment_token_info(&self) -> Option<(i32, Option<i32>, i32, String)> {
+    pub fn deployment_token_info(&self) -> Option<DeploymentTokenInfo> {
         match &self.source {
             AuthSource::DeploymentToken {
                 project_id,
                 environment_id,
+                deployment_id,
                 token_id,
                 token_name,
                 ..
-            } => Some((*project_id, *environment_id, *token_id, token_name.clone())),
+            } => Some(DeploymentTokenInfo {
+                project_id: *project_id,
+                environment_id: *environment_id,
+                deployment_id: *deployment_id,
+                token_id: *token_id,
+                token_name: token_name.clone(),
+            }),
             _ => None,
         }
     }
@@ -287,6 +308,14 @@ impl AuthContext {
         }
     }
 
+    /// Get the deployment ID for deployment tokens
+    pub fn deployment_id(&self) -> Option<i32> {
+        match &self.source {
+            AuthSource::DeploymentToken { deployment_id, .. } => *deployment_id,
+            _ => None,
+        }
+    }
+
     /// Get the user, returning an error if this is a deployment token auth
     /// Use this for handlers that require a user
     pub fn require_user(&self) -> Result<&users::Model, &'static str> {