feat(observability): adds tracing withing POST /v1/certificates endpoint

[ygrishajev]

Why

The POST /v1/certificates endpoint takes ~20s (up to 1,5min), with ~12s being completely untraced between AuthInterceptor.intercept and ManagedSignerService.executeDerivedDecodedTxByUserId. This makes it impossible to identify the bottleneck (JWT/JWKS validation, DB lookups, or PEM certificate generation).

What

Adds @Trace() decorators to key methods in the certificate creation flow to break down the untraced gap:

• UserRepository.findById, findByUserId, markAsActive
• UserWalletRepository.findOneByUserId
• ApiKeyAuthService.getAndValidateApiKeyFromHeader
• CertificateService.create
• CertificateService.generatePEM via withSpan (external package, can't use decorator)

Summary by CodeRabbit

• Chores

  • Added distributed tracing instrumentation to API key validation, user wallet lookups, certificate generation, and user repository operations to enhance system observability and monitoring capabilities.

• Refactor

  • Optimized certificate generation flow with improved address handling and enhanced tracing for better performance visibility.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adds distributed tracing instrumentation across multiple services and repositories by applying the @Trace() decorator to key methods. Additionally, the certificate service refactors its PEM generation flow to use tracing spans and improves null/availability checks by extracting and validating the address variable.

Changes

Cohort / File(s)	Summary
Tracing Instrumentation - Repositories apps/api/src/auth/services/api-key/api-key-auth.service.ts, apps/api/src/billing/repositories/user-wallet/user-wallet.repository.ts, apps/api/src/user/repositories/user/user.repository.ts	Added @Trace() decorator to key lookup and validation methods (getAndValidateApiKeyFromHeader, findOneByUserId, findById, findByUserId, markAsActive) to enable distributed tracing without altering method signatures or behavior.
Certificate Service Tracing & Refactoring apps/api/src/certificate/services/certificate/certificate.service.ts	Integrated @Trace() decorator on the create method; refactored PEM generation to use withSpan() wrapper; extracted address from userWallet into a local variable with improved null/availability checks; updated downstream address references; return payload now maps to public CertificateOutput structure.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Traces bloom across the paths we take,
Each method now a span to awake,
From auth to wallets, certificates too,
Observability shines crystal blue! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding tracing instrumentation to the certificate endpoint to improve observability.
Description check	✅ Passed	The description follows the template structure with clear 'Why' and 'What' sections that explain the motivation and implementation details of the tracing additions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/observability

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

apps/api/src/certificate/services/certificate/certificate.service.ts (1)

43-47: Nit: use object shorthand for encryptedKey.

♻️ Suggested simplification

   return {
     certPem: crtpem,
     pubkeyPem: pubpem,
-    encryptedKey: encryptedKey
+    encryptedKey
   };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/api/src/certificate/services/certificate/certificate.service.ts` around
lines 43 - 47, The returned object explicitly repeats the property name for
encryptedKey; update the return in the certificate creation function (the block
that currently returns { certPem: crtpem, pubkeyPem: pubpem, encryptedKey:
encryptedKey }) to use object shorthand by returning { certPem: crtpem,
pubkeyPem: pubpem, encryptedKey } so the property name is not duplicated.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@apps/api/src/certificate/services/certificate/certificate.service.ts`:
- Around line 43-47: The returned object explicitly repeats the property name
for encryptedKey; update the return in the certificate creation function (the
block that currently returns { certPem: crtpem, pubkeyPem: pubpem, encryptedKey:
encryptedKey }) to use object shorthand by returning { certPem: crtpem,
pubkeyPem: pubpem, encryptedKey } so the property name is not duplicated.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dce7dde and d6debe8.

📒 Files selected for processing (4)

• apps/api/src/auth/services/api-key/api-key-auth.service.ts
• apps/api/src/billing/repositories/user-wallet/user-wallet.repository.ts
• apps/api/src/certificate/services/certificate/certificate.service.ts
• apps/api/src/user/repositories/user/user.repository.ts

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.11%. Comparing base (dce7dde) to head (d6debe8).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2818      +/-   ##
==========================================
- Coverage   53.96%   53.11%   -0.86%     
==========================================
  Files        1020      985      -35     
  Lines       23608    22777     -831     
  Branches     5776     5683      -93     
==========================================
- Hits        12740    12097     -643     
+ Misses       9477     9298     -179     
+ Partials     1391     1382       -9     

Flag	Coverage Δ		*Carryforward flag
api	76.92% <100.00%> (+0.03%)	⬆️
deploy-web	36.39% <ø> (ø)		Carriedforward from dce7dde
log-collector	?
notifications	85.56% <ø> (ø)		Carriedforward from dce7dde
provider-console	81.48% <ø> (ø)		Carriedforward from dce7dde
provider-proxy	85.93% <ø> (ø)		Carriedforward from dce7dde
tx-signer	?

*This pull request uses carry forward flags. Click here to find out more.

Files with missing lines	Coverage Δ
.../src/auth/services/api-key/api-key-auth.service.ts	100.00% <ø> (ø)
...repositories/user-wallet/user-wallet.repository.ts	73.07% <ø> (ø)
...ficate/services/certificate/certificate.service.ts	100.00% <100.00%> (ø)
.../api/src/user/repositories/user/user.repository.ts	86.66% <ø> (ø)

... and 36 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.