AnythingMCP

Sprint 3 closes the observability story (errors + traces opt-in) and ships the operational docs Sprint 1 had flagged.

Highlights

• Validated DTOs on the remaining write endpoints (#129): `POST /import-all`, `PUT /:id/env-vars`, `POST tools/bulk`, `POST tools/:toolId/test` now reject malformed payloads with class-validator + `@ValidateNested` + `@ArrayMinSize(1)` instead of accepting bare object literals.
• Sentry integration, opt-in (#130): `@sentry/nestjs` + `@sentry/nextjs` wired across backend, client, server, and edge runtimes. `SENTRY_DSN` / `NEXT_PUBLIC_SENTRY_DSN` are required to enable; default install ships nothing. `beforeSend` strips auth headers and credential field names. Sample rates default to 0.
• OpenTelemetry tracing, opt-in (#131): NodeSDK with auto-instrumentations for http/express/pg/mysql/redis when `OTEL_EXPORTER_OTLP_ENDPOINT` is set. `fs` and `/health` excluded.
• Settings page → toast + a11y htmlFor (#132): Profile + Change Password sections now have proper label/input pairing and emit toast notifications via `useToast()`.
• Operations docs (#133): `docs/operations/{backup-restore,disaster-recovery,slo,observability}.md` with concrete pg_dump procedures, RPO/RTO targets, six failure-mode runbooks (including the unrecoverable `ENCRYPTION_KEY`-loss case), 99.9% SLO definition, and the three-pipeline observability story threaded by `X-Request-Id`.

Verification

`scripts/smoke-test/run.sh` against this commit: 12/12 PASS end-to-end (REST, SOAP, GraphQL, MySQL prepared statements, schema introspection, free-form SELECT, INSERT/UPDATE/DELETE/DDL, anti-injection assertion, readOnly enforcement).

Playwright e2e: 3/3 PASS.

Backend jest: 554 passing, 1 skipped, 0 failing.

Compatibility

No breaking changes. All new pipelines (Sentry, OpenTelemetry) are opt-in; defaults unchanged.