{ "steward": "react-telemetry-steward", "project": "Azure-AI-RAG-CSharp-Semantic-Kernel-Functions", "runDate": "2026-03-21", "runId": "2026-03-21T00-00-00", "findings": [ { "id": "RTEL-COVERAGE-001", "title": "No business-event telemetry on primary user journey", "severity": "critical", "category": "coverage", "file": "src/web/src/SupportAgent/Agent.js", "description": "The entire primary user journey (page load, session creation, message submission, response receipt) has zero telemetry instrumentation. No analytics library is installed and no tracking calls exist anywhere in the React source. It is impossible to measure usage, success rates, error rates, or user drop-off.", "recommendation": "Install a telemetry library (e.g., @microsoft/applicationinsights-web) and emit events at each primary journey step: session_created, chat_message_sent, chat_response_received, chat_response_failed.", "status": "open" }, { "id": "RTEL-COVERAGE-002", "title": "No telemetry library installed in package.json", "severity": "critical", "category": "coverage", "file": "src/web/package.json", "description": "package.json lists no analytics or telemetry dependency. No equivalent of @microsoft/applicationinsights-web, Google Analytics, Segment, Amplitude, or any observability SDK is present. The reportWebVitals scaffold exists but is not wired to any endpoint.", "recommendation": "Add @microsoft/applicationinsights-web (consistent with the Azure stack) or an equivalent client-side telemetry SDK. Initialize it with a connection string sourced from REACT_APP_APPINSIGHTS_CONNECTION_STRING.", "status": "open" }, { "id": "RTEL-ERROR-001", "title": "API fetch calls have no error handler — error telemetry is impossible", "severity": "critical", "category": "error-handling", "file": "src/web/src/SupportAgent/Agent.js", "line": 29, "description": "Both fetch() calls in Agent.js (handleSession and handlePrompt) have no .catch() handler. Network failures, CORS errors, and non-JSON responses produce unhandled promise rejections. The user receives no feedback, and there is no hook to emit session_fetch_failed or chat_response_failed telemetry events.", "recommendation": "Add .catch() handlers to both fetch calls. In each handler, emit an error telemetry event with { sessionId, errorMessage: error.message, timestamp } and display user-facing feedback.", "status": "open" }, { "id": "RTEL-COVERAGE-003", "title": "Session lifecycle emits no telemetry", "severity": "notable", "category": "coverage", "file": "src/web/src/SupportAgent/Agent.js", "line": 47, "description": "handleSession() initializes every user's interaction context but neither success nor failure is tracked. Without a session_created event it is impossible to correlate downstream chat events to sessions or measure session creation failure rates.", "recommendation": "On successful session creation emit session_created with { sessionId, timestamp }. On failure (in a .catch() handler) emit session_fetch_failed with { errorMessage, timestamp }.", "status": "open" }, { "id": "RTEL-COVERAGE-004", "title": "Chat message submission — the primary conversion event — has no telemetry", "severity": "notable", "category": "coverage", "file": "src/web/src/SupportAgent/Agent.js", "line": 22, "description": "handlePrompt() is the core user action in this application. No chat_message_sent event is emitted before the fetch, and no chat_response_received or chat_response_failed event is emitted after. Message volume, response latency, and success rate are unmeasurable.", "recommendation": "Emit chat_message_sent (with sessionId, promptLength, timestamp) before the fetch. Emit chat_response_received (with sessionId, responseLength, durationMs, timestamp) on success. Emit chat_response_failed (with sessionId, errorMessage, timestamp) in a .catch() handler.", "status": "open" }, { "id": "RTEL-VITALS-001", "title": "Web Vitals scaffold is not wired to any reporting endpoint", "severity": "minor", "category": "coverage", "file": "src/web/src/index.js", "line": 20, "description": "reportWebVitals() is called without a callback in index.js. The CLS, FID, FCP, LCP, and TTFB metrics are imported and measured internally but the results are immediately discarded. Performance telemetry that CRA provides out of the box is not collected.", "recommendation": "Pass a reporting callback: reportWebVitals(metric => appInsights.trackMetric({ name: metric.name, average: metric.value })) once a telemetry client is initialized.", "status": "open" }, { "id": "RTEL-NAMING-001", "title": "Debug console.log left in production chat response handler", "severity": "minor", "category": "naming", "file": "src/web/src/SupportAgent/Agent.js", "line": 38, "description": "A console.log(res) statement inside the chat response .then() handler logs the full API response to the browser console in production builds. This is a debug artifact, not structured telemetry, and leaks response content to any user with devtools open.", "recommendation": "Remove the console.log(res) statement. Replace it with a structured telemetry call (chat_response_received event) that logs only safe metadata.", "status": "open" }, { "id": "RTEL-PAYLOAD-001", "title": "Full user prompt text must not appear in future telemetry payloads (pre-emptive risk)", "severity": "info", "category": "payload", "file": "src/web/src/SupportAgent/Agent.js", "line": 23, "description": "When telemetry is added, the prompt variable in handlePrompt() contains raw free-text user input which may include PII. Including it verbatim in any telemetry event payload would create a data-compliance risk.", "recommendation": "Log only metadata in telemetry payloads: prompt character length (promptLength), session ID, request correlation ID, and response latency. Never include the raw prompt text or API response body.", "status": "open" } ], "summary": { "critical": 3, "notable": 2, "minor": 2, "info": 1, "total": 8 } }