feat: Upgrade LangWatch SDK from 0.1 to 0.16 #5896

Open

rogeriochaves wants to merge 2 commits into FlowiseAI:main from langwatch:upgrade-langwatch-sdk-0.16

Conversation

@rogeriochaves (Contributor) commented Mar 4, 2026

Summary

  • Upgrade langwatch dependency from ^0.1.1 to ^0.16.1, migrating from the legacy proprietary API to the new OpenTelemetry-based SDK
  • additionalCallbacks path (conversation chains): Replace langwatch.getTrace().getLangChainCallback() with LangWatchCallbackHandler which handles all LangChain callback events internally via OTel spans
  • AnalyticHandler path (agents/assistants): Replace langwatch.getTrace().startSpan() / startLLMSpan() with getLangWatchTracerFromProvider to create spans with LangWatch-specific methods (setType, setInput, setOutput, setMetrics, setRequestModel)
  • Add ensureLangWatchOtel() helper that registers a v1 OTel tracer provider with an OTLP HTTP exporter pointing at LangWatch's ingestion endpoint — required because Flowise uses OTel v1 while the LangWatch SDK ships OTel v2, making setupObservability() incompatible
  • Fix pre-existing type error in speechToText.ts for Groq client

Test plan

  • Verified conversation chain traces appear in LangWatch dashboard
  • Verify conversation agent traces appear in LangWatch dashboard
  • Verify OpenAI assistant traces appear in LangWatch dashboard
  • Verify error spans are captured correctly

… tracing

Migrate the LangWatch integration from the legacy SDK (0.1.x) to the new
OpenTelemetry-based SDK (0.16.x). The new SDK uses standard OTel spans
with LangWatch-specific attributes instead of the old proprietary API.

Changes:
- Upgrade langwatch dependency from ^0.1.1 to ^0.16.1
- Replace LangWatch/LangWatchTrace/autoconvertTypedValues imports with
  LangWatchCallbackHandler and getLangWatchTracerFromProvider
- Add ensureLangWatchOtel() to register a v1 OTel tracer provider with
  OTLP HTTP exporter pointing at LangWatch's ingestion endpoint
- additionalCallbacks path: use LangWatchCallbackHandler which handles
  all LangChain callback events internally via OTel spans
- AnalyticHandler path: use getLangWatchTracerFromProvider to create
  spans with LangWatch methods (setType, setInput, setOutput, etc.)
- Update span lifecycle: use setOutput/setMetrics/setRequestModel/end()
  instead of the old span.end({output, metrics, model}) API
- Update error handling: use recordException + setStatus + end() instead
  of span.end({error})
- Fix pre-existing type error in speechToText.ts for Groq client
@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly updates the langwatch integration by upgrading its SDK to the latest version and transitioning to its new OpenTelemetry-based architecture. This migration improves observability by standardizing tracing mechanisms for both conversation chains and agent/assistant interactions, while also addressing compatibility challenges between different OpenTelemetry versions within the project.

Highlights

  • LangWatch SDK Upgrade: Upgraded the langwatch SDK from version 0.1.1 to 0.16.1, migrating from its legacy proprietary API to the new OpenTelemetry-based SDK.
  • OpenTelemetry Compatibility: Introduced an ensureLangWatchOtel helper function to register a v1 OpenTelemetry tracer provider, ensuring compatibility with Flowise's existing OTel v1 implementation while using the LangWatch SDK's OTel v2 components.
  • Conversation Chain Tracing: Replaced langwatch.getTrace().getLangChainCallback() with LangWatchCallbackHandler for conversation chains, which now handles LangChain callback events internally via OTel spans.
  • Agent/Assistant Tracing Refactor: Refactored the AnalyticHandler for agents and assistants to use getLangWatchTracerFromProvider and specific LangWatchSpan methods (e.g., setType, setInput, setOutput, setMetrics, setRequestModel) for more granular control over span creation and data capture.
  • Type Error Fix: Resolved a pre-existing type error in speechToText.ts related to the Groq client's audio.transcriptions.create method.
Changelog
  • packages/components/package.json
    • Updated langwatch dependency from ^0.1.1 to ^0.16.1.
  • packages/components/src/handler.ts
    • Replaced direct import statements for langwatch components with require() calls to correctly resolve package.json "exports" subpaths.
    • Defined a LangWatchSpan type alias for OpenTelemetry spans with LangWatch-specific methods.
    • Added OTLPTraceExporter import for OpenTelemetry HTTP trace export.
    • Introduced ensureLangWatchOtel function to configure an OpenTelemetry v1 tracer provider with an OTLP HTTP exporter pointing to LangWatch's ingestion endpoint.
    • Modified additionalCallbacks to initialize LangWatch tracing using ensureLangWatchOtel and LangWatchCallbackHandler.
    • Updated AnalyticHandler constructor to initialize langWatch with ensureLangWatchOtel and getLangWatchTracerFromProvider.
    • Refactored onChainStart, onChainEnd, onChainError, onLLMStart, onLLMEnd, onLLMError, onToolStart, onToolEnd, and onToolError methods to utilize the new OpenTelemetry-based LangWatchSpan methods for span creation, attribute setting, and error handling.
  • packages/components/src/speechToText.ts
    • Added a type assertion (groqClient as any) to fix a type error in the audio.transcriptions.create call for the Groq client.
Activity
  • No human activity has occurred on this pull request yet.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request upgrades the langwatch SDK from v0.1 to v0.16, migrating from the legacy API to the new OpenTelemetry-based SDK. However, this implementation introduces a critical security vulnerability related to global state management in the OpenTelemetry provider initialization, which can lead to cross-tenant data leakage. Additionally, there is a risk of data exfiltration and SSRF due to a lack of validation on the user-supplied analytics endpoint. While the changes in handler.ts are comprehensive, adapting AnalyticHandler to the new span management methods, I've added a few suggestions to enhance type safety and reduce code duplication.

I am having trouble creating individual review comments. Click here to see my feedback.

packages/components/src/handler.ts (47-63): security-critical, severity critical

The ensureLangWatchOtel function registers a global OpenTelemetry tracer provider and uses a module-level variable langWatchOtelInitialized to ensure it's only initialized once per process. In a multi-user or multi-tenant environment, the first user to run a chatflow with LangWatch configured will set the global tracer provider for the entire Node.js process. Subsequent chatflows from other users will use this same global provider, causing their traces (including sensitive prompts and LLM outputs) to be sent to the first user's LangWatch account. Furthermore, provider.register() makes this the global provider for all OpenTelemetry instrumentations in the application, potentially leaking internal application data (HTTP requests, database queries) to the external LangWatch endpoint.

packages/components/src/handler.ts (51-60): security-high, severity high

The langWatchEndpoint is obtained from user-controlled node inputs and used to construct the URL for the HttpOTLPTraceExporter without any validation. An attacker can provide a malicious URL to exfiltrate sensitive trace data (prompts, outputs) or perform SSRF attacks against internal services. Since the exporter sends POST requests with trace data, it can be used to probe internal endpoints or exfiltrate sensitive information to an attacker-controlled server.

packages/components/src/handler.ts (40): severity medium

The type for LangWatchSpan is set to any, which reduces type safety. While the langwatch SDK might not export this type directly, you could define a more specific local type to improve code clarity and maintainability. This would also make it easier to work with span objects, leveraging auto-completion and compile-time checks.

    type LangWatchSpan = import('@opentelemetry/api').Span & {
        setType: (type: 'llm' | 'chain' | 'tool') => void;
        setInput: (input: any) => void;
        setOutput: (output: any) => void;
        setMetrics: (metrics: { promptTokens?: number; completionTokens?: number }) => void;
        setRequestModel: (modelName: string) => void;
    };

packages/components/src/handler.ts (1294-1298): severity medium

This error handling logic is duplicated in onLLMError (lines 1659-1663) and onToolError (lines 1944-1948). To improve maintainability and adhere to the DRY (Don't Repeat Yourself) principle, consider extracting this block into a private helper method within the AnalyticHandler class. For example: private _endSpanWithError(span: LangWatchSpan, error: any) { ... }.

packages/components/src/speechToText.ts (116): severity medium

Using as any bypasses type checking and can hide potential issues. While this might be a necessary workaround due to issues with the groq-sdk typings, it would be best to investigate if a more accurate type can be used for groqClient. If not, consider adding a // TODO: comment explaining why as any is used and what needs to be fixed in the future for better long-term maintainability.

@rogeriochaves (Contributor, Author)

Hey, this is Claude (AI assistant) responding on behalf of @rogeriochaves to the Gemini code review:

1. Global state / cross-tenant leakage (critical) — Overstated for Flowise's deployment model. The langWatchApiKey and langWatchEndpoint come from admin-configured credentials stored in the database, not from end-user input. Flowise is a single-tenant application where one admin configures analytics per chatflow. Additionally, the existing Arize provider in the same file already calls tracerProvider.register() (line 112) with the same global registration pattern. We use the global provider because LangWatchCallbackHandler internally resolves its tracer via trace.getTracerProvider() — this matches how the SDK is designed to work.

2. SSRF via endpoint (high) — Not a new concern introduced by this PR. Every analytics provider in this file (LangFuse, LangSmith, Lunary, Arize, Phoenix, Opik) takes an endpoint URL from credential data and makes HTTP requests to it without validation. For example, Arize: `${options.baseUrl}/v1`, Lunary: lunaryEndpoint ?? 'https://api.lunary.ai'. The endpoint is configured by the Flowise admin through the credentials system, not by end-users chatting with the bot.

3. LangWatchSpan = any type (medium) — Fair point. We use any because the langwatch SDK's types aren't directly importable due to the project's moduleResolution: "node" not supporting package.json exports subpaths. An inline type definition could help but would need manual upkeep as the SDK evolves. Open to adding it if desired.

4. DRY error handling (medium) — Fair suggestion. The error-to-exception pattern is repeated 3 times. Could be extracted into a helper. Happy to address if desired.

5. speechToText.ts as any (medium) — This is a pre-existing type issue with the groq-sdk typings, not introduced by this PR. We applied the minimal fix to unblock the build.
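The two security findings in the review above (a process-wide "initialized once" flag guarding a global tracer provider, and an exporter URL taken from stored credentials without validation) and the reply's point that those values are admin-configured leave open the defence-in-depth question of what should sit in front of exporter setup. The TypeScript below is an added example written for this page; it is not code from the PR, from Flowise or from the langwatch SDK, and it assumes nothing about the SDK's API. `validateExporterEndpoint` applies a URL policy (https only unless explicitly relaxed, no embedded credentials, no loopback, private, link-local or IPv4-mapped literals, no local hostnames), and `GlobalProviderGuard` stands in for a module-level boolean so that a second, different configuration is reported instead of being silently served by the provider registered for the first. The hostname `langwatch.example.com`, the `.internal` hostname and the API keys are constructed values.

```typescript
// Added example, not code from the PR or the langwatch SDK: policy checks a defender
// would place in front of OTLP exporter setup when the endpoint and API key are read
// from stored credentials.

export interface EndpointPolicy {
  /** Permit http:// (local development only); default false requires https://. */
  allowInsecureHttp?: boolean;
}

/** IPv4 literal in a loopback, private, link-local, CGNAT, multicast or reserved range. */
function isNonPublicIPv4(ip: string): boolean {
  const [a, b] = ip.split('.').map(Number);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a >= 224
  );
}

/** IPv6 literal (brackets removed, as serialized by the WHATWG URL parser) that is loopback,
 *  unique-local, link-local, or IPv4-mapped with a non-public embedded IPv4 address. */
function isNonPublicIPv6(ip: string): boolean {
  const h = ip.toLowerCase();
  if (h === '::1' || h === '::') return true;
  if (/^f[cd][0-9a-f]{2}:/.test(h)) return true;  // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(h)) return true;  // fe80::/10 link local
  // The URL parser serializes ::ffff:10.0.0.1 as ::ffff:a00:1; recover the dotted form.
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (mapped) {
    const hi = parseInt(mapped[1], 16);
    const lo = parseInt(mapped[2], 16);
    return isNonPublicIPv4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
  }
  return false;
}

/** Parse and check an exporter endpoint; throws with a specific reason, returns the parsed URL otherwise. */
export function validateExporterEndpoint(raw: string, policy: EndpointPolicy = {}): URL {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    throw new Error('exporter endpoint is not a valid absolute URL');
  }
  const httpOk = policy.allowInsecureHttp === true && url.protocol === 'http:';
  if (url.protocol !== 'https:' && !httpOk) {
    throw new Error(`exporter endpoint must use https:// (got ${url.protocol})`);
  }
  if (url.username !== '' || url.password !== '') {
    throw new Error('exporter endpoint must not embed credentials; send the API key as a header');
  }
  const host = url.hostname;
  if (host.startsWith('[')) {
    if (isNonPublicIPv6(host.slice(1, -1))) {
      throw new Error(`exporter endpoint targets a non-public IPv6 address: ${host}`);
    }
  } else if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    // The URL parser already normalized decimal/hex/octal hosts (e.g. 2130706433) to dotted decimal.
    if (isNonPublicIPv4(host)) {
      throw new Error(`exporter endpoint targets a non-public IPv4 address: ${host}`);
    }
  } else if (/(^|\.)(localhost|localdomain|local|internal)$/i.test(host)) {
    throw new Error(`exporter endpoint targets a local hostname: ${host}`);
  }
  return url;
}

/** Boolean form of validateExporterEndpoint, suitable for a pre-save check in a credentials UI. */
export function isSafeExporterEndpoint(raw: string, policy: EndpointPolicy = {}): boolean {
  try {
    validateExporterEndpoint(raw, policy);
    return true;
  } catch {
    return false;
  }
}

export interface ExporterConfig {
  endpoint: string;
  apiKey: string;
}

/**
 * Replacement for a bare module-level boolean: remembers which configuration the global
 * provider was created for and refuses to hand it to a caller whose configuration differs,
 * instead of silently exporting that caller's spans to the first configuration's account.
 * `create` is the caller's factory (in a real integration: build and register the provider).
 */
export class GlobalProviderGuard<T> {
  private active: { key: string; origin: string; provider: T } | undefined;

  ensure(cfg: ExporterConfig, create: (url: URL) => T, policy: EndpointPolicy = {}): T {
    const url = validateExporterEndpoint(cfg.endpoint, policy);
    const key = `${url.origin}|${cfg.apiKey}`;
    if (this.active === undefined) {
      this.active = { key, origin: url.origin, provider: create(url) };
    } else if (this.active.key !== key) {
      throw new Error(
        `global tracer provider is already registered for ${this.active.origin}; ` +
          'refusing to reuse it for a different LangWatch endpoint or API key'
      );
    }
    return this.active.provider;
  }

  /** Origin the global provider was registered for, or undefined if none has been created yet. */
  registeredOrigin(): string | undefined {
    return this.active?.origin;
  }
}
```

The literal checks cannot catch a public hostname that resolves to an internal address (DNS rebinding); that needs a check at connection time, which is outside what a URL policy can do. The guard throws rather than re-registering because the OpenTelemetry global provider is process-wide, as the reply notes for the Arize path as well; the useful property is that a configuration mismatch surfaces in the application's own logs rather than in another account's dashboard.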
