fix: add request ID tracking for production debugging

No request correlation existed — if a user reported "I got a 500 at
3:15pm", ops could not find that specific request in logs or Sentry.

Adds Hono's built-in requestId() middleware which:
- Generates a UUID per request (or respects incoming X-Request-Id)
- Sets X-Request-Id response header on all responses
- Available via c.get("requestId") throughout the middleware chain

Integration points:
- Global error handler: logs requestId, includes it in error JSON response
- Sentry middleware: tags every scope with request_id for event correlation
- Error responses now include requestId so clients can quote it in reports

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 0x-SquidSol

src/index.ts

@@ -3,6 +3,7 @@ import { Hono } from "hono";
 import { cors } from "hono/cors";
 import { compress } from "hono/compress";
 import { bodyLimit } from "hono/body-limit";
+import { requestId } from "hono/request-id";
 import { serve } from "@hono/node-server";
 import { createLogger, sendInfoAlert, getSupabase, sendCriticalAlert, truncateErrorMessage } from "@percolator/shared";
 import { initSentry, sentryMiddleware, flushSentry } from "./middleware/sentry.js";
@@ -92,6 +93,10 @@ app.use("*", bodyLimit({
   onError: (c) => c.json({ error: "Request body too large" }, 413),
 }));
 
+// Request ID — generates a UUID per request for log correlation and debugging.
+// Respects incoming X-Request-Id headers (e.g., from load balancers).
+app.use("*", requestId());
+
 // Default-deny for mutation methods. Until write endpoints are added,
 // reject any POST/PUT/DELETE/PATCH requests that reach the API.
 // When write routes are needed, apply requireApiKey() from middleware/auth.ts
@@ -193,13 +198,15 @@ app.get("/", (c) => c.json({
 
 // Global error handler
 app.onError((err, c) => {
+  const reqId = c.get("requestId");
   logger.error("Unhandled error", {
+    requestId: reqId,
     error: truncateErrorMessage(err.message, 120),
     stack: truncateErrorMessage(err.stack ?? "", 500),
     endpoint: c.req.path,
     method: c.req.method
   });
-  
+
   // Report to Sentry (sentryMiddleware may have already captured it,
   // but this ensures errors from middleware chain are also caught)
   try {
@@ -208,14 +215,16 @@ app.onError((err, c) => {
         endpoint: c.req.path,
         method: c.req.method,
         handler: "onError",
+        request_id: reqId,
       },
     });
   } catch (_sentryErr) {}
-  
+
   // Truncate error message for API response (details only in development)
   const showDetails = process.env.NODE_ENV !== "production";
   return c.json({
     error: "Internal server error",
+    requestId: reqId,
     ...(showDetails && { details: truncateErrorMessage(err.message, 200) })
   }, 500);
 });

src/middleware/sentry.ts

@@ -53,6 +53,8 @@ export function sentryMiddleware(): MiddlewareHandler {
       // Set request context
       scope.setTag("http.method", c.req.method);
       scope.setTag("http.path", c.req.path);
+      const reqId = c.get("requestId");
+      if (reqId) scope.setTag("request_id", reqId);
 
       // Set a hashed API key fingerprint as pseudonymous user ID.
       // Avoid sending any raw key material (even a prefix) to third-party services.