fix : prevent bun response headers from leaking into transaction telemetry

[naaa760]

• What: Stop storing Bun response headers on the isolation scope.

• Why: Response headers (including Set-Cookie) could leak into transaction telemetry.

• How: Only keep status_code in the Bun response context, no headers.

fix : #19790

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Missing regression test for the header leak fix

Low Severity

This fix PR removes response headers from the isolation scope context but does not include a regression test verifying that the response context set via isolationScope.setContext contains only status_code and no headers. A test asserting the absence of headers in the response context would prevent this leak from being reintroduced. The review rules require fix PRs to include at least one test that covers the regression being fixed.

 

^{Triggered by project rule: PR Review Guidelines for Cursor Bot}

[Lms24]

Hey @naaa760 thanks for opening this PR! I thought about this a bit and while I think removing the unconditional headers object from the event context makes sense, I also think we should collect the response headers more safely as span attributes instead. We can leverage httpHeadersToSpanAttributes to do this, which already has builtin sensitive data and PII protection. I opened #19821 and #19822 (since it turns out we have the same problem in Deno). Gonna close this PR but again, thanks for contributing!