Problem

We log origin (which app) and session_id, but not the client/app version. We can't correlate logged agent behavior (tool-call efficiency, query failures, prompt regressions) with specific geo-agent releases.

Two parts

1. CORS — REQUIRED, and it's the real blocker (ingress, not app)

Verified empirically (see boettiger-lab/geo-agent#254): CORS is terminated at the haproxy ingress, not the app's CORSMiddleware. The ingress uses an explicit cors-allow-headers allow-list that does not reflect requested headers and does not include x-client. So once geo-agent sends X-Client, the browser preflight will fail and the entire request is blocked (not just logging).

Fix — one line in ingress.yaml:

haproxy-ingress.github.io/cors-allow-headers: "DNT,...,Authorization,X-Client"

Deploy this before geo-agent#254 ships the sender. (Also worth reconciling the app's allow_credentials=True vs the ingress cors-allow-credentials: false, though the ingress is authoritative.)

2. Capture + log the header (app)

In log_request (llm_proxy.py), read the header and include it in the log entry:

client = http_request.headers.get("x-client")   # e.g. "geo-agent/v3.13.1"
...
log_entry["client"] = client                     # null when absent

• Additive; null until clients send it.
• Add client to LOGGING.md field reference and the geo-agent-training skill's session-reconstruction queries.

Companion work

Sending side: boettiger-lab/geo-agent#254 (note: version comes from import.meta.url, not package.json — see that issue).