fix: sentry-cli source map and release uploads

Author: franzos

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [0.1.7] - 2026-04-04
+
+### Fixed
+- Source map and release uploads via sentry-cli
+- Upload chunk isolation and write safety
+
 ## [0.1.6] - 2026-04-04
 
 ### Added

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "stackpit"
-version = "0.1.6"
+version = "0.1.7"
 edition = "2021"
 description = "Lightweight, self-hosted error tracking and event monitoring"
 authors = ["Franz Geffke <mail@gofranz.com>"]

Cargo.toml

@@ -119,13 +119,20 @@ Alert rules and digest schedules are managed via the web UI under **Alerts**, or
 
 ## Source Maps
 
-stackpit supports source map uploads so JavaScript stack traces resolve to original source locations. Upload artifact bundles using the standard Sentry CLI:
+stackpit supports source map uploads so minified stack traces resolve to original source locations.
+
+Generate a project API key in **Settings → Source Maps** for the project you want to upload to. Then configure `sentry-cli` or your bundler plugin with the ingest URL (the same host as your DSN):
 
 ```bash
-sentry-cli sourcemaps upload --org my-org --project my-project ./dist
+export SENTRY_URL=https://errors.example.com   # ingest host
+export SENTRY_AUTH_TOKEN=spk_...                # project API key
+export SENTRY_ORG=default                       # any value works
+export SENTRY_PROJECT=1                         # project ID
+
+sentry-cli sourcemaps upload ./dist
 ```
 
-The upload endpoints (`/api/0/organizations/{org}/chunk-upload/` and `.../artifactbundle/assemble/`) are Sentry-compatible. Source maps are matched by debug ID and applied automatically when rendering stack traces in the web UI.
+Bundler plugins (`@sentry/vite-plugin`, `@sentry/webpack-plugin`, etc.) accept the same environment variables, or you can pass them as options. Source maps are matched by debug ID and applied automatically when rendering stack traces in the web UI.
 
 Stale upload chunks older than 24 hours are cleaned up by a background task.
 

README.md

@@ -0,0 +1,9 @@
+DROP TABLE IF EXISTS upload_chunks;
+
+CREATE TABLE upload_chunks (
+    checksum     TEXT NOT NULL,
+    project_id   BIGINT NOT NULL,
+    data         BYTEA NOT NULL,
+    created_at   BIGINT NOT NULL DEFAULT EXTRACT(EPOCH FROM NOW())::BIGINT,
+    PRIMARY KEY (checksum, project_id)
+);

migrations/postgres/005_chunk_project_scope.sql

@@ -0,0 +1,9 @@
+DROP TABLE IF EXISTS upload_chunks;
+
+CREATE TABLE upload_chunks (
+    checksum     TEXT NOT NULL,
+    project_id   INTEGER NOT NULL,
+    data         BLOB NOT NULL,
+    created_at   INTEGER NOT NULL DEFAULT (unixepoch()),
+    PRIMARY KEY (checksum, project_id)
+);

migrations/sqlite/005_chunk_project_scope.sql

@@ -14,48 +14,93 @@ pub mod projects;
 pub mod releases;
 pub mod sourcemaps;
 
-pub fn routes() -> Router<AppState> {
+/// Sentry-compatible API routes (releases, sourcemaps) that authenticate
+/// via per-project API keys. Served on the ingest port since sentry-cli
+/// sends requests to the DSN host (SENTRY_URL).
+pub fn sentry_api_routes() -> Router<AppState> {
     Router::new()
-        .route("/api/v1/projects/", get(projects::list))
         .route(
-            "/api/v1/projects/{project_id}/issues/",
-            get(issues::list_for_project),
+            "/api/0/projects/{org}/{project_slug}/",
+            get(projects::sentry_get),
         )
         .route(
-            "/api/v1/projects/{project_id}/events/",
-            get(events::list_for_project),
+            "/api/0/projects/{org}/{project_slug}",
+            get(projects::sentry_get),
         )
         .route(
-            "/api/v1/issues/{fingerprint}/",
-            get(issues::get).put(issues::update_status),
+            "/api/0/organizations/{org}/releases/",
+            post(releases::create),
         )
         .route(
-            "/api/v1/issues/{fingerprint}/events/",
-            get(events::list_for_issue),
+            "/api/0/organizations/{org}/releases",
+            post(releases::create),
         )
         .route(
-            "/api/v1/issues/{fingerprint}/events/latest/",
-            get(events::latest_for_issue),
+            "/api/0/projects/{org}/{project_slug}/releases/",
+            post(releases::create_project_scoped),
         )
-        .route("/api/v1/events/{event_id}/", get(events::get))
-        // Sentry-compatible release API
         .route(
-            "/api/0/organizations/{org}/releases/",
-            post(releases::create),
+            "/api/0/projects/{org}/{project_slug}/releases",
+            post(releases::create_project_scoped),
         )
         .route(
             "/api/0/organizations/{org}/releases/{version}/",
             put(releases::update),
         )
-        // Sentry-compatible sourcemap / artifact bundle API
+        .route(
+            "/api/0/organizations/{org}/releases/{version}",
+            put(releases::update),
+        )
+        .route(
+            "/api/0/projects/{org}/{project_slug}/releases/{version}/",
+            put(releases::update_project_scoped),
+        )
+        .route(
+            "/api/0/projects/{org}/{project_slug}/releases/{version}",
+            put(releases::update_project_scoped),
+        )
         .route(
             "/api/0/organizations/{org}/chunk-upload/",
             get(sourcemaps::chunk_upload_config).post(sourcemaps::chunk_upload),
         )
+        .route(
+            "/api/0/organizations/{org}/chunk-upload",
+            get(sourcemaps::chunk_upload_config).post(sourcemaps::chunk_upload),
+        )
         .route(
             "/api/0/organizations/{org}/artifactbundle/assemble/",
             post(sourcemaps::assemble),
         )
+        .route(
+            "/api/0/organizations/{org}/artifactbundle/assemble",
+            post(sourcemaps::assemble),
+        )
+}
+
+pub fn routes() -> Router<AppState> {
+    Router::new()
+        .route("/api/v1/projects/", get(projects::list))
+        .route(
+            "/api/v1/projects/{project_id}/issues/",
+            get(issues::list_for_project),
+        )
+        .route(
+            "/api/v1/projects/{project_id}/events/",
+            get(events::list_for_project),
+        )
+        .route(
+            "/api/v1/issues/{fingerprint}/",
+            get(issues::get).put(issues::update_status),
+        )
+        .route(
+            "/api/v1/issues/{fingerprint}/events/",
+            get(events::list_for_issue),
+        )
+        .route(
+            "/api/v1/issues/{fingerprint}/events/latest/",
+            get(events::latest_for_issue),
+        )
+        .route("/api/v1/events/{event_id}/", get(events::get))
         // Alert rules
         .route(
             "/api/v1/alerts/rules",

src/api/mod.rs

@@ -1,6 +1,11 @@
+use axum::extract::{Path, State};
+use axum::http::{HeaderMap, StatusCode};
 use axum::response::IntoResponse;
+use axum::Json;
+use serde_json::json;
 
 use crate::queries;
+use crate::server::AppState;
 
 use super::json_or_500;
 use crate::extractors::ApiReadPool;
@@ -9,3 +14,37 @@ use crate::extractors::ApiReadPool;
 pub async fn list(ApiReadPool(pool): ApiReadPool) -> impl IntoResponse {
     json_or_500(queries::projects::list_projects(&pool, None, None, None).await)
 }
+
+/// GET /api/0/projects/{org}/{project_id}/
+///
+/// Minimal project detail endpoint that sentry-cli calls to validate
+/// a project before creating releases or uploading sourcemaps.
+pub async fn sentry_get(
+    State(state): State<AppState>,
+    Path((_org, project_slug)): Path<(String, String)>,
+    headers: HeaderMap,
+) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
+    let key_project_id = super::validate_api_key(&state.pool, &headers, "sourcemap").await?;
+
+    let project_id: u64 = project_slug
+        .parse()
+        .map_err(|_| super::api_error(StatusCode::NOT_FOUND, "project not found"))?;
+
+    if project_id != key_project_id {
+        return Err(super::api_error(StatusCode::NOT_FOUND, "project not found"));
+    }
+
+    let info = queries::projects::get_project_info(&state.pool, project_id)
+        .await
+        .map_err(super::internal_error)?;
+
+    match info {
+        Some(info) => Ok(Json(json!({
+            "id": project_id.to_string(),
+            "slug": project_slug,
+            "name": info.name.unwrap_or_else(|| format!("Project {project_id}")),
+            "status": info.status.as_str(),
+        }))),
+        None => Err(super::api_error(StatusCode::NOT_FOUND, "project not found")),
+    }
+}

src/api/projects.rs

@@ -12,8 +12,10 @@ use crate::extractors::ApiReadPool;
 #[derive(Deserialize)]
 pub struct CreateReleaseRequest {
     pub version: String,
+    /// sentry-cli sends slugs as strings and numeric IDs as integers,
+    /// so we accept arbitrary JSON values and parse them ourselves.
     #[serde(default)]
-    pub projects: Vec<String>,
+    pub projects: Vec<serde_json::Value>,
 }
 
 #[derive(Deserialize)]
@@ -33,12 +35,30 @@ pub struct CommitRef {
     pub commit: String,
 }
 
+/// POST /api/0/projects/{org}/{project_slug}/releases/
+pub async fn create_project_scoped(
+    State(state): State<AppState>,
+    Path((_org, _project)): Path<(String, String)>,
+    headers: HeaderMap,
+    Json(body): Json<CreateReleaseRequest>,
+) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
+    create_inner(state, headers, body).await
+}
+
 /// POST /api/0/organizations/{org}/releases/
 pub async fn create(
     State(state): State<AppState>,
     Path(_org): Path<String>,
     headers: HeaderMap,
     Json(body): Json<CreateReleaseRequest>,
+) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
+    create_inner(state, headers, body).await
+}
+
+async fn create_inner(
+    state: AppState,
+    headers: HeaderMap,
+    body: CreateReleaseRequest,
 ) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
     let key_project_id = super::validate_api_key(&state.pool, &headers, "sourcemap").await?;
     if body.version.is_empty() {
@@ -52,13 +72,16 @@ pub async fn create(
     }
 
     // Create release for each project in the list (must match the key's project)
-    for project_str in &body.projects {
-        let project_id: u64 = project_str.parse().map_err(|_| {
-            api_error(
-                StatusCode::BAD_REQUEST,
-                &format!("invalid project id: {project_str}"),
-            )
-        })?;
+    for project_val in &body.projects {
+        let project_id: u64 = project_val
+            .as_u64()
+            .or_else(|| project_val.as_str().and_then(|s| s.parse().ok()))
+            .ok_or_else(|| {
+                api_error(
+                    StatusCode::BAD_REQUEST,
+                    &format!("invalid project id: {project_val}"),
+                )
+            })?;
 
         if project_id != key_project_id {
             return Err(api_error(
@@ -87,13 +110,34 @@ pub async fn create(
     ))
 }
 
+/// PUT /api/0/projects/{org}/{project_slug}/releases/{version}/
+pub async fn update_project_scoped(
+    State(state): State<AppState>,
+    ApiReadPool(pool): ApiReadPool,
+    Path((_org, _project, version)): Path<(String, String, String)>,
+    headers: HeaderMap,
+    Json(body): Json<UpdateReleaseRequest>,
+) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
+    update_inner(state, pool, version, headers, body).await
+}
+
 /// PUT /api/0/organizations/{org}/releases/{version}/
 pub async fn update(
     State(state): State<AppState>,
     ApiReadPool(pool): ApiReadPool,
     Path((_org, version)): Path<(String, String)>,
     headers: HeaderMap,
     Json(body): Json<UpdateReleaseRequest>,
+) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
+    update_inner(state, pool, version, headers, body).await
+}
+
+async fn update_inner(
+    state: AppState,
+    pool: crate::db::DbPool,
+    version: String,
+    headers: HeaderMap,
+    body: UpdateReleaseRequest,
 ) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
     let key_project_id = super::validate_api_key(&state.pool, &headers, "sourcemap").await?;
     // Process commit refs — take the first ref's commit as the release commit