feat(install): add Sentry error telemetry to install script (#334)

## Summary

Add fire-and-forget error reporting to the install script via Sentry's
envelope API. Uses the CLI's existing public write-only DSN — no new
secrets or projects needed. This would have caught the macOS digest
extraction bug (#331) automatically.

## Changes

- `report_error()` — builds a minimal Sentry envelope and sends it via
  background `curl` (2s timeout, never blocks installation)
- `die()` — replaces all 11 `echo + exit 1` patterns with error
  reporting + exit
- `ERR` trap — catches unexpected `set -e` / `pipefail` exits like the
  gunzip pipeline failure that triggered #331
- UUID generation with fallback chain: `/proc` → `uuidgen` → `awk`
- Opt-out via `SENTRY_CLI_NO_TELEMETRY=1` (same as the CLI binary)

Each error event is tagged with `os`, `arch`, `channel`, `step`,
`install.version`, and bash version for quick triage.

Author: BYK

install

@@ -5,6 +5,75 @@ RED='\033[0;31m'
 MUTED='\033[0;2m'
 NC='\033[0m'
 
+# Sentry error telemetry — fire-and-forget error reporting via envelope API.
+# Uses the CLI's public write-only DSN. No PII collected.
+# Opt-out: SENTRY_CLI_NO_TELEMETRY=1
+SENTRY_DSN_KEY="1188a86f3f8168f089450587b00bca66"
+SENTRY_INGEST="https://o1.ingest.us.sentry.io"
+SENTRY_PROJECT_ID="4510776311808000"
+
+# Generate a UUID for the event. Tries /proc, uuidgen, then awk fallback.
+gen_uuid() {
+  if [[ -r /proc/sys/kernel/random/uuid ]]; then
+    cat /proc/sys/kernel/random/uuid
+  elif command -v uuidgen >/dev/null 2>&1; then
+    uuidgen | tr '[:upper:]' '[:lower:]'
+  else
+    awk 'BEGIN{srand();for(i=1;i<=32;i++)printf "%c",substr("0123456789abcdef",int(rand()*16)+1,1);print ""}'
+  fi
+}
+
+# Send an error event to Sentry. Runs in a subshell in the background so it
+# never blocks installation or propagates failures.
+# Usage: report_error "message" "step-name"
+report_error() {
+  # Respect the same opt-out as the CLI binary
+  [[ "${SENTRY_CLI_NO_TELEMETRY:-}" == "1" ]] && return 0
+
+  (
+    set +e  # Telemetry must never fail the script
+    local msg="${1:-unknown error}"
+    local step="${2:-unknown}"
+    local event_id
+    event_id=$(gen_uuid | tr -d '-')
+    local timestamp
+    timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")
+
+    # Escape a value for safe JSON string interpolation
+    _esc() { printf '%s' "$1" | sed 's/\\/\\\\/g;s/"/\\"/g' | tr '\n' ' '; }
+
+    local json_msg; json_msg=$(_esc "$msg")
+    local json_step; json_step=$(_esc "$step")
+    local json_channel; json_channel=$(_esc "${requested_version:-stable}")
+    local json_version; json_version=$(_esc "${version:-unknown}")
+
+    local envelope
+    envelope=$(printf '%s\n%s\n%s' \
+      "{\"event_id\":\"${event_id}\",\"dsn\":\"https://${SENTRY_DSN_KEY}@o1.ingest.us.sentry.io/${SENTRY_PROJECT_ID}\"}" \
+      '{"type":"event"}' \
+      "{\"event_id\":\"${event_id}\",\"timestamp\":\"${timestamp}\",\"platform\":\"other\",\"level\":\"error\",\"logger\":\"install\",\"server_name\":\"install-script\",\"message\":{\"formatted\":\"${json_msg}\"},\"tags\":{\"os\":\"${os:-unknown}\",\"arch\":\"${arch:-unknown}\",\"channel\":\"${json_channel}\",\"step\":\"${json_step}\",\"install.version\":\"${json_version}\"},\"contexts\":{\"runtime\":{\"name\":\"bash\",\"version\":\"${BASH_VERSION:-unknown}\"}}}")
+
+    curl -sf --max-time 2 \
+      -H "Content-Type: application/x-sentry-envelope" \
+      -H "X-Sentry-Auth: Sentry sentry_key=${SENTRY_DSN_KEY},sentry_version=7" \
+      -d "$envelope" \
+      "${SENTRY_INGEST}/api/${SENTRY_PROJECT_ID}/envelope/" \
+      >/dev/null 2>&1
+  ) &
+}
+
+# Print error message, report to Sentry, and exit.
+# Usage: die "message" "step-name"
+die() {
+  echo -e "${RED}$1${NC}" >&2
+  report_error "$1" "${2:-unknown}"
+  wait 2>/dev/null || true  # Let the background curl finish; ignore its exit status
+  exit 1
+}
+
+# Catch unexpected failures from set -e / pipefail (e.g., gunzip failing)
+trap 'die "Unexpected failure at line $LINENO" "trap"' ERR
+
 usage() {
   cat <<EOF
 Sentry CLI Installer
@@ -39,8 +108,7 @@ while [[ $# -gt 0 ]]; do
         requested_version="$2"
         shift 2
       else
-        echo -e "${RED}Error: --version requires a version argument${NC}"
-        exit 1
+        die "Error: --version requires a version argument" "args"
       fi
       ;;
     --no-modify-path)
@@ -60,24 +128,23 @@ case "$(uname -s)" in
   Darwin*) os="darwin" ;;
   Linux*) os="linux" ;;
   MINGW*|MSYS*|CYGWIN*) os="windows" ;;
-  *) echo -e "${RED}Unsupported OS: $(uname -s)${NC}"; exit 1 ;;
+  *) die "Unsupported OS: $(uname -s)" "detect-os" ;;
 esac
 
 # Detect architecture
 arch=$(uname -m)
 case "$arch" in
   x86_64) arch="x64" ;;
   aarch64|arm64) arch="arm64" ;;
-  *) echo -e "${RED}Unsupported architecture: $arch${NC}"; exit 1 ;;
+  *) die "Unsupported architecture: $arch" "detect-arch" ;;
 esac
 
 # Validate supported combinations
 suffix=""
 if [[ "$os" == "windows" ]]; then
   suffix=".exe"
   if [[ "$arch" != "x64" ]]; then
-    echo -e "${RED}Unsupported: windows-$arch (only windows-x64 is supported)${NC}"
-    exit 1
+    die "Unsupported: windows-$arch (only windows-x64 is supported)" "detect-arch"
   fi
 fi
 
@@ -103,8 +170,7 @@ if [[ "$requested_version" == "nightly" ]]; then
     "https://ghcr.io/token?scope=repository:getsentry/cli:pull" \
     | awk -F'"' '{for(i=1;i<=NF;i++) if($i=="token"){print $(i+2);exit}}')
   if [[ -z "$GHCR_TOKEN" ]]; then
-    echo -e "${RED}Failed to get GHCR token${NC}"
-    exit 1
+    die "Failed to get GHCR token" "ghcr-token"
   fi
 
   # Step 2: Fetch the OCI manifest for the :nightly tag
@@ -113,16 +179,14 @@ if [[ "$requested_version" == "nightly" ]]; then
     -H "Accept: application/vnd.oci.image.manifest.v1+json" \
     "https://ghcr.io/v2/getsentry/cli/manifests/nightly")
   if [[ -z "$MANIFEST" ]]; then
-    echo -e "${RED}Failed to fetch nightly manifest from GHCR${NC}"
-    exit 1
+    die "Failed to fetch nightly manifest from GHCR" "ghcr-manifest"
   fi
 
   # Step 3: Extract version from manifest annotation
   version=$(echo "$MANIFEST" \
     | awk -F'"' '{for(i=1;i<=NF;i++) if($i=="version"){print $(i+2);exit}}')
   if [[ -z "$version" ]]; then
-    echo -e "${RED}Failed to extract version from nightly manifest${NC}"
-    exit 1
+    die "Failed to extract version from nightly manifest" "ghcr-version"
   fi
 
   echo -e "${MUTED}Installing nightly sentry ${version}...${NC}"
@@ -140,8 +204,7 @@ if [[ "$requested_version" == "nightly" ]]; then
         }
       }')
   if [[ -z "$digest" ]]; then
-    echo -e "${RED}No nightly build found for ${gz_filename}${NC}"
-    exit 1
+    die "No nightly build found for ${gz_filename}" "ghcr-digest"
   fi
 
   # Step 5: Get the redirect URL from the blob endpoint (don't use -L: auth
@@ -150,8 +213,7 @@ if [[ "$requested_version" == "nightly" ]]; then
     -H "Authorization: Bearer $GHCR_TOKEN" \
     "https://ghcr.io/v2/getsentry/cli/blobs/${digest}" | tail -1)
   if [[ -z "$redir_url" ]]; then
-    echo -e "${RED}Failed to get blob redirect URL from GHCR${NC}"
-    exit 1
+    die "Failed to get blob redirect URL from GHCR" "ghcr-redirect"
   fi
 
   # Step 6: Download the .gz blob and decompress (without auth header)
@@ -164,8 +226,7 @@ else
     version=$(curl -fsSL https://api.github.com/repos/getsentry/cli/releases/latest \
       | sed -n 's/.*"tag_name": *"\([^"]*\)".*/\1/p')
     if [[ -z "$version" ]]; then
-      echo -e "${RED}Failed to fetch latest version${NC}"
-      exit 1
+      die "Failed to fetch latest version" "gh-version"
     fi
   else
     version="$requested_version"