fix(test): fix CI hang, auth guard tests, and PR #610 test rewrite (#616)

## Summary

Fixes the CI unit test hang and ~200 test failures caused by three
merged PRs (#610, #611). Supersedes #612 with a cleaner approach.

### 1. CI Hang — telemetry `beforeExit` handler leak

`initSentry(false)` in test `afterEach` hooks never cleaned up the
`beforeExit` handler registered by a prior `initSentry(true)` call — the
removal was gated on `client?.getOptions().enabled`. SDK-internal
handlers from `enableLogs` and `sendClientReports` also accumulated on
re-init.

**Fix** (src/lib/telemetry.ts):
- Close previous Sentry client before re-init
(`Sentry.getClient()?.close(0)`)
- Move handler removal outside the `enabled` guard
- Gate `enableLogs` and `sendClientReports` on `enabled` (not just
`libraryMode`)
- Snapshot and clean up `ProcessSession` `beforeExit` listeners in
telemetry.test.ts

### 2. Auth guard test failures (PR #611)

`buildCommand` now calls `getAuthConfig()` before every command. Tests
had no auth token.

**Fix**:
- Set fake `SENTRY_AUTH_TOKEN` in test/preload.ts (blocked by global
fetch mock)
- Add `auth: false` to all 34 `buildCommand` calls in command.test.ts
- Save/clear/restore `SENTRY_AUTH_TOKEN` in 9 test files that verify
unauthenticated behavior
- Add `getAuthConfig` mock + `resolveOrgProjectFromArg` mock in log/list
tests

### 3. Dead code tests (PR #610)

PR #610 moved org resolution and DSN detection from
`createSentryProject` to `wizard-runner`'s `resolvePreSpinnerOptions`.
Tests that exercised those flows through `handleLocalOp` hit the new
`!options.org` guard.

**Fix**: Rewrote 15 tests to call `resolveOrgSlug` and
`detectExistingProject` directly, plus 2 new tests for
`createSentryProject`'s existing-project check. No test coverage lost.

### 4. Mtime test flakiness

Replaced `Bun.sleep(10)` with explicit `utimes()` calls in dsn-cache and
project-root-cache tests for deterministic mtime differences on Linux
CI.

## Test plan

- `bun test` — 630 pass, 4 fail (pre-existing: 3 resolve-target timeouts
from unmocked fetch, 1 log/list failure from missing generated
api-schema.json)
- `bun run lint` — clean (1 pre-existing warning)

Made with [Cursor](https://cursor.com)

Author: betegon

src/lib/telemetry.ts

@@ -275,7 +275,7 @@ const LIBRARY_EXCLUDED_INTEGRATIONS = new Set([
   ...EXCLUDED_INTEGRATIONS,
   "OnUncaughtException", // process.on('uncaughtException')
   "OnUnhandledRejection", // process.on('unhandledRejection')
-  "ProcessSession", // process.on('beforeExit')
+  "ProcessSession", // process.on('beforeExit') — anonymous handler, no cleanup
   "Http", // diagnostics_channel + trace headers
   "NodeFetch", // diagnostics_channel + trace headers
   "FunctionToString", // wraps Function.prototype.toString
@@ -355,6 +355,13 @@ export function initSentry(
   const libraryMode = options?.libraryMode ?? false;
   const environment = getEnv().NODE_ENV ?? "development";
 
+  // Close the previous client to clean up its internal timers and beforeExit
+  // handlers (client report flusher interval, log flush listener). Without
+  // this, re-initializing the SDK (e.g., in tests) leaks setInterval handles
+  // that keep the event loop alive and prevent the process from exiting.
+  // close(0) removes listeners synchronously; we don't need to await the flush.
+  Sentry.getClient()?.close(0);
+
   const client = Sentry.init({
     dsn: SENTRY_CLI_DSN,
     enabled,
@@ -374,10 +381,12 @@ export function initSentry(
     },
     environment,
     // Enable Sentry structured logs for non-exception telemetry (e.g., unexpected input warnings).
-    // Disabled in library mode — logs use timers/beforeExit that pollute the host process.
-    enableLogs: !libraryMode,
-    // Disable client reports in library mode — they use timers/beforeExit.
-    ...(libraryMode && { sendClientReports: false }),
+    // Disabled when telemetry is off or in library mode — the SDK registers
+    // beforeExit handlers for log flushing that keep the event loop alive.
+    enableLogs: enabled && !libraryMode,
+    // Disable client reports when telemetry is off or in library mode — the SDK
+    // registers a setInterval + beforeExit handler that keep the event loop alive.
+    ...((libraryMode || !enabled) && { sendClientReports: false }),
     // Sample all events for CLI telemetry (low volume)
     tracesSampleRate: 1,
     sampleRate: 1,
@@ -405,6 +414,12 @@ export function initSentry(
     },
   });
 
+  // Always remove our own previous handler on re-init.
+  if (currentBeforeExitHandler) {
+    process.removeListener("beforeExit", currentBeforeExitHandler);
+    currentBeforeExitHandler = null;
+  }
+
   if (client?.getOptions().enabled) {
     const isBun = typeof process.versions.bun !== "undefined";
     const runtime = isBun ? "bun" : "node";
@@ -441,14 +456,7 @@ export function initSentry(
     //
     // Skipped in library mode — the host owns the process lifecycle.
     // The library entry point calls client.flush() manually after completion.
-    //
-    // Replace previous handler on re-init (e.g., auto-login retry calls
-    // withTelemetry → initSentry twice) to avoid duplicate handlers with
-    // independent re-entry guards and stale client references.
     if (!libraryMode) {
-      if (currentBeforeExitHandler) {
-        process.removeListener("beforeExit", currentBeforeExitHandler);
-      }
       currentBeforeExitHandler = createBeforeExitHandler(client);
       process.on("beforeExit", currentBeforeExitHandler);
     }

test/commands/auth/logout.test.ts

@@ -125,6 +125,9 @@ describe("logoutCommand.func", () => {
   test("env token (SENTRY_TOKEN): shows correct env var name in error", async () => {
     isAuthenticatedSpy.mockReturnValue(true);
     isEnvTokenActiveSpy.mockReturnValue(true);
+    // Clear SENTRY_AUTH_TOKEN so SENTRY_TOKEN takes priority
+    const savedAuthToken = process.env.SENTRY_AUTH_TOKEN;
+    delete process.env.SENTRY_AUTH_TOKEN;
     // Set env var directly — getActiveEnvVarName() reads env vars via getEnvToken()
     process.env.SENTRY_TOKEN = "sntrys_token_456";
     const { context } = createContext();
@@ -138,6 +141,9 @@ describe("logoutCommand.func", () => {
       expect(msg).toContain("SENTRY_TOKEN");
     } finally {
       delete process.env.SENTRY_TOKEN;
+      if (savedAuthToken !== undefined) {
+        process.env.SENTRY_AUTH_TOKEN = savedAuthToken;
+      }
     }
     expect(clearAuthSpy).not.toHaveBeenCalled();
   });

test/commands/auth/refresh.test.ts

@@ -84,6 +84,9 @@ describe("refreshCommand.func", () => {
 
   test("env token (SENTRY_TOKEN): throws AuthError with SENTRY_TOKEN in message", async () => {
     isEnvTokenActiveSpy.mockReturnValue(true);
+    // Clear SENTRY_AUTH_TOKEN so SENTRY_TOKEN takes priority
+    const savedAuthToken = process.env.SENTRY_AUTH_TOKEN;
+    delete process.env.SENTRY_AUTH_TOKEN;
     // Set env var directly — getActiveEnvVarName() reads env vars via getEnvToken()
     process.env.SENTRY_TOKEN = "sntrys_token_456";
 
@@ -99,6 +102,9 @@ describe("refreshCommand.func", () => {
       expect((err as AuthError).message).not.toContain("SENTRY_AUTH_TOKEN");
     } finally {
       delete process.env.SENTRY_TOKEN;
+      if (savedAuthToken !== undefined) {
+        process.env.SENTRY_AUTH_TOKEN = savedAuthToken;
+      }
     }
 
     expect(refreshTokenSpy).not.toHaveBeenCalled();

test/commands/auth/whoami.test.ts

@@ -84,6 +84,24 @@ describe("whoamiCommand.func", () => {
   });
 
   describe("unauthenticated", () => {
+    let getAuthConfigSpy: ReturnType<typeof spyOn>;
+    let savedAuthToken: string | undefined;
+
+    beforeEach(() => {
+      savedAuthToken = process.env.SENTRY_AUTH_TOKEN;
+      delete process.env.SENTRY_AUTH_TOKEN;
+      getAuthConfigSpy = spyOn(dbAuth, "getAuthConfig").mockReturnValue(
+        undefined
+      );
+    });
+
+    afterEach(() => {
+      getAuthConfigSpy.mockRestore();
+      if (savedAuthToken !== undefined) {
+        process.env.SENTRY_AUTH_TOKEN = savedAuthToken;
+      }
+    });
+
     test("throws AuthError(not_authenticated) when no token stored", async () => {
       isAuthenticatedSpy.mockReturnValue(false);
 

test/commands/log/list.test.ts

@@ -30,6 +30,8 @@ import {
 import { listCommand } from "../../../src/commands/log/list.js";
 // biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
 import * as apiClient from "../../../src/lib/api-client.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as dbAuth from "../../../src/lib/db/auth.js";
 import {
   AuthError,
   ContextError,
@@ -237,6 +239,23 @@ const newerLogs: SentryLog[] = [
   },
 ];
 
+// ============================================================================
+// Auth setup — mock getAuthConfig for all tests (auth guard added in #611)
+// ============================================================================
+
+let getAuthConfigSpy: ReturnType<typeof spyOn>;
+
+beforeEach(() => {
+  getAuthConfigSpy = spyOn(dbAuth, "getAuthConfig").mockReturnValue({
+    token: "sntrys_test",
+    source: "oauth" as const,
+  });
+});
+
+afterEach(() => {
+  getAuthConfigSpy.mockRestore();
+});
+
 // ============================================================================
 // Standard mode (project-scoped, no trace-id positional)
 // ============================================================================
@@ -837,7 +856,14 @@ describe("listCommand.func — flag validation", () => {
 
   test("allows --sort newest with --follow", async () => {
     // Should not throw ValidationError — the error (if any) comes from
-    // downstream resolution, not flag validation.
+    // downstream resolution, not flag validation. Mock resolution to reject
+    // with a non-ValidationError so we can verify flag validation passed.
+    const resolveOrgProjectSpy = spyOn(
+      resolveTarget,
+      "resolveOrgProjectFromArg"
+    ).mockRejectedValueOnce(
+      new ContextError("Organization", "sentry log list")
+    );
     const { context } = createMockContext();
     const func = await listCommand.loader();
     await expect(
@@ -847,6 +873,7 @@ describe("listCommand.func — flag validation", () => {
         "my-org/my-project"
       )
     ).rejects.not.toThrow(ValidationError);
+    resolveOrgProjectSpy.mockRestore();
   });
 });
 

test/commands/project/list.test.ts

@@ -970,7 +970,16 @@ describe("fetchOrgProjectsSafe", () => {
     // Clear auth token so the API client throws AuthError before making any request
     await clearAuth();
 
-    await expect(fetchOrgProjectsSafe("myorg")).rejects.toThrow(AuthError);
+    const savedAuthToken = process.env.SENTRY_AUTH_TOKEN;
+    delete process.env.SENTRY_AUTH_TOKEN;
+
+    try {
+      await expect(fetchOrgProjectsSafe("myorg")).rejects.toThrow(AuthError);
+    } finally {
+      if (savedAuthToken !== undefined) {
+        process.env.SENTRY_AUTH_TOKEN = savedAuthToken;
+      }
+    }
   });
 });
 
@@ -1234,13 +1243,22 @@ describe("handleAutoDetect", () => {
     // Clear auth so getAuthToken() throws AuthError before any fetch
     await clearAuth();
 
-    await expect(
-      handleAutoDetect("/tmp/test-project", {
-        limit: 30,
-        json: true,
-        fresh: false,
-      })
-    ).rejects.toThrow(AuthError);
+    const savedAuthToken = process.env.SENTRY_AUTH_TOKEN;
+    delete process.env.SENTRY_AUTH_TOKEN;
+
+    try {
+      await expect(
+        handleAutoDetect("/tmp/test-project", {
+          limit: 30,
+          json: true,
+          fresh: false,
+        })
+      ).rejects.toThrow(AuthError);
+    } finally {
+      if (savedAuthToken !== undefined) {
+        process.env.SENTRY_AUTH_TOKEN = savedAuthToken;
+      }
+    }
   });
 
   test("slow path: uses full fetch when platform filter is active", async () => {

test/fixture.ts

@@ -114,6 +114,8 @@ export function createE2EContext(
     run: (args: string[]) =>
       runCli(args, {
         env: {
+          SENTRY_AUTH_TOKEN: "",
+          SENTRY_TOKEN: "",
           [CONFIG_DIR_ENV_VAR]: configDir,
           SENTRY_URL: serverUrl,
           SENTRY_CLI_NO_TELEMETRY: "1",

test/lib/api-client.test.ts

@@ -108,6 +108,17 @@ describe("401 retry behavior", () => {
   // Note: These tests use rawApiRequest which goes to control silo (sentry.io)
   // and supports 401 retry with token refresh.
 
+  let savedAuthToken: string | undefined;
+  beforeEach(() => {
+    savedAuthToken = process.env.SENTRY_AUTH_TOKEN;
+    delete process.env.SENTRY_AUTH_TOKEN;
+  });
+  afterEach(() => {
+    if (savedAuthToken !== undefined) {
+      process.env.SENTRY_AUTH_TOKEN = savedAuthToken;
+    }
+  });
+
   test("retries request with new token on 401 response", async () => {
     const requests: RequestLog[] = [];