getsentry
diff --git a/‎AGENTS.md‎
Lines changed: 31 additions & 0 deletions b/‎AGENTS.md‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 1 deletion b/‎package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/commands/cli/setup.ts‎
Lines changed: 1 addition & 1 deletion b/‎src/commands/cli/setup.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/lib/oauth.ts‎
Lines changed: 18 additions & 8 deletions b/‎src/lib/oauth.ts‎
Lines changed: 18 additions & 8 deletions
diff --git a/‎src/lib/telemetry.ts‎
Lines changed: 86 additions & 20 deletions b/‎src/lib/telemetry.ts‎
Lines changed: 86 additions & 20 deletions
@@ -383,6 +383,37 @@ Minimal comments, maximum clarity. Comments explain **intent and reasoning**, no
 | Unit tests | `*.test.ts` | `test/` (mirrors `src/`) |
 | E2E tests | `*.test.ts` | `test/e2e/` |
 
+### Test Environment Isolation (CRITICAL)
+
+Tests that need a database or config directory **must** use `useTestConfigDir()` from `test/helpers.ts`. This helper:
+- Creates a unique temp directory in `beforeEach`
+- Sets `SENTRY_CONFIG_DIR` to point at it
+- **Restores** (never deletes) the env var in `afterEach`
+- Closes the database and cleans up temp files
+
+**NEVER** do any of these in test files:
+- `delete process.env.SENTRY_CONFIG_DIR` — This pollutes other test files that load after yours
+- `const baseDir = process.env[CONFIG_DIR_ENV_VAR]!` at module scope — This captures a value that may be stale
+- Manual `beforeEach`/`afterEach` that sets/deletes `SENTRY_CONFIG_DIR`
+
+**Why**: Bun runs test files **sequentially in one thread** (load → run all tests → load next file). If your `afterEach` deletes the env var, the next file's module-level code reads `undefined`, causing `TypeError: The "paths[0]" property must be of type string`.
+
+```typescript
+// CORRECT: Use the helper
+import { useTestConfigDir } from "../helpers.js";
+
+const getConfigDir = useTestConfigDir("my-test-prefix-");
+
+// If you need the directory path in a test:
+test("example", () => {
+  const dir = getConfigDir();
+});
+
+// WRONG: Manual env var management
+beforeEach(() => { process.env.SENTRY_CONFIG_DIR = tmpDir; });
+afterEach(() => { delete process.env.SENTRY_CONFIG_DIR; }); // BUG!
+```
+
 ### Property-Based Testing
 
 Use property-based tests when verifying invariants that should hold for **any valid input**.
 
@@ -59,7 +59,7 @@
   "engines": {
     "node": ">=22"
   },
-  "packageManager": "bun@1.3.3",
+  "packageManager": "bun@1.3.9",
   "patchedDependencies": {
     "@stricli/core@1.2.5": "patches/@stricli%2Fcore@1.2.5.patch",
     "@sentry/core@10.38.0": "patches/@sentry%2Fcore@10.38.0.patch"
 
@@ -171,7 +171,7 @@ function printWelcomeMessage(
   log(`Installed sentry v${version} to ${binaryPath}`);
   log("");
   log("Get started:");
-  log("  sentry login       Authenticate with Sentry");
+  log("  sentry auth login  Authenticate with Sentry");
   log("  sentry --help      See all available commands");
   log("");
   log("https://cli.sentry.dev");
 
@@ -24,12 +24,20 @@ const SENTRY_URL = process.env.SENTRY_URL ?? "https://sentry.io";
  * Build-time: Injected via Bun.build({ define: { SENTRY_CLIENT_ID: "..." } })
  * Runtime: Can be overridden via SENTRY_CLIENT_ID env var (for self-hosted)
  *
+ * Read at call time (not module load time) so tests can set process.env.SENTRY_CLIENT_ID
+ * after module initialization.
+ *
  * @see script/build.ts
  */
 declare const SENTRY_CLIENT_ID_BUILD: string | undefined;
-const SENTRY_CLIENT_ID =
-  process.env.SENTRY_CLIENT_ID ??
-  (typeof SENTRY_CLIENT_ID_BUILD !== "undefined" ? SENTRY_CLIENT_ID_BUILD : "");
+function getClientId(): string {
+  return (
+    process.env.SENTRY_CLIENT_ID ??
+    (typeof SENTRY_CLIENT_ID_BUILD !== "undefined"
+      ? SENTRY_CLIENT_ID_BUILD
+      : "")
+  );
+}
 
 // OAuth scopes requested for the CLI
 const SCOPES = [
@@ -85,7 +93,8 @@ async function fetchWithConnectionError(
 
 /** Request a device code from Sentry's device authorization endpoint */
 function requestDeviceCode() {
-  if (!SENTRY_CLIENT_ID) {
+  const clientId = getClientId();
+  if (!clientId) {
     throw new ConfigError(
       "SENTRY_CLIENT_ID is required for authentication",
       "Set SENTRY_CLIENT_ID environment variable or use a pre-built binary"
@@ -99,7 +108,7 @@ function requestDeviceCode() {
         method: "POST",
         headers: { "Content-Type": "application/x-www-form-urlencoded" },
         body: new URLSearchParams({
-          client_id: SENTRY_CLIENT_ID,
+          client_id: clientId,
           scope: SCOPES,
         }),
       }
@@ -142,7 +151,7 @@ function pollForToken(deviceCode: string): Promise<TokenResponse> {
         method: "POST",
         headers: { "Content-Type": "application/x-www-form-urlencoded" },
         body: new URLSearchParams({
-          client_id: SENTRY_CLIENT_ID,
+          client_id: getClientId(),
           device_code: deviceCode,
           grant_type: "urn:ietf:params:oauth:grant-type:device_code",
         }),
@@ -313,7 +322,8 @@ export async function setApiToken(token: string): Promise<void> {
 export function refreshAccessToken(
   refreshToken: string
 ): Promise<TokenResponse> {
-  if (!SENTRY_CLIENT_ID) {
+  const clientId = getClientId();
+  if (!clientId) {
     throw new ConfigError(
       "SENTRY_CLIENT_ID is required for token refresh",
       "Set SENTRY_CLIENT_ID environment variable or use a pre-built binary"
@@ -327,7 +337,7 @@ export function refreshAccessToken(
         method: "POST",
         headers: { "Content-Type": "application/x-www-form-urlencoded" },
         body: new URLSearchParams({
-          client_id: SENTRY_CLIENT_ID,
+          client_id: clientId,
           grant_type: "refresh_token",
           refresh_token: refreshToken,
         }),
 
@@ -49,11 +49,36 @@ async function initTelemetryContext(): Promise<void> {
   }
 }
 
+/**
+ * Mark the active session as crashed.
+ *
+ * Checks both current scope and isolation scope since processSessionIntegration
+ * stores the session on the isolation scope. Called when a command error
+ * propagates through withTelemetry — the SDK auto-marks crashes for truly
+ * uncaught exceptions (mechanism.handled === false), but command errors need
+ * explicit marking.
+ *
+ * @internal Exported for testing
+ */
+export function markSessionCrashed(): void {
+  const session =
+    Sentry.getCurrentScope().getSession() ??
+    Sentry.getIsolationScope().getSession();
+  if (session) {
+    session.status = "crashed";
+  }
+}
+
 /**
  * Wrap CLI execution with telemetry tracking.
  *
- * Creates a Sentry session and span for the command execution.
- * Captures any unhandled exceptions and reports them.
+ * Creates a Sentry span for the command execution and captures exceptions.
+ * Session lifecycle is managed by the SDK's processSessionIntegration
+ * (started during Sentry.init) and a beforeExit handler (registered in
+ * initSentry) that ends healthy sessions and flushes events. This ensures
+ * sessions are reliably tracked even for unhandled rejections and other
+ * paths that bypass this function's try/catch.
+ *
  * Telemetry can be disabled via SENTRY_CLI_NO_TELEMETRY=1 env var.
  *
  * @param callback - The CLI execution function to wrap, receives the span for naming
@@ -71,9 +96,6 @@ export async function withTelemetry<T>(
   // Initialize user and instance context
   await initTelemetryContext();
 
-  Sentry.startSession();
-  Sentry.captureSession();
-
   try {
     return await Sentry.startSpanManual(
       { name: "cli.command", op: "cli.command", forceTransaction: true },
@@ -92,31 +114,47 @@ export async function withTelemetry<T>(
       e instanceof AuthError && e.reason === "not_authenticated";
     if (!isExpectedAuthState) {
       Sentry.captureException(e);
-      const session = Sentry.getCurrentScope().getSession();
-      if (session) {
-        session.status = "crashed";
-      }
+      markSessionCrashed();
     }
     throw e;
-  } finally {
-    Sentry.endSession();
-    // Flush with a timeout to ensure events are sent before process exits
-    try {
-      await client.flush(3000);
-    } catch {
-      // Ignore flush errors - telemetry should never block CLI
-    }
   }
 }
 
 /**
- * Initialize Sentry for telemetry.
+ * Create a beforeExit handler that ends healthy sessions and flushes events.
  *
- * @param enabled - Whether telemetry is enabled
- * @returns The Sentry client, or undefined if initialization failed
+ * The SDK's processSessionIntegration only ends non-OK sessions (crashed/errored).
+ * This handler complements it by ending OK sessions (clean exit → 'exited')
+ * and flushing pending events. Includes a re-entry guard since flush is async
+ * and causes beforeExit to re-fire when complete.
+ *
+ * @param client - The Sentry client to flush
+ * @returns A handler function for process.on("beforeExit")
  *
  * @internal Exported for testing
  */
+export function createBeforeExitHandler(client: Sentry.BunClient): () => void {
+  let isFlushing = false;
+  return () => {
+    if (isFlushing) {
+      return;
+    }
+    isFlushing = true;
+
+    const session = Sentry.getIsolationScope().getSession();
+    if (session?.status === "ok") {
+      Sentry.endSession();
+    }
+
+    // Flush pending events before exit. Convert PromiseLike to Promise
+    // for proper error handling. The async work causes beforeExit to
+    // re-fire when complete, which the isFlushing guard handles.
+    Promise.resolve(client.flush(3000)).catch(() => {
+      // Ignore flush errors — telemetry should never block CLI exit
+    });
+  };
+}
+
 /**
  * Integrations to exclude for CLI.
  * These add overhead without benefit for short-lived CLI processes.
@@ -128,6 +166,17 @@ const EXCLUDED_INTEGRATIONS = new Set([
   "Modules", // Lists all loaded modules - unnecessary for CLI telemetry
 ]);
 
+/** Current beforeExit handler, tracked so it can be replaced on re-init */
+let currentBeforeExitHandler: (() => void) | null = null;
+
+/**
+ * Initialize Sentry for telemetry.
+ *
+ * @param enabled - Whether telemetry is enabled
+ * @returns The Sentry client, or undefined if initialization failed
+ *
+ * @internal Exported for testing
+ */
 export function initSentry(enabled: boolean): Sentry.BunClient | undefined {
   const environment = process.env.NODE_ENV ?? "development";
 
@@ -187,6 +236,23 @@ export function initSentry(enabled: boolean): Sentry.BunClient | undefined {
 
     // Tag whether targeting self-hosted Sentry (not SaaS)
     Sentry.setTag("is_self_hosted", !isSentrySaasUrl(getSentryBaseUrl()));
+
+    // End healthy sessions and flush events when the event loop drains.
+    // The SDK's processSessionIntegration starts a session during init and
+    // registers its own beforeExit handler that ends non-OK (crashed/errored)
+    // sessions. We complement it by ending OK sessions (clean exit → 'exited')
+    // and flushing pending events. This covers unhandled rejections and other
+    // paths that bypass withTelemetry's try/catch.
+    // Ref: https://nodejs.org/api/process.html#event-beforeexit
+    //
+    // Replace previous handler on re-init (e.g., auto-login retry calls
+    // withTelemetry → initSentry twice) to avoid duplicate handlers with
+    // independent re-entry guards and stale client references.
+    if (currentBeforeExitHandler) {
+      process.removeListener("beforeExit", currentBeforeExitHandler);
+    }
+    currentBeforeExitHandler = createBeforeExitHandler(client);
+    process.on("beforeExit", currentBeforeExitHandler);
   }
 
   return client;