fix(brew): handle root-owned config dir from sudo installs

- Make all post-install setup steps non-fatal using a bestEffort() wrapper
  so Homebrew's post_install never aborts on permission errors
- In tryRepairReadonly(), detect root-owned files (uid 0) and emit a
  targeted message with the actual username instead of falling through
  to the generic warning
- Add ownership detection and repair to `sentry cli fix`:
  - Checks config dir / DB / WAL / SHM file ownership
  - When run as root (sudo sentry cli fix), performs chown to transfer
    ownership back to the real user (inferred from SUDO_USER env var)
  - When not root, prints the exact sudo chown command to run

Author: BYK

src/commands/cli/fix.ts

@@ -1,10 +1,11 @@
 /**
  * sentry cli fix
  *
- * Diagnose and repair CLI database issues (schema and permissions).
+ * Diagnose and repair CLI database issues (schema, permissions, and ownership).
  */
 
-import { chmod, stat } from "node:fs/promises";
+import { chmod, chown, stat } from "node:fs/promises";
+import { userInfo } from "node:os";
 import type { SentryContext } from "../../context.js";
 import { buildCommand } from "../../lib/command.js";
 import { getConfigDir, getDbPath, getRawDatabase } from "../../lib/db/index.js";
@@ -43,6 +44,33 @@ type PermissionIssue = {
   expectedMode: number;
 };
 
+/**
+ * A file or directory that is owned by a different user (typically root),
+ * preventing the current process from writing to it.
+ */
+type OwnershipIssue = {
+  path: string;
+  kind: "directory" | "database" | "journal";
+  /** UID of the file's current owner */
+  ownerUid: number;
+};
+
+/**
+ * Determine the real username for display in chown instructions.
+ *
+ * When running under `sudo`, `SUDO_USER` holds the original user's login name.
+ * Falls back to `USER` / `USERNAME` env vars, then `os.userInfo()`.
+ */
+function getRealUsername(): string {
+  return (
+    process.env.SUDO_USER ||
+    process.env.USER ||
+    process.env.USERNAME ||
+    userInfo().username ||
+    "$(whoami)"
+  );
+}
+
 /**
  * Check if a path has the exact expected permission mode.
  *
@@ -132,6 +160,208 @@ async function checkPermissions(dbPath: string): Promise<PermissionIssue[]> {
   return results.filter((r): r is PermissionIssue => r !== null);
 }
 
+/**
+ * Check whether any config dir files or the DB are owned by a different user
+ * (typically root after a `sudo` install).
+ *
+ * We only check the config directory and the DB file — those are the gating
+ * items. If they are owned by root, chmod will fail and is pointless to attempt.
+ *
+ * @param dbPath - Absolute path to the database file
+ * @param currentUid - The UID of the running process
+ * @returns List of paths owned by a different user (empty = all owned by us)
+ */
+async function checkOwnership(
+  dbPath: string,
+  currentUid: number
+): Promise<OwnershipIssue[]> {
+  const configDir = getConfigDir();
+
+  const checks: Array<{ path: string; kind: OwnershipIssue["kind"] }> = [
+    { path: configDir, kind: "directory" },
+    { path: dbPath, kind: "database" },
+    { path: `${dbPath}-wal`, kind: "journal" },
+    { path: `${dbPath}-shm`, kind: "journal" },
+  ];
+
+  const results = await Promise.all(
+    checks.map(async ({ path, kind }) => {
+      try {
+        const st = await stat(path);
+        if (st.uid !== currentUid) {
+          return { path, kind, ownerUid: st.uid } satisfies OwnershipIssue;
+        }
+      } catch (error: unknown) {
+        const code =
+          error instanceof Error
+            ? (error as NodeJS.ErrnoException).code
+            : undefined;
+        // Missing files are fine (WAL/SHM created on demand).
+        if (code === "ENOENT" || code === "EACCES") {
+          return null;
+        }
+        throw error;
+      }
+      return null;
+    })
+  );
+
+  return results.filter((r): r is OwnershipIssue => r !== null);
+}
+
+/**
+ * Resolve the numeric UID for a username by running `id -u <username>`.
+ * Returns null if the lookup fails or returns a non-numeric result.
+ */
+async function resolveUid(username: string): Promise<number | null> {
+  try {
+    const result = await Bun.$`id -u ${username}`.text();
+    const uid = Number(result.trim());
+    return Number.isNaN(uid) ? null : uid;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Perform chown on the given ownership issues, transferring files to
+ * `username`. Called only when the current process is already root.
+ *
+ * @returns Object with lists of human-readable success and failure messages
+ */
+async function repairOwnership(
+  issues: OwnershipIssue[],
+  username: string,
+  targetUid: number
+): Promise<{ fixed: string[]; failed: string[] }> {
+  const fixed: string[] = [];
+  const failed: string[] = [];
+
+  const results = await Promise.allSettled(
+    issues.map((issue) => chown(issue.path, targetUid, -1))
+  );
+
+  for (let i = 0; i < results.length; i++) {
+    const result = results[i] as PromiseSettledResult<void>;
+    const issue = issues[i] as OwnershipIssue;
+    if (result.status === "fulfilled") {
+      fixed.push(`${issue.kind} ${issue.path}: transferred to ${username}`);
+    } else {
+      const reason =
+        result.reason instanceof Error
+          ? result.reason.message
+          : "unknown error";
+      failed.push(`${issue.kind} ${issue.path}: ${reason}`);
+    }
+  }
+
+  return { fixed, failed };
+}
+
+/**
+ * Diagnose ownership issues and optionally repair them.
+ *
+ * When the running process is root (`currentUid === 0`), we can perform chown
+ * to transfer ownership back to the real user. The real username is inferred
+ * from `SUDO_USER` / `USER` / `USERNAME` env vars (set by sudo).
+ *
+ * When not root, we print the exact `sudo chown` command the user must run.
+ *
+ * @param dbPath - Absolute path to the database file
+ * @param currentUid - UID of the running process
+ * @param dryRun - If true, report issues without repairing
+ * @param output - Streams for user-facing output
+ * @returns Count of issues found and whether any repairs failed
+ */
+async function handleOwnershipIssues(
+  dbPath: string,
+  currentUid: number,
+  dryRun: boolean,
+  { stdout, stderr }: Output
+): Promise<DiagnoseResult> {
+  const issues = await checkOwnership(dbPath, currentUid);
+  if (issues.length === 0) {
+    return { found: 0, repairFailed: false };
+  }
+
+  stdout.write(`Found ${issues.length} ownership issue(s):\n`);
+  for (const issue of issues) {
+    stdout.write(
+      `  - ${issue.kind} ${issue.path}: owned by uid ${issue.ownerUid}\n`
+    );
+  }
+  stdout.write("\n");
+
+  const configDir = getConfigDir();
+  const username = getRealUsername();
+
+  if (dryRun) {
+    stdout.write(
+      printOwnershipInstructions(currentUid, username, configDir, true)
+    );
+    return { found: issues.length, repairFailed: false };
+  }
+
+  if (currentUid !== 0) {
+    // Not root — can't chown, print instructions.
+    stderr.write(
+      printOwnershipInstructions(currentUid, username, configDir, false)
+    );
+    return { found: issues.length, repairFailed: true };
+  }
+
+  // Running as root (e.g. via sudo sentry cli fix) — perform chown.
+  const targetUid = await resolveUid(username);
+  if (targetUid === null) {
+    stderr.write(
+      `Warning: Could not determine UID for user "${username}".\n` +
+        "Run the following command manually:\n" +
+        `  chown -R ${username} "${configDir}"\n\n`
+    );
+    return { found: issues.length, repairFailed: true };
+  }
+
+  stdout.write(`Transferring ownership to ${username} (uid ${targetUid})...\n`);
+  const { fixed, failed } = await repairOwnership(issues, username, targetUid);
+  for (const fix of fixed) {
+    stdout.write(`  + ${fix}\n`);
+  }
+  if (failed.length > 0) {
+    stderr.write("\nSome ownership repairs failed:\n");
+    for (const fail of failed) {
+      stderr.write(`  ! ${fail}\n`);
+    }
+    return { found: issues.length, repairFailed: true };
+  }
+  stdout.write("\n");
+  return { found: issues.length, repairFailed: false };
+}
+
+/**
+ * Return the ownership fix instructions string.
+ *
+ * @param currentUid - UID of the running process
+ * @param username - The real user's login name
+ * @param configDir - The config directory path
+ * @param dryRun - Whether this is a dry-run preview
+ */
+function printOwnershipInstructions(
+  currentUid: number,
+  username: string,
+  configDir: string,
+  dryRun: boolean
+): string {
+  if (dryRun && currentUid === 0) {
+    return `Would transfer ownership of "${configDir}" to ${username}.\n`;
+  }
+  return (
+    "To fix ownership, run one of:\n\n" +
+    `  sudo chown -R ${username} "${configDir}"\n\n` +
+    "Or let sentry fix it automatically:\n\n" +
+    "  sudo sentry cli fix\n\n"
+  );
+}
+
 /**
  * Format a permission mode as an octal string (e.g., "0644").
  *
@@ -315,18 +545,53 @@ function handleSchemaIssues(
   return { found: issues.length, repairFailed: failed.length > 0 };
 }
 
+/**
+ * Run schema diagnostics, guarding against DB open failures.
+ *
+ * The schema check opens the database, which can throw if the DB or config
+ * directory is inaccessible. This wrapper catches those errors so `--dry-run`
+ * can finish all diagnostics even when the filesystem is broken.
+ *
+ * @param priorIssuesFound - Total ownership+permission issues already found.
+ *   If non-zero, a schema open failure is expected and we stay quiet about it.
+ */
+function safeHandleSchemaIssues(
+  dbPath: string,
+  dryRun: boolean,
+  out: Output,
+  priorIssuesFound: number
+): DiagnoseResult {
+  try {
+    return handleSchemaIssues(dbPath, dryRun, out);
+  } catch {
+    if (priorIssuesFound === 0) {
+      out.stderr.write("Could not open database to check schema.\n");
+      out.stderr.write(
+        `Try deleting the database and restarting: rm "${dbPath}"\n`
+      );
+    }
+    return { found: 0, repairFailed: true };
+  }
+}
+
 export const fixCommand = buildCommand({
   docs: {
     brief: "Diagnose and repair CLI database issues",
     fullDescription:
-      "Check the CLI's local SQLite database for schema and permission issues and repair them.\n\n" +
+      "Check the CLI's local SQLite database for schema, permission, and ownership\n" +
+      "issues and repair them.\n\n" +
       "This is useful when upgrading from older CLI versions, if the database\n" +
       "becomes inconsistent due to interrupted operations, or if file permissions\n" +
       "prevent the CLI from writing to its local database.\n\n" +
       "The command performs non-destructive repairs only - it adds missing tables\n" +
-      "and columns, and fixes file permissions, but never deletes data.\n\n" +
+      "and columns, fixes file permissions, and transfers ownership — but never\n" +
+      "deletes data.\n\n" +
+      "If files are owned by root (e.g. after `sudo brew install`), run with sudo\n" +
+      "to transfer ownership back to the current user:\n\n" +
+      "  sudo sentry cli fix\n\n" +
       "Examples:\n" +
       "  sentry cli fix              # Fix database issues\n" +
+      "  sudo sentry cli fix         # Fix root-owned files\n" +
       "  sentry cli fix --dry-run    # Show what would be fixed without making changes",
   },
   parameters: {
@@ -344,32 +609,38 @@ export const fixCommand = buildCommand({
     const dryRun = flags["dry-run"];
     const out = { stdout, stderr: this.stderr };
 
+    // process.getuid() is undefined on Windows
+    const currentUid =
+      typeof process.getuid === "function" ? process.getuid() : -1;
+
     stdout.write(`Database: ${dbPath}\n`);
     stdout.write(`Expected schema version: ${CURRENT_SCHEMA_VERSION}\n\n`);
 
-    const perm = await handlePermissionIssues(dbPath, dryRun, out);
-
-    // Schema check opens the database, which can throw if the DB or config
-    // directory is readonly. Guard with try/catch so --dry-run can finish
-    // diagnostics even when the filesystem is broken.
-    let schema: DiagnoseResult;
-    try {
-      schema = handleSchemaIssues(dbPath, dryRun, out);
-    } catch {
-      // If we already found permission issues, the schema check failure is
-      // expected — don't obscure the permission report with an unrelated crash.
-      // If no permission issues were found, this is unexpected so re-report it.
-      if (perm.found === 0) {
-        out.stderr.write("Could not open database to check schema.\n");
-        out.stderr.write(
-          `Try deleting the database and restarting: rm "${dbPath}"\n`
-        );
-      }
-      schema = { found: 0, repairFailed: true };
-    }
+    // 1. Check ownership first — if files are root-owned, chmod will fail anyway.
+    //    On Windows (currentUid === -1), skip the ownership check entirely.
+    const ownership: DiagnoseResult =
+      currentUid >= 0
+        ? await handleOwnershipIssues(dbPath, currentUid, dryRun, out)
+        : { found: 0, repairFailed: false };
+
+    // 2. Check permissions (skip if ownership issues already reported failures —
+    //    chmod will fail on root-owned files so the output would be misleading).
+    const skipPerm = !dryRun && ownership.repairFailed;
+    const perm: DiagnoseResult = skipPerm
+      ? { found: 0, repairFailed: false }
+      : await handlePermissionIssues(dbPath, dryRun, out);
+
+    // 3. Schema check — guarded so filesystem errors don't hide earlier reports.
+    const schema = safeHandleSchemaIssues(
+      dbPath,
+      dryRun,
+      out,
+      ownership.found + perm.found
+    );
 
-    const totalFound = perm.found + schema.found;
-    const anyFailed = perm.repairFailed || schema.repairFailed;
+    const totalFound = ownership.found + perm.found + schema.found;
+    const anyFailed =
+      ownership.repairFailed || perm.repairFailed || schema.repairFailed;
 
     if (totalFound === 0 && !anyFailed) {
       stdout.write(