feat: add sentry token subcommands (create, list, delete) #1112
jared-outpost[bot] wants to merge 5 commits into
find-bugs: Found 3 issues (2 medium, 1 low)
Medium
"Save this token" warning is silently suppressed in JSON mode - `src/commands/token/create.ts:106-109`
When `--json` is used, the one-time token warning is never shown: the human formatter (`formatTokenCreated`) is skipped, and the `return { hint: ... }` is explicitly suppressed by the framework in JSON mode — exactly the mode CI/automation pipelines use. If the full `token` field in the JSON output is not captured immediately, the token value is permanently lost with no indication.
Created token value silently dropped if creation response omits `token` field - `src/types/sentry.ts:1322`
`OrgAuthTokenSchema` marks `token` as `z.string().optional()` because the same schema is reused for both `listOrgAuthTokens` (GET, never returns the full token) and `createOrgAuthToken` (POST, returns the full token once). Because `token` is optional, a POST response that omits the field still parses successfully with `token === undefined`. In `create.ts`, `formatTokenCreated` only prints the value when `if (result.token.token)` is truthy, so a missing field yields a success message containing the name, ID, and scopes but no token value. Since the full token is only available at creation time, a silent omission leaves the user with an unusable token they cannot recover. The fix is to enforce presence on the creation path (e.g., a dedicated create-response schema with `token: z.string()`, or an explicit error in `create.ts` when `token` is absent) rather than silently skipping the print.
Also found at:
src/lib/api-client.ts:180
Low
Deleting an already-removed token surfaces a raw API error instead of a friendly message - `src/commands/token/delete.ts:143-167`
`resolveToken` lists the org tokens to resolve the ID/name, and `deleteOrgAuthToken(orgSlug, token.id)` then issues a separate DELETE request. If the token was already deleted (by another process, or because the resolved ID is stale by the time DELETE runs), the endpoint returns 404 and `apiRequestToRegionNoContent` calls `throwRawApiError`, propagating a raw `ApiError`. Because there is no `try/catch` around the `deleteOrgAuthToken` call in `func`, the user sees a raw API error message rather than a helpful "token not found / already deleted" message. This is purely a UX/error-handling nit — there is no security or state-corruption impact (the delete is effectively idempotent), so the practical effect is a less helpful error message.
Annotations
Check warning on line 109 in src/commands/token/create.ts
sentry-warden / warden: find-bugs
"Save this token" warning is silently suppressed in JSON mode
Check warning on line 1322 in src/types/sentry.ts
sentry-warden / warden: find-bugs
Created token value silently dropped if creation response omits `token` field
Check warning on line 180 in src/lib/api-client.ts
sentry-warden / warden: find-bugs
[FQU-CDL] Created token value silently dropped if creation response omits `token` field (additional location)