feat: add sentry token subcommands (create, list, delete) #1112
jared-outpost[bot] wants to merge 5 commits into
2 issues
Medium
Silent data loss when token creation response omits the full token value - `src/types/sentry.ts:1320-1321`
If the API response to token creation omits the token field, Zod validation still passes (field is `optional()`), `formatTokenCreated` silently skips printing the value, and the user sees a success message with no token — permanently losing access to it since the value is never retrievable again. Throw an error instead of silently omitting it.
Also found at:
- `src/commands/token/create.ts:31-36`
- `src/lib/api-client.ts:179`
Low
Token name with terminal escape sequences rendered unsanitized in delete confirmation prompt - `src/commands/token/delete.ts:150-154`
In `sentry token delete`, the `token.name` value returned from the org auth-token API is embedded directly into the `confirmByTyping` prompt string without stripping control/ANSI escape sequences. An org member with token-creation access can name a token with embedded escape sequences (e.g. `\r\x1b[K`) so that when an admin runs the delete command, the rendered prompt text can be overwritten/spoofed, or — if the name contains non-typeable bytes — interactive confirmation can never match (`response.trim() === expected`), forcing the admin to fall back to `--yes`/`--force`. Impact is limited because the admin themselves initiates the deletion and can bypass the prompt non-interactively.
2 skills analyzed
| Skill | Findings | Duration | Cost |
|---|---|---|---|
| security-review | 0 | 2m 14s | $1.25 |
| find-bugs | 2 | 8m 51s | $3.39 |
⏱ 11m 5s · 3.0M in / 106.0k out · $4.64
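
For the Low finding above (token name rendered unsanitized in the delete confirmation prompt), one way to neutralize ANSI and control sequences before both display and comparison. This is an added example, not code from the PR or the project: `sanitizeForTerminal`, `escapeControls`, `confirmationFor` and `isConfirmed` are hypothetical names, and the prompt wording is an assumption.

```typescript
// Added example (hypothetical helpers, not the project's code).

// ESC-introduced sequences: CSI (ESC [ params final), OSC (ESC ] ... BEL or ESC \),
// and two-character escapes such as ESC M.
const ANSI_SEQUENCE =
  /\x1b(?:\[[0-?]*[ -\/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)?|[@-Z\\^_])/g;
// Any remaining C0 control, DEL, or C1 control (covers \r, \n, \t and a bare ESC).
const CONTROL_CHARS = /[\x00-\x1f\x7f-\x9f]/g;

interface Confirmation {
  prompt: string;   // safe to write to the terminal
  expected: string; // what the operator must type
}

// Remove escape sequences first, then any leftover control characters.
function sanitizeForTerminal(value: string): string {
  return value.replace(ANSI_SEQUENCE, "").replace(CONTROL_CHARS, "");
}

// Render control characters visibly (\x0d, \x1b, ...) so the operator can see
// that the stored name contained them, without the terminal acting on them.
function escapeControls(value: string): string {
  return value.replace(CONTROL_CHARS, (c) => {
    const hex = c.charCodeAt(0).toString(16);
    return "\\x" + ("0" + hex).slice(-2);
  });
}

// Build the prompt from the sanitized name only, and compare against that same
// sanitized value so a name with non-typeable bytes can still be confirmed.
function confirmationFor(rawName: string): Confirmation {
  const clean = sanitizeForTerminal(rawName);
  const expected = clean.trim();
  if (expected === "") {
    throw new Error("token name has no printable characters; identify the token another way");
  }
  const note = clean === rawName
    ? ""
    : ` (control bytes removed from: ${escapeControls(rawName)})`;
  return { prompt: `Type "${expected}" to confirm deletion${note}: `, expected };
}

// Same comparison the finding quotes: response.trim() === expected.
function isConfirmed(response: string, expected: string): boolean {
  return response.trim() === expected;
}
```

The same sanitizer belongs anywhere else a server-supplied token name reaches the terminal, since the name is attacker-influenced wherever it is printed.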