feat(dsn): add project root detection for automatic DSN discovery

[BYK]

Summary

This PR implements project root detection and a language-agnostic DSN scanner for automatic Sentry DSN discovery. The CLI now walks up from CWD to find the project root, then scans from there with proper depth limiting and priority ordering.

Problem

1. Running sentry issue list from a subdirectory (e.g., ~/project/src/lib/) would miss .env files at ~/project/.env
2. Language-specific detectors only matched DSNs in specific contexts like Sentry.init({ dsn: "..." }) but missed DSNs assigned to variables
3. No depth limiting meant slow scans in large projects
4. Complex codebase with 7 language-specific detector files

Solution

Project Root Detection:

1. Walk UP from CWD checking each directory for markers
2. At each level, check .env files for SENTRY_DSN (stops walk-up but doesn't short-circuit detection)
3. Stop at VCS/CI markers (.git, .github, etc.) - definitive repo root
4. Language markers (package.json, pyproject.toml, etc.) - closest to CWD wins
5. Scan from project root with 2-level depth limit

Language-Agnostic Code Scanner:

• Greps for DSN URL pattern directly using regex: https://KEY@HOST/PROJECT_ID
• Filters out commented lines using common prefixes (//, #, --, <!--, etc.)
• Respects .gitignore via the ignore package
• Validates DSN hosts: SENTRY_URL set → only that host; not set → only *.sentry.io
• Scans concurrently with p-limit for performance
• Skips large files (>256KB) and known non-source directories

DSN Priority Order:

code > env_file > env_var

Changes

New Files:

• src/lib/dsn/project-root.ts - Project root detection with Sentry instrumentation
• src/lib/dsn/code-scanner.ts - Language-agnostic DSN scanner
• test/lib/dsn/project-root.test.ts - 34 tests for project root detection
• test/lib/dsn/code-scanner.test.ts - 29 tests for code scanner

Modified:

• src/lib/dsn/detector.ts - Uses project root and new scanner with correct priority
• package.json - Added ignore and p-limit dependencies

Deleted (replaced by code-scanner.ts):

• src/lib/dsn/languages/*.ts (8 files: go, java, javascript, php, python, ruby, index, types)
• test/lib/dsn/languages/*.test.ts (6 test files)

Key Features

Feature	Implementation
Project root detection	Walk up from CWD, stop at VCS/CI markers
DSN extraction	Regex-based, filters commented lines
Host validation	SaaS-only or self-hosted-only based on SENTRY_URL
Gitignore support	Uses ignore package with built-in skip dirs
Depth limiting	Max 2 levels from project root
Concurrency	50 parallel file reads via p-limit
Observability	Sentry spans + metrics for scan stats

Testing

bun test test/lib/dsn/           # 89 tests pass
bun run typecheck                # Pass
bun run lint                     # Pass

[github-actions]

Semver Impact of This PR

🟡 Minor (new features)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

New Features ✨

• (dsn) Add project root detection for automatic DSN discovery by BYK in #159

Bug Fixes 🐛

• Added nullable in substatus's zod validation by MathurAditya724 in #157

---

_{🤖 This preview updates automatically when you update the PR.}

[BYK]

Addressed all review comments

I have addressed all the review comments in the latest commits. Here is a summary:

Code changes made:

1. Priority order in detectAllDsns - Fixed! Code DSNs now have priority over env file DSNs found during walk-up. Updated the test to match the documented priority order (code > env_file > env_var).

2. Stop boundary bug in walkUpDirectories - Fixed! Added explicit break when currentDir === stopBoundary BEFORE moving to parent, so we no longer traverse past the home directory.

3. Duplicate ENV_FILES constant - Fixed! Removed from project-root.ts and now imports from env-file.ts.

4. Windows path normalization - Fixed! Added relativePath.replaceAll("\\", "/") before calling ig.ignores() since the ignore package requires forward slashes.

Previously addressed (already in the code):

• Inefficient iteration - Already uses single-pass matchAll() with surrounding line lookup per match
• Limit parameter - Already has limit parameter for early exit
• Hardcoded sentry.io - Already uses DEFAULT_SENTRY_HOST from constants and handles SENTRY_URL properly
• path.extname - Already uses extname() from node:path
• recursive readdir - Already uses recursive: true
• Scanning logic order - Already correctly ordered (non-file → skip, depth check, ignore check, extension check)
• filesScanned metric - Already emits Sentry.metrics.distribution("dsn.files_scanned", ...)

Design decisions (no change needed):

1. Host check at scanning phase vs extraction: The current approach validates hosts in isValidDsnHost() after regex matching. Moving this earlier would require parsing every potential DSN URL upfront just to check the host, which adds overhead. The current flow is: regex match → check surrounding line for comments → parse and validate host. This is efficient because we only parse valid-looking DSNs.

2. Map vs Set for deduplication: We use Map<string, DetectedDsn> because we need to store the full DetectedDsn object (with source, path, etc.) keyed by the raw DSN string. A Set<string> would only store the DSN strings, losing the metadata. We could use Set<DetectedDsn> but that would require custom equality logic since objects are compared by reference.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}