diff --git a/bun.lock b/bun.lock
index 0d041fe0..a55dd9fa 100644
--- a/bun.lock
+++ b/bun.lock
@@ -4,6 +4,10 @@
   "workspaces": {
     "": {
       "name": "sentry",
+      "dependencies": {
+        "ignore": "^7.0.5",
+        "p-limit": "^7.2.0",
+      },
       "devDependencies": {
         "@biomejs/biome": "2.3.8",
         "@sentry/bun": "10.38.0",
@@ -347,6 +351,8 @@
 
     "https-proxy-agent": ["https-proxy-agent@5.0.1", "", { "dependencies": { "agent-base": "6", "debug": "4" } }, "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA=="],
 
+    "ignore": ["ignore@7.0.5", "", {}, "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg=="],
+
     "import-in-the-middle": ["import-in-the-middle@2.0.6", "", { "dependencies": { "acorn": "^8.15.0", "acorn-import-attributes": "^1.9.5", "cjs-module-lexer": "^2.2.0", "module-details-from-path": "^1.0.4" } }, "sha512-3vZV3jX0XRFW3EJDTwzWoZa+RH1b8eTTx6YOCjglrLyPuepwoBti1k3L2dKwdCUrnVEfc5CuRuGstaC/uQJJaw=="],
 
     "is-binary-path": ["is-binary-path@2.1.0", "", { "dependencies": { "binary-extensions": "^2.0.0" } }, "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw=="],
@@ -391,7 +397,7 @@
 
     "nypm": ["nypm@0.6.4", "", { "dependencies": { "citty": "^0.2.0", "pathe": "^2.0.3", "tinyexec": "^1.0.2" }, "bin": { "nypm": "dist/cli.mjs" } }, "sha512-1TvCKjZyyklN+JJj2TS3P4uSQEInrM/HkkuSXsEzm1ApPgBffOn8gFguNnZf07r/1X6vlryfIqMUkJKQMzlZiw=="],
 
-    "p-limit": ["p-limit@3.1.0", "", { "dependencies": { "yocto-queue": "^0.1.0" } }, "sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ=="],
+    "p-limit": ["p-limit@7.2.0", "", { "dependencies": { "yocto-queue": "^1.2.1" } }, "sha512-ATHLtwoTNDloHRFFxFJdHnG6n2WUeFjaR8XQMFdKIv0xkXjrER8/iG9iu265jOM95zXHAfv9oTkqhrfbIzosrQ=="],
 
     "p-locate": ["p-locate@5.0.0", "", { "dependencies": { "p-limit": "^3.0.2" } }, "sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw=="],
 
@@ -471,7 +477,7 @@
 
     "yallist": ["yallist@3.1.1", "", {}, "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g=="],
 
-    "yocto-queue": ["yocto-queue@0.1.0", "", {}, "sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q=="],
+    "yocto-queue": ["yocto-queue@1.2.2", "", {}, "sha512-4LCcse/U2MHZ63HAJVE+v71o7yOdIe4cZ70Wpf8D/IyjDKYQLV5GD46B+hSTjJsvV5PztjvHoU580EftxjDZFQ=="],
 
     "zod": ["zod@3.25.76", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
 
@@ -491,6 +497,8 @@
 
     "glob/minimatch": ["minimatch@10.1.1", "", { "dependencies": { "@isaacs/brace-expansion": "^5.0.0" } }, "sha512-enIvLvRAFZYXJzkCYG5RKmPfrFArdLv+R+lbQ53BmIMLIry74bjKzX6iHAm8WYamJkhSSEabrWN5D97XnKObjQ=="],
 
+    "p-locate/p-limit": ["p-limit@3.1.0", "", { "dependencies": { "yocto-queue": "^0.1.0" } }, "sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ=="],
+
     "readdirp/picomatch": ["picomatch@2.3.1", "", {}, "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA=="],
 
     "ultracite/zod": ["zod@4.3.5", "", {}, "sha512-k7Nwx6vuWx1IJ9Bjuf4Zt1PEllcwe7cls3VNzm4CQ1/hgtFUK2bRNG3rvnpPUhFjmqJKAKtjV576KnUkHocg/g=="],
@@ -505,6 +513,8 @@
 
     "@sentry/bundler-plugin-core/glob/path-scurry": ["path-scurry@1.11.1", "", { "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" } }, "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA=="],
 
+    "p-locate/p-limit/yocto-queue": ["yocto-queue@0.1.0", "", {}, "sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q=="],
+
     "@sentry/bundler-plugin-core/glob/path-scurry/lru-cache": ["lru-cache@10.4.3", "", {}, "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="],
 
     "@sentry/bundler-plugin-core/glob/path-scurry/minipass": ["minipass@7.1.2", "", {}, "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw=="],
diff --git a/package.json b/package.json
index c9549394..995a7a61 100644
--- a/package.json
+++ b/package.json
@@ -57,5 +57,9 @@
   "patchedDependencies": {
     "@stricli/core@1.2.5": "patches/@stricli%2Fcore@1.2.5.patch",
     "@sentry/core@10.38.0": "patches/@sentry%2Fcore@10.38.0.patch"
+  },
+  "dependencies": {
+    "ignore": "^7.0.5",
+    "p-limit": "^7.2.0"
   }
 }
diff --git a/src/lib/dsn/code-scanner.ts b/src/lib/dsn/code-scanner.ts
new file mode 100644
index 00000000..0e20f8b8
--- /dev/null
+++ b/src/lib/dsn/code-scanner.ts
@@ -0,0 +1,626 @@
+/**
+ * Language-Agnostic Code Scanner
+ *
+ * Scans source code for Sentry DSNs using a simple grep-based approach.
+ * This replaces the language-specific detectors with a unified scanner that:
+ *
+ * 1. Greps for DSN URL pattern directly: https://KEY@HOST/PROJECT_ID
+ * 2. Filters out DSNs appearing in commented lines
+ * 3. Respects .gitignore using the `ignore` package
+ * 4. Validates DSN hosts (SaaS when no SENTRY_URL, or self-hosted host when set)
+ * 5. Scans concurrently with p-limit for performance
+ * 6. Skips large files and known non-source directories
+ */
+
+import { readdir } from "node:fs/promises";
+import path from "node:path";
+// biome-ignore lint/performance/noNamespaceImport: Sentry SDK recommends namespace import
+import * as Sentry from "@sentry/bun";
+import ignore, { type Ignore } from "ignore";
+import pLimit from "p-limit";
+import { DEFAULT_SENTRY_HOST } from "../constants.js";
+import { ConfigError } from "../errors.js";
+import { createDetectedDsn, inferPackagePath, parseDsn } from "./parser.js";
+import type { DetectedDsn } from "./types.js";
+
+/**
+ * Maximum file size to scan (256KB).
+ * Files larger than this are skipped as they're unlikely to be source files
+ * with DSN configuration.
+ *
+ * Note: This check happens during file processing rather than collection to
+ * avoid extra stat() calls. Bun.file().size is a cheap operation once we
+ * have the file handle.
+ */
+const MAX_FILE_SIZE = 256 * 1024;
+
+/**
+ * Concurrency limit for file reads.
+ * Balances performance with file descriptor limits.
+ */
+const CONCURRENCY_LIMIT = 50;
+
+/**
+ * Maximum depth to scan from project root.
+ * Depth 0 = files in root directory
+ * Depth 2 = files in second-level subdirectories (e.g., src/lib/file.ts)
+ */
+const MAX_SCAN_DEPTH = 2;
+
+/**
+ * Directories that are always skipped regardless of .gitignore.
+ * These are common dependency/build/cache directories that should never contain DSNs.
+ * Added to the gitignore instance as built-in patterns.
+ */
+const ALWAYS_SKIP_DIRS = [
+  // Version control
+  ".git",
+  ".hg",
+  ".svn",
+  // IDE/Editor
+  ".idea",
+  ".vscode",
+  ".cursor",
+  // Node.js
+  "node_modules",
+  // Python
+  "__pycache__",
+  ".pytest_cache",
+  ".mypy_cache",
+  ".ruff_cache",
+  "venv",
+  ".venv",
+  // Java/Kotlin/Gradle
+  "build",
+  "target",
+  ".gradle",
+  // Go
+  "vendor",
+  // Ruby
+  ".bundle",
+  // General build outputs
+  "dist",
+  "out",
+  ".next",
+  ".nuxt",
+  ".output",
+  "coverage",
+];
+
+/**
+ * File extensions to scan for DSNs.
+ * Covers source code, config files, and data formats that might contain DSNs.
+ */
+const TEXT_EXTENSIONS = new Set([
+  // JavaScript/TypeScript ecosystem
+  ".ts",
+  ".tsx",
+  ".js",
+  ".jsx",
+  ".mjs",
+  ".cjs",
+  ".astro",
+  ".vue",
+  ".svelte",
+  // Python
+  ".py",
+  // Go
+  ".go",
+  // Ruby
+  ".rb",
+  ".erb",
+  // PHP
+  ".php",
+  // JVM languages
+  ".java",
+  ".kt",
+  ".kts",
+  ".scala",
+  ".groovy",
+  // .NET languages
+  ".cs",
+  ".fs",
+  ".vb",
+  // Rust
+  ".rs",
+  // Swift/Objective-C
+  ".swift",
+  ".m",
+  ".mm",
+  // Dart/Flutter
+  ".dart",
+  // Elixir/Erlang
+  ".ex",
+  ".exs",
+  ".erl",
+  // Lua
+  ".lua",
+  // Config/data formats
+  ".json",
+  ".yaml",
+  ".yml",
+  ".toml",
+  ".xml",
+  ".properties",
+  ".config",
+]);
+
+/**
+ * Common comment prefixes to detect commented-out DSNs.
+ * Lines starting with these (after trimming whitespace) are ignored.
+ */
+const COMMENT_PREFIXES = ["//", "#", "--", "<!--", "/*", "*", "'''", '"""'];
+
+/**
+ * Pattern to split paths on both forward and back slashes for cross-platform support.
+ */
+const PATH_SEPARATOR_PATTERN = /[/\\]/;
+
+/**
+ * Normalize path separators to forward slashes for cross-platform consistency.
+ * On POSIX systems, this is a no-op (identity function).
+ * On Windows, converts backslashes to forward slashes.
+ *
+ * This is needed for:
+ * 1. The `ignore` package pattern matching (requires forward slashes)
+ * 2. inferPackagePath() which splits by "/"
+ * 3. Consistent sourcePath values in DetectedDsn objects
+ */
+const normalizePath: (p: string) => string =
+  path.sep === path.posix.sep
+    ? (x) => x
+    : (x) => x.replaceAll(path.sep, path.posix.sep);
+
+/**
+ * Pattern to match Sentry DSN URLs.
+ * Captures the full DSN including protocol, public key, host, and project ID.
+ *
+ * Format: https://{PUBLIC_KEY}@{HOST}/{PROJECT_ID}
+ * Example: https://abc123def456@o123456.ingest.us.sentry.io/4507654321
+ *
+ * The public key is typically a 32-character hex string, but we accept any
+ * alphanumeric string to support test fixtures and edge cases.
+ *
+ * Uses 'g' flag for global matching - IMPORTANT: reset lastIndex before reuse
+ * or create new RegExp instances when needed.
+ */
+const DSN_PATTERN =
+  /https?:\/\/[a-z0-9]+@[a-z0-9.-]+(?:\.[a-z]+|:[0-9]+)\/\d+/gi;
+
+/**
+ * Extract DSN URLs from file content, filtering out those in commented lines.
+ *
+ * Algorithm:
+ * 1. Find all DSN matches in the content using regex
+ * 2. For each match, find the line it appears on
+ * 3. Check if that line is commented out
+ * 4. Validate the DSN host is acceptable
+ *
+ * @param content - File content to scan
+ * @param limit - Maximum number of DSNs to return (undefined = no limit)
+ * @returns Array of unique DSN strings found in non-commented lines
+ */
+export function extractDsnsFromContent(
+  content: string,
+  limit?: number
+): string[] {
+  const dsns = new Set<string>();
+
+  // Find all potential DSN matches
+  for (const match of content.matchAll(DSN_PATTERN)) {
+    const dsn = match[0];
+    const matchIndex = match.index;
+
+    // Skip if we've already found this DSN
+    if (dsns.has(dsn)) {
+      continue;
+    }
+
+    // Find the line this match appears on by looking backwards for newline
+    const lineStart = content.lastIndexOf("\n", matchIndex) + 1;
+    const lineEnd = content.indexOf("\n", matchIndex);
+    const line = content.slice(lineStart, lineEnd === -1 ? undefined : lineEnd);
+
+    // Skip if the line is commented
+    if (isCommentedLine(line.trim())) {
+      continue;
+    }
+
+    // Validate it's a DSN with an acceptable host
+    if (isValidDsnHost(dsn)) {
+      dsns.add(dsn);
+
+      // Early exit if we've reached the limit
+      if (limit !== undefined && dsns.size >= limit) {
+        break;
+      }
+    }
+  }
+
+  return [...dsns];
+}
+
+/**
+ * Extract the first DSN from file content.
+ * Used by cache verification to check if a DSN is still present in a file.
+ *
+ * @param content - File content
+ * @returns First DSN found or null
+ */
+export function extractFirstDsnFromContent(content: string): string | null {
+  const dsns = extractDsnsFromContent(content, 1);
+  return dsns[0] ?? null;
+}
+
+/**
+ * Scan a directory for all DSNs in source code files.
+ *
+ * Respects .gitignore, skips large files, and limits depth.
+ * Returns all unique DSNs found across all files.
+ *
+ * @param cwd - Directory to scan
+ * @returns Array of detected DSNs with source information
+ */
+export function scanCodeForDsns(cwd: string): Promise<DetectedDsn[]> {
+  return scanDirectory(cwd, false);
+}
+
+/**
+ * Scan a directory and return the first DSN found.
+ *
+ * Optimized for the common case of single-project repositories.
+ * Stops scanning as soon as a valid DSN is found.
+ *
+ * @param cwd - Directory to scan
+ * @returns First detected DSN or null if none found
+ */
+export async function scanCodeForFirstDsn(
+  cwd: string
+): Promise<DetectedDsn | null> {
+  const results = await scanDirectory(cwd, true);
+  return results[0] ?? null;
+}
+
+/**
+ * Check if a line is commented out based on common comment prefixes.
+ */
+function isCommentedLine(trimmedLine: string): boolean {
+  return COMMENT_PREFIXES.some((prefix) => trimmedLine.startsWith(prefix));
+}
+
+/**
+ * Get the expected Sentry host for DSN validation.
+ *
+ * When SENTRY_URL is set (self-hosted), only DSNs matching that host are valid.
+ * When not set (SaaS), only *.sentry.io DSNs are valid.
+ *
+ * @throws {ConfigError} If SENTRY_URL is set but not a valid URL
+ * @returns The expected host domain for DSN validation
+ */
+function getExpectedHost(): string {
+  const sentryUrl = process.env.SENTRY_URL;
+
+  if (sentryUrl) {
+    // Self-hosted: only accept DSNs matching the configured host
+    try {
+      const url = new URL(sentryUrl);
+      return url.host;
+    } catch {
+      // Invalid SENTRY_URL - throw immediately since nothing will work
+      throw new ConfigError(
+        `SENTRY_URL "${sentryUrl}" is not a valid URL`,
+        "Set SENTRY_URL to a valid URL (e.g., https://sentry.example.com) or unset it to use sentry.io"
+      );
+    }
+  }
+
+  // SaaS: only accept *.sentry.io
+  return DEFAULT_SENTRY_HOST;
+}
+
+/**
+ * Validate that a DSN has an acceptable Sentry host.
+ *
+ * When SENTRY_URL is set (self-hosted): DSNs matching host or any subdomain are valid
+ * When SENTRY_URL is not set (SaaS): only *.sentry.io DSNs are valid
+ *
+ * This ensures we don't detect SaaS DSNs when configured for self-hosted
+ * (they can't be queried against a self-hosted instance) and vice versa.
+ */
+function isValidDsnHost(dsn: string): boolean {
+  const parsed = parseDsn(dsn);
+  if (!parsed) {
+    return false;
+  }
+
+  const expectedHost = getExpectedHost();
+
+  // Accept exact match or any subdomain for both SaaS and self-hosted
+  // e.g., for sentry.io: accept sentry.io or o123.ingest.us.sentry.io
+  // e.g., for sentry.example.com: accept sentry.example.com or ingest.sentry.example.com
+  return (
+    parsed.host === expectedHost || parsed.host.endsWith(`.${expectedHost}`)
+  );
+}
+
+/**
+ * Create an ignore instance with built-in skip directories and .gitignore rules.
+ */
+async function createIgnoreFilter(cwd: string): Promise<Ignore> {
+  const ig = ignore();
+
+  // Add built-in skip directories first
+  ig.add(ALWAYS_SKIP_DIRS);
+
+  // Then add .gitignore rules if present
+  try {
+    const gitignorePath = path.join(cwd, ".gitignore");
+    const content = await Bun.file(gitignorePath).text();
+    ig.add(content);
+  } catch {
+    // No .gitignore, that's fine
+  }
+
+  return ig;
+}
+
+/**
+ * Check if a file should be scanned based on its extension.
+ */
+function shouldScanFile(filename: string): boolean {
+  const ext = path.extname(filename);
+  return ext !== "" && TEXT_EXTENSIONS.has(ext);
+}
+
+/**
+ * Get the depth of a path (number of directory separators).
+ * Uses regex to split on both forward and back slashes for cross-platform support.
+ */
+function getPathDepth(relativePath: string): number {
+  if (!relativePath) {
+    return 0;
+  }
+  return relativePath.split(PATH_SEPARATOR_PATTERN).length - 1;
+}
+
+/**
+ * Collect files to scan from a directory using recursive readdir.
+ *
+ * @param cwd - Root directory to scan
+ * @param ig - Ignore filter instance
+ * @returns Array of file paths relative to cwd
+ */
+async function collectFiles(cwd: string, ig: Ignore): Promise<string[]> {
+  const entries = await readdir(cwd, { withFileTypes: true, recursive: true });
+  const files: string[] = [];
+
+  for (const entry of entries) {
+    // Skip non-files
+    if (!entry.isFile()) {
+      continue;
+    }
+
+    // Build relative path - entry.parentPath is the directory containing the entry
+    const rawRelativePath = path.relative(
+      cwd,
+      path.join(entry.parentPath, entry.name)
+    );
+
+    // Check depth early before more expensive operations
+    // Uses raw path (may have backslashes on Windows) since getPathDepth handles both
+    if (getPathDepth(rawRelativePath) > MAX_SCAN_DEPTH) {
+      continue;
+    }
+
+    // Normalize to forward slashes for cross-platform consistency
+    const relativePath = normalizePath(rawRelativePath);
+
+    // Skip ignored paths (includes ALWAYS_SKIP_DIRS and .gitignore patterns)
+    if (ig.ignores(relativePath)) {
+      continue;
+    }
+
+    // Only include files with scannable extensions
+    if (shouldScanFile(entry.name)) {
+      files.push(relativePath);
+    }
+  }
+
+  return files;
+}
+
+/**
+ * Process a single file and extract DSNs.
+ *
+ * Note on Bun.file().size: This is a lazy property that reads file metadata
+ * (via stat) only when accessed, not the file content. This is verified in
+ * Bun's source code and is cheaper than a separate stat() call since it uses
+ * the already-created file handle.
+ *
+ * @param cwd - Root directory
+ * @param relativePath - Path relative to cwd
+ * @param limit - Maximum DSNs to extract (undefined = no limit)
+ * @returns Array of detected DSNs (may be empty)
+ */
+async function processFile(
+  cwd: string,
+  relativePath: string,
+  limit?: number
+): Promise<DetectedDsn[]> {
+  const filepath = path.join(cwd, relativePath);
+
+  try {
+    const file = Bun.file(filepath);
+
+    // Skip large files (Bun.file().size reads metadata, not content)
+    if (file.size > MAX_FILE_SIZE) {
+      // TODO: Add debug log when logging infrastructure is available
+      return [];
+    }
+
+    const content = await file.text();
+    const dsnStrings = extractDsnsFromContent(content, limit);
+
+    if (dsnStrings.length === 0) {
+      return [];
+    }
+
+    const packagePath = inferPackagePath(relativePath);
+
+    // Map DSN strings to DetectedDsn objects, filtering out any that fail to parse
+    return dsnStrings
+      .map((dsn) => createDetectedDsn(dsn, "code", relativePath, packagePath))
+      .filter((d): d is DetectedDsn => d !== null);
+  } catch {
+    // TODO: Add warning log for unreadable files when logging infrastructure is available
+    return [];
+  }
+}
+
+/**
+ * State for concurrent DSN scanning.
+ */
+type ScanState = {
+  results: Map<string, DetectedDsn>;
+  filesScanned: number;
+  earlyExit: boolean;
+};
+
+/**
+ * Process a file and add found DSNs to the scan state.
+ * Returns true if early exit should be triggered.
+ */
+async function processFileAndCollect(
+  cwd: string,
+  file: string,
+  stopOnFirst: boolean,
+  state: ScanState
+): Promise<boolean> {
+  state.filesScanned += 1;
+  const dsns = await processFile(cwd, file, stopOnFirst ? 1 : undefined);
+
+  for (const dsn of dsns) {
+    if (!state.results.has(dsn.raw)) {
+      state.results.set(dsn.raw, dsn);
+      // When stopOnFirst is true, processFile returns at most 1 DSN per file.
+      // This check triggers early exit when we find the first *unique* DSN,
+      // handling the case where the same DSN appears in multiple files.
+      if (stopOnFirst) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
+/**
+ * Scan files concurrently and collect DSNs.
+ *
+ * @param cwd - Root directory
+ * @param files - Files to scan (relative paths)
+ * @param stopOnFirst - Whether to stop after finding the first DSN
+ * @returns Map of DSNs (keyed by raw string) and count of files scanned
+ */
+async function scanFilesForDsns(
+  cwd: string,
+  files: string[],
+  stopOnFirst: boolean
+): Promise<{ results: Map<string, DetectedDsn>; filesScanned: number }> {
+  const limit = pLimit(CONCURRENCY_LIMIT);
+  const state: ScanState = {
+    results: new Map(),
+    filesScanned: 0,
+    earlyExit: false,
+  };
+
+  // Create a rate-limited processor that handles early exit
+  const processWithLimit = (file: string) =>
+    limit(async () => {
+      if (state.earlyExit) {
+        return;
+      }
+
+      const shouldExit = await processFileAndCollect(
+        cwd,
+        file,
+        stopOnFirst,
+        state
+      );
+
+      if (shouldExit) {
+        state.earlyExit = true;
+        limit.clearQueue();
+      }
+    });
+
+  await Promise.all(files.map(processWithLimit));
+
+  return { results: state.results, filesScanned: state.filesScanned };
+}
+
+/**
+ * Main scan implementation with Sentry performance tracing and metrics.
+ */
+function scanDirectory(
+  cwd: string,
+  stopOnFirst: boolean
+): Promise<DetectedDsn[]> {
+  return Sentry.startSpan(
+    {
+      name: "scanCodeForDsns",
+      op: "dsn.detect.code",
+      attributes: {
+        "dsn.scan_dir": cwd,
+        "dsn.stop_on_first": stopOnFirst,
+        "dsn.max_depth": MAX_SCAN_DEPTH,
+      },
+      onlyIfParent: true,
+    },
+    async (span) => {
+      // Create ignore filter with built-in patterns and .gitignore
+      const ig = await createIgnoreFilter(cwd);
+
+      // Collect all files to scan
+      let files: string[];
+      try {
+        files = await collectFiles(cwd, ig);
+      } catch {
+        span.setStatus({ code: 2, message: "Directory scan failed" });
+        return [];
+      }
+
+      span.setAttribute("dsn.files_collected", files.length);
+      Sentry.metrics.distribution("dsn.files_collected", files.length, {
+        attributes: { stop_on_first: stopOnFirst },
+      });
+
+      if (files.length === 0) {
+        span.setStatus({ code: 1 });
+        return [];
+      }
+
+      // Scan files
+      const { results, filesScanned } = await scanFilesForDsns(
+        cwd,
+        files,
+        stopOnFirst
+      );
+
+      span.setAttributes({
+        "dsn.files_scanned": filesScanned,
+        "dsn.dsns_found": results.size,
+      });
+
+      Sentry.metrics.distribution("dsn.files_scanned", filesScanned, {
+        attributes: { stop_on_first: stopOnFirst },
+      });
+      Sentry.metrics.distribution("dsn.dsns_found", results.size, {
+        attributes: { stop_on_first: stopOnFirst },
+      });
+
+      span.setStatus({ code: 1 });
+
+      return [...results.values()];
+    }
+  );
+}
diff --git a/src/lib/dsn/detector.ts b/src/lib/dsn/detector.ts
index 9eab7a01..fa5ed4f0 100644
--- a/src/lib/dsn/detector.ts
+++ b/src/lib/dsn/detector.ts
@@ -1,31 +1,32 @@
 /**
  * DSN Detector
  *
- * Detects Sentry DSN with GitHub CLI-style caching.
+ * Detects Sentry DSN with GitHub CLI-style caching and project root detection.
  *
- * Fast path (cache hit): ~5ms - verify single file
- * Slow path (cache miss): ~2-5s - full scan
+ * Detection algorithm:
+ * 1. Find project root by walking up from cwd (checks .env for DSN at each level)
+ * 2. If DSN found during walk-up, return immediately (fast path)
+ * 3. Check cache for project root
+ * 4. Full scan from project root with depth limiting
  *
- * Detection priority (explicit code DSN wins):
- * 1. Source code (explicit DSN in Sentry.init, etc.)
- * 2. .env files (.env.local, .env, etc.)
- * 3. SENTRY_DSN environment variable
+ * Priority: .env with SENTRY_DSN > code > .env files > SENTRY_DSN env var
  */
 
 import { join } from "node:path";
 import { getCachedDsn, setCachedDsn } from "../db/dsn-cache.js";
+import {
+  extractFirstDsnFromContent,
+  scanCodeForDsns,
+  scanCodeForFirstDsn,
+} from "./code-scanner.js";
 import { detectFromEnv, SENTRY_DSN_ENV } from "./env.js";
 import {
   detectFromAllEnvFiles,
   detectFromEnvFiles,
   extractDsnFromEnvContent,
 } from "./env-file.js";
-import {
-  detectAllFromCode,
-  detectFromCode,
-  getDetectorForFile,
-} from "./languages/index.js";
 import { createDetectedDsn, parseDsn } from "./parser.js";
+import { findProjectRoot } from "./project-root.js";
 import type {
   CachedDsnEntry,
   DetectedDsn,
@@ -33,33 +34,38 @@ import type {
   DsnSource,
 } from "./types.js";
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Main API
-// ─────────────────────────────────────────────────────────────────────────────
-
 /**
- * Detect DSN with caching support
+ * Detect DSN with project root detection and caching support.
  *
- * Fast path (cache hit): ~5ms
- * Slow path (cache miss): ~2-5s
+ * Algorithm:
+ * 1. Find project root by walking up from cwd (checks .env for SENTRY_DSN to stop walk)
+ * 2. Check cache for project root (fast path)
+ * 3. Full scan from project root with depth limiting (slow path)
  *
  * Priority: code > .env files > SENTRY_DSN env var
  *
- * @param cwd - Directory to search in
+ * Note: Finding a DSN in .env during walk-up stops the walk (determines project root)
+ * but does NOT short-circuit detection - we still scan for code DSNs which have
+ * higher priority.
+ *
+ * @param cwd - Directory to start searching from
  * @returns Detected DSN with source info, or null if not found
  */
 export async function detectDsn(cwd: string): Promise<DetectedDsn | null> {
-  // 1. Check cache for this directory (fast path)
-  const cached = await getCachedDsn(cwd);
+  // 1. Find project root (may find DSN in .env along the way, but we don't
+  //    return it immediately - code DSNs take priority)
+  const { projectRoot } = await findProjectRoot(cwd);
+
+  // 2. Check cache for project root (fast path)
+  const cached = await getCachedDsn(projectRoot);
 
   if (cached) {
-    // 2. Verify cached source file still has same DSN
-    const verified = await verifyCachedDsn(cwd, cached);
+    const verified = await verifyCachedDsn(projectRoot, cached);
     if (verified) {
       // Check if DSN changed
       if (verified.raw !== cached.dsn) {
         // DSN changed - update cache
-        await setCachedDsn(cwd, {
+        await setCachedDsn(projectRoot, {
           dsn: verified.raw,
           projectId: verified.projectId,
           orgId: verified.orgId,
@@ -78,12 +84,12 @@ export async function detectDsn(cwd: string): Promise<DetectedDsn | null> {
     // Cache invalid, fall through to full scan
   }
 
-  // 3. Full scan (cache miss): code → .env → env var
-  const detected = await fullScanFirst(cwd);
+  // 3. Full scan from project root (slow path)
+  const detected = await fullScanFirst(projectRoot);
 
   if (detected) {
-    // 4. Cache for next time (without resolved info yet)
-    await setCachedDsn(cwd, {
+    // Cache for next time (without resolved info yet)
+    await setCachedDsn(projectRoot, {
       dsn: detected.raw,
       projectId: detected.projectId,
       orgId: detected.orgId,
@@ -99,6 +105,7 @@ export async function detectDsn(cwd: string): Promise<DetectedDsn | null> {
  * Detect all DSNs in a directory (supports monorepos)
  *
  * Unlike detectDsn, this finds ALL DSNs from all sources.
+ * First finds project root, then scans from there with depth limiting.
  * Useful for monorepos with multiple Sentry projects.
  *
  * Collection order matches priority: code > .env files > env var
@@ -107,6 +114,9 @@ export async function detectDsn(cwd: string): Promise<DetectedDsn | null> {
  * @returns Detection result with all found DSNs and hasMultiple flag
  */
 export async function detectAllDsns(cwd: string): Promise<DsnDetectionResult> {
+  // Find project root first (may find DSN in .env during walk-up)
+  const { projectRoot, foundDsn } = await findProjectRoot(cwd);
+
   const allDsns: DetectedDsn[] = [];
   const seenRawDsns = new Set<string>();
 
@@ -118,19 +128,26 @@ export async function detectAllDsns(cwd: string): Promise<DsnDetectionResult> {
     }
   };
 
-  // 1. Check all code files (highest priority)
-  const codeDsns = await detectAllFromCode(cwd);
+  // 1. Check all code files from project root (highest priority)
+  const codeDsns = await scanCodeForDsns(projectRoot);
   for (const dsn of codeDsns) {
     addDsn(dsn);
   }
 
-  // 2. Check all .env files (includes monorepo packages/apps)
-  const envFileDsns = await detectFromAllEnvFiles(cwd);
+  // 2. Check all .env files from project root (includes monorepo packages/apps)
+  // Note: foundDsn from walk-up is already included in env file scan results
+  const envFileDsns = await detectFromAllEnvFiles(projectRoot);
   for (const dsn of envFileDsns) {
     addDsn(dsn);
   }
 
-  // 3. Check env var (lowest priority)
+  // 3. Add DSN found during walk-up if not already added (deduplication handles this)
+  // This ensures it's included even if env file scan missed it somehow
+  if (foundDsn) {
+    addDsn(foundDsn);
+  }
+
+  // 4. Check env var (lowest priority)
   const envDsn = detectFromEnv();
   if (envDsn) {
     addDsn(envDsn);
@@ -146,29 +163,45 @@ export async function detectAllDsns(cwd: string): Promise<DsnDetectionResult> {
   };
 }
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Cache Verification
-// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Check if a higher-priority code DSN exists.
+ * Used to invalidate low-priority cached DSNs when code is added.
+ */
+function checkForHigherPriorityCodeDsn(
+  cwd: string
+): Promise<DetectedDsn | null> {
+  return scanCodeForFirstDsn(cwd);
+}
 
 /**
- * Verify cached DSN is still valid by reading ONLY the cached source file
- *
- * This is the key to fast cache hits - we only read ONE file.
- *
- * @param cwd - Directory
- * @param cached - Cached DSN entry
- * @returns Verified DSN or null if cache is invalid
+ * Verify cached env var DSN is still valid.
+ * Also checks for higher-priority code DSNs.
  */
-async function verifyCachedDsn(
+async function verifyEnvVarCache(
   cwd: string,
   cached: CachedDsnEntry
 ): Promise<DetectedDsn | null> {
-  // For env source, we already checked above in detectDsn
-  if (cached.source === "env") {
-    return null;
+  // First check if a code DSN exists (higher priority than env var)
+  const codeDsn = await checkForHigherPriorityCodeDsn(cwd);
+  if (codeDsn) {
+    return codeDsn;
+  }
+
+  // No code DSN, verify the env var is still set
+  const envDsn = detectFromEnv();
+  if (envDsn?.raw === cached.dsn) {
+    return envDsn; // Same DSN - cache valid
   }
+  return envDsn; // DSN changed or removed - return new value (may be null)
+}
 
-  // Need a source path to verify
+/**
+ * Verify cached file-based DSN is still valid.
+ */
+async function verifyFileDsnCache(
+  cwd: string,
+  cached: CachedDsnEntry
+): Promise<DetectedDsn | null> {
   if (!cached.sourcePath) {
     return null;
   }
@@ -177,60 +210,75 @@ async function verifyCachedDsn(
 
   try {
     const content = await Bun.file(filePath).text();
-    const foundDsn = extractDsnFromContent(
-      content,
-      cached.source,
-      cached.sourcePath
-    );
+    const foundDsn = extractDsnFromContent(content, cached.source);
 
     if (foundDsn === cached.dsn) {
-      // Same DSN - cache is valid!
       return createDetectedDsn(cached.dsn, cached.source, cached.sourcePath);
     }
 
     if (foundDsn && parseDsn(foundDsn)) {
-      // DSN changed - return new one (cache will be updated by caller)
       return createDetectedDsn(foundDsn, cached.source, cached.sourcePath);
     }
   } catch {
-    // File doesn't exist or can't read - cache is invalid
+    // File doesn't exist or can't read
   }
 
   return null;
 }
 
 /**
- * Extract DSN from content based on source type and file path.
+ * Verify cached DSN is still valid.
+ *
+ * For low-priority sources (env, env_file), also checks if higher-priority
+ * code DSNs have been added since caching to maintain correct priority order.
+ *
+ * @param cwd - Directory
+ * @param cached - Cached DSN entry
+ * @returns Verified DSN or null if cache is invalid
+ */
+async function verifyCachedDsn(
+  cwd: string,
+  cached: CachedDsnEntry
+): Promise<DetectedDsn | null> {
+  // Env var source (lowest priority) - check for higher-priority sources
+  if (cached.source === "env") {
+    return verifyEnvVarCache(cwd, cached);
+  }
+
+  // Env file source - check for higher-priority code DSNs first
+  if (cached.source === "env_file") {
+    const codeDsn = await checkForHigherPriorityCodeDsn(cwd);
+    if (codeDsn) {
+      return codeDsn;
+    }
+  }
+
+  // Verify file-based sources (code, env_file, config)
+  return verifyFileDsnCache(cwd, cached);
+}
+
+/**
+ * Extract DSN from content based on source type.
  *
  * @param content - File content
  * @param source - Source type (env_file, code, etc.)
- * @param sourcePath - Path to the file (used to determine language for code files)
  */
 function extractDsnFromContent(
   content: string,
-  source: DsnSource,
-  sourcePath?: string
+  source: DsnSource
 ): string | null {
   switch (source) {
     case "env_file":
       return extractDsnFromEnvContent(content);
     case "code": {
-      if (!sourcePath) {
-        return null;
-      }
-      // Find the right language detector based on file extension
-      const detector = getDetectorForFile(sourcePath);
-      return detector?.extractDsn(content) ?? null;
+      // Use language-agnostic DSN extraction
+      return extractFirstDsnFromContent(content);
     }
     default:
       return null;
   }
 }
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Full Scan
-// ─────────────────────────────────────────────────────────────────────────────
-
 /**
  * Full scan to find first DSN (cache miss path)
  *
@@ -241,7 +289,7 @@ function extractDsnFromContent(
  */
 async function fullScanFirst(cwd: string): Promise<DetectedDsn | null> {
   // 1. Search source code first (explicit DSN = highest priority)
-  const codeDsn = await detectFromCode(cwd);
+  const codeDsn = await scanCodeForFirstDsn(cwd);
   if (codeDsn) {
     return codeDsn;
   }
@@ -261,10 +309,6 @@ async function fullScanFirst(cwd: string): Promise<DetectedDsn | null> {
   return null;
 }
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Helpers
-// ─────────────────────────────────────────────────────────────────────────────
-
 /**
  * Get a human-readable description of where DSN was found
  *
diff --git a/src/lib/dsn/env-file.ts b/src/lib/dsn/env-file.ts
index 009c4da1..4992e747 100644
--- a/src/lib/dsn/env-file.ts
+++ b/src/lib/dsn/env-file.ts
@@ -15,10 +15,6 @@ import { scanSpecificFiles } from "./scanner.js";
 import type { DetectedDsn } from "./types.js";
 import { MONOREPO_ROOTS } from "./types.js";
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Constants
-// ─────────────────────────────────────────────────────────────────────────────
-
 /**
  * .env file names to search (in priority order).
  *
@@ -41,10 +37,6 @@ export const ENV_FILES = [
  */
 const ENV_DSN_PATTERN = /^SENTRY_DSN\s*=\s*(['"]?)(.+?)\1\s*(?:#.*)?$/;
 
-// ─────────────────────────────────────────────────────────────────────────────
-// DSN Extraction
-// ─────────────────────────────────────────────────────────────────────────────
-
 /**
  * Extract SENTRY_DSN value from .env file content.
  *
@@ -85,10 +77,6 @@ export function extractDsnFromEnvContent(content: string): string | null {
 export const parseEnvFile = extractDsnFromEnvContent;
 export const extractDsnFromEnvFile = extractDsnFromEnvContent;
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Detection Functions
-// ─────────────────────────────────────────────────────────────────────────────
-
 /**
  * Detect DSN from .env files in the given directory.
  *
@@ -148,10 +136,6 @@ export async function detectFromAllEnvFiles(
   return results;
 }
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Monorepo Support
-// ─────────────────────────────────────────────────────────────────────────────
-
 /**
  * Detect DSN from .env files in monorepo package directories.
  *
diff --git a/src/lib/dsn/index.ts b/src/lib/dsn/index.ts
index 1c8e81ae..ace7ee28 100644
--- a/src/lib/dsn/index.ts
+++ b/src/lib/dsn/index.ts
@@ -17,48 +17,42 @@
  * }
  */
 
-// ─────────────────────────────────────────────────────────────────────────────
+// Cache Management
+export {
+  clearDsnCache,
+  getCachedDsn,
+  setCachedDsn,
+  updateCachedResolution,
+} from "../db/dsn-cache.js";
 // Main Detection API
-// ─────────────────────────────────────────────────────────────────────────────
-
 export {
   detectAllDsns,
   detectDsn,
   getDsnSourceDescription,
 } from "./detector.js";
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Project Resolution
-// ─────────────────────────────────────────────────────────────────────────────
-
-export { getAccessibleProjects, resolveProject } from "./resolver.js";
-
-// ─────────────────────────────────────────────────────────────────────────────
 // Error Formatting
-// ─────────────────────────────────────────────────────────────────────────────
-
 export {
   formatConflictError,
   formatMultipleProjectsFooter,
   formatNoDsnError,
   formatResolutionError,
 } from "./errors.js";
-
-// ─────────────────────────────────────────────────────────────────────────────
-// Cache Management
-// ─────────────────────────────────────────────────────────────────────────────
-
+// Utilities (for advanced use)
 export {
-  clearDsnCache,
-  getCachedDsn,
-  setCachedDsn,
-  updateCachedResolution,
-} from "../db/dsn-cache.js";
-
-// ─────────────────────────────────────────────────────────────────────────────
+  createDetectedDsn,
+  createDsnFingerprint,
+  extractOrgIdFromHost,
+  inferPackagePath,
+  isValidDsn,
+  parseDsn,
+} from "./parser.js";
+// Project Root Detection
+export type { ProjectRootReason, ProjectRootResult } from "./project-root.js";
+export { findProjectRoot } from "./project-root.js";
+// Project Resolution
+export { getAccessibleProjects, resolveProject } from "./resolver.js";
 // Types
-// ─────────────────────────────────────────────────────────────────────────────
-
 export type {
   CachedDsnEntry,
   DetectedDsn,
@@ -68,16 +62,3 @@ export type {
   ResolvedProject,
   ResolvedProjectInfo,
 } from "./types.js";
-
-// ─────────────────────────────────────────────────────────────────────────────
-// Utilities (for advanced use)
-// ─────────────────────────────────────────────────────────────────────────────
-
-export {
-  createDetectedDsn,
-  createDsnFingerprint,
-  extractOrgIdFromHost,
-  inferPackagePath,
-  isValidDsn,
-  parseDsn,
-} from "./parser.js";
diff --git a/src/lib/dsn/languages/go.ts b/src/lib/dsn/languages/go.ts
deleted file mode 100644
index bc3f588a..00000000
--- a/src/lib/dsn/languages/go.ts
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Go DSN Detection
- *
- * Detects DSN from Go source code patterns.
- * Looks for sentry.Init(sentry.ClientOptions{Dsn: "..."}) and similar patterns.
- */
-
-import type { LanguageDetector } from "./types.js";
-
-/**
- * Regex pattern for DSN in Go struct initialization.
- * Matches: Dsn: "https://...@..." in sentry.ClientOptions{}
- */
-const DSN_PATTERN_STRUCT = /Dsn:\s*["'](https?:\/\/[^"']+@[^"']+)["']/s;
-
-/**
- * Generic pattern for dsn assignment
- * Matches: dsn := "..." or dsn = "..."
- */
-const DSN_PATTERN_ASSIGN = /dsn\s*:?=\s*["`](https?:\/\/[^"`]+@[^"`]+)["`]/is;
-
-/**
- * Extract DSN string from Go code content.
- *
- * @param content - Source code content
- * @returns DSN string or null if not found
- */
-export function extractDsnFromGo(content: string): string | null {
-  // Try struct field pattern first (most common)
-  const structMatch = content.match(DSN_PATTERN_STRUCT);
-  if (structMatch?.[1]) {
-    return structMatch[1];
-  }
-
-  // Try assignment pattern
-  const assignMatch = content.match(DSN_PATTERN_ASSIGN);
-  if (assignMatch?.[1]) {
-    return assignMatch[1];
-  }
-
-  return null;
-}
-
-/**
- * Go language detector.
- */
-export const goDetector: LanguageDetector = {
-  name: "Go",
-  extensions: [".go"],
-  skipDirs: ["vendor", ".git", "testdata"],
-  extractDsn: extractDsnFromGo,
-};
diff --git a/src/lib/dsn/languages/index.ts b/src/lib/dsn/languages/index.ts
deleted file mode 100644
index 0230db80..00000000
--- a/src/lib/dsn/languages/index.ts
+++ /dev/null
@@ -1,205 +0,0 @@
-/**
- * Language Detection Registry
- *
- * Unified scanner for detecting DSN from source code across all supported languages.
- * Uses a registry of language detectors to scan files by extension.
- *
- * ## Adding a New Language
- *
- * 1. Create `{lang}.ts` implementing `LanguageDetector`
- * 2. Import and add to `languageDetectors` array below
- * 3. Add tests in `test/lib/dsn/languages/{lang}.test.ts`
- *
- * @example
- * ```typescript
- * // languages/rust.ts
- * export const rustDetector: LanguageDetector = {
- *   name: "Rust",
- *   extensions: [".rs"],
- *   skipDirs: ["target"],
- *   extractDsn: (content) => { ... }
- * };
- * ```
- */
-
-import { extname, join } from "node:path";
-import { createDetectedDsn, inferPackagePath } from "../parser.js";
-import type { DetectedDsn } from "../types.js";
-import { goDetector } from "./go.js";
-import { javaDetector } from "./java.js";
-import { javascriptDetector } from "./javascript.js";
-import { phpDetector } from "./php.js";
-import { pythonDetector } from "./python.js";
-import { rubyDetector } from "./ruby.js";
-import type { LanguageDetector } from "./types.js";
-
-// ─────────────────────────────────────────────────────────────────────────────
-// Registry
-// ─────────────────────────────────────────────────────────────────────────────
-
-/**
- * All supported language detectors.
- *
- * Order matters for performance - most common languages first.
- * Add new detectors here after creating the detector file.
- */
-export const languageDetectors: LanguageDetector[] = [
-  javascriptDetector,
-  pythonDetector,
-  phpDetector,
-  rubyDetector,
-  goDetector,
-  javaDetector,
-];
-
-// ─────────────────────────────────────────────────────────────────────────────
-// Derived Configuration
-// ─────────────────────────────────────────────────────────────────────────────
-
-/** Map of file extension to detector for fast lookup */
-const extensionToDetector = new Map<string, LanguageDetector>();
-for (const detector of languageDetectors) {
-  for (const ext of detector.extensions) {
-    extensionToDetector.set(ext, detector);
-  }
-}
-
-/** Combined set of all skip directories from all detectors */
-const allSkipDirs = new Set<string>();
-for (const detector of languageDetectors) {
-  for (const dir of detector.skipDirs) {
-    allSkipDirs.add(dir);
-  }
-}
-
-/** All file extensions to scan */
-const allExtensions = languageDetectors.flatMap((d) => d.extensions);
-
-/** Glob pattern matching all supported file extensions */
-const globPattern = `**/*{${allExtensions.join(",")}}`;
-const codeGlob = new Bun.Glob(globPattern);
-
-// ─────────────────────────────────────────────────────────────────────────────
-// Public API
-// ─────────────────────────────────────────────────────────────────────────────
-
-/**
- * Get the appropriate detector for a file based on its extension.
- *
- * Used by cache verification to extract DSN from a specific file.
- *
- * @param filepath - File path to get detector for
- * @returns The matching detector, or undefined if no detector handles this extension
- */
-export function getDetectorForFile(
-  filepath: string
-): LanguageDetector | undefined {
-  const ext = extname(filepath);
-  return extensionToDetector.get(ext);
-}
-
-/**
- * Detect DSN from source code files in a directory.
- *
- * Scans all supported languages and returns the first DSN found.
- * This is the fast path for single-project detection.
- *
- * @param cwd - Directory to search in
- * @returns First detected DSN or null if not found
- */
-export async function detectFromCode(cwd: string): Promise<DetectedDsn | null> {
-  const results = await scanCodeFiles(cwd, true);
-  return results[0] ?? null;
-}
-
-/**
- * Detect DSN from ALL source code files.
- *
- * Unlike detectFromCode, this doesn't stop at the first match.
- * Useful for monorepos with multiple Sentry projects.
- *
- * @param cwd - Directory to search in
- * @returns Array of all detected DSNs with packagePath inferred
- */
-export function detectAllFromCode(cwd: string): Promise<DetectedDsn[]> {
-  return scanCodeFiles(cwd, false);
-}
-
-// ─────────────────────────────────────────────────────────────────────────────
-// Internal
-// ─────────────────────────────────────────────────────────────────────────────
-
-/**
- * Check if a path should be skipped during scanning.
- *
- * @param filepath - Relative file path to check
- * @returns True if any path segment matches a skip directory
- */
-function shouldSkipPath(filepath: string): boolean {
-  const parts = filepath.split("/");
-  return parts.some((part) => allSkipDirs.has(part));
-}
-
-/**
- * Process a single code file and extract DSN if present.
- *
- * @param cwd - Base directory
- * @param relativePath - Relative path to the file
- * @returns Detected DSN or null
- */
-async function processCodeFile(
-  cwd: string,
-  relativePath: string
-): Promise<DetectedDsn | null> {
-  const detector = getDetectorForFile(relativePath);
-  if (!detector) {
-    return null;
-  }
-
-  const filepath = join(cwd, relativePath);
-
-  try {
-    const content = await Bun.file(filepath).text();
-    const dsn = detector.extractDsn(content);
-
-    if (!dsn) {
-      return null;
-    }
-
-    const packagePath = inferPackagePath(relativePath);
-    return createDetectedDsn(dsn, "code", relativePath, packagePath);
-  } catch {
-    // Skip files we can't read
-    return null;
-  }
-}
-
-/**
- * Scan code files for DSNs.
- *
- * @param cwd - Directory to search in
- * @param stopOnFirst - Whether to stop after first match
- * @returns Array of detected DSNs
- */
-async function scanCodeFiles(
-  cwd: string,
-  stopOnFirst: boolean
-): Promise<DetectedDsn[]> {
-  const results: DetectedDsn[] = [];
-
-  for await (const relativePath of codeGlob.scan({ cwd, onlyFiles: true })) {
-    if (shouldSkipPath(relativePath)) {
-      continue;
-    }
-
-    const detected = await processCodeFile(cwd, relativePath);
-    if (detected) {
-      results.push(detected);
-      if (stopOnFirst) {
-        return results;
-      }
-    }
-  }
-
-  return results;
-}
diff --git a/src/lib/dsn/languages/java.ts b/src/lib/dsn/languages/java.ts
deleted file mode 100644
index ef36386b..00000000
--- a/src/lib/dsn/languages/java.ts
+++ /dev/null
@@ -1,77 +0,0 @@
-/**
- * Java/Kotlin DSN Detection
- *
- * Detects DSN from Java and Kotlin source code patterns.
- * Also checks sentry.properties files.
- * Looks for options.setDsn("...") and dsn=... patterns.
- */
-
-import type { LanguageDetector } from "./types.js";
-
-/**
- * Regex for Java/Kotlin code: options.setDsn("...")
- */
-const DSN_PATTERN_SET_DSN = /\.setDsn\s*\(\s*["']([^"']+)["']\s*\)/s;
-
-/**
- * Regex for sentry.properties file: dsn=...
- */
-const DSN_PATTERN_PROPERTIES = /^dsn\s*=\s*(.+)$/m;
-
-/**
- * Generic pattern for DSN in annotations or config
- * Matches: dsn = "..." or "dsn", "..."
- */
-const DSN_PATTERN_GENERIC =
-  /["']?dsn["']?\s*[=,]\s*["'](https?:\/\/[^"']+@[^"']+)["']/s;
-
-/**
- * Extract DSN string from Java/Kotlin code or properties content.
- *
- * @param content - Source code or properties content
- * @returns DSN string or null if not found
- */
-export function extractDsnFromJava(content: string): string | null {
-  // Try setDsn() pattern first (most common in Java)
-  const setDsnMatch = content.match(DSN_PATTERN_SET_DSN);
-  if (setDsnMatch?.[1]) {
-    return setDsnMatch[1];
-  }
-
-  // Try properties file pattern (dsn=...)
-  const propsMatch = content.match(DSN_PATTERN_PROPERTIES);
-  if (propsMatch?.[1]) {
-    const dsn = propsMatch[1].trim();
-    // Validate it looks like a DSN
-    if (dsn.startsWith("https://") && dsn.includes("@")) {
-      return dsn;
-    }
-  }
-
-  // Try generic pattern
-  const genericMatch = content.match(DSN_PATTERN_GENERIC);
-  if (genericMatch?.[1]) {
-    return genericMatch[1];
-  }
-
-  return null;
-}
-
-/**
- * Java/Kotlin language detector.
- */
-export const javaDetector: LanguageDetector = {
-  name: "Java",
-  extensions: [".java", ".kt", ".properties"],
-  skipDirs: [
-    "target",
-    "build",
-    ".gradle",
-    ".idea",
-    ".git",
-    "out",
-    "bin",
-    ".mvn",
-  ],
-  extractDsn: extractDsnFromJava,
-};
diff --git a/src/lib/dsn/languages/javascript.ts b/src/lib/dsn/languages/javascript.ts
deleted file mode 100644
index 43a90726..00000000
--- a/src/lib/dsn/languages/javascript.ts
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * JavaScript/TypeScript DSN Detection
- *
- * Detects DSN from JavaScript and TypeScript source code patterns.
- * Looks for Sentry.init({ dsn: "..." }) and similar patterns.
- */
-
-import type { LanguageDetector } from "./types.js";
-
-/**
- * Regex patterns for extracting DSN from code.
- * DSN_PATTERN_INIT: Matches Sentry.init({ dsn: "..." })
- * DSN_PATTERN_GENERIC: Matches any dsn: "https://..." pattern
- */
-const DSN_PATTERN_INIT =
-  /Sentry\.init\s*\(\s*\{[^}]*dsn\s*:\s*["'`]([^"'`]+)["'`]/s;
-const DSN_PATTERN_GENERIC = /dsn\s*:\s*["'`](https?:\/\/[^"'`]+@[^"'`]+)["'`]/s;
-
-/**
- * Extract DSN string from JavaScript/TypeScript code content.
- *
- * @param content - Source code content
- * @returns DSN string or null if not found
- */
-export function extractDsnFromCode(content: string): string | null {
-  // Try Sentry.init pattern first (more specific)
-  const initMatch = content.match(DSN_PATTERN_INIT);
-  if (initMatch?.[1]) {
-    return initMatch[1];
-  }
-
-  // Try generic dsn: "..." pattern
-  const genericMatch = content.match(DSN_PATTERN_GENERIC);
-  if (genericMatch?.[1]) {
-    return genericMatch[1];
-  }
-
-  return null;
-}
-
-/**
- * JavaScript/TypeScript language detector.
- */
-export const javascriptDetector: LanguageDetector = {
-  name: "JavaScript",
-  extensions: [".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"],
-  skipDirs: [
-    "node_modules",
-    ".git",
-    "dist",
-    "build",
-    ".next",
-    ".nuxt",
-    ".output",
-    "coverage",
-    ".turbo",
-    ".cache",
-    ".vercel",
-    ".netlify",
-  ],
-  extractDsn: extractDsnFromCode,
-};
diff --git a/src/lib/dsn/languages/php.ts b/src/lib/dsn/languages/php.ts
deleted file mode 100644
index 23188851..00000000
--- a/src/lib/dsn/languages/php.ts
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * PHP DSN Detection
- *
- * Detects DSN from PHP source code patterns.
- * Looks for \Sentry\init(['dsn' => '...']) and similar patterns.
- */
-
-import type { LanguageDetector } from "./types.js";
-
-/**
- * Regex patterns for extracting DSN from PHP code.
- * Matches: \Sentry\init(['dsn' => '...']) or Sentry\init(["dsn" => "..."])
- */
-const DSN_PATTERN_INIT =
-  /\\?Sentry\\init\s*\(\s*\[[^\]]*['"]dsn['"]\s*=>\s*['"]([^'"]+)['"]/s;
-
-/**
- * Generic pattern for 'dsn' => '...' in PHP arrays
- */
-const DSN_PATTERN_GENERIC =
-  /['"]dsn['"]\s*=>\s*['"](https?:\/\/[^'"]+@[^'"]+)['"]/s;
-
-/**
- * Extract DSN string from PHP code content.
- *
- * @param content - Source code content
- * @returns DSN string or null if not found
- */
-export function extractDsnFromPhp(content: string): string | null {
-  // Try Sentry\init pattern first (more specific)
-  const initMatch = content.match(DSN_PATTERN_INIT);
-  if (initMatch?.[1]) {
-    return initMatch[1];
-  }
-
-  // Try generic 'dsn' => '...' pattern
-  const genericMatch = content.match(DSN_PATTERN_GENERIC);
-  if (genericMatch?.[1]) {
-    return genericMatch[1];
-  }
-
-  return null;
-}
-
-/**
- * PHP language detector.
- */
-export const phpDetector: LanguageDetector = {
-  name: "PHP",
-  extensions: [".php"],
-  skipDirs: ["vendor", ".git", "cache", "storage/framework"],
-  extractDsn: extractDsnFromPhp,
-};
diff --git a/src/lib/dsn/languages/python.ts b/src/lib/dsn/languages/python.ts
deleted file mode 100644
index e95debc4..00000000
--- a/src/lib/dsn/languages/python.ts
+++ /dev/null
@@ -1,69 +0,0 @@
-/**
- * Python DSN Detection
- *
- * Detects DSN from Python source code patterns.
- * Looks for sentry_sdk.init(dsn="...") and similar patterns.
- */
-
-import type { LanguageDetector } from "./types.js";
-
-/**
- * Regex patterns for extracting DSN from Python code.
- * Matches: sentry_sdk.init(dsn="...") or sentry_sdk.init(dsn='...')
- * Also matches keyword argument style: sentry_sdk.init(\n    dsn="...",\n)
- */
-const DSN_PATTERN_INIT =
-  /sentry_sdk\.init\s*\([^)]*dsn\s*=\s*["']([^"']+)["']/s;
-
-/**
- * Generic pattern for dsn= in Python (catches dict-style configs)
- * Matches: "dsn": "..." or 'dsn': '...' or dsn="..." or dsn='...'
- */
-const DSN_PATTERN_GENERIC =
-  /["']?dsn["']?\s*[:=]\s*["'](https?:\/\/[^"']+@[^"']+)["']/s;
-
-/**
- * Extract DSN string from Python code content.
- *
- * @param content - Source code content
- * @returns DSN string or null if not found
- */
-export function extractDsnFromPython(content: string): string | null {
-  // Try sentry_sdk.init pattern first (more specific)
-  const initMatch = content.match(DSN_PATTERN_INIT);
-  if (initMatch?.[1]) {
-    return initMatch[1];
-  }
-
-  // Try generic dsn pattern
-  const genericMatch = content.match(DSN_PATTERN_GENERIC);
-  if (genericMatch?.[1]) {
-    return genericMatch[1];
-  }
-
-  return null;
-}
-
-/**
- * Python language detector.
- */
-export const pythonDetector: LanguageDetector = {
-  name: "Python",
-  extensions: [".py"],
-  skipDirs: [
-    "venv",
-    ".venv",
-    "env",
-    ".env",
-    "__pycache__",
-    ".tox",
-    ".nox",
-    "site-packages",
-    ".pytest_cache",
-    ".mypy_cache",
-    ".ruff_cache",
-    "dist",
-    "build",
-  ],
-  extractDsn: extractDsnFromPython,
-};
diff --git a/src/lib/dsn/languages/ruby.ts b/src/lib/dsn/languages/ruby.ts
deleted file mode 100644
index 13f2d859..00000000
--- a/src/lib/dsn/languages/ruby.ts
+++ /dev/null
@@ -1,61 +0,0 @@
-/**
- * Ruby DSN Detection
- *
- * Detects DSN from Ruby source code patterns.
- * Looks for Sentry.init { |config| config.dsn = '...' } and similar patterns.
- */
-
-import type { LanguageDetector } from "./types.js";
-
-/**
- * Regex patterns for extracting DSN from Ruby code.
- * Matches: config.dsn = '...' or config.dsn = "..."
- */
-const DSN_PATTERN_CONFIG = /config\.dsn\s*=\s*['"]([^'"]+)['"]/s;
-
-/**
- * Generic pattern for dsn in Ruby hashes
- * Matches: dsn: '...' or :dsn => '...'
- */
-const DSN_PATTERN_HASH =
-  /(?:dsn:|:dsn\s*=>)\s*['"](https?:\/\/[^'"]+@[^'"]+)['"]/s;
-
-/**
- * Extract DSN string from Ruby code content.
- *
- * @param content - Source code content
- * @returns DSN string or null if not found
- */
-export function extractDsnFromRuby(content: string): string | null {
-  // Try config.dsn pattern first (most common in Sentry.init block)
-  const configMatch = content.match(DSN_PATTERN_CONFIG);
-  if (configMatch?.[1]) {
-    return configMatch[1];
-  }
-
-  // Try hash-style pattern
-  const hashMatch = content.match(DSN_PATTERN_HASH);
-  if (hashMatch?.[1]) {
-    return hashMatch[1];
-  }
-
-  return null;
-}
-
-/**
- * Ruby language detector.
- */
-export const rubyDetector: LanguageDetector = {
-  name: "Ruby",
-  extensions: [".rb"],
-  skipDirs: [
-    "vendor/bundle",
-    ".bundle",
-    "tmp",
-    "log",
-    ".git",
-    "coverage",
-    "pkg",
-  ],
-  extractDsn: extractDsnFromRuby,
-};
diff --git a/src/lib/dsn/languages/types.ts b/src/lib/dsn/languages/types.ts
deleted file mode 100644
index 6bbd22de..00000000
--- a/src/lib/dsn/languages/types.ts
+++ /dev/null
@@ -1,29 +0,0 @@
-/**
- * Language Detector Interface
- *
- * Common interface for all language-specific DSN detectors.
- * Each language implements this interface to detect DSNs from its source files.
- */
-
-/**
- * Language-specific DSN detector.
- * Each supported language provides a detector implementing this type.
- */
-export type LanguageDetector = {
-  /** Display name for the language (e.g., "Python", "JavaScript") */
-  name: string;
-
-  /** File extensions to scan (e.g., [".py"], [".ts", ".tsx"]) */
-  extensions: string[];
-
-  /** Directories to skip when scanning (e.g., ["node_modules", "venv"]) */
-  skipDirs: string[];
-
-  /**
-   * Extract DSN string from file content.
-   *
-   * @param content - File content to search
-   * @returns DSN string if found, null otherwise
-   */
-  extractDsn: (content: string) => string | null;
-};
diff --git a/src/lib/dsn/project-root.ts b/src/lib/dsn/project-root.ts
new file mode 100644
index 00000000..4172debc
--- /dev/null
+++ b/src/lib/dsn/project-root.ts
@@ -0,0 +1,610 @@
+/**
+ * Project Root Detection
+ *
+ * Walks up from starting directory to find project root, optionally
+ * detecting DSN along the way for early exit.
+ *
+ * Priority:
+ * 1. .env with SENTRY_DSN → immediate return
+ * 2. VCS/CI markers → definitive repo root (stop walking)
+ * 3. Language markers → closest to cwd wins
+ * 4. Build system markers → last resort
+ *
+ * Stops at: home directory or filesystem root
+ */
+
+import { stat } from "node:fs/promises";
+import { homedir } from "node:os";
+import { dirname, join, resolve } from "node:path";
+// biome-ignore lint/performance/noNamespaceImport: Sentry SDK recommends namespace import
+import * as Sentry from "@sentry/bun";
+import { ENV_FILES, extractDsnFromEnvContent } from "./env-file.js";
+import { createDetectedDsn } from "./parser.js";
+import type { DetectedDsn } from "./types.js";
+
+/** Why a directory was chosen as project root */
+export type ProjectRootReason =
+  | "env_dsn" // Found .env with SENTRY_DSN
+  | "vcs" // Version control (.git, .hg, etc.)
+  | "ci" // CI/CD markers (.github, etc.)
+  | "editorconfig" // .editorconfig with root=true
+  | "language" // Language/package marker
+  | "build_system" // Build system marker
+  | "fallback"; // No markers found, using cwd
+
+/** Result of project root detection */
+export type ProjectRootResult = {
+  /** The determined project root directory */
+  projectRoot: string;
+  /** DSN found in .env while walking up (early exit) */
+  foundDsn?: DetectedDsn;
+  /** Why this directory was chosen as root */
+  reason: ProjectRootReason;
+  /** Number of directories traversed to find root */
+  levelsTraversed: number;
+};
+
+/** VCS directories - definitive repo root */
+const VCS_MARKERS = [
+  ".git",
+  ".hg",
+  ".svn",
+  ".bzr",
+  "_darcs",
+  ".fossil",
+  ".pijul",
+] as const;
+
+/** CI/CD markers - definitive repo root */
+const CI_MARKERS = [
+  ".github",
+  ".gitlab-ci.yml",
+  ".circleci",
+  "Jenkinsfile",
+  ".travis.yml",
+  "azure-pipelines.yml",
+  ".buildkite",
+  "bitbucket-pipelines.yml",
+  ".drone.yml",
+  ".woodpecker.yml",
+  ".forgejo",
+  ".gitea",
+] as const;
+
+/** Language/package markers - strong project boundary */
+const LANGUAGE_MARKERS = [
+  // JavaScript/Node ecosystem
+  "package.json",
+  "deno.json",
+  "deno.jsonc",
+  // Python
+  "pyproject.toml",
+  "setup.py",
+  "setup.cfg",
+  "Pipfile",
+  // Go
+  "go.mod",
+  "go.work",
+  // Rust
+  "Cargo.toml",
+  // Ruby
+  "Gemfile",
+  // PHP
+  "composer.json",
+  // Java/JVM
+  "pom.xml",
+  "build.gradle",
+  "build.gradle.kts",
+  "settings.gradle",
+  "settings.gradle.kts",
+  "build.sbt",
+  // .NET
+  "global.json",
+  // Swift
+  "Package.swift",
+  // Elixir
+  "mix.exs",
+  // Dart/Flutter
+  "pubspec.yaml",
+  // Haskell
+  "stack.yaml",
+  "cabal.project",
+  // OCaml
+  "dune-project",
+  // Zig
+  "build.zig",
+  "build.zig.zon",
+  // Clojure
+  "project.clj",
+  "deps.edn",
+] as const;
+
+/** Glob patterns for language markers that need wildcard matching */
+const LANGUAGE_MARKER_GLOBS = [
+  "*.sln",
+  "*.csproj",
+  "*.fsproj",
+  "*.vbproj",
+  "*.cabal",
+  "*.opam",
+  "*.nimble",
+] as const;
+
+/** Build system markers - last resort */
+const BUILD_SYSTEM_MARKERS = [
+  "Makefile",
+  "GNUmakefile",
+  "makefile",
+  "CMakeLists.txt",
+  "BUILD",
+  "BUILD.bazel",
+  "WORKSPACE",
+  "WORKSPACE.bazel",
+  "MODULE.bazel",
+  "meson.build",
+  "Justfile",
+  "justfile",
+  "Taskfile.yml",
+  "Taskfile.yaml",
+  "SConstruct",
+  "xmake.lua",
+  "premake5.lua",
+  "premake4.lua",
+  "wscript",
+  "Earthfile",
+] as const;
+
+/**
+ * Regex for detecting root=true in .editorconfig.
+ * Leading whitespace is valid per EditorConfig spec (allows indentation).
+ */
+const EDITORCONFIG_ROOT_REGEX = /^\s*root\s*=\s*true\s*$/im;
+
+/**
+ * Wrap a file system operation with a span for tracing.
+ */
+function withFsSpan<T>(
+  operation: string,
+  fn: () => T | Promise<T>
+): Promise<T> {
+  return Sentry.startSpan(
+    {
+      name: operation,
+      op: "file",
+      onlyIfParent: true,
+    },
+    async (span) => {
+      try {
+        const result = await fn();
+        span.setStatus({ code: 1 }); // OK
+        return result;
+      } catch (error) {
+        span.setStatus({ code: 2 }); // Error
+        throw error;
+      }
+    }
+  );
+}
+
+/**
+ * Check if a path exists (file or directory) using stat.
+ */
+async function pathExists(filePath: string): Promise<boolean> {
+  try {
+    await stat(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if any of the given paths exist in a directory.
+ * Runs checks in parallel and resolves as soon as any returns true.
+ *
+ * @param dir - Directory to check
+ * @param names - Array of file/directory names to check
+ * @returns True if any path exists
+ */
+function anyExists(dir: string, names: readonly string[]): Promise<boolean> {
+  if (names.length === 0) {
+    return Promise.resolve(false);
+  }
+
+  return new Promise((done) => {
+    let pending = names.length;
+
+    const checkDone = () => {
+      pending -= 1;
+      if (pending === 0) {
+        done(false);
+      }
+    };
+
+    for (const name of names) {
+      pathExists(join(dir, name))
+        .then((exists) => {
+          if (exists) {
+            done(true);
+          } else {
+            checkDone();
+          }
+        })
+        .catch(checkDone);
+    }
+  });
+}
+
+/**
+ * Check if any files matching glob patterns exist in a directory.
+ * Runs pattern checks in parallel and resolves as soon as any finds a match.
+ *
+ * @param dir - Directory to check
+ * @param patterns - Glob patterns to match
+ * @returns True if any matching file exists
+ */
+function anyGlobMatches(
+  dir: string,
+  patterns: readonly string[]
+): Promise<boolean> {
+  if (patterns.length === 0) {
+    return Promise.resolve(false);
+  }
+
+  return new Promise((done) => {
+    let pending = patterns.length;
+
+    const checkDone = () => {
+      pending -= 1;
+      if (pending === 0) {
+        done(false);
+      }
+    };
+
+    for (const pattern of patterns) {
+      const glob = new Bun.Glob(pattern);
+      (async () => {
+        for await (const _match of glob.scan({ cwd: dir, onlyFiles: true })) {
+          done(true);
+          return;
+        }
+        checkDone();
+      })().catch(checkDone);
+    }
+  });
+}
+
+/**
+ * Check if .editorconfig exists and contains root=true.
+ * Reads file directly and handles ENOENT gracefully.
+ *
+ * @param dir - Directory to check
+ * @returns True if .editorconfig with root=true found
+ */
+async function checkEditorConfigRoot(dir: string): Promise<boolean> {
+  const editorConfigPath = join(dir, ".editorconfig");
+  try {
+    const content = await Bun.file(editorConfigPath).text();
+    return EDITORCONFIG_ROOT_REGEX.test(content);
+  } catch {
+    // File doesn't exist or can't be read
+    return false;
+  }
+}
+
+/**
+ * Determine the type of repo root marker found.
+ * Returns in priority order: VCS > CI > editorconfig.
+ *
+ * Note: This only handles "definitive" repo root markers (VCS, CI, editorconfig).
+ * Language and build markers are handled separately in walkUpDirectories() because
+ * they indicate project boundaries but don't definitively mark the repository root.
+ */
+function getRepoRootType(
+  hasVcs: boolean,
+  hasCi: boolean,
+  hasEditorConfigRoot: boolean
+): "vcs" | "ci" | "editorconfig" | undefined {
+  if (hasVcs) {
+    return "vcs";
+  }
+  if (hasCi) {
+    return "ci";
+  }
+  if (hasEditorConfigRoot) {
+    return "editorconfig";
+  }
+  return;
+}
+
+/**
+ * Check if directory has VCS or CI/CD markers (definitive repo root)
+ *
+ * @param dir - Directory to check
+ * @returns Object with found status and marker type
+ */
+export function hasRepoRootMarker(
+  dir: string
+): Promise<{ found: boolean; type?: "vcs" | "ci" | "editorconfig" }> {
+  return withFsSpan("hasRepoRootMarker", async () => {
+    // Check all marker types in parallel
+    const [hasVcs, hasCi, hasEditorConfigRoot] = await Promise.all([
+      anyExists(dir, VCS_MARKERS),
+      anyExists(dir, CI_MARKERS),
+      checkEditorConfigRoot(dir),
+    ]);
+
+    const type = getRepoRootType(hasVcs, hasCi, hasEditorConfigRoot);
+    return type ? { found: true, type } : { found: false };
+  });
+}
+
+/**
+ * Check if directory has language/package markers
+ *
+ * @param dir - Directory to check
+ * @returns True if any language marker found
+ */
+export function hasLanguageMarker(dir: string): Promise<boolean> {
+  return withFsSpan("hasLanguageMarker", async () => {
+    // Check exact filenames first (more common), then glob patterns
+    if (await anyExists(dir, LANGUAGE_MARKERS)) {
+      return true;
+    }
+    return anyGlobMatches(dir, LANGUAGE_MARKER_GLOBS);
+  });
+}
+
+/**
+ * Check if directory has build system markers
+ *
+ * @param dir - Directory to check
+ * @returns True if any build system marker found
+ */
+export function hasBuildSystemMarker(dir: string): Promise<boolean> {
+  return withFsSpan("hasBuildSystemMarker", async () =>
+    anyExists(dir, BUILD_SYSTEM_MARKERS)
+  );
+}
+
+/**
+ * Check .env files in a directory for SENTRY_DSN.
+ * Reads files directly and handles ENOENT gracefully.
+ *
+ * @param dir - Directory to check
+ * @returns Detected DSN or null
+ */
+function checkEnvForDsn(dir: string): Promise<DetectedDsn | null> {
+  return withFsSpan("checkEnvForDsn", async () => {
+    // Check env files in priority order, stop on first DSN found
+    for (const filename of ENV_FILES) {
+      const filePath = join(dir, filename);
+      try {
+        const content = await Bun.file(filePath).text();
+        const dsn = extractDsnFromEnvContent(content);
+        if (dsn) {
+          return createDetectedDsn(dsn, "env_file", filename);
+        }
+      } catch {
+        // File doesn't exist or can't be read - continue to next file
+      }
+    }
+    return null;
+  });
+}
+
+/**
+ * Get the stop boundary for project root search.
+ * Returns home directory if it exists, otherwise filesystem root.
+ */
+export function getStopBoundary(): string {
+  try {
+    return homedir();
+  } catch {
+    return "/";
+  }
+}
+
+/**
+ * Process one directory level during the walk-up search
+ */
+async function processDirectoryLevel(
+  currentDir: string,
+  languageMarkerAt: string | null,
+  buildSystemAt: string | null
+): Promise<{
+  dsnResult: DetectedDsn | null;
+  repoRootResult: { found: boolean; type?: "vcs" | "ci" | "editorconfig" };
+  hasLang: boolean;
+  hasBuild: boolean;
+}> {
+  // Run all checks for this level in parallel
+  const [dsnResult, repoRootResult, hasLang, hasBuild] = await Promise.all([
+    checkEnvForDsn(currentDir),
+    hasRepoRootMarker(currentDir),
+    languageMarkerAt ? Promise.resolve(false) : hasLanguageMarker(currentDir),
+    buildSystemAt ? Promise.resolve(false) : hasBuildSystemMarker(currentDir),
+  ]);
+
+  return { dsnResult, repoRootResult, hasLang, hasBuild };
+}
+
+/**
+ * Determine the final project root from candidates
+ */
+function selectProjectRoot(
+  languageMarkerAt: string | null,
+  buildSystemAt: string | null,
+  fallback: string
+): { projectRoot: string; reason: ProjectRootReason } {
+  if (languageMarkerAt) {
+    return { projectRoot: languageMarkerAt, reason: "language" };
+  }
+  if (buildSystemAt) {
+    return { projectRoot: buildSystemAt, reason: "build_system" };
+  }
+  return { projectRoot: fallback, reason: "fallback" };
+}
+
+/** State tracked during directory walk-up */
+type WalkState = {
+  currentDir: string;
+  levelsTraversed: number;
+  languageMarkerAt: string | null;
+  buildSystemAt: string | null;
+};
+
+/**
+ * Create result when DSN is found in .env file
+ */
+function createDsnFoundResult(
+  currentDir: string,
+  dsnResult: DetectedDsn,
+  levelsTraversed: number
+): ProjectRootResult {
+  return {
+    projectRoot: currentDir,
+    foundDsn: dsnResult,
+    reason: "env_dsn",
+    levelsTraversed,
+  };
+}
+
+/**
+ * Create result when repo root marker is found.
+ * Maps marker type to reason (defaults to "vcs" for undefined).
+ */
+function createRepoRootResult(
+  currentDir: string,
+  markerType: "vcs" | "ci" | "editorconfig" | undefined,
+  levelsTraversed: number
+): ProjectRootResult {
+  return {
+    projectRoot: currentDir,
+    reason: markerType ?? "vcs",
+    levelsTraversed,
+  };
+}
+
+/**
+ * Walk up directories searching for project root.
+ *
+ * Loop logic:
+ * 1. Always process starting directory (do-while ensures this)
+ * 2. Stop at stopBoundary AFTER processing it (break before moving to parent)
+ * 3. Stop at filesystem root (parentDir === currentDir)
+ */
+async function walkUpDirectories(
+  resolvedStart: string,
+  stopBoundary: string
+): Promise<ProjectRootResult> {
+  const state: WalkState = {
+    currentDir: resolvedStart,
+    levelsTraversed: 0,
+    languageMarkerAt: null,
+    buildSystemAt: null,
+  };
+
+  // do-while ensures starting directory is always checked,
+  // even when it equals the stop boundary (e.g., user runs from home dir)
+  do {
+    state.levelsTraversed += 1;
+
+    const { dsnResult, repoRootResult, hasLang, hasBuild } =
+      await processDirectoryLevel(
+        state.currentDir,
+        state.languageMarkerAt,
+        state.buildSystemAt
+      );
+
+    // 1. Check for DSN in .env files - immediate return
+    if (dsnResult) {
+      return createDsnFoundResult(
+        state.currentDir,
+        dsnResult,
+        state.levelsTraversed
+      );
+    }
+
+    // 2. Check for VCS/CI markers - definitive root, stop walking
+    if (repoRootResult.found) {
+      return createRepoRootResult(
+        state.currentDir,
+        repoRootResult.type,
+        state.levelsTraversed
+      );
+    }
+
+    // 3. Remember language marker (closest to cwd wins)
+    if (!state.languageMarkerAt && hasLang) {
+      state.languageMarkerAt = state.currentDir;
+    }
+
+    // 4. Remember build system marker (last resort)
+    if (!state.buildSystemAt && hasBuild) {
+      state.buildSystemAt = state.currentDir;
+    }
+
+    // Move to parent directory (or stop if at boundary/root)
+    const parentDir = dirname(state.currentDir);
+    const shouldStop =
+      state.currentDir === stopBoundary || parentDir === state.currentDir;
+    if (shouldStop) {
+      break;
+    }
+    state.currentDir = parentDir;
+    // biome-ignore lint/correctness/noConstantCondition: loop exits via break
+  } while (true);
+
+  // Determine project root from candidates (priority order)
+  const selected = selectProjectRoot(
+    state.languageMarkerAt,
+    state.buildSystemAt,
+    resolvedStart
+  );
+
+  return {
+    projectRoot: selected.projectRoot,
+    reason: selected.reason,
+    levelsTraversed: state.levelsTraversed,
+  };
+}
+
+/**
+ * Find project root by walking up from starting directory.
+ *
+ * Checks for DSN in .env files at each level (early exit if found).
+ * Stops at VCS/CI markers (definitive repo root).
+ * Falls back to language markers, then build system markers.
+ *
+ * @param startDir - Directory to start searching from
+ * @returns Project root result with optional DSN
+ */
+export function findProjectRoot(startDir: string): Promise<ProjectRootResult> {
+  return Sentry.startSpan(
+    {
+      name: "findProjectRoot",
+      op: "dsn.detect",
+      attributes: {
+        "dsn.start_dir": startDir,
+      },
+      onlyIfParent: true,
+    },
+    async (span) => {
+      const resolvedStart = resolve(startDir);
+      const stopBoundary = getStopBoundary();
+
+      const result = await walkUpDirectories(resolvedStart, stopBoundary);
+
+      span.setAttributes({
+        "dsn.found": result.foundDsn !== undefined,
+        "dsn.reason": result.reason,
+        "dsn.levels_traversed": result.levelsTraversed,
+        "dsn.project_root": result.projectRoot,
+      });
+      span.setStatus({ code: 1 });
+
+      return result;
+    }
+  );
+}
diff --git a/src/lib/dsn/scanner.ts b/src/lib/dsn/scanner.ts
index 025c435c..e68a14ad 100644
--- a/src/lib/dsn/scanner.ts
+++ b/src/lib/dsn/scanner.ts
@@ -8,13 +8,7 @@
 import { join } from "node:path";
 import type { DetectedDsn } from "./types.js";
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Types
-// ─────────────────────────────────────────────────────────────────────────────
-
-/**
- * Result of processing a single file for DSN extraction.
- */
+/** Result of processing a single file for DSN extraction. */
 export type FileProcessResult = {
   /** Extracted DSN string (null if not found) */
   dsn: string | null;
@@ -36,10 +30,6 @@ export type FileProcessor = (
   content: string
 ) => FileProcessResult | null;
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Scanner
-// ─────────────────────────────────────────────────────────────────────────────
-
 /**
  * Scan specific files (not glob) and extract DSNs.
  *
@@ -68,14 +58,10 @@ export async function scanSpecificFiles(
 
   for (const filename of filenames) {
     const filepath = join(cwd, filename);
-    const file = Bun.file(filepath);
-
-    if (!(await file.exists())) {
-      continue;
-    }
 
     try {
-      const content = await file.text();
+      // Read file directly - handles ENOENT gracefully
+      const content = await Bun.file(filepath).text();
       const result = processFile(filename, content);
 
       if (result?.dsn) {
@@ -89,7 +75,7 @@ export async function scanSpecificFiles(
         }
       }
     } catch {
-      // Skip files we can't read
+      // File doesn't exist or can't be read - continue to next
     }
   }
 
diff --git a/src/lib/dsn/types.ts b/src/lib/dsn/types.ts
index 3364de1c..7e94a5f1 100644
--- a/src/lib/dsn/types.ts
+++ b/src/lib/dsn/types.ts
@@ -6,10 +6,6 @@
 
 import { z } from "zod";
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Core Types
-// ─────────────────────────────────────────────────────────────────────────────
-
 /**
  * Source where DSN was detected from
  *
@@ -51,13 +47,7 @@ export type DetectedDsn = ParsedDsn & {
   resolved?: ResolvedProjectInfo;
 };
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Resolution Types
-// ─────────────────────────────────────────────────────────────────────────────
-
-/**
- * Resolved project information from Sentry API
- */
+/** Resolved project information from Sentry API */
 export type ResolvedProjectInfo = {
   orgSlug: string;
   orgName: string;
@@ -65,19 +55,13 @@ export type ResolvedProjectInfo = {
   projectName: string;
 };
 
-/**
- * Full resolved project with DSN and source info
- */
+/** Full resolved project with DSN and source info */
 export type ResolvedProject = ResolvedProjectInfo & {
   dsn: DetectedDsn;
   /** Human-readable description of where DSN was found */
   sourceDescription: string;
 };
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Cache Types
-// ─────────────────────────────────────────────────────────────────────────────
-
 /**
  * Cached DSN entry with full resolution info
  *
@@ -100,9 +84,7 @@ export type CachedDsnEntry = {
   cachedAt: number;
 };
 
-/**
- * Zod schema for ResolvedProjectInfo
- */
+/** Zod schema for ResolvedProjectInfo */
 export const ResolvedProjectInfoSchema = z.object({
   orgSlug: z.string(),
   orgName: z.string(),
@@ -110,9 +92,7 @@ export const ResolvedProjectInfoSchema = z.object({
   projectName: z.string(),
 });
 
-/**
- * Zod schema for cached DSN entries (for config validation)
- */
+/** Zod schema for cached DSN entries (for config validation) */
 export const CachedDsnEntrySchema = z.object({
   dsn: z.string(),
   projectId: z.string(),
@@ -123,10 +103,6 @@ export const CachedDsnEntrySchema = z.object({
   cachedAt: z.number(),
 });
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Detection Result Types
-// ─────────────────────────────────────────────────────────────────────────────
-
 /**
  * Result of DSN detection with support for monorepos.
  *
@@ -144,10 +120,6 @@ export type DsnDetectionResult = {
   language?: string;
 };
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Constants
-// ─────────────────────────────────────────────────────────────────────────────
-
 /**
  * Common monorepo root directories to scan for packages/apps with their own DSN.
  * Used by both env-file detection and package path inference.
diff --git a/test/lib/dsn/code-scanner.test.ts b/test/lib/dsn/code-scanner.test.ts
new file mode 100644
index 00000000..d89fa5b2
--- /dev/null
+++ b/test/lib/dsn/code-scanner.test.ts
@@ -0,0 +1,359 @@
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import {
+  extractDsnsFromContent,
+  extractFirstDsnFromContent,
+  scanCodeForDsns,
+  scanCodeForFirstDsn,
+} from "../../../src/lib/dsn/code-scanner.js";
+
+describe("Code Scanner", () => {
+  const testDir = join(import.meta.dir, ".test-code-scanner");
+
+  beforeEach(() => {
+    mkdirSync(testDir, { recursive: true });
+  });
+
+  afterEach(() => {
+    rmSync(testDir, { recursive: true, force: true });
+    delete process.env.SENTRY_URL;
+  });
+
+  describe("extractDsnsFromContent", () => {
+    test("extracts DSN from JavaScript code", () => {
+      const content = `
+        Sentry.init({
+          dsn: "https://abc123@o123.ingest.sentry.io/456"
+        });
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://abc123@o123.ingest.sentry.io/456"]);
+    });
+
+    test("extracts DSN from Python code", () => {
+      const content = `
+        sentry_sdk.init(
+            dsn="https://abc123@o123.ingest.sentry.io/456"
+        )
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://abc123@o123.ingest.sentry.io/456"]);
+    });
+
+    test("extracts DSN from Go code", () => {
+      const content = `
+        sentry.Init(sentry.ClientOptions{
+          Dsn: "https://abc123@o123.ingest.sentry.io/456",
+        })
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://abc123@o123.ingest.sentry.io/456"]);
+    });
+
+    test("extracts DSN from constant assignment", () => {
+      const content = `
+        const SENTRY_DSN = "https://abc123@o123.ingest.sentry.io/456";
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://abc123@o123.ingest.sentry.io/456"]);
+    });
+
+    test("extracts multiple DSNs", () => {
+      const content = `
+        const PROD_DSN = "https://prod@o123.ingest.sentry.io/111";
+        const DEV_DSN = "https://dev@o456.ingest.sentry.io/222";
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toHaveLength(2);
+      expect(dsns).toContain("https://prod@o123.ingest.sentry.io/111");
+      expect(dsns).toContain("https://dev@o456.ingest.sentry.io/222");
+    });
+
+    test("deduplicates DSNs", () => {
+      const content = `
+        const DSN1 = "https://abc@o123.ingest.sentry.io/456";
+        const DSN2 = "https://abc@o123.ingest.sentry.io/456";
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toHaveLength(1);
+    });
+
+    test("ignores single-line comments with //", () => {
+      const content = `
+        // const DSN = "https://abc123@o123.ingest.sentry.io/456";
+        const REAL_DSN = "https://real@o456.ingest.sentry.io/789";
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://real@o456.ingest.sentry.io/789"]);
+    });
+
+    test("ignores Python/shell comments with #", () => {
+      const content = `
+        # DSN = "https://abc123@o123.ingest.sentry.io/456"
+        REAL_DSN = "https://real@o456.ingest.sentry.io/789"
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://real@o456.ingest.sentry.io/789"]);
+    });
+
+    test("ignores HTML comments with <!--", () => {
+      const content = `
+        <!-- <script>const DSN = "https://abc123@o123.ingest.sentry.io/456";</script> -->
+        <script>const DSN = "https://real@o456.ingest.sentry.io/789";</script>
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://real@o456.ingest.sentry.io/789"]);
+    });
+
+    test("ignores C-style block comment lines starting with /*", () => {
+      const content = `
+        /* const DSN = "https://abc123@o123.ingest.sentry.io/456"; */
+        const REAL_DSN = "https://real@o456.ingest.sentry.io/789";
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://real@o456.ingest.sentry.io/789"]);
+    });
+
+    test("ignores JSDoc/multi-line comment continuation lines starting with *", () => {
+      const content = `
+        /**
+         * DSN: "https://abc123@o123.ingest.sentry.io/456"
+         */
+        const REAL_DSN = "https://real@o456.ingest.sentry.io/789";
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://real@o456.ingest.sentry.io/789"]);
+    });
+
+    test("ignores SQL comments with --", () => {
+      const content = `
+        -- INSERT INTO config VALUES ('dsn', 'https://abc123@o123.ingest.sentry.io/456');
+        INSERT INTO config VALUES ('dsn', 'https://real@o456.ingest.sentry.io/789');
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://real@o456.ingest.sentry.io/789"]);
+    });
+
+    test("ignores Python triple-quote docstrings", () => {
+      const content = `
+        '''https://abc123@o123.ingest.sentry.io/456'''
+        DSN = "https://real@o456.ingest.sentry.io/789"
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://real@o456.ingest.sentry.io/789"]);
+    });
+
+    test("returns empty array for content without DSNs", () => {
+      const content = `
+        const config = { debug: true };
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual([]);
+    });
+
+    test("only accepts *.sentry.io hosts for SaaS", () => {
+      const content = `
+        const REAL = "https://abc@o123.ingest.sentry.io/456";
+        const FAKE = "https://abc@fake.example.com/456";
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://abc@o123.ingest.sentry.io/456"]);
+    });
+
+    test("accepts self-hosted DSNs when SENTRY_URL is set", () => {
+      process.env.SENTRY_URL = "https://sentry.mycompany.com:9000";
+      const content = `
+        const DSN = "https://abc@sentry.mycompany.com:9000/123";
+      `;
+      const dsns = extractDsnsFromContent(content);
+      expect(dsns).toEqual(["https://abc@sentry.mycompany.com:9000/123"]);
+    });
+
+    test("rejects SaaS DSNs when SENTRY_URL is set (self-hosted mode)", () => {
+      process.env.SENTRY_URL = "https://sentry.mycompany.com:9000";
+      const content = `
+        const SAAS_DSN = "https://abc@o123.ingest.sentry.io/456";
+        const SELF_HOSTED_DSN = "https://def@sentry.mycompany.com:9000/789";
+      `;
+      const dsns = extractDsnsFromContent(content);
+      // Only the self-hosted DSN should be accepted
+      expect(dsns).toEqual(["https://def@sentry.mycompany.com:9000/789"]);
+    });
+
+    test("throws ConfigError when SENTRY_URL is invalid", () => {
+      process.env.SENTRY_URL = "not-a-valid-url";
+      const content = `
+        const SAAS_DSN = "https://abc@o123.ingest.sentry.io/456";
+      `;
+
+      // Invalid SENTRY_URL should throw immediately since nothing will work
+      expect(() => extractDsnsFromContent(content)).toThrow(
+        /SENTRY_URL.*not a valid URL/
+      );
+    });
+  });
+
+  describe("extractFirstDsnFromContent", () => {
+    test("returns first DSN", () => {
+      const content = `
+        const DSN1 = "https://first@o123.ingest.sentry.io/111";
+        const DSN2 = "https://second@o456.ingest.sentry.io/222";
+      `;
+      const dsn = extractFirstDsnFromContent(content);
+      expect(dsn).toBe("https://first@o123.ingest.sentry.io/111");
+    });
+
+    test("returns null when no DSN found", () => {
+      const dsn = extractFirstDsnFromContent("no dsn here");
+      expect(dsn).toBeNull();
+    });
+  });
+
+  describe("scanCodeForFirstDsn", () => {
+    test("finds DSN in root file", async () => {
+      writeFileSync(
+        join(testDir, "config.ts"),
+        'const DSN = "https://abc@o123.ingest.sentry.io/456";'
+      );
+
+      const result = await scanCodeForFirstDsn(testDir);
+      expect(result?.raw).toBe("https://abc@o123.ingest.sentry.io/456");
+      expect(result?.source).toBe("code");
+      expect(result?.sourcePath).toBe("config.ts");
+    });
+
+    test("finds DSN in subdirectory", async () => {
+      mkdirSync(join(testDir, "src"), { recursive: true });
+      writeFileSync(
+        join(testDir, "src/sentry.ts"),
+        'Sentry.init({ dsn: "https://abc@o123.ingest.sentry.io/456" });'
+      );
+
+      const result = await scanCodeForFirstDsn(testDir);
+      expect(result?.raw).toBe("https://abc@o123.ingest.sentry.io/456");
+      expect(result?.sourcePath).toBe("src/sentry.ts");
+    });
+
+    test("returns null when no DSN found", async () => {
+      writeFileSync(join(testDir, "index.ts"), "console.log('hello');");
+
+      const result = await scanCodeForFirstDsn(testDir);
+      expect(result).toBeNull();
+    });
+
+    test("skips node_modules directory", async () => {
+      mkdirSync(join(testDir, "node_modules/some-package"), {
+        recursive: true,
+      });
+      writeFileSync(
+        join(testDir, "node_modules/some-package/index.js"),
+        'const DSN = "https://abc@o123.ingest.sentry.io/456";'
+      );
+
+      const result = await scanCodeForFirstDsn(testDir);
+      expect(result).toBeNull();
+    });
+
+    test("respects gitignore", async () => {
+      writeFileSync(join(testDir, ".gitignore"), "ignored/");
+      mkdirSync(join(testDir, "ignored"), { recursive: true });
+      writeFileSync(
+        join(testDir, "ignored/config.ts"),
+        'const DSN = "https://ignored@o123.ingest.sentry.io/456";'
+      );
+      writeFileSync(
+        join(testDir, "real.ts"),
+        'const DSN = "https://real@o456.ingest.sentry.io/789";'
+      );
+
+      const result = await scanCodeForFirstDsn(testDir);
+      expect(result?.raw).toBe("https://real@o456.ingest.sentry.io/789");
+    });
+
+    test("infers packagePath for monorepo structure", async () => {
+      // Use depth 2 (packages/frontend/sentry.ts) to stay within MAX_SCAN_DEPTH
+      mkdirSync(join(testDir, "packages/frontend"), { recursive: true });
+      writeFileSync(
+        join(testDir, "packages/frontend/sentry.ts"),
+        'const DSN = "https://abc@o123.ingest.sentry.io/456";'
+      );
+
+      const result = await scanCodeForFirstDsn(testDir);
+      expect(result?.packagePath).toBe("packages/frontend");
+    });
+
+    test("scans various file types", async () => {
+      // Test Python
+      writeFileSync(
+        join(testDir, "app.py"),
+        'sentry_sdk.init(dsn="https://py@o123.ingest.sentry.io/1")'
+      );
+
+      let result = await scanCodeForFirstDsn(testDir);
+      expect(result?.raw).toBe("https://py@o123.ingest.sentry.io/1");
+
+      // Clean and test Go
+      rmSync(join(testDir, "app.py"));
+      writeFileSync(
+        join(testDir, "main.go"),
+        'sentry.Init(sentry.ClientOptions{Dsn: "https://go@o123.ingest.sentry.io/2"})'
+      );
+
+      result = await scanCodeForFirstDsn(testDir);
+      expect(result?.raw).toBe("https://go@o123.ingest.sentry.io/2");
+
+      // Clean and test Ruby
+      rmSync(join(testDir, "main.go"));
+      writeFileSync(
+        join(testDir, "config.rb"),
+        'Sentry.init do |config|\n  config.dsn = "https://rb@o123.ingest.sentry.io/3"\nend'
+      );
+
+      result = await scanCodeForFirstDsn(testDir);
+      expect(result?.raw).toBe("https://rb@o123.ingest.sentry.io/3");
+    });
+  });
+
+  describe("scanCodeForDsns", () => {
+    test("finds all DSNs across multiple files", async () => {
+      mkdirSync(join(testDir, "src"), { recursive: true });
+      writeFileSync(
+        join(testDir, "src/frontend.ts"),
+        'const DSN = "https://frontend@o123.ingest.sentry.io/111";'
+      );
+      writeFileSync(
+        join(testDir, "src/backend.ts"),
+        'const DSN = "https://backend@o456.ingest.sentry.io/222";'
+      );
+
+      const results = await scanCodeForDsns(testDir);
+      expect(results).toHaveLength(2);
+
+      const dsns = results.map((r) => r.raw);
+      expect(dsns).toContain("https://frontend@o123.ingest.sentry.io/111");
+      expect(dsns).toContain("https://backend@o456.ingest.sentry.io/222");
+    });
+
+    test("deduplicates same DSN from multiple files", async () => {
+      writeFileSync(
+        join(testDir, "a.ts"),
+        'const DSN = "https://same@o123.ingest.sentry.io/456";'
+      );
+      writeFileSync(
+        join(testDir, "b.ts"),
+        'const DSN = "https://same@o123.ingest.sentry.io/456";'
+      );
+
+      const results = await scanCodeForDsns(testDir);
+      expect(results).toHaveLength(1);
+    });
+
+    test("returns empty array when no DSNs found", async () => {
+      writeFileSync(join(testDir, "index.ts"), "console.log('hello');");
+
+      const results = await scanCodeForDsns(testDir);
+      expect(results).toEqual([]);
+    });
+  });
+});
diff --git a/test/lib/dsn/detector.test.ts b/test/lib/dsn/detector.test.ts
index a0b83a02..a1c9b818 100644
--- a/test/lib/dsn/detector.test.ts
+++ b/test/lib/dsn/detector.test.ts
@@ -111,7 +111,8 @@ describe("DSN Detector (New Module)", () => {
         `Sentry.init({ dsn: "${codeDsn}" })`
       );
 
-      // Should return code DSN (highest priority)
+      // Code DSN takes priority over .env file DSN
+      // Priority order: code > env_file > env_var
       const result = await detectDsn(testDir);
       expect(result?.raw).toBe(codeDsn);
       expect(result?.source).toBe("code");
@@ -165,6 +166,72 @@ describe("DSN Detector (New Module)", () => {
       expect(result?.source).toBe("env");
     });
 
+    test("env var DSN is cached and verified without full scan", async () => {
+      const envVarDsn = "https://var@o111.ingest.sentry.io/111";
+      const changedDsn = "https://changed@o222.ingest.sentry.io/222";
+
+      // Only set env var
+      process.env.SENTRY_DSN = envVarDsn;
+
+      // First detection - should detect and cache
+      const result1 = await detectDsn(testDir);
+      expect(result1?.raw).toBe(envVarDsn);
+      expect(result1?.source).toBe("env");
+
+      // Verify it's cached
+      const cached = await getCachedDsn(testDir);
+      expect(cached?.dsn).toBe(envVarDsn);
+      expect(cached?.source).toBe("env");
+
+      // Second detection - should use cache verification (not full scan)
+      const result2 = await detectDsn(testDir);
+      expect(result2?.raw).toBe(envVarDsn);
+      expect(result2?.source).toBe("env");
+
+      // Change env var - should detect the change
+      process.env.SENTRY_DSN = changedDsn;
+      const result3 = await detectDsn(testDir);
+      expect(result3?.raw).toBe(changedDsn);
+      expect(result3?.source).toBe("env");
+
+      // Cache should be updated
+      const updatedCache = await getCachedDsn(testDir);
+      expect(updatedCache?.dsn).toBe(changedDsn);
+    });
+
+    test("cache verification respects priority when code DSN is added after env var", async () => {
+      const envVarDsn = "https://var@o111.ingest.sentry.io/111";
+      const codeDsn = "https://code@o222.ingest.sentry.io/222";
+
+      // First, detect with only env var
+      process.env.SENTRY_DSN = envVarDsn;
+      const result1 = await detectDsn(testDir);
+      expect(result1?.raw).toBe(envVarDsn);
+      expect(result1?.source).toBe("env");
+
+      // Verify it's cached
+      const cached = await getCachedDsn(testDir);
+      expect(cached?.source).toBe("env");
+
+      // Now add a code DSN (higher priority)
+      mkdirSync(join(testDir, "src"), { recursive: true });
+      writeFileSync(
+        join(testDir, "src/config.ts"),
+        `Sentry.init({ dsn: "${codeDsn}" })`
+      );
+
+      // Next detection should find the code DSN (higher priority)
+      // even though env var is still cached
+      const result2 = await detectDsn(testDir);
+      expect(result2?.raw).toBe(codeDsn);
+      expect(result2?.source).toBe("code");
+
+      // Cache should be updated to code DSN
+      const updatedCache = await getCachedDsn(testDir);
+      expect(updatedCache?.dsn).toBe(codeDsn);
+      expect(updatedCache?.source).toBe("code");
+    });
+
     test("skips node_modules and dist directories", async () => {
       const nodeModulesDsn = "https://nm@o111.ingest.sentry.io/111";
       const distDsn = "https://dist@o222.ingest.sentry.io/222";
@@ -245,7 +312,7 @@ describe("DSN Detector (New Module)", () => {
       const result = await detectAllDsns(testDir);
 
       expect(result.hasMultiple).toBe(true);
-      // Code DSN has higher priority, so it's first
+      // Code DSNs have highest priority (code > env_file > env_var)
       expect(result.primary?.raw).toBe(codeDsn);
       expect(result.all).toHaveLength(2);
     });
diff --git a/test/lib/dsn/languages/go.test.ts b/test/lib/dsn/languages/go.test.ts
deleted file mode 100644
index 22b8ac06..00000000
--- a/test/lib/dsn/languages/go.test.ts
+++ /dev/null
@@ -1,64 +0,0 @@
-/**
- * Go DSN Detector Tests
- *
- * Consolidated tests for extracting DSN from Go source code.
- * Tests cover: ClientOptions struct, variable assignment, raw string, env filtering, detector config.
- */
-
-import { describe, expect, test } from "bun:test";
-import {
-  extractDsnFromGo,
-  goDetector,
-} from "../../../../src/lib/dsn/languages/go.js";
-
-const TEST_DSN = "https://abc123@o456.ingest.sentry.io/789";
-
-describe("Go DSN Detector", () => {
-  test("extracts DSN from sentry.Init with ClientOptions", () => {
-    const code = `
-package main
-
-import "github.com/getsentry/sentry-go"
-
-func main() {
-	err := sentry.Init(sentry.ClientOptions{
-		Dsn:              "${TEST_DSN}",
-		Environment:      "production",
-		TracesSampleRate: 1.0,
-	})
-}
-`;
-    expect(extractDsnFromGo(code)).toBe(TEST_DSN);
-  });
-
-  test("extracts DSN from variable assignment", () => {
-    const code = `
-dsn := "${TEST_DSN}"
-sentry.Init(sentry.ClientOptions{Dsn: dsn})
-`;
-    expect(extractDsnFromGo(code)).toBe(TEST_DSN);
-  });
-
-  test("extracts DSN with backtick raw string literal", () => {
-    const code = `
-dsn := \`${TEST_DSN}\`
-`;
-    expect(extractDsnFromGo(code)).toBe(TEST_DSN);
-  });
-
-  test("returns null for DSN from os.Getenv", () => {
-    const code = `
-sentry.Init(sentry.ClientOptions{
-	Dsn: os.Getenv("SENTRY_DSN"),
-})
-`;
-    expect(extractDsnFromGo(code)).toBeNull();
-  });
-
-  test("detector has correct configuration", () => {
-    expect(goDetector.name).toBe("Go");
-    expect(goDetector.extensions).toContain(".go");
-    expect(goDetector.skipDirs).toContain("vendor");
-    expect(goDetector.extractDsn).toBe(extractDsnFromGo);
-  });
-});
diff --git a/test/lib/dsn/languages/java.test.ts b/test/lib/dsn/languages/java.test.ts
deleted file mode 100644
index 5d7812a8..00000000
--- a/test/lib/dsn/languages/java.test.ts
+++ /dev/null
@@ -1,69 +0,0 @@
-/**
- * Java/Kotlin DSN Detector Tests
- *
- * Consolidated tests for extracting DSN from Java/Kotlin source code and properties files.
- * Tests cover: Sentry.init, properties file, Kotlin pattern, env filtering, detector config.
- */
-
-import { describe, expect, test } from "bun:test";
-import {
-  extractDsnFromJava,
-  javaDetector,
-} from "../../../../src/lib/dsn/languages/java.js";
-
-const TEST_DSN = "https://abc123@o456.ingest.sentry.io/789";
-
-describe("Java DSN Detector", () => {
-  test("extracts DSN from Sentry.init with setDsn", () => {
-    const code = `
-import io.sentry.Sentry;
-
-public class SentryConfig {
-    public static void init() {
-        Sentry.init(options -> {
-            options.setDsn("${TEST_DSN}");
-            options.setEnvironment("production");
-        });
-    }
-}
-`;
-    expect(extractDsnFromJava(code)).toBe(TEST_DSN);
-  });
-
-  test("extracts DSN from sentry.properties file", () => {
-    const content = `
-# Sentry configuration
-dsn=${TEST_DSN}
-environment=production
-`;
-    expect(extractDsnFromJava(content)).toBe(TEST_DSN);
-  });
-
-  test("extracts DSN from Kotlin companion object", () => {
-    const code = `
-companion object {
-    const val dsn = "${TEST_DSN}"
-}
-`;
-    expect(extractDsnFromJava(code)).toBe(TEST_DSN);
-  });
-
-  test("returns null for DSN from System.getenv", () => {
-    const code = `
-Sentry.init(options -> {
-    options.setDsn(System.getenv("SENTRY_DSN"));
-});
-`;
-    expect(extractDsnFromJava(code)).toBeNull();
-  });
-
-  test("detector has correct configuration", () => {
-    expect(javaDetector.name).toBe("Java");
-    expect(javaDetector.extensions).toContain(".java");
-    expect(javaDetector.extensions).toContain(".kt");
-    expect(javaDetector.extensions).toContain(".properties");
-    expect(javaDetector.skipDirs).toContain("target");
-    expect(javaDetector.skipDirs).toContain("build");
-    expect(javaDetector.extractDsn).toBe(extractDsnFromJava);
-  });
-});
diff --git a/test/lib/dsn/languages/javascript.test.ts b/test/lib/dsn/languages/javascript.test.ts
deleted file mode 100644
index d4175315..00000000
--- a/test/lib/dsn/languages/javascript.test.ts
+++ /dev/null
@@ -1,64 +0,0 @@
-/**
- * JavaScript DSN Detector Tests
- *
- * Consolidated tests for extracting DSN from JavaScript/TypeScript source code.
- * Tests cover: basic init, config object, multiple DSNs, env filtering, detector config.
- */
-
-import { describe, expect, test } from "bun:test";
-import {
-  extractDsnFromCode,
-  javascriptDetector,
-} from "../../../../src/lib/dsn/languages/javascript.js";
-
-const TEST_DSN = "https://abc123@o456.ingest.sentry.io/789";
-
-describe("JavaScript DSN Detector", () => {
-  test("extracts DSN from basic Sentry.init", () => {
-    const code = `
-      import * as Sentry from "@sentry/react";
-
-      Sentry.init({
-        dsn: "${TEST_DSN}",
-        tracesSampleRate: 1.0,
-      });
-    `;
-    expect(extractDsnFromCode(code)).toBe(TEST_DSN);
-  });
-
-  test("extracts DSN from config object", () => {
-    const code = `
-      export const sentryConfig = {
-        dsn: "${TEST_DSN}",
-        enabled: true,
-      };
-    `;
-    expect(extractDsnFromCode(code)).toBe(TEST_DSN);
-  });
-
-  test("extracts first DSN when multiple exist", () => {
-    const dsn2 = "https://xyz@o999.ingest.sentry.io/111";
-    const code = `
-      Sentry.init({ dsn: "${TEST_DSN}" });
-      const backup = { dsn: "${dsn2}" };
-    `;
-    expect(extractDsnFromCode(code)).toBe(TEST_DSN);
-  });
-
-  test("returns null for DSN from env variable", () => {
-    const code = `
-      Sentry.init({
-        dsn: process.env.SENTRY_DSN,
-      });
-    `;
-    expect(extractDsnFromCode(code)).toBeNull();
-  });
-
-  test("detector has correct configuration", () => {
-    expect(javascriptDetector.name).toBe("JavaScript");
-    expect(javascriptDetector.extensions).toContain(".ts");
-    expect(javascriptDetector.extensions).toContain(".js");
-    expect(javascriptDetector.skipDirs).toContain("node_modules");
-    expect(javascriptDetector.extractDsn).toBe(extractDsnFromCode);
-  });
-});
diff --git a/test/lib/dsn/languages/php.test.ts b/test/lib/dsn/languages/php.test.ts
deleted file mode 100644
index d2126fa5..00000000
--- a/test/lib/dsn/languages/php.test.ts
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * PHP DSN Detector Tests
- *
- * Consolidated tests for extracting DSN from PHP source code.
- * Tests cover: Sentry\init, Laravel config, multiline init, env filtering, detector config.
- */
-
-import { describe, expect, test } from "bun:test";
-import {
-  extractDsnFromPhp,
-  phpDetector,
-} from "../../../../src/lib/dsn/languages/php.js";
-
-const TEST_DSN = "https://abc123@o456.ingest.sentry.io/789";
-
-describe("PHP DSN Detector", () => {
-  test("extracts DSN from Sentry\\init", () => {
-    const code = `
-<?php
-\\Sentry\\init([
-    'dsn' => '${TEST_DSN}',
-    'environment' => 'production',
-]);
-`;
-    expect(extractDsnFromPhp(code)).toBe(TEST_DSN);
-  });
-
-  test("extracts DSN from Laravel config style", () => {
-    const code = `
-<?php
-return [
-    'sentry' => [
-        'dsn' => '${TEST_DSN}',
-    ],
-];
-`;
-    expect(extractDsnFromPhp(code)).toBe(TEST_DSN);
-  });
-
-  test("extracts DSN with double quotes", () => {
-    const code = `
-<?php
-\\Sentry\\init(["dsn" => "${TEST_DSN}"]);
-`;
-    expect(extractDsnFromPhp(code)).toBe(TEST_DSN);
-  });
-
-  test("returns null for DSN from env function", () => {
-    const code = `
-<?php
-\\Sentry\\init(['dsn' => env('SENTRY_DSN')]);
-`;
-    expect(extractDsnFromPhp(code)).toBeNull();
-  });
-
-  test("detector has correct configuration", () => {
-    expect(phpDetector.name).toBe("PHP");
-    expect(phpDetector.extensions).toContain(".php");
-    expect(phpDetector.skipDirs).toContain("vendor");
-    expect(phpDetector.extractDsn).toBe(extractDsnFromPhp);
-  });
-});
diff --git a/test/lib/dsn/languages/python.test.ts b/test/lib/dsn/languages/python.test.ts
deleted file mode 100644
index 1a27128d..00000000
--- a/test/lib/dsn/languages/python.test.ts
+++ /dev/null
@@ -1,69 +0,0 @@
-/**
- * Python DSN Detector Tests
- *
- * Consolidated tests for extracting DSN from Python source code.
- * Tests cover: basic init, dict config, Django settings, env filtering, detector config.
- */
-
-import { describe, expect, test } from "bun:test";
-import {
-  extractDsnFromPython,
-  pythonDetector,
-} from "../../../../src/lib/dsn/languages/python.js";
-
-const TEST_DSN = "https://abc123@o456.ingest.sentry.io/789";
-
-describe("Python DSN Detector", () => {
-  test("extracts DSN from basic sentry_sdk.init", () => {
-    const code = `
-import sentry_sdk
-
-sentry_sdk.init(
-    dsn="${TEST_DSN}",
-    traces_sample_rate=1.0,
-)
-`;
-    expect(extractDsnFromPython(code)).toBe(TEST_DSN);
-  });
-
-  test("extracts DSN from dict config", () => {
-    const code = `
-SENTRY_CONFIG = {
-    "dsn": "${TEST_DSN}",
-    "environment": "production",
-}
-`;
-    expect(extractDsnFromPython(code)).toBe(TEST_DSN);
-  });
-
-  test("extracts DSN from Django settings style", () => {
-    const code = `
-SENTRY_DSN = "${TEST_DSN}"
-
-LOGGING = {
-    "handlers": {
-        "sentry": {
-            "dsn": "${TEST_DSN}",
-        }
-    }
-}
-`;
-    expect(extractDsnFromPython(code)).toBe(TEST_DSN);
-  });
-
-  test("returns null for DSN from env variable", () => {
-    const code = `
-import os
-sentry_sdk.init(dsn=os.environ.get("SENTRY_DSN"))
-`;
-    expect(extractDsnFromPython(code)).toBeNull();
-  });
-
-  test("detector has correct configuration", () => {
-    expect(pythonDetector.name).toBe("Python");
-    expect(pythonDetector.extensions).toContain(".py");
-    expect(pythonDetector.skipDirs).toContain("venv");
-    expect(pythonDetector.skipDirs).toContain("__pycache__");
-    expect(pythonDetector.extractDsn).toBe(extractDsnFromPython);
-  });
-});
diff --git a/test/lib/dsn/languages/ruby.test.ts b/test/lib/dsn/languages/ruby.test.ts
deleted file mode 100644
index 643c4d31..00000000
--- a/test/lib/dsn/languages/ruby.test.ts
+++ /dev/null
@@ -1,63 +0,0 @@
-/**
- * Ruby DSN Detector Tests
- *
- * Consolidated tests for extracting DSN from Ruby source code.
- * Tests cover: Sentry.init block, Rails initializer, hash patterns, env filtering, detector config.
- */
-
-import { describe, expect, test } from "bun:test";
-import {
-  extractDsnFromRuby,
-  rubyDetector,
-} from "../../../../src/lib/dsn/languages/ruby.js";
-
-const TEST_DSN = "https://abc123@o456.ingest.sentry.io/789";
-
-describe("Ruby DSN Detector", () => {
-  test("extracts DSN from Sentry.init block", () => {
-    const code = `
-Sentry.init do |config|
-  config.dsn = '${TEST_DSN}'
-  config.traces_sample_rate = 1.0
-end
-`;
-    expect(extractDsnFromRuby(code)).toBe(TEST_DSN);
-  });
-
-  test("extracts DSN from Rails initializer style", () => {
-    const code = `
-Sentry.init do |config|
-  config.dsn = '${TEST_DSN}'
-  config.breadcrumbs_logger = [:active_support_logger]
-  config.traces_sample_rate = 0.5
-end
-`;
-    expect(extractDsnFromRuby(code)).toBe(TEST_DSN);
-  });
-
-  test("extracts DSN from symbol key hash", () => {
-    const code = `
-sentry_config = {
-  dsn: '${TEST_DSN}',
-  environment: 'production'
-}
-`;
-    expect(extractDsnFromRuby(code)).toBe(TEST_DSN);
-  });
-
-  test("returns null for DSN from ENV", () => {
-    const code = `
-Sentry.init do |config|
-  config.dsn = ENV['SENTRY_DSN']
-end
-`;
-    expect(extractDsnFromRuby(code)).toBeNull();
-  });
-
-  test("detector has correct configuration", () => {
-    expect(rubyDetector.name).toBe("Ruby");
-    expect(rubyDetector.extensions).toContain(".rb");
-    expect(rubyDetector.skipDirs).toContain("vendor/bundle");
-    expect(rubyDetector.extractDsn).toBe(extractDsnFromRuby);
-  });
-});
diff --git a/test/lib/dsn/project-root.test.ts b/test/lib/dsn/project-root.test.ts
new file mode 100644
index 00000000..c336a143
--- /dev/null
+++ b/test/lib/dsn/project-root.test.ts
@@ -0,0 +1,320 @@
+/**
+ * Project Root Detection Tests
+ *
+ * Tests for finding project root by walking up from a starting directory.
+ */
+
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { homedir, tmpdir } from "node:os";
+import { join } from "node:path";
+import {
+  findProjectRoot,
+  getStopBoundary,
+  hasBuildSystemMarker,
+  hasLanguageMarker,
+  hasRepoRootMarker,
+} from "../../../src/lib/dsn/project-root.js";
+
+// Test directory structure helper
+function createDir(path: string): void {
+  mkdirSync(path, { recursive: true });
+}
+
+function createFile(path: string, content = ""): void {
+  writeFileSync(path, content);
+}
+
+describe("project-root", () => {
+  let testDir: string;
+
+  beforeEach(() => {
+    // Create a unique temp directory for each test
+    testDir = join(
+      tmpdir(),
+      `sentry-cli-test-${Date.now()}-${Math.random().toString(36).slice(2)}`
+    );
+    createDir(testDir);
+  });
+
+  afterEach(() => {
+    // Clean up test directory
+    try {
+      rmSync(testDir, { recursive: true, force: true });
+    } catch {
+      // Ignore cleanup errors
+    }
+  });
+
+  describe("getStopBoundary", () => {
+    test("returns home directory", () => {
+      const boundary = getStopBoundary();
+      expect(boundary).toBe(homedir());
+    });
+  });
+
+  describe("hasRepoRootMarker", () => {
+    test("detects .git directory", async () => {
+      createDir(join(testDir, ".git"));
+      const result = await hasRepoRootMarker(testDir);
+      expect(result.found).toBe(true);
+      expect(result.type).toBe("vcs");
+    });
+
+    test("detects .hg directory", async () => {
+      createDir(join(testDir, ".hg"));
+      const result = await hasRepoRootMarker(testDir);
+      expect(result.found).toBe(true);
+      expect(result.type).toBe("vcs");
+    });
+
+    test("detects .github directory", async () => {
+      createDir(join(testDir, ".github"));
+      const result = await hasRepoRootMarker(testDir);
+      expect(result.found).toBe(true);
+      expect(result.type).toBe("ci");
+    });
+
+    test("detects .gitlab-ci.yml file", async () => {
+      createFile(join(testDir, ".gitlab-ci.yml"));
+      const result = await hasRepoRootMarker(testDir);
+      expect(result.found).toBe(true);
+      expect(result.type).toBe("ci");
+    });
+
+    test("detects .editorconfig with root=true", async () => {
+      createFile(
+        join(testDir, ".editorconfig"),
+        "root = true\n[*]\nindent_style = space"
+      );
+      const result = await hasRepoRootMarker(testDir);
+      expect(result.found).toBe(true);
+      expect(result.type).toBe("editorconfig");
+    });
+
+    test("ignores .editorconfig without root=true", async () => {
+      createFile(join(testDir, ".editorconfig"), "[*]\nindent_style = space");
+      const result = await hasRepoRootMarker(testDir);
+      expect(result.found).toBe(false);
+    });
+
+    test("returns found=false when no markers", async () => {
+      const result = await hasRepoRootMarker(testDir);
+      expect(result.found).toBe(false);
+    });
+  });
+
+  describe("hasLanguageMarker", () => {
+    test("detects package.json", async () => {
+      createFile(join(testDir, "package.json"), "{}");
+      expect(await hasLanguageMarker(testDir)).toBe(true);
+    });
+
+    test("detects pyproject.toml", async () => {
+      createFile(join(testDir, "pyproject.toml"), "");
+      expect(await hasLanguageMarker(testDir)).toBe(true);
+    });
+
+    test("detects go.mod", async () => {
+      createFile(join(testDir, "go.mod"), "module example.com/test");
+      expect(await hasLanguageMarker(testDir)).toBe(true);
+    });
+
+    test("detects Cargo.toml", async () => {
+      createFile(join(testDir, "Cargo.toml"), "");
+      expect(await hasLanguageMarker(testDir)).toBe(true);
+    });
+
+    test("detects .sln file (glob pattern)", async () => {
+      createFile(join(testDir, "MyProject.sln"), "");
+      expect(await hasLanguageMarker(testDir)).toBe(true);
+    });
+
+    test("detects .csproj file (glob pattern)", async () => {
+      createFile(join(testDir, "MyProject.csproj"), "");
+      expect(await hasLanguageMarker(testDir)).toBe(true);
+    });
+
+    test("returns false when no markers", async () => {
+      expect(await hasLanguageMarker(testDir)).toBe(false);
+    });
+  });
+
+  describe("hasBuildSystemMarker", () => {
+    test("detects Makefile", async () => {
+      createFile(join(testDir, "Makefile"), "");
+      expect(await hasBuildSystemMarker(testDir)).toBe(true);
+    });
+
+    test("detects CMakeLists.txt", async () => {
+      createFile(join(testDir, "CMakeLists.txt"), "");
+      expect(await hasBuildSystemMarker(testDir)).toBe(true);
+    });
+
+    test("detects BUILD.bazel", async () => {
+      createFile(join(testDir, "BUILD.bazel"), "");
+      expect(await hasBuildSystemMarker(testDir)).toBe(true);
+    });
+
+    test("returns false when no markers", async () => {
+      expect(await hasBuildSystemMarker(testDir)).toBe(false);
+    });
+  });
+
+  describe("findProjectRoot", () => {
+    describe("DSN detection in .env files", () => {
+      test("finds DSN in .env file and returns immediately", async () => {
+        const dsn = "https://abc123@o123.ingest.sentry.io/456";
+        createFile(join(testDir, ".env"), `SENTRY_DSN=${dsn}`);
+        createDir(join(testDir, "src", "lib"));
+
+        const result = await findProjectRoot(join(testDir, "src", "lib"));
+
+        expect(result.foundDsn).toBeDefined();
+        expect(result.foundDsn?.raw).toBe(dsn);
+        expect(result.reason).toBe("env_dsn");
+        expect(result.projectRoot).toBe(testDir);
+      });
+
+      test("finds DSN in .env.local (higher priority)", async () => {
+        const dsnLocal = "https://local@o123.ingest.sentry.io/456";
+        const dsnBase = "https://base@o123.ingest.sentry.io/789";
+        createFile(join(testDir, ".env.local"), `SENTRY_DSN=${dsnLocal}`);
+        createFile(join(testDir, ".env"), `SENTRY_DSN=${dsnBase}`);
+
+        const result = await findProjectRoot(testDir);
+
+        expect(result.foundDsn?.raw).toBe(dsnLocal);
+      });
+
+      test("finds DSN at intermediate level during walk-up", async () => {
+        const dsn = "https://abc123@o123.ingest.sentry.io/456";
+        // Create nested structure: testDir/packages/app/src
+        const packagesDir = join(testDir, "packages");
+        const appDir = join(packagesDir, "app");
+        const srcDir = join(appDir, "src");
+        createDir(srcDir);
+
+        // Put DSN in app directory
+        createFile(join(appDir, ".env"), `SENTRY_DSN=${dsn}`);
+
+        // Put .git at root
+        createDir(join(testDir, ".git"));
+
+        const result = await findProjectRoot(srcDir);
+
+        // Should find DSN at app level (immediate return)
+        expect(result.foundDsn).toBeDefined();
+        expect(result.foundDsn?.raw).toBe(dsn);
+        expect(result.reason).toBe("env_dsn");
+      });
+    });
+
+    describe("VCS marker detection", () => {
+      test("stops at .git directory", async () => {
+        createDir(join(testDir, ".git"));
+        createDir(join(testDir, "src", "lib", "utils"));
+
+        const result = await findProjectRoot(
+          join(testDir, "src", "lib", "utils")
+        );
+
+        expect(result.projectRoot).toBe(testDir);
+        expect(result.reason).toBe("vcs");
+        // Levels: utils(1) -> lib(2) -> src(3) -> testDir(4, found .git)
+        expect(result.levelsTraversed).toBe(4);
+      });
+
+      test("stops at .github directory", async () => {
+        createDir(join(testDir, ".github"));
+        createDir(join(testDir, "src"));
+
+        const result = await findProjectRoot(join(testDir, "src"));
+
+        expect(result.projectRoot).toBe(testDir);
+        expect(result.reason).toBe("ci");
+      });
+    });
+
+    describe("language marker detection", () => {
+      test("uses closest language marker to cwd", async () => {
+        // Root has package.json
+        createFile(join(testDir, "package.json"), "{}");
+
+        // Nested package also has package.json
+        const nestedDir = join(testDir, "packages", "frontend");
+        createDir(nestedDir);
+        createFile(join(nestedDir, "package.json"), "{}");
+
+        // Start from nested/src
+        const srcDir = join(nestedDir, "src");
+        createDir(srcDir);
+
+        const result = await findProjectRoot(srcDir);
+
+        // Should use the closest package.json (in packages/frontend)
+        expect(result.projectRoot).toBe(nestedDir);
+        expect(result.reason).toBe("language");
+      });
+
+      test("VCS marker takes precedence over language marker", async () => {
+        createDir(join(testDir, ".git"));
+        createFile(join(testDir, "package.json"), "{}");
+        createDir(join(testDir, "src"));
+
+        const result = await findProjectRoot(join(testDir, "src"));
+
+        // Should stop at .git even though package.json was also found
+        expect(result.projectRoot).toBe(testDir);
+        expect(result.reason).toBe("vcs");
+      });
+    });
+
+    describe("build system marker detection", () => {
+      test("uses build system marker as last resort", async () => {
+        createFile(join(testDir, "Makefile"), "");
+        createDir(join(testDir, "src"));
+
+        const result = await findProjectRoot(join(testDir, "src"));
+
+        expect(result.projectRoot).toBe(testDir);
+        expect(result.reason).toBe("build_system");
+      });
+
+      test("language marker takes precedence over build system", async () => {
+        createFile(join(testDir, "Makefile"), "");
+        createFile(join(testDir, "package.json"), "{}");
+        createDir(join(testDir, "src"));
+
+        const result = await findProjectRoot(join(testDir, "src"));
+
+        expect(result.reason).toBe("language");
+      });
+    });
+
+    describe("fallback behavior", () => {
+      test("returns cwd when no markers found", async () => {
+        const deepDir = join(testDir, "a", "b", "c");
+        createDir(deepDir);
+
+        const result = await findProjectRoot(deepDir);
+
+        // Should fall back to the starting directory
+        expect(result.projectRoot).toBe(deepDir);
+        expect(result.reason).toBe("fallback");
+      });
+    });
+
+    describe("levels traversed tracking", () => {
+      test("tracks correct number of levels", async () => {
+        createDir(join(testDir, ".git"));
+        createDir(join(testDir, "a", "b", "c", "d"));
+
+        const result = await findProjectRoot(join(testDir, "a", "b", "c", "d"));
+
+        // Levels: d(1) -> c(2) -> b(3) -> a(4) -> testDir(5, found .git)
+        expect(result.levelsTraversed).toBe(5);
+      });
+    });
+  });
+});