feat(cli): add sentry cli import for .sentryclirc migration (#975)

Add a one-time import path for users migrating from the old Rust-based
sentry-cli. Two complementary features:

1. `sentry cli import` — explicit command that scans for .sentryclirc
   files, shows what was found, and imports settings into SQLite with
   proper host scoping. Supports --yes (CI), --dry-run, --url (trust
   override), and --skip-validation.

2. Auto-detect middleware — when any command hits AuthError and a
   .sentryclirc token passes the trust gate, prompts to import before
   falling back to the OAuth login flow.

Security: content-based trust model (same-file rule). Token and URL
must originate from the same file — no path is inherently trusted.
SHA-256 file hashes stored at import time detect post-import tampering.
Auto-prompt disabled in CI (isatty check); project-local files excluded.

Also updates the login command's rcTokenHint to mention `sentry cli import`
as an alternative to `--token`.

Author: BYK

.lore.md

@@ -218,6 +218,143 @@ export async function runCli(cliArgs: string[]): Promise<void> {
     }
   };
 
+  /**
+   * Attempt to import `.sentryclirc` settings when the user is unauthenticated.
+   *
+   * Returns `"imported"` if a trusted token was found, imported, and validated.
+   * Returns `"declined"` if the user said no (marked as declined).
+   * Returns `"skip"` if no eligible files, trust gate fails, or any error.
+   */
+  /**
+   * Build a trusted import plan from non-project-local .sentryclirc files,
+   * or return null if no eligible import is available.
+   */
+  async function buildEligibleImportPlan() {
+    const { discoverRcFiles, buildImportPlan, isImportNeededAsync } =
+      await import("./lib/sentryclirc-import.js");
+
+    if (!(await isImportNeededAsync())) {
+      return null;
+    }
+    const files = await discoverRcFiles(process.cwd());
+    const eligible = files.filter((f) => f.location !== "project-local");
+    if (eligible.length === 0 || !eligible.some((f) => f.token)) {
+      return null;
+    }
+    const plan = buildImportPlan(eligible);
+    if (
+      !(
+        plan.trusted &&
+        plan.effective.token &&
+        plan.newFields.includes("token")
+      )
+    ) {
+      return null;
+    }
+    return plan;
+  }
+
+  async function tryRcImport(): Promise<"imported" | "declined" | "skip"> {
+    const plan = await buildEligibleImportPlan();
+    if (!plan) {
+      return "skip";
+    }
+
+    const source = plan.sources.find((s) => s.token)?.path ?? "~/.sentryclirc";
+    process.stderr.write(
+      `\nFound auth token in ${source}\n` +
+        "Import settings to the new CLI? This stores your token with proper host scoping.\n\n"
+    );
+
+    const consent = await promptImportConsent();
+    if (consent === "declined") {
+      const { markImportDeclined } = await import(
+        "./lib/sentryclirc-import.js"
+      );
+      markImportDeclined();
+      return "declined";
+    }
+    if (consent !== "accepted") {
+      return "skip";
+    }
+
+    const { executeImport } = await import("./lib/sentryclirc-import.js");
+    const result = await executeImport(plan, { validateToken: true });
+    return result.imported && result.tokenValid !== false ? "imported" : "skip";
+  }
+
+  /**
+   * Prompt the user to accept/decline the import.
+   * Returns "accepted", "declined" (explicit no), or "cancelled" (Ctrl+C).
+   * Only "declined" permanently suppresses future prompts.
+   */
+  async function promptImportConsent(): Promise<
+    "accepted" | "declined" | "cancelled"
+  > {
+    const { logger: logModule } = await import("./lib/logger.js");
+    const confirmed = await logModule
+      .withTag("import")
+      .prompt("Import from .sentryclirc?", { type: "confirm", initial: true });
+    if (confirmed === true) {
+      return "accepted";
+    }
+    // false = explicit "no"; Symbol(clack:cancel) = Ctrl+C
+    return confirmed === false ? "declined" : "cancelled";
+  }
+
+  /** Log import middleware errors at an appropriate level */
+  async function logImportError(importErr: unknown): Promise<void> {
+    const { logger: logModule } = await import("./lib/logger.js");
+    const { HostScopeError: HSE } = await import("./lib/errors.js");
+    const importLog = logModule.withTag("import");
+    if (importErr instanceof HSE) {
+      importLog.warn("Import middleware error", importErr);
+    } else {
+      importLog.debug("Import middleware error", importErr);
+    }
+  }
+
+  /**
+   * `.sentryclirc` import middleware.
+   *
+   * When a command fails with `not_authenticated` and a non-project-local
+   * `.sentryclirc` file has a token that passes the same-file trust gate,
+   * offers to import it into the new CLI's SQLite store. On success, retries
+   * the command. On decline, marks as declined (never asks again) and
+   * re-throws so the auto-auth middleware can offer OAuth login instead.
+   *
+   * Only fires in interactive TTYs (disabled in CI). Project-local files
+   * are excluded to avoid prompting in every cloned repo.
+   */
+  const rcImportMiddleware: ErrorMiddleware = async (next, argv) => {
+    try {
+      await next(argv);
+    } catch (err) {
+      let imported = false;
+      if (
+        err instanceof AuthError &&
+        err.reason === "not_authenticated" &&
+        !err.skipAutoAuth &&
+        isatty(0)
+      ) {
+        try {
+          imported = (await tryRcImport()) === "imported";
+        } catch (importErr) {
+          await logImportError(importErr);
+        }
+      }
+      if (imported) {
+        // Retry outside the import try/catch so retry errors propagate
+        // naturally instead of being swallowed and re-throwing the
+        // original AuthError.
+        process.stderr.write("Import successful! Retrying command...\n\n");
+        await next(argv);
+        return;
+      }
+      throw err;
+    }
+  };
+
   /**
    * Auto-authentication middleware.
    *
@@ -269,6 +406,7 @@ export async function runCli(cliArgs: string[]): Promise<void> {
    */
   const errorMiddlewares: ErrorMiddleware[] = [
     seerTrialMiddleware,
+    rcImportMiddleware,
     autoAuthMiddleware,
   ];
 

src/cli.ts

@@ -207,7 +207,8 @@ export function rcTokenHint(
     : ` --url ${effectiveHost}`;
   return (
     `Found a token in .sentryclirc (${rcConfig.sources.token}). ` +
-    `To skip OAuth next time: sentry auth login --token <token>${urlHint}`
+    "To import it: sentry cli import | " +
+    `To pass it directly: sentry auth login --token <token>${urlHint}`
   );
 }
 
@@ -374,6 +375,7 @@ export const loginCommand = buildCommand({
 
     refuseLoginToUntrustedHost(flags, effectiveHost, urlFromRc);
 
+    // Check if already authenticated and handle re-authentication
     if (isAuthenticated()) {
       const shouldProceed = await handleExistingAuth(flags.force);
       if (!shouldProceed) {