fix(test): adapt tests for buildCommand auth guard (#615)

## Summary

Fixes the ~200 test failures caused by the auth guard added in #611.
Meant to be merged into #612 so both the CI hang (dsn-cache timing +
telemetry beforeExit) and the auth guard breakage ship together.

## Problem

`buildCommand`'s new auth guard calls `getAuthConfig()` before every
command. Test environments had no auth token set, so all command tests
hit `AuthError("not_authenticated")` before the func body ran.

## Changes

**Global fix (test/preload.ts):**
- Set a fake `SENTRY_AUTH_TOKEN` in the test preload so the auth guard
passes for all tests. Real API calls are blocked by the global fetch
mock.

**Framework tests (test/lib/command.test.ts):**
- Add `auth: false` to all 29 test commands — these test flag handling,
telemetry, and output rendering, not authentication.

**Auth-specific tests (logout, refresh, whoami, project list):**
- Tests that verify unauthenticated behavior or `SENTRY_TOKEN` priority
now explicitly save/clear/restore `SENTRY_AUTH_TOKEN`.

## Test plan

- 215 tests across the 7 most-affected files pass with 0 failures
- `bun test test/commands` — 1209 pass
- Lint and typecheck pass

---------

Co-authored-by: Miguel Betegón <miguelbetegongarcia@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 3 people

src/lib/telemetry.ts

@@ -275,7 +275,7 @@ const LIBRARY_EXCLUDED_INTEGRATIONS = new Set([
   ...EXCLUDED_INTEGRATIONS,
   "OnUncaughtException", // process.on('uncaughtException')
   "OnUnhandledRejection", // process.on('unhandledRejection')
-  "ProcessSession", // process.on('beforeExit')
+  "ProcessSession", // process.on('beforeExit') — anonymous handler, no cleanup
   "Http", // diagnostics_channel + trace headers
   "NodeFetch", // diagnostics_channel + trace headers
   "FunctionToString", // wraps Function.prototype.toString
@@ -355,13 +355,11 @@ export function initSentry(
   const libraryMode = options?.libraryMode ?? false;
   const environment = getEnv().NODE_ENV ?? "development";
 
-  // Close the previous client before re-initializing. LightNodeClient registers
-  // process.on('beforeExit', ...) listeners for client-report and log flushing
-  // via startClientReportTracking() and enableLogs. These are only removed by
-  // calling client.close(). Without this, re-initializing (e.g. initSentry(false)
-  // in test afterEach) accumulates stale listeners that keep the event loop alive
-  // after all tests complete, preventing the bun process from exiting.
-  // close(0) removes the listeners synchronously; we don't need to await the flush.
+  // Close the previous client to clean up its internal timers and beforeExit
+  // handlers (client report flusher interval, log flush listener). Without
+  // this, re-initializing the SDK (e.g., in tests) leaks setInterval handles
+  // that keep the event loop alive and prevent the process from exiting.
+  // close(0) removes listeners synchronously; we don't need to await the flush.
   Sentry.getClient()?.close(0);
 
   const client = Sentry.init({
@@ -383,10 +381,12 @@ export function initSentry(
     },
     environment,
     // Enable Sentry structured logs for non-exception telemetry (e.g., unexpected input warnings).
-    // Disabled in library mode — logs use timers/beforeExit that pollute the host process.
-    enableLogs: !libraryMode,
-    // Disable client reports in library mode — they use timers/beforeExit.
-    ...(libraryMode && { sendClientReports: false }),
+    // Disabled when telemetry is off or in library mode — the SDK registers
+    // beforeExit handlers for log flushing that keep the event loop alive.
+    enableLogs: enabled && !libraryMode,
+    // Disable client reports when telemetry is off or in library mode — the SDK
+    // registers a setInterval + beforeExit handler that keep the event loop alive.
+    ...((libraryMode || !enabled) && { sendClientReports: false }),
     // Sample all events for CLI telemetry (low volume)
     tracesSampleRate: 1,
     sampleRate: 1,
@@ -414,12 +414,7 @@ export function initSentry(
     },
   });
 
-  // Always remove the previous handler on re-init. The removal must happen
-  // unconditionally — not only when enabled=true — so that calling
-  // initSentry(false) to disable telemetry (e.g. in test afterEach) actually
-  // cleans up the handler registered by a prior initSentry(true) call.
-  // Without this, the stale handler keeps the event loop alive after all tests
-  // finish, preventing the process from exiting.
+  // Always remove our own previous handler on re-init.
   if (currentBeforeExitHandler) {
     process.removeListener("beforeExit", currentBeforeExitHandler);
     currentBeforeExitHandler = null;

test/commands/auth/logout.test.ts

@@ -126,6 +126,9 @@ describe("logoutCommand.func", () => {
     isAuthenticatedSpy.mockReturnValue(true);
     isEnvTokenActiveSpy.mockReturnValue(true);
     // Set env var directly — getActiveEnvVarName() reads env vars via getEnvToken()
+    // Clear SENTRY_AUTH_TOKEN so SENTRY_TOKEN takes priority
+    const savedAuthToken = process.env.SENTRY_AUTH_TOKEN;
+    delete process.env.SENTRY_AUTH_TOKEN;
     process.env.SENTRY_TOKEN = "sntrys_token_456";
     const { context } = createContext();
 
@@ -138,6 +141,9 @@ describe("logoutCommand.func", () => {
       expect(msg).toContain("SENTRY_TOKEN");
     } finally {
       delete process.env.SENTRY_TOKEN;
+      if (savedAuthToken !== undefined) {
+        process.env.SENTRY_AUTH_TOKEN = savedAuthToken;
+      }
     }
     expect(clearAuthSpy).not.toHaveBeenCalled();
   });

test/commands/auth/refresh.test.ts

@@ -85,6 +85,9 @@ describe("refreshCommand.func", () => {
   test("env token (SENTRY_TOKEN): throws AuthError with SENTRY_TOKEN in message", async () => {
     isEnvTokenActiveSpy.mockReturnValue(true);
     // Set env var directly — getActiveEnvVarName() reads env vars via getEnvToken()
+    // Clear SENTRY_AUTH_TOKEN so SENTRY_TOKEN takes priority
+    const savedAuthToken = process.env.SENTRY_AUTH_TOKEN;
+    delete process.env.SENTRY_AUTH_TOKEN;
     process.env.SENTRY_TOKEN = "sntrys_token_456";
 
     const { context } = createContext();
@@ -99,6 +102,9 @@ describe("refreshCommand.func", () => {
       expect((err as AuthError).message).not.toContain("SENTRY_AUTH_TOKEN");
     } finally {
       delete process.env.SENTRY_TOKEN;
+      if (savedAuthToken !== undefined) {
+        process.env.SENTRY_AUTH_TOKEN = savedAuthToken;
+      }
     }
 
     expect(refreshTokenSpy).not.toHaveBeenCalled();

test/commands/auth/whoami.test.ts

@@ -84,6 +84,26 @@ describe("whoamiCommand.func", () => {
   });
 
   describe("unauthenticated", () => {
+    let getAuthConfigSpy: ReturnType<typeof spyOn>;
+    let savedAuthToken: string | undefined;
+
+    beforeEach(() => {
+      // Clear env token and mock getAuthConfig so buildCommand's auth guard
+      // sees no credentials — this tests the unauthenticated path end-to-end.
+      savedAuthToken = process.env.SENTRY_AUTH_TOKEN;
+      delete process.env.SENTRY_AUTH_TOKEN;
+      getAuthConfigSpy = spyOn(dbAuth, "getAuthConfig").mockReturnValue(
+        undefined
+      );
+    });
+
+    afterEach(() => {
+      getAuthConfigSpy.mockRestore();
+      if (savedAuthToken !== undefined) {
+        process.env.SENTRY_AUTH_TOKEN = savedAuthToken;
+      }
+    });
+
     test("throws AuthError(not_authenticated) when no token stored", async () => {
       isAuthenticatedSpy.mockReturnValue(false);
 

test/commands/project/list.test.ts

@@ -969,8 +969,17 @@ describe("fetchOrgProjectsSafe", () => {
   test("propagates AuthError when not authenticated", async () => {
     // Clear auth token so the API client throws AuthError before making any request
     await clearAuth();
-
-    await expect(fetchOrgProjectsSafe("myorg")).rejects.toThrow(AuthError);
+    // Also clear env token — preload sets a fake one for the auth guard
+    const savedAuthToken = process.env.SENTRY_AUTH_TOKEN;
+    delete process.env.SENTRY_AUTH_TOKEN;
+
+    try {
+      await expect(fetchOrgProjectsSafe("myorg")).rejects.toThrow(AuthError);
+    } finally {
+      if (savedAuthToken !== undefined) {
+        process.env.SENTRY_AUTH_TOKEN = savedAuthToken;
+      }
+    }
   });
 });
 
@@ -1233,14 +1242,23 @@ describe("handleAutoDetect", () => {
     setDefaults("test-org");
     // Clear auth so getAuthToken() throws AuthError before any fetch
     await clearAuth();
-
-    await expect(
-      handleAutoDetect("/tmp/test-project", {
-        limit: 30,
-        json: true,
-        fresh: false,
-      })
-    ).rejects.toThrow(AuthError);
+    // Also clear env token — preload sets a fake one for the auth guard
+    const savedAuthToken = process.env.SENTRY_AUTH_TOKEN;
+    delete process.env.SENTRY_AUTH_TOKEN;
+
+    try {
+      await expect(
+        handleAutoDetect("/tmp/test-project", {
+          limit: 30,
+          json: true,
+          fresh: false,
+        })
+      ).rejects.toThrow(AuthError);
+    } finally {
+      if (savedAuthToken !== undefined) {
+        process.env.SENTRY_AUTH_TOKEN = savedAuthToken;
+      }
+    }
   });
 
   test("slow path: uses full fetch when platform filter is active", async () => {

test/lib/api-client.test.ts

@@ -107,6 +107,17 @@ function createMockFetch(
 describe("401 retry behavior", () => {
   // Note: These tests use rawApiRequest which goes to control silo (sentry.io)
   // and supports 401 retry with token refresh.
+  // Clear preload SENTRY_AUTH_TOKEN so the DB-stored token is used.
+  let savedAuthToken: string | undefined;
+  beforeEach(() => {
+    savedAuthToken = process.env.SENTRY_AUTH_TOKEN;
+    delete process.env.SENTRY_AUTH_TOKEN;
+  });
+  afterEach(() => {
+    if (savedAuthToken !== undefined) {
+      process.env.SENTRY_AUTH_TOKEN = savedAuthToken;
+    }
+  });
 
   test("retries request with new token on 401 response", async () => {
     const requests: RequestLog[] = [];