feat(cache): cache consent-revoked envelopes

When user consent is revoked, write envelopes to <database>/cache/
instead of discarding them, so they are picked up by the retry module
when consent is later given. Caching is conditional on the cache_keep
option being enabled.

- Modify sentry__capture_envelope() to cache instead of discard
- Guard sentry__capture_envelope() against NULL session_envelope
  in process_old_runs
- Add consent check to sentry__retry_send() via stored
  require_user_consent bool and db->user_consent atomic read

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jpnurmi

examples/example.c

@@ -694,6 +694,9 @@ main(int argc, char **argv)
     if (has_arg(argc, argv, "log-attributes")) {
         sentry_options_set_logs_with_attributes(options, true);
     }
+    if (has_arg(argc, argv, "require-user-consent")) {
+        sentry_options_set_require_user_consent(options, true);
+    }
     if (has_arg(argc, argv, "cache-keep")) {
         sentry_options_set_cache_keep(options, true);
         sentry_options_set_cache_max_size(options, 4 * 1024 * 1024); // 4 MB
@@ -758,6 +761,13 @@ main(int argc, char **argv)
         return EXIT_FAILURE;
     }
 
+    if (has_arg(argc, argv, "user-consent-give")) {
+        sentry_user_consent_give();
+    }
+    if (has_arg(argc, argv, "user-consent-revoke")) {
+        sentry_user_consent_revoke();
+    }
+
     if (has_arg(argc, argv, "set-global-attribute")) {
         sentry_set_attribute("global.attribute.bool",
             sentry_value_new_attribute(sentry_value_new_bool(true), NULL));

src/sentry_core.c

@@ -502,13 +502,19 @@ void
 sentry__capture_envelope(
     sentry_transport_t *transport, sentry_envelope_t *envelope)
 {
-    bool has_consent = !sentry__should_skip_upload();
-    if (!has_consent) {
-        SENTRY_INFO("discarding envelope due to missing user consent");
-        sentry_envelope_free(envelope);
+    if (!sentry__should_skip_upload()) {
+        sentry__transport_send_envelope(transport, envelope);
         return;
     }
-    sentry__transport_send_envelope(transport, envelope);
+    bool cached = false;
+    SENTRY_WITH_OPTIONS (options) {
+        if (options->cache_keep) {
+            cached = sentry__run_write_cache(options->run, envelope, 0);
+        }
+    }
+    SENTRY_INFO(cached ? "caching envelope due to missing user consent"
+                       : "discarding envelope due to missing user consent");
+    sentry_envelope_free(envelope);
 }
 
 void

src/sentry_database.c

@@ -438,7 +438,9 @@ sentry__process_old_runs(const sentry_options_t *options, uint64_t last_crash)
     }
     sentry__pathiter_free(db_iter);
 
-    sentry__capture_envelope(options->transport, session_envelope);
+    if (session_envelope) {
+        sentry__capture_envelope(options->transport, session_envelope);
+    }
 }
 
 // Cache Pruning below is based on prune_crash_reports.cc from Crashpad

src/sentry_retry.c

@@ -28,6 +28,7 @@ typedef enum {
 struct sentry_retry_s {
     sentry_run_t *run;
     bool cache_keep;
+    long *user_consent;
     uint64_t startup_time;
     volatile long state;
     volatile long scheduled;
@@ -48,6 +49,8 @@ sentry__retry_new(const sentry_options_t *options)
     sentry__mutex_init(&retry->sealed_lock);
     retry->run = sentry__run_incref(options->run);
     retry->cache_keep = options->cache_keep;
+    retry->user_consent
+        = options->require_user_consent ? (long *)&options->user_consent : NULL;
     retry->startup_time = sentry__usec_time() / 1000;
     return retry;
 }
@@ -142,6 +145,12 @@ size_t
 sentry__retry_send(sentry_retry_t *retry, uint64_t before,
     sentry_retry_send_func_t send_cb, void *data)
 {
+    if (retry->user_consent
+        && sentry__atomic_fetch(retry->user_consent)
+            != SENTRY_USER_CONSENT_GIVEN) {
+        return 0;
+    }
+
     sentry_pathiter_t *piter
         = sentry__path_iter_directory(retry->run->cache_path);
     if (!piter) {

tests/test_integration_cache.py

@@ -263,3 +263,76 @@ def test_cache_max_items_with_retry(cmake, backend, unreachable_dsn):
     assert cache_dir.exists()
     cache_files = list(cache_dir.glob("*.envelope"))
     assert len(cache_files) <= 5
+
+
+def test_cache_consent_revoked(cmake, unreachable_dsn):
+    """With consent revoked and cache_keep, envelopes are cached to disk."""
+    tmp_path = cmake(["sentry_example"], {"SENTRY_BACKEND": "none"})
+    cache_dir = tmp_path.joinpath(".sentry-native/cache")
+    env = dict(os.environ, SENTRY_DSN=unreachable_dsn)
+
+    run(
+        tmp_path,
+        "sentry_example",
+        [
+            "log",
+            "cache-keep",
+            "require-user-consent",
+            "user-consent-revoke",
+            "capture-event",
+            "flush",
+        ],
+        env=env,
+    )
+
+    assert cache_dir.exists()
+    cache_files = list(cache_dir.glob("*.envelope"))
+    assert len(cache_files) == 1
+
+
+def test_cache_consent_revoked_no_cache_keep(cmake, unreachable_dsn):
+    """With consent revoked but no cache_keep, envelopes are discarded."""
+    tmp_path = cmake(["sentry_example"], {"SENTRY_BACKEND": "none"})
+    cache_dir = tmp_path.joinpath(".sentry-native/cache")
+    env = dict(os.environ, SENTRY_DSN=unreachable_dsn)
+
+    run(
+        tmp_path,
+        "sentry_example",
+        [
+            "log",
+            "require-user-consent",
+            "user-consent-revoke",
+            "capture-event",
+            "flush",
+        ],
+        env=env,
+    )
+
+    assert not cache_dir.exists() or len(list(cache_dir.glob("*.envelope"))) == 0
+
+
+def test_cache_consent_given_sends(cmake, httpserver):
+    """With consent given, envelopes are sent normally."""
+    from . import make_dsn
+
+    tmp_path = cmake(["sentry_example"], {"SENTRY_BACKEND": "none"})
+    env = dict(os.environ, SENTRY_DSN=make_dsn(httpserver))
+
+    httpserver.expect_request("/api/123456/envelope/").respond_with_data("OK")
+
+    run(
+        tmp_path,
+        "sentry_example",
+        [
+            "log",
+            "cache-keep",
+            "require-user-consent",
+            "user-consent-give",
+            "capture-event",
+            "flush",
+        ],
+        env=env,
+    )
+
+    assert len(httpserver.log) >= 1

tests/unit/test_cache.c

@@ -3,7 +3,7 @@
 #include "sentry_envelope.h"
 #include "sentry_options.h"
 #include "sentry_path.h"
-#include "sentry_string.h"
+#include "sentry_retry.h"
 #include "sentry_testsupport.h"
 #include "sentry_uuid.h"
 #include "sentry_value.h"
@@ -310,6 +310,83 @@ SENTRY_TEST(cache_max_items_with_retry)
     sentry_close();
 }
 
+SENTRY_TEST(cache_consent_revoked)
+{
+#if defined(SENTRY_PLATFORM_NX) || defined(SENTRY_PLATFORM_PS)
+    SKIP_TEST();
+#endif
+    SENTRY_TEST_OPTIONS_NEW(options);
+    sentry_options_set_dsn(options, "https://foo@sentry.invalid/42");
+    sentry_options_set_cache_keep(options, true);
+    sentry_options_set_require_user_consent(options, true);
+    sentry_init(options);
+    sentry_user_consent_revoke();
+
+    sentry_path_t *cache_path
+        = sentry__path_join_str(options->database_path, "cache");
+    TEST_ASSERT(!!cache_path);
+    sentry__path_remove_all(cache_path);
+
+    sentry_capture_event(
+        sentry_value_new_message_event(SENTRY_LEVEL_INFO, "test", "revoked"));
+
+    int count = 0;
+    bool is_retry_format = false;
+    sentry_pathiter_t *iter = sentry__path_iter_directory(cache_path);
+    const sentry_path_t *entry;
+    while (iter && (entry = sentry__pathiter_next(iter)) != NULL) {
+        if (sentry__path_ends_with(entry, ".envelope")) {
+            count++;
+            uint64_t ts;
+            int attempt;
+            const char *uuid;
+            is_retry_format = sentry__parse_cache_filename(
+                sentry__path_filename(entry), &ts, &attempt, &uuid);
+        }
+    }
+    sentry__pathiter_free(iter);
+    TEST_CHECK_INT_EQUAL(count, 1);
+    TEST_CHECK(is_retry_format);
+
+    sentry__path_free(cache_path);
+    sentry_close();
+}
+
+SENTRY_TEST(cache_consent_revoked_nocache)
+{
+#if defined(SENTRY_PLATFORM_NX) || defined(SENTRY_PLATFORM_PS)
+    SKIP_TEST();
+#endif
+    SENTRY_TEST_OPTIONS_NEW(options);
+    sentry_options_set_dsn(options, "https://foo@sentry.invalid/42");
+    sentry_options_set_cache_keep(options, false);
+    sentry_options_set_require_user_consent(options, true);
+    sentry_init(options);
+    sentry_user_consent_revoke();
+
+    sentry_path_t *cache_path
+        = sentry__path_join_str(options->database_path, "cache");
+    TEST_ASSERT(!!cache_path);
+    sentry__path_remove_all(cache_path);
+
+    sentry_capture_event(
+        sentry_value_new_message_event(SENTRY_LEVEL_INFO, "test", "revoked"));
+
+    int count = 0;
+    sentry_pathiter_t *iter = sentry__path_iter_directory(cache_path);
+    const sentry_path_t *entry;
+    while (iter && (entry = sentry__pathiter_next(iter)) != NULL) {
+        if (sentry__path_ends_with(entry, ".envelope")) {
+            count++;
+        }
+    }
+    sentry__pathiter_free(iter);
+    TEST_CHECK_INT_EQUAL(count, 0);
+
+    sentry__path_free(cache_path);
+    sentry_close();
+}
+
 SENTRY_TEST(cache_max_size_and_age)
 {
 #if defined(SENTRY_PLATFORM_NX) || defined(SENTRY_PLATFORM_PS)

tests/unit/test_retry.c

@@ -489,3 +489,48 @@ SENTRY_TEST(retry_trigger)
     sentry__retry_free(retry);
     sentry_close();
 }
+
+SENTRY_TEST(retry_consent)
+{
+#if defined(SENTRY_PLATFORM_NX) || defined(SENTRY_PLATFORM_PS)
+    SKIP_TEST();
+#endif
+    SENTRY_TEST_OPTIONS_NEW(options);
+    sentry_options_set_dsn(options, "https://foo@sentry.invalid/42");
+    sentry_options_set_http_retry(options, true);
+    sentry_options_set_require_user_consent(options, true);
+    sentry_init(options);
+    sentry_user_consent_revoke();
+
+    sentry_retry_t *retry = sentry__retry_new(options);
+    TEST_ASSERT(!!retry);
+
+    const sentry_path_t *cache_path = options->run->cache_path;
+    sentry__path_remove_all(cache_path);
+    sentry__path_create_dir_all(cache_path);
+
+    uint64_t old_ts
+        = sentry__usec_time() / 1000 - 10 * sentry__retry_backoff(0);
+    sentry_uuid_t event_id = sentry_uuid_new_v4();
+    write_retry_file(options->run, old_ts, 0, &event_id);
+
+    TEST_CHECK_INT_EQUAL(count_envelope_files(cache_path), 1);
+
+    // consent revoked: retry_send returns 0 without calling send_cb
+    retry_test_ctx_t ctx = { 200, 0 };
+    size_t remaining = sentry__retry_send(retry, 0, test_send_cb, &ctx);
+    TEST_CHECK_INT_EQUAL(ctx.count, 0);
+    TEST_CHECK_INT_EQUAL(remaining, 0);
+    TEST_CHECK_INT_EQUAL(count_envelope_files(cache_path), 1);
+
+    // give consent: retry_send sends and removes the file
+    sentry_user_consent_give();
+    ctx = (retry_test_ctx_t) { 200, 0 };
+    remaining = sentry__retry_send(retry, UINT64_MAX, test_send_cb, &ctx);
+    TEST_CHECK_INT_EQUAL(ctx.count, 1);
+    TEST_CHECK_INT_EQUAL(remaining, 0);
+    TEST_CHECK_INT_EQUAL(count_envelope_files(cache_path), 0);
+
+    sentry__retry_free(retry);
+    sentry_close();
+}

tests/unit/tests.inc

@@ -40,6 +40,8 @@ XX(bgworker_flush)
 XX(bgworker_task_delay)
 XX(breadcrumb_without_type_or_message_still_valid)
 XX(build_id_parser)
+XX(cache_consent_revoked)
+XX(cache_consent_revoked_nocache)
 XX(cache_keep)
 XX(cache_max_age)
 XX(cache_max_items)
@@ -197,6 +199,7 @@ XX(read_write_envelope_to_invalid_path)
 XX(recursive_paths)
 XX(retry_backoff)
 XX(retry_cache)
+XX(retry_consent)
 XX(retry_filename)
 XX(retry_make_cache_path)
 XX(retry_result)