feat(cache): write consent-revoked envelopes in retry format

Consent-revoked envelopes were cached as `<uuid>.envelope` which
`sentry__retry_send()` skips (filename ≤45 chars). Write them in
retry format (`<ts>-<count>-<uuid>.envelope`) so they're picked up
when consent is later given.

- Add `retry_count` param to `write_envelope()`, `sentry__run_write_cache()`,
  and `sentry__run_move_cache()`: >= 0 produces retry format, -1 plain format
- Add lock-free consent check to `sentry__retry_send()` using stored
  `user_consent` pointer (same pattern as the batcher)
- Make `sentry__retry_write_envelope` static; remove from public header
- Skip `sentry__capture_envelope()` in `process_old_runs` when consent missing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: jpnurmi

src/sentry_database.c

@@ -369,8 +369,9 @@ sentry__process_old_runs(const sentry_options_t *options, uint64_t last_crash)
             continue;
         }
 
+        bool consent_missing = sentry__should_skip_upload();
         bool can_cache = options->cache_keep
-            && (sentry__should_skip_upload() || !options->http_retry
+            && (consent_missing || !options->http_retry
                 || !sentry__transport_can_retry(options->transport));
 
         sentry_pathiter_t *run_iter = sentry__path_iter_directory(run_dir);
@@ -415,11 +416,14 @@ sentry__process_old_runs(const sentry_options_t *options, uint64_t last_crash)
                     }
                 }
             } else if (sentry__path_ends_with(file, ".envelope")) {
-                sentry_envelope_t *envelope = sentry__envelope_from_path(file);
-                sentry__capture_envelope(options->transport, envelope);
-
+                if (!consent_missing) {
+                    sentry_envelope_t *envelope
+                        = sentry__envelope_from_path(file);
+                    sentry__capture_envelope(options->transport, envelope);
+                }
                 if (can_cache
-                    && sentry__run_move_cache(options->run, file, -1)) {
+                    && sentry__run_move_cache(
+                        options->run, file, consent_missing ? 0 : -1)) {
                     continue;
                 }
             }

src/sentry_retry.c

@@ -28,6 +28,7 @@ typedef enum {
 struct sentry_retry_s {
     sentry_run_t *run;
     bool cache_keep;
+    long *user_consent;
     uint64_t startup_time;
     volatile long state;
     volatile long scheduled;
@@ -49,6 +50,8 @@ sentry__retry_new(const sentry_options_t *options)
     sentry__mutex_init(&retry->sealed_lock);
     retry->run = sentry__run_incref(options->run);
     retry->cache_keep = options->cache_keep;
+    retry->user_consent
+        = options->require_user_consent ? (long *)&options->user_consent : NULL;
     retry->startup_time = sentry__usec_time() / 1000;
     return retry;
 }
@@ -141,6 +144,12 @@ size_t
 sentry__retry_send(sentry_retry_t *retry, uint64_t before,
     sentry_retry_send_func_t send_cb, void *data)
 {
+    if (retry->user_consent
+        && sentry__atomic_fetch(retry->user_consent)
+            != SENTRY_USER_CONSENT_GIVEN) {
+        return 0;
+    }
+
     sentry_pathiter_t *piter
         = sentry__path_iter_directory(retry->run->cache_path);
     if (!piter) {

tests/unit/test_cache.c

@@ -3,6 +3,7 @@
 #include "sentry_envelope.h"
 #include "sentry_options.h"
 #include "sentry_path.h"
+#include "sentry_retry.h"
 #include "sentry_testsupport.h"
 #include "sentry_uuid.h"
 #include "sentry_value.h"
@@ -73,20 +74,24 @@ SENTRY_TEST(cache_keep)
         sentry_envelope_write_to_path(envelope, old_envelope_path) == 0);
     sentry_envelope_free(envelope);
 
-    sentry_path_t *cached_envelope_path
-        = sentry__path_join_str(cache_path, envelope_filename);
-    TEST_ASSERT(!!cached_envelope_path);
-
     TEST_ASSERT(sentry__path_is_file(old_envelope_path));
-    TEST_ASSERT(!sentry__path_is_file(cached_envelope_path));
 
     sentry__process_old_runs(options, 0);
 
     TEST_ASSERT(!sentry__path_is_file(old_envelope_path));
-    TEST_ASSERT(sentry__path_is_file(cached_envelope_path));
+
+    int count = 0;
+    sentry_pathiter_t *iter = sentry__path_iter_directory(cache_path);
+    const sentry_path_t *entry;
+    while (iter && (entry = sentry__pathiter_next(iter)) != NULL) {
+        if (sentry__path_ends_with(entry, ".envelope")) {
+            count++;
+        }
+    }
+    sentry__pathiter_free(iter);
+    TEST_CHECK_INT_EQUAL(count, 1);
 
     sentry__path_free(old_envelope_path);
-    sentry__path_free(cached_envelope_path);
     sentry__path_free(old_run_path);
     sentry__path_free(cache_path);
     sentry_free(envelope_filename);
@@ -328,15 +333,22 @@ SENTRY_TEST(cache_consent_revoked)
         sentry_value_new_message_event(SENTRY_LEVEL_INFO, "test", "revoked"));
 
     int count = 0;
+    bool is_retry_format = false;
     sentry_pathiter_t *iter = sentry__path_iter_directory(cache_path);
     const sentry_path_t *entry;
     while (iter && (entry = sentry__pathiter_next(iter)) != NULL) {
         if (sentry__path_ends_with(entry, ".envelope")) {
             count++;
+            uint64_t ts;
+            int attempt;
+            const char *uuid;
+            is_retry_format = sentry__parse_cache_filename(
+                sentry__path_filename(entry), &ts, &attempt, &uuid);
         }
     }
     sentry__pathiter_free(iter);
     TEST_CHECK_INT_EQUAL(count, 1);
+    TEST_CHECK(is_retry_format);
 
     sentry__path_free(cache_path);
     sentry_close();
@@ -413,21 +425,32 @@ SENTRY_TEST(cache_consent_revoked_old_run)
         sentry_envelope_write_to_path(envelope, old_envelope_path) == 0);
     sentry_envelope_free(envelope);
 
-    sentry_path_t *cached_envelope_path
-        = sentry__path_join_str(cache_path, envelope_filename);
-    TEST_ASSERT(!!cached_envelope_path);
-
     TEST_ASSERT(sentry__path_is_file(old_envelope_path));
-    TEST_ASSERT(!sentry__path_is_file(cached_envelope_path));
 
     sentry__process_old_runs(options, 0);
 
     TEST_ASSERT(!sentry__path_is_file(old_envelope_path));
-    TEST_ASSERT(sentry__path_is_file(cached_envelope_path));
     TEST_ASSERT(!sentry__path_is_dir(old_run_path));
 
+    int count = 0;
+    bool is_retry_format = false;
+    sentry_pathiter_t *iter = sentry__path_iter_directory(cache_path);
+    const sentry_path_t *entry;
+    while (iter && (entry = sentry__pathiter_next(iter)) != NULL) {
+        if (sentry__path_ends_with(entry, ".envelope")) {
+            count++;
+            uint64_t ts;
+            int attempt;
+            const char *uuid;
+            is_retry_format = sentry__parse_cache_filename(
+                sentry__path_filename(entry), &ts, &attempt, &uuid);
+        }
+    }
+    sentry__pathiter_free(iter);
+    TEST_CHECK_INT_EQUAL(count, 1);
+    TEST_CHECK(is_retry_format);
+
     sentry__path_free(old_envelope_path);
-    sentry__path_free(cached_envelope_path);
     sentry__path_free(old_run_path);
     sentry__path_free(cache_path);
     sentry_free(envelope_filename);

tests/unit/test_retry.c

@@ -460,3 +460,48 @@ SENTRY_TEST(retry_trigger)
     sentry__retry_free(retry);
     sentry_close();
 }
+
+SENTRY_TEST(retry_consent)
+{
+#if defined(SENTRY_PLATFORM_NX) || defined(SENTRY_PLATFORM_PS)
+    SKIP_TEST();
+#endif
+    SENTRY_TEST_OPTIONS_NEW(options);
+    sentry_options_set_dsn(options, "https://foo@sentry.invalid/42");
+    sentry_options_set_http_retry(options, true);
+    sentry_options_set_require_user_consent(options, true);
+    sentry_init(options);
+    sentry_user_consent_revoke();
+
+    sentry_retry_t *retry = sentry__retry_new(options);
+    TEST_ASSERT(!!retry);
+
+    const sentry_path_t *cache_path = options->run->cache_path;
+    sentry__path_remove_all(cache_path);
+    sentry__path_create_dir_all(cache_path);
+
+    uint64_t old_ts
+        = sentry__usec_time() / 1000 - 10 * sentry__retry_backoff(0);
+    sentry_uuid_t event_id = sentry_uuid_new_v4();
+    write_retry_file(options->run, old_ts, 0, &event_id);
+
+    TEST_CHECK_INT_EQUAL(count_envelope_files(cache_path), 1);
+
+    // consent revoked: retry_send returns 0 without calling send_cb
+    retry_test_ctx_t ctx = { 200, 0 };
+    size_t remaining = sentry__retry_send(retry, 0, test_send_cb, &ctx);
+    TEST_CHECK_INT_EQUAL(ctx.count, 0);
+    TEST_CHECK_INT_EQUAL(remaining, 0);
+    TEST_CHECK_INT_EQUAL(count_envelope_files(cache_path), 1);
+
+    // give consent: retry_send sends and removes the file
+    sentry_user_consent_give();
+    ctx = (retry_test_ctx_t) { 200, 0 };
+    remaining = sentry__retry_send(retry, UINT64_MAX, test_send_cb, &ctx);
+    TEST_CHECK_INT_EQUAL(ctx.count, 1);
+    TEST_CHECK_INT_EQUAL(remaining, 0);
+    TEST_CHECK_INT_EQUAL(count_envelope_files(cache_path), 0);
+
+    sentry__retry_free(retry);
+    sentry_close();
+}

tests/unit/tests.inc

@@ -173,6 +173,7 @@ XX(read_write_envelope_to_invalid_path)
 XX(recursive_paths)
 XX(retry_backoff)
 XX(retry_cache)
+XX(retry_consent)
 XX(retry_filename)
 XX(retry_result)
 XX(retry_session)