Merge branch 'getsentry:master' into patch-2

Author: tonal

.agents/skills/code-review/SKILL.md

@@ -0,0 +1,102 @@
+---
+name: code-review
+description: Perform code reviews following Sentry engineering practices. Use when reviewing pull requests, examining code changes, or providing feedback on code quality. Covers security, performance, testing, and design review.
+---
+
+# Sentry Code Review
+
+Follow these guidelines when reviewing code for Sentry projects.
+
+## Review Checklist
+
+### Identifying Problems
+
+Look for these issues in code changes:
+
+- **Runtime errors**: Potential exceptions, null pointer issues, out-of-bounds access
+- **Performance**: Unbounded O(n²) operations, N+1 queries, unnecessary allocations
+- **Side effects**: Unintended behavioral changes affecting other components
+- **Backwards compatibility**: Breaking API changes without migration path
+- **ORM queries**: Complex Django ORM with unexpected query performance
+- **Security vulnerabilities**: Injection, XSS, access control gaps, secrets exposure
+
+### Design Assessment
+
+- Do component interactions make logical sense?
+- Does the change align with existing project architecture?
+- Are there conflicts with current requirements or goals?
+
+### Test Coverage
+
+Every PR should have appropriate test coverage:
+
+- Functional tests for business logic
+- Integration tests for component interactions
+- End-to-end tests for critical user paths
+
+Verify tests cover actual requirements and edge cases. Avoid excessive branching or looping in test code.
+
+### Long-Term Impact
+
+Flag for senior engineer review when changes involve:
+
+- Database schema modifications
+- API contract changes
+- New framework or library adoption
+- Performance-critical code paths
+- Security-sensitive functionality
+
+## Feedback Guidelines
+
+### Tone
+
+- Be polite and empathetic
+- Provide actionable suggestions, not vague criticism
+- Phrase as questions when uncertain: "Have you considered...?"
+
+### Approval
+
+- Approve when only minor issues remain
+- Don't block PRs for stylistic preferences
+- Remember: the goal is risk reduction, not perfect code
+
+## Common Patterns to Flag
+
+### Python/Django
+
+```python
+# Bad: N+1 query
+for user in users:
+    print(user.profile.name)  # Separate query per user
+
+# Good: Prefetch related
+users = User.objects.prefetch_related('profile')
+```
+
+### TypeScript/React
+
+```typescript
+// Bad: Missing dependency in useEffect
+useEffect(() => {
+  fetchData(userId);
+}, []);  // userId not in deps
+
+// Good: Include all dependencies
+useEffect(() => {
+  fetchData(userId);
+}, [userId]);
+```
+
+### Security
+
+```python
+# Bad: SQL injection risk
+cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
+
+# Good: Parameterized query
+cursor.execute("SELECT * FROM users WHERE id = %s", [user_id])
+```
+
+## References
+
+- [Sentry Code Review Guidelines](https://develop.sentry.dev/engineering-practices/code-review/)

.agents/skills/find-bugs/SKILL.md

@@ -0,0 +1,75 @@
+---
+name: find-bugs
+description: Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit code on the current branch.
+---
+
+# Find Bugs
+
+Review changes on this branch for bugs, security vulnerabilities, and code quality issues.
+
+## Phase 1: Complete Input Gathering
+
+1. Get the FULL diff: `git diff $(gh repo view --json defaultBranchRef --jq '.defaultBranchRef.name')...HEAD`
+2. If output is truncated, read each changed file individually until you have seen every changed line
+3. List all files modified in this branch before proceeding
+
+## Phase 2: Attack Surface Mapping
+
+For each changed file, identify and list:
+
+* All user inputs (request params, headers, body, URL components)
+* All database queries
+* All authentication/authorization checks
+* All session/state operations
+* All external calls
+* All cryptographic operations
+
+## Phase 3: Security Checklist (check EVERY item for EVERY file)
+
+* [ ] **Injection**: SQL, command, template, header injection
+* [ ] **XSS**: All outputs in templates properly escaped?
+* [ ] **Authentication**: Auth checks on all protected operations?
+* [ ] **Authorization/IDOR**: Access control verified, not just auth?
+* [ ] **CSRF**: State-changing operations protected?
+* [ ] **Race conditions**: TOCTOU in any read-then-write patterns?
+* [ ] **Session**: Fixation, expiration, secure flags?
+* [ ] **Cryptography**: Secure random, proper algorithms, no secrets in logs?
+* [ ] **Information disclosure**: Error messages, logs, timing attacks?
+* [ ] **DoS**: Unbounded operations, missing rate limits, resource exhaustion?
+* [ ] **Business logic**: Edge cases, state machine violations, numeric overflow?
+
+## Phase 4: Verification
+
+For each potential issue:
+
+* Check if it's already handled elsewhere in the changed code
+* Search for existing tests covering the scenario
+* Read surrounding context to verify the issue is real
+
+## Phase 5: Pre-Conclusion Audit
+
+Before finalizing, you MUST:
+
+1. List every file you reviewed and confirm you read it completely
+2. List every checklist item and note whether you found issues or confirmed it's clean
+3. List any areas you could NOT fully verify and why
+4. Only then provide your final findings
+
+## Output Format
+
+**Prioritize**: security vulnerabilities > bugs > code quality
+
+**Skip**: stylistic/formatting issues
+
+For each issue:
+
+* **File:Line** - Brief description
+* **Severity**: Critical/High/Medium/Low
+* **Problem**: What's wrong
+* **Evidence**: Why this is real (not already fixed, no existing test, etc.)
+* **Fix**: Concrete suggestion
+* **References**: OWASP, RFCs, or other standards if applicable
+
+If you find nothing significant, say so - don't invent issues.
+
+Do not make changes - just report findings. I'll decide what to address.

.agents/skills/security-review/LICENSE

@@ -0,0 +1,22 @@
+The reference material in this skill is derived from the OWASP Cheat Sheet Series.
+
+Source: https://cheatsheetseries.owasp.org/
+OWASP Foundation: https://owasp.org/
+
+Original content is licensed under:
+
+Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
+https://creativecommons.org/licenses/by-sa/4.0/
+
+You are free to:
+- Share — copy and redistribute the material in any medium or format
+- Adapt — remix, transform, and build upon the material for any purpose,
+  even commercially
+
+Under the following terms:
+- Attribution — You must give appropriate credit, provide a link to the
+  license, and indicate if changes were made.
+- ShareAlike — If you remix, transform, or build upon the material, you
+  must distribute your contributions under the same license as the original.
+
+Full license text: https://creativecommons.org/licenses/by-sa/4.0/legalcode