Drop CI/local-run noise from production Sentry in report_to_sentry()

The discovery CI suite runs the real script against a loopback mock
gateway on clean GitHub-hosted runners, so every scan finds zero tools
and the previously log-only Sentry paths self-report to the production
project: no_tools_found / send-failure / timeout / signal events with
zero customer impact (DISCOVERY-TOOL-SCRIPT-17 / -13 / -12 / -D; 346
events observed in 24h).

Add a before_send-style guard at the top of report_to_sentry() that
drops an event carrying a CI fingerprint, using two event-level signals
measured 0-false-positive against those issues:
  - the report target (domain) is a loopback host -- normalized through
    the stdlib socket parsers so every spelling is caught (IPv4 dotted
    quad + shorthand like 127.1, ::1 and its expanded form, IPv4-mapped
    ::ffff:127.0.0.1), plus localhost / 0.0.0.0. A real install always
    points at the customer gateway URL, never loopback; an FQDN such as
    127.example.com is not a valid IP literal so it is never matched.
  - the OS account (system_user) is a GitHub-hosted-runner account
    (runner / runneradmin).

Keyed on the event context rather than a CI env var on purpose:
report_to_sentry()'s own dedup/cap/breaker tests run under CI and must
still exercise the transport, so an env-based unconditional drop would
break them. Bare-context extract/detect emits are out of scope here; the
fix for those is source-side (don't point the production DSN at CI runs).

The guard never raises and defaults to keeping the event, so a malformed
context can never suppress a genuine customer error.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: audit

scripts/coding_discovery_tools/ai_tools_discovery.py

@@ -736,7 +736,7 @@ def create_all_tool_detectors(os_name: Optional[str] = None) -> list:
             ToolDetectorFactory.create_roo_detector(os_name),
         ]
 
-        # Add Claude Cowork detector for macOS and Windows
+        # Add Claude Cowork detector for macOS, Windows, and Linux
         claude_cowork_detector = ToolDetectorFactory.create_claude_cowork_detector(os_name)
         if claude_cowork_detector is not None:
             detectors.append(claude_cowork_detector)

scripts/coding_discovery_tools/coding_tool_factory.py

@@ -3,16 +3,20 @@
 
 Cowork is the agentic feature of the Claude Desktop app. We treat it as a
 distinct tool from Claude Code (which is the CLI). A device is considered
-to have Cowork installed if the on-disk session tree exists at:
+to have Cowork installed if BOTH:
 
-    ~/.config/Claude/local-agent-mode-sessions/
+    - A Claude Desktop installation is discoverable on disk, AND
+    - The on-disk session tree exists at
+      ~/.config/Claude/local-agent-mode-sessions/
 
 (Claude Desktop is an Electron app and follows the XDG convention of
 storing its data under ~/.config/Claude/ on Linux.)
 
-If only the app is present (Cowork never enabled / never used), there is
-nothing on disk to report so we return None. When running as root we check
-every user's home (and /root) so MDM-style deployments are covered.
+If only the app is present (Cowork never enabled / never used) there is
+nothing on disk to report, and if only the sessions tree is present (app
+uninstalled, config residue left behind) it is not a real install — in both
+cases we return None. When running as root we check every user's home (and
+/root) so MDM-style deployments are covered.
 """
 
 import logging
@@ -52,17 +56,34 @@ def detect(self) -> Optional[Dict]:
         for user_home in get_linux_user_homes():
             sessions_dir = _sessions_dir_for_user(user_home)
             try:
-                if sessions_dir.exists() and sessions_dir.is_dir():
-                    app_install = self._find_install_dir()
-                    install_path = str(app_install) if app_install else str(sessions_dir)
-                    return {
-                        "name": self.tool_name,
-                        "version": self.get_version(),
-                        "install_path": install_path,
-                    }
+                if not (sessions_dir.exists() and sessions_dir.is_dir()):
+                    continue
             except OSError as e:
                 logger.debug(f"Error checking Cowork sessions dir {sessions_dir}: {e}")
                 continue
+
+            # Require the Claude Desktop install to be present. The per-user
+            # ``~/.config/Claude`` tree (which holds the sessions dir) survives
+            # an uninstall (anthropics/claude-code#25013), so reporting on the
+            # sessions dir alone produced false positives. Gate on a real
+            # install dir.
+            app_install = self._find_install_dir()
+            if app_install is None:
+                logger.debug(
+                    "Cowork sessions present under %s but no Claude Desktop "
+                    "install found; treating as residue (not installed).",
+                    user_home,
+                )
+                continue
+
+            return {
+                "name": self.tool_name,
+                "version": self.get_version(),
+                # Report the sessions dir (consistent with the macOS detector and
+                # the central ``_detect_claude_cowork`` path). ``app_install`` is
+                # the gate, not the reported path.
+                "install_path": str(sessions_dir),
+            }
         return None
 
     def get_version(self) -> Optional[str]:
@@ -74,7 +95,9 @@ def get_version(self) -> Optional[str]:
         """
         return None
 
-    def _find_install_dir(self) -> Optional[Path]:
+    def _find_install_dir(self, user_home: Optional[Path] = None) -> Optional[Path]:
+        # ``user_home`` is accepted for a uniform call signature with the central
+        # path; Linux install dirs are machine-global so it is unused here.
         for candidate in _candidate_install_dirs():
             try:
                 if candidate.exists() and candidate.is_dir():

scripts/coding_discovery_tools/linux/claude_cowork/claude_cowork.py

@@ -25,6 +25,8 @@ class LinuxJetBrainsDetector(BaseToolDetector):
     IDE_NAME_MAPPING = {
         "IntelliJIdea": "IntelliJ IDEA",
         "IdeaIC": "IntelliJ IDEA Community",
+        "IdeaIE": "IntelliJ IDEA Educational",
+        "Aqua": "Aqua",
         "PyCharm": "PyCharm",
         "PyCharmCE": "PyCharm Community",
         "WebStorm": "WebStorm",
@@ -38,7 +40,10 @@ class LinuxJetBrainsDetector(BaseToolDetector):
         "DataSpell": "DataSpell",
     }
 
-    SKIP_FOLDERS = {"consentOptions", "PrivacyPolicy", "Toolbox"}
+    SKIP_FOLDERS = {
+        "consent", "DeviceId", "JetBrainsClient",
+        "consentOptions", "PrivacyPolicy", "Toolbox",
+    }
 
     PLUGIN_NAME_OVERRIDES = {
         "ml-llm": "JetBrains AI Assistant",
@@ -149,7 +154,7 @@ def _parse_ide_name_and_version(self, folder_name: str) -> tuple:
 
     @staticmethod
     def _detect_plan(folder_name: str) -> str:
-        if "IdeaIC" in folder_name or "PyCharmCE" in folder_name:
+        if "IdeaIC" in folder_name or "IdeaIE" in folder_name or "PyCharmCE" in folder_name:
             return "Free"
         return "Licensed"
 

scripts/coding_discovery_tools/linux/jetbrains/jetbrains.py

@@ -9,6 +9,8 @@
 
 from ...coding_tool_base import BaseToolDetector
 from ...linux_extraction_helpers import get_linux_user_homes
+from ...user_tool_detector import find_junie_binary_for_user
+from ..jetbrains.jetbrains import LinuxJetBrainsDetector
 
 logger = logging.getLogger(__name__)
 
@@ -48,22 +50,75 @@ def get_version(self) -> Optional[str]:
         return None
 
     def _detect_junie_for_user(self, user_home: Path) -> Optional[Dict]:
-        """Detect Junie installation for a specific user."""
-        junie_dir = user_home / self.JUNIE_DIR_NAME
+        """Detect Junie installation for a specific user.
 
-        if not junie_dir.exists() or not junie_dir.is_dir():
+        Gates on a real install signal — the Junie CLI binary OR the Junie
+        plugin in a JetBrains IDE — not on the ``~/.junie`` directory, which is
+        user-authored guidelines residue that survives uninstall. ``~/.junie``
+        is still used as the version source.
+        """
+        junie_bin = find_junie_binary_for_user(user_home)
+        install_path: Optional[str] = junie_bin
+
+        if not install_path:
+            install_path = self._has_junie_jetbrains_plugin(user_home)
+
+        if not install_path:
             return None
 
-        logger.debug(f"Found Junie directory at: {junie_dir}")
+        logger.debug(f"Detected Junie install signal at: {install_path}")
 
-        version = self._get_version_from_config(junie_dir)
+        version = self._get_version_from_config(user_home / self.JUNIE_DIR_NAME)
 
         return {
             "name": self.tool_name,
             "version": version or "Unknown",
-            "install_path": str(junie_dir)
+            "install_path": install_path
         }
 
+    def _has_junie_jetbrains_plugin(self, user_home: Path) -> Optional[str]:
+        """Return an install_path if the Junie plugin is present in a JetBrains
+        IDE belonging to ``user_home``, else None.
+
+        Scoping matters: ``LinuxJetBrainsDetector.detect()`` ignores ``user_home``
+        and iterates every user home internally, so calling it would attribute
+        another user's Junie plugin to whichever user is currently being scanned
+        (cross-user false positive). Instead we drive the detector's per-user
+        config-dir scan for ``user_home`` only, then enrich with plugins. The
+        JetBrains detector itself is never modified — only its existing per-user
+        methods are reused read-only.
+        """
+        try:
+            jetbrains_detector = LinuxJetBrainsDetector()
+            scoped_ides = jetbrains_detector._scan_jetbrains_config_dir(user_home)
+        except (PermissionError, OSError) as e:
+            logger.debug(f"JetBrains scan for Junie failed under {user_home}: {e}")
+            return None
+
+        for ide in scoped_ides:
+            config_path = ide.get("config_path")
+            if not self._path_under_user_home(config_path, user_home):
+                continue
+            try:
+                plugins = jetbrains_detector._get_plugins(config_path)
+            except (PermissionError, OSError) as e:
+                logger.debug(f"Plugin scan for Junie failed under {config_path}: {e}")
+                continue
+            for plugin_name in plugins:
+                if "junie" in plugin_name.lower():
+                    return config_path
+        return None
+
+    @staticmethod
+    def _path_under_user_home(config_path: Optional[str], user_home: Path) -> bool:
+        """True if ``config_path`` is inside ``user_home`` (strict scoping guard)."""
+        if not config_path:
+            return False
+        try:
+            return Path(config_path).resolve().is_relative_to(user_home.resolve())
+        except (OSError, ValueError):
+            return False
+
     def _get_version_from_config(self, junie_dir: Path) -> Optional[str]:
         """Try to extract Junie version from configuration files."""
         config_files = [
@@ -76,7 +131,7 @@ def _get_version_from_config(self, junie_dir: Path) -> Optional[str]:
                 if config_file.exists():
                     with open(config_file, 'r', encoding='utf-8') as f:
                         data = json.load(f)
-                        if 'version' in data:
+                        if isinstance(data, dict) and isinstance(data.get('version'), str):
                             return data['version']
             except (json.JSONDecodeError, OSError, PermissionError) as e:
                 logger.debug(f"Could not read config file {config_file}: {e}")

scripts/coding_discovery_tools/linux/junie/junie.py

@@ -27,6 +27,8 @@ class MacOSJetBrainsDetector(BaseToolDetector):
     IDE_NAME_MAPPING = {
         "IntelliJIdea": "IntelliJ IDEA",
         "IdeaIC": "IntelliJ IDEA Community",
+        "IdeaIE": "IntelliJ IDEA Educational",
+        "Aqua": "Aqua",
         "PyCharm": "PyCharm",
         "PyCharmCE": "PyCharm Community",
         "WebStorm": "WebStorm",
@@ -42,6 +44,7 @@ class MacOSJetBrainsDetector(BaseToolDetector):
 
     # Folders to skip when scanning JetBrains directory
     SKIP_FOLDERS = {
+        "consent", "DeviceId", "JetBrainsClient",
         "consentOptions", "PrivacyPolicy", "Toolbox",
     }
 
@@ -193,8 +196,8 @@ def _parse_ide_name_and_version(self, folder_name: str) -> tuple:
 
     @staticmethod
     def _detect_plan(folder_name: str) -> str:
-        """Return 'Free' for Community editions, 'Licensed' otherwise."""
-        if "IdeaIC" in folder_name or "PyCharmCE" in folder_name:
+        """Return 'Free' for Community/Educational editions, 'Licensed' otherwise."""
+        if "IdeaIC" in folder_name or "IdeaIE" in folder_name or "PyCharmCE" in folder_name:
             return "Free"
         return "Licensed"
 

scripts/coding_discovery_tools/macos/jetbrains/jetbrains.py

@@ -7,7 +7,9 @@
 from typing import Optional, Dict, List
 
 from ...coding_tool_base import BaseToolDetector
+from ...macos.jetbrains.jetbrains import MacOSJetBrainsDetector
 from ...macos_extraction_helpers import is_running_as_root
+from ...user_tool_detector import find_junie_binary_for_user
 
 logger = logging.getLogger(__name__)
 
@@ -56,22 +58,74 @@ def get_version(self) -> Optional[str]:
     def _detect_junie_for_user(self, user_home: Path) -> Optional[Dict]:
         """
         Detect Junie installation for a specific user.
+
+        Gates on a real install signal — the Junie CLI binary OR the Junie
+        plugin in a JetBrains IDE — not on the ``~/.junie`` directory, which is
+        user-authored guidelines residue that survives uninstall. ``~/.junie``
+        is still used as the version source.
         """
-        junie_dir = user_home / self.JUNIE_DIR_NAME
+        junie_bin = find_junie_binary_for_user(user_home)
+        install_path: Optional[str] = junie_bin
+
+        if not install_path:
+            install_path = self._has_junie_jetbrains_plugin(user_home)
 
-        if not junie_dir.exists() or not junie_dir.is_dir():
+        if not install_path:
             return None
 
-        logger.debug(f"Found Junie directory at: {junie_dir}")
+        logger.debug(f"Detected Junie install signal at: {install_path}")
 
-        version = self._get_version_from_config(junie_dir)
+        version = self._get_version_from_config(user_home / self.JUNIE_DIR_NAME)
 
         return {
             "name": self.tool_name,
             "version": version or "Unknown",
-            "install_path": str(junie_dir)
+            "install_path": install_path
         }
 
+    def _has_junie_jetbrains_plugin(self, user_home: Path) -> Optional[str]:
+        """Return an install_path if the Junie plugin is present in a JetBrains
+        IDE belonging to ``user_home``, else None.
+
+        Scoping matters: ``MacOSJetBrainsDetector.detect()`` ignores ``user_home``
+        and, under root, scans every user under ``/Users``. Calling it here would
+        attribute another user's Junie plugin to whichever user is currently
+        being scanned (cross-user false positive). Instead we drive the
+        detector's per-user config-dir scan for ``user_home`` only, then enrich
+        with plugins. The JetBrains detector itself is never modified — only its
+        existing per-user methods are reused read-only.
+        """
+        try:
+            jetbrains_detector = MacOSJetBrainsDetector()
+            scoped_ides = jetbrains_detector._scan_jetbrains_config_dir(user_home)
+        except (PermissionError, OSError) as e:
+            logger.debug(f"JetBrains scan for Junie failed under {user_home}: {e}")
+            return None
+
+        for ide in scoped_ides:
+            config_path = ide.get("config_path")
+            if not self._path_under_user_home(config_path, user_home):
+                continue
+            try:
+                plugins = jetbrains_detector._get_plugins(config_path)
+            except (PermissionError, OSError) as e:
+                logger.debug(f"Plugin scan for Junie failed under {config_path}: {e}")
+                continue
+            for plugin_name in plugins:
+                if "junie" in plugin_name.lower():
+                    return config_path
+        return None
+
+    @staticmethod
+    def _path_under_user_home(config_path: Optional[str], user_home: Path) -> bool:
+        """True if ``config_path`` is inside ``user_home`` (strict scoping guard)."""
+        if not config_path:
+            return False
+        try:
+            return Path(config_path).resolve().is_relative_to(user_home.resolve())
+        except (OSError, ValueError):
+            return False
+
     def _get_version_from_config(self, junie_dir: Path) -> Optional[str]:
         """
         Try to extract Junie version from configuration files.
@@ -87,7 +141,7 @@ def _get_version_from_config(self, junie_dir: Path) -> Optional[str]:
                     import json
                     with open(config_file, 'r', encoding='utf-8') as f:
                         data = json.load(f)
-                        if 'version' in data:
+                        if isinstance(data, dict) and isinstance(data.get('version'), str):
                             return data['version']
             except (json.JSONDecodeError, OSError, PermissionError) as e:
                 logger.debug(f"Could not read config file {config_file}: {e}")