@tanagram/cli 0.4.18 → 0.4.20

package/commands/config.go

@@ -1,15 +1,21 @@
 package commands
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/getsentry/sentry-go"
 )
 
 // ConfigClaude sets up the Claude Code hook in the specified settings file
-func ConfigClaude(settingsPath string) error {
+func ConfigClaude(ctx context.Context, settingsPath string) error {
+	span := sentry.StartSpan(ctx, "command.config_claude")
+	defer span.Finish()
+
 	settings, err := loadConfig(settingsPath)
 	if err != nil {
 		return fmt.Errorf("failed to load Claude settings: %w", err)
@@ -127,7 +133,9 @@ func ConfigClaude(settingsPath string) error {
 }
 
 // ConfigCursor sets up the Cursor hook in the specified settings file
-func ConfigCursor(hooksPath string) error {
+func ConfigCursor(ctx context.Context, hooksPath string) error {
+	span := sentry.StartSpan(ctx, "command.config_cursor")
+	defer span.Finish()
 
 	hooksConfig, err := loadConfig(hooksPath)
 	if err != nil {
@@ -222,7 +230,10 @@ func ConfigCursor(hooksPath string) error {
 }
 
 // ConfigList shows where Tanagram hooks are installed
-func ConfigList() error {
+func ConfigList(ctx context.Context) error {
+	span := sentry.StartSpan(ctx, "command.config_list")
+	defer span.Finish()
+
 	// Check user settings (~/.claude/settings.json)
 	userSettingsPath, err := GetHomeConfigPath(".claude", "settings.json")
 	if err != nil {
@@ -526,7 +537,7 @@ func printCursorHookStatus(status CursorHookStatus, path string) {
 // ensureClaudeConfigured checks if Claude Code hooks are configured,
 // and automatically sets them up if not. This is called on first run
 // of commands that need Claude Code integration.
-func ensureClaudeConfigured() error {
+func ensureClaudeConfigured(ctx context.Context) error {
 	settingsPath, err := GetHomeConfigPath(".claude", "settings.json")
 	if err != nil {
 		// Silently skip if we can't get home dir - not critical
@@ -543,7 +554,7 @@ func ensureClaudeConfigured() error {
 	// If file doesn't exist or hooks aren't configured, set them up
 	if !status.FileExists || !status.SessionStartHookExists || !status.StopHookExists {
 		fmt.Println("Setting up Claude Code integration...")
-		if err := ConfigClaude(settingsPath); err != nil {
+		if err := ConfigClaude(ctx, settingsPath); err != nil {
 			// Don't fail the command if hook setup fails - just warn
 			fmt.Fprintf(os.Stderr, "Warning: Failed to setup Claude Code hooks: %v\n", err)
 			fmt.Fprintf(os.Stderr, "You can manually setup hooks later with: tanagram config claude\n\n")
@@ -558,7 +569,7 @@ func ensureClaudeConfigured() error {
 // ensureCursorConfigured checks if Cursor hooks are configured,
 // and automatically sets them up if not. This is called on first run
 // of commands that need Cursor integration.
-func ensureCursorConfigured() error {
+func ensureCursorConfigured(ctx context.Context) error {
 	hooksPath, err := GetHomeConfigPath(".cursor", "hooks.json")
 	if err != nil {
 		// Silently skip if we can't get home dir - not critical
@@ -575,7 +586,7 @@ func ensureCursorConfigured() error {
 	// If file doesn't exist or hooks aren't configured, set them up
 	if !status.FileExists || !status.BeforeSubmitExists || !status.StopExists {
 		fmt.Println("Setting up Cursor integration...")
-		if err := ConfigCursor(hooksPath); err != nil {
+		if err := ConfigCursor(ctx, hooksPath); err != nil {
 			// Don't fail the command if hook setup fails - just warn
 			fmt.Fprintf(os.Stderr, "Warning: Failed to setup Cursor hooks: %v\n", err)
 			fmt.Fprintf(os.Stderr, "You can manually setup hooks later with: tanagram config cursor\n\n")
@@ -589,11 +600,11 @@ func ensureCursorConfigured() error {
 
 // EnsureHooksConfigured ensures that both Claude Code and Cursor hooks are configured.
 // This is a convenience function for commands that need both integrations.
-func EnsureHooksConfigured() error {
-	if err := ensureClaudeConfigured(); err != nil {
+func EnsureHooksConfigured(ctx context.Context) error {
+	if err := ensureClaudeConfigured(ctx); err != nil {
 		return err
 	}
-	if err := ensureCursorConfigured(); err != nil {
+	if err := ensureCursorConfigured(ctx); err != nil {
 		return err
 	}
 	return nil

package/commands/config_test.go

@@ -1,6 +1,7 @@
 package commands
 
 import (
+	"context"
 	"encoding/json"
 	"os"
 	"path/filepath"
@@ -27,7 +28,7 @@ func TestConfigClaude(t *testing.T) {
 	}()
 
 	t.Run("Create new config", func(t *testing.T) {
-		if err := ConfigClaude(settingsPath); err != nil {
+		if err := ConfigClaude(context.Background(), settingsPath); err != nil {
 			t.Fatalf("ConfigClaude() failed: %v", err)
 		}
 
@@ -43,7 +44,7 @@ func TestConfigClaude(t *testing.T) {
 
 	t.Run("Idempotency", func(t *testing.T) {
 		// Run it again (first time was in "Create new config")
-		if err := ConfigClaude(settingsPath); err != nil {
+		if err := ConfigClaude(context.Background(), settingsPath); err != nil {
 			t.Fatalf("ConfigClaude() failed on second run: %v", err)
 		}
 
@@ -96,7 +97,7 @@ func TestConfigClaude(t *testing.T) {
 			t.Fatalf("Failed to write settings: %v", err)
 		}
 
-		if err := ConfigClaude(settingsPath); err != nil {
+		if err := ConfigClaude(context.Background(), settingsPath); err != nil {
 			t.Fatalf("ConfigClaude() failed: %v", err)
 		}
 
@@ -174,7 +175,7 @@ func TestConfigClaude(t *testing.T) {
 			t.Fatalf("Failed to write settings: %v", err)
 		}
 
-		if err := ConfigClaude(settingsPath); err != nil {
+		if err := ConfigClaude(context.Background(), settingsPath); err != nil {
 			t.Fatalf("ConfigClaude() failed: %v", err)
 		}
 
@@ -234,7 +235,7 @@ func TestConfigCursor(t *testing.T) {
 	}()
 
 	t.Run("Create new config", func(t *testing.T) {
-		if err := ConfigCursor(hooksPath); err != nil {
+		if err := ConfigCursor(context.Background(), hooksPath); err != nil {
 			t.Fatalf("ConfigCursor() failed: %v", err)
 		}
 
@@ -250,7 +251,7 @@ func TestConfigCursor(t *testing.T) {
 
 	t.Run("Idempotency", func(t *testing.T) {
 		// Run it again
-		if err := ConfigCursor(hooksPath); err != nil {
+		if err := ConfigCursor(context.Background(), hooksPath); err != nil {
 			t.Fatalf("ConfigCursor() failed on second run: %v", err)
 		}
 
@@ -297,7 +298,7 @@ func TestConfigCursor(t *testing.T) {
 			t.Fatalf("Failed to write settings: %v", err)
 		}
 
-		if err := ConfigCursor(hooksPath); err != nil {
+		if err := ConfigCursor(context.Background(), hooksPath); err != nil {
 			t.Fatalf("ConfigCursor() failed: %v", err)
 		}
 
@@ -351,7 +352,7 @@ func TestConfigCursor(t *testing.T) {
 			t.Fatalf("Failed to write settings: %v", err)
 		}
 
-		if err := ConfigCursor(hooksPath); err != nil {
+		if err := ConfigCursor(context.Background(), hooksPath); err != nil {
 			t.Fatalf("ConfigCursor() failed: %v", err)
 		}
 
@@ -413,7 +414,7 @@ func TestEnsureHooksConfigured(t *testing.T) {
 	}()
 
 	t.Run("Fresh configuration", func(t *testing.T) {
-		if err := EnsureHooksConfigured(); err != nil {
+		if err := EnsureHooksConfigured(context.Background()); err != nil {
 			t.Fatalf("EnsureHooksConfigured() failed: %v", err)
 		}
 

package/commands/list.go

@@ -1,33 +1,45 @@
 package commands
 
 import (
+	"context"
 	"fmt"
 
+	"github.com/getsentry/sentry-go"
 	gitpkg "github.com/tanagram/cli/git"
 	"github.com/tanagram/cli/storage"
 )
 
 // List displays all cached policies (both local and cloud)
-func List() error {
+func List(ctx context.Context) error {
+	span := sentry.StartSpan(ctx, "command.list")
+	defer span.Finish()
+
 	// Find git root
+	findGitRootSpan := sentry.StartSpan(span.Context(), "storage.find_git_root")
 	gitRoot, err := storage.FindGitRoot()
+	findGitRootSpan.Finish()
 	if err != nil {
 		return err
 	}
 
 	// Load local cache
+	loadCacheSpan := sentry.StartSpan(span.Context(), "storage.load_cache")
 	cache, err := storage.LoadCache(gitRoot)
+	loadCacheSpan.Finish()
 	if err != nil {
 		return fmt.Errorf("failed to load cache: %w", err)
 	}
 
 	// Load local policies from cache
+	getPoliciesSpan := sentry.StartSpan(span.Context(), "cache.get_all_policies")
 	localPolicies, err := cache.GetAllPolicies()
+	getPoliciesSpan.Finish()
 	if err != nil {
 		return fmt.Errorf("failed to load local policies: %w", err)
 	}
 
 	// Try to load cloud policies for current repo
+	cloudPoliciesSpan := sentry.StartSpan(span.Context(), "storage.load_cloud_policies")
 	cloudPolicies := []storage.SimplifiedPolicy{}
 	var repoInfo *gitpkg.RepoInfo
 
@@ -40,6 +52,7 @@ func List() error {
 			cloudPolicies = repoFile.Policies
 		}
 	}
+	cloudPoliciesSpan.Finish()
 
 	// Check if we have any policies to display
 	if len(localPolicies) == 0 && len(cloudPolicies) == 0 {

package/commands/login.go

@@ -12,8 +12,11 @@ import (
 	"os"
 	"time"
 
+	"github.com/getsentry/sentry-go"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/browser"
 	"github.com/tanagram/cli/auth"
+	"github.com/tanagram/cli/utils"
 )
 
 // getWebAppURL returns the web app URL based on environment
@@ -45,7 +48,12 @@ func generateCodeChallenge(verifier string) string {
 }
 
 // Login implements the OAuth PKCE flow for CLI authentication
-func Login() error {
+func Login(ctx context.Context) error {
+	span := sentry.StartSpan(ctx, "command.login")
+	defer span.Finish()
+
+	utils.AddBreadcrumb("auth", "Starting OAuth PKCE login flow", sentry.LevelInfo, nil)
+
 	// Generate PKCE parameters
 	codeVerifier, err := generateCodeVerifier()
 	if err != nil {
@@ -301,15 +309,19 @@ func Login() error {
 	fmt.Println("Waiting for authentication...")
 
 	// Wait for callback or timeout
+	waitSpan := sentry.StartSpan(span.Context(), "auth.wait_for_callback")
 	var authCode string
 	select {
 	case authCode = <-codeChan:
 		// Success
 	case err := <-errChan:
+		waitSpan.Finish()
 		return err
 	case <-time.After(5 * time.Minute):
+		waitSpan.Finish()
 		return fmt.Errorf("authentication timeout - please try again")
 	}
+	waitSpan.Finish()
 
 	// Shutdown the callback server
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
@@ -328,9 +340,15 @@ func Login() error {
 	// Store session JWT in OS keyring
 	fmt.Println("Storing session token securely...")
 
+	storeTokenSpan := sentry.StartSpan(span.Context(), "auth.store_token")
 	if err := auth.SetAccessToken(sessionJWT); err != nil {
+		storeTokenSpan.Finish()
 		return fmt.Errorf("failed to store session token: %w", err)
 	}
+	storeTokenSpan.Finish()
+
+	// Set user context in Sentry from JWT claims
+	SetUserContextFromJWT(sessionJWT)
 
 	fmt.Println("\n✓ Successfully logged in to Tanagram")
 	fmt.Printf("Session token stored securely in OS keyring\n")
@@ -338,4 +356,42 @@ func Login() error {
 	return nil
 }
 
+type jwtClaims struct {
+	Subject string
+	Email   string
+}
+
+// SetUserContextFromJWT parses JWT claims and sets Sentry user context
+func SetUserContextFromJWT(sessionJWT string) {
+	if claims := parseJWTClaims(sessionJWT); claims != nil {
+		utils.SetUserContext(claims.Subject, claims.Email)
+		utils.AddBreadcrumb("auth", "Login successful", sentry.LevelInfo, map[string]interface{}{
+			"user_id": claims.Subject,
+		})
+	}
+}
+
+func parseJWTClaims(tokenString string) *jwtClaims {
+	parser := jwt.NewParser()
+	token, _, err := parser.ParseUnverified(tokenString, jwt.MapClaims{})
+	if err != nil {
+		return nil
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return nil
+	}
+
+	result := &jwtClaims{}
+	if sub, ok := claims["sub"].(string); ok {
+		result.Subject = sub
+	}
+	if email, ok := claims["email"].(string); ok {
+		result.Email = email
+	}
+
+	return result
+}
+
 // Removed exchangeCodeForTokens - we receive the session JWT directly from the web app

package/commands/login_test.go

@@ -0,0 +1,132 @@
+package commands
+
+import (
+	"testing"
+	"time"
+
+	"github.com/getsentry/sentry-go"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func TestParseJWTClaims(t *testing.T) {
+	t.Run("valid JWT with sub and email", func(t *testing.T) {
+		// Create a real JWT token
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+			"sub":   "user_12345",
+			"email": "test@example.com",
+			"iat":   time.Now().Unix(),
+			"exp":   time.Now().Add(time.Hour).Unix(),
+		})
+
+		// Sign with a test secret
+		tokenString, err := token.SignedString([]byte("test-secret"))
+		if err != nil {
+			t.Fatalf("Failed to sign token: %v", err)
+		}
+
+		claims := parseJWTClaims(tokenString)
+		if claims == nil {
+			t.Fatal("Expected claims, got nil")
+		}
+
+		if claims.Subject != "user_12345" {
+			t.Errorf("Expected Subject 'user_12345', got '%s'", claims.Subject)
+		}
+
+		if claims.Email != "test@example.com" {
+			t.Errorf("Expected Email 'test@example.com', got '%s'", claims.Email)
+		}
+	})
+
+	t.Run("valid JWT with only sub", func(t *testing.T) {
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+			"sub": "user_67890",
+			"iat": time.Now().Unix(),
+		})
+
+		tokenString, err := token.SignedString([]byte("test-secret"))
+		if err != nil {
+			t.Fatalf("Failed to sign token: %v", err)
+		}
+
+		claims := parseJWTClaims(tokenString)
+		if claims == nil {
+			t.Fatal("Expected claims, got nil")
+		}
+
+		if claims.Subject != "user_67890" {
+			t.Errorf("Expected Subject 'user_67890', got '%s'", claims.Subject)
+		}
+
+		if claims.Email != "" {
+			t.Errorf("Expected empty Email, got '%s'", claims.Email)
+		}
+	})
+
+	t.Run("invalid JWT string", func(t *testing.T) {
+		claims := parseJWTClaims("not-a-valid-jwt")
+		if claims != nil {
+			t.Error("Expected nil for invalid JWT, got claims")
+		}
+	})
+
+	t.Run("empty JWT string", func(t *testing.T) {
+		claims := parseJWTClaims("")
+		if claims != nil {
+			t.Error("Expected nil for empty string, got claims")
+		}
+	})
+}
+
+func TestSetUserContextFromJWT(t *testing.T) {
+	t.Run("sets user context from valid JWT", func(t *testing.T) {
+		// Channel to capture the event
+		var capturedEvent *sentry.Event
+
+		// Initialize Sentry with a transport that captures events
+		err := sentry.Init(sentry.ClientOptions{
+			Dsn:         "https://test@test.ingest.sentry.io/123",
+			Environment: "test",
+			BeforeSend: func(event *sentry.Event, hint *sentry.EventHint) *sentry.Event {
+				capturedEvent = event
+				return nil // Don't actually send
+			},
+		})
+		if err != nil {
+			t.Fatalf("Failed to initialize Sentry: %v", err)
+		}
+		defer sentry.Flush(time.Second)
+
+		// Create a real JWT with user claims
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+			"sub":   "user_abc123",
+			"email": "alice@tanagram.ai",
+			"iat":   time.Now().Unix(),
+			"exp":   time.Now().Add(time.Hour).Unix(),
+		})
+
+		tokenString, err := token.SignedString([]byte("test-secret"))
+		if err != nil {
+			t.Fatalf("Failed to sign token: %v", err)
+		}
+
+		// Call the function under test
+		SetUserContextFromJWT(tokenString)
+
+		// Capture an event to verify the user context was set
+		sentry.CaptureMessage("test event")
+		sentry.Flush(time.Second)
+
+		if capturedEvent == nil {
+			t.Fatal("Expected event to be captured")
+		}
+
+		if capturedEvent.User.ID != "user_abc123" {
+			t.Errorf("Expected user ID 'user_abc123', got '%s'", capturedEvent.User.ID)
+		}
+
+		if capturedEvent.User.Email != "alice@tanagram.ai" {
+			t.Errorf("Expected email 'alice@tanagram.ai', got '%s'", capturedEvent.User.Email)
+		}
+	})
+}