refactor(config): migrate storage from JSON to SQLite (#89)

## Summary

Migrates CLI configuration storage from `~/.sentry/config.json` to
`~/.sentry/cli.db` (SQLite) for better concurrency safety.

## Changes

- **New `src/lib/db/` module** with separate files for each domain:
  - `schema.ts` - DDL with schema versioning
  - `auth.ts` - Token management with refresh logic
  - `defaults.ts` - Default org/project settings
  - `project-cache.ts` - Project metadata cache (7-day TTL)
  - `dsn-cache.ts` - DSN resolution cache
  - `project-aliases.ts` - Short ID alias mappings
  - `migration.ts` - One-time JSON to SQLite migration

- **SQLite configuration**:
  - WAL mode for better concurrency
  - 100ms busy timeout (fast fail for CLI responsiveness)
  - Secure file permissions (0o600)

- **Node.js compatibility**: Added `bun:sqlite` → `node:sqlite` polyfill
for npm bundle

- **Backward compatible API**: Existing `src/lib/config.ts` re-exports
from new modules

## Migration

On first run after upgrade, the CLI automatically migrates data from
`config.json` to `cli.db` and deletes the old file.

Closes #76

Author: BYK

.github/workflows/ci.yml

@@ -37,7 +37,7 @@ jobs:
         id: cache
         with:
           path: node_modules
-          key: node-modules-${{ hashFiles('bun.lock') }}
+          key: node-modules-${{ hashFiles('bun.lock', 'patches/**') }}
       - if: steps.cache.outputs.cache-hit != 'true'
         run: bun install --frozen-lockfile
       - run: bun run lint
@@ -57,7 +57,7 @@ jobs:
         id: cache
         with:
           path: node_modules
-          key: node-modules-${{ hashFiles('bun.lock') }}
+          key: node-modules-${{ hashFiles('bun.lock', 'patches/**') }}
       - if: steps.cache.outputs.cache-hit != 'true'
         run: bun install --frozen-lockfile
       - name: Unit Tests
@@ -100,7 +100,7 @@ jobs:
         id: cache
         with:
           path: node_modules
-          key: node-modules-${{ matrix.os }}-${{ hashFiles('bun.lock') }}
+          key: node-modules-${{ matrix.os }}-${{ hashFiles('bun.lock', 'patches/**') }}
       - if: steps.cache.outputs.cache-hit != 'true'
         run: bun install --frozen-lockfile
       - name: Build
@@ -133,7 +133,7 @@ jobs:
         id: cache
         with:
           path: node_modules
-          key: node-modules-${{ hashFiles('bun.lock') }}
+          key: node-modules-${{ hashFiles('bun.lock', 'patches/**') }}
       - if: steps.cache.outputs.cache-hit != 'true'
         run: bun install --frozen-lockfile
       - name: Download Linux binary
@@ -167,7 +167,7 @@ jobs:
         id: cache
         with:
           path: node_modules
-          key: node-modules-${{ hashFiles('bun.lock') }}
+          key: node-modules-${{ hashFiles('bun.lock', 'patches/**') }}
       - if: steps.cache.outputs.cache-hit != 'true'
         run: bun install --frozen-lockfile
       - name: Bundle

biome.jsonc

@@ -25,6 +25,28 @@
           }
         }
       }
+    },
+    {
+      // SQLite operations are sync but we keep async signatures for API compatibility
+      "includes": ["src/lib/db/**/*.ts"],
+      "linter": {
+        "rules": {
+          "suspicious": {
+            "useAwait": "off"
+          }
+        }
+      }
+    },
+    {
+      // db/index.ts exports db connection utilities - not a barrel file but triggers the rule
+      "includes": ["src/lib/db/index.ts"],
+      "linter": {
+        "rules": {
+          "performance": {
+            "noBarrelFile": "off"
+          }
+        }
+      }
     }
   ]
 }

script/bundle.ts

@@ -29,8 +29,38 @@ if (!SENTRY_CLIENT_ID) {
   process.exit(1);
 }
 
+// Regex patterns for esbuild plugin (must be top-level for performance)
+const BUN_SQLITE_FILTER = /^bun:sqlite$/;
+const ANY_FILTER = /.*/;
+
+// Plugin to replace bun:sqlite with our node:sqlite polyfill
+const bunSqlitePlugin: Plugin = {
+  name: "bun-sqlite-polyfill",
+  setup(pluginBuild) {
+    // Intercept imports of "bun:sqlite" and redirect to our polyfill
+    pluginBuild.onResolve({ filter: BUN_SQLITE_FILTER }, () => ({
+      path: "bun:sqlite",
+      namespace: "bun-sqlite-polyfill",
+    }));
+
+    // Provide the polyfill content
+    pluginBuild.onLoad(
+      { filter: ANY_FILTER, namespace: "bun-sqlite-polyfill" },
+      () => ({
+        contents: `
+          // Use the polyfill injected by node-polyfills.ts
+          const polyfill = globalThis.__bun_sqlite_polyfill;
+          export const Database = polyfill.Database;
+          export default polyfill;
+        `,
+        loader: "js",
+      })
+    );
+  },
+};
+
 // Configure Sentry plugin for source map uploads (production builds only)
-const plugins: Plugin[] = [];
+const plugins: Plugin[] = [bunSqlitePlugin];
 
 if (process.env.SENTRY_AUTH_TOKEN) {
   console.log("  Sentry auth token found, source maps will be uploaded");

script/node-polyfills.ts

@@ -1,19 +1,66 @@
 /**
- * Node.js polyfills for Bun APIs
- *
- * Injected at esbuild bundle time to provide Node.js-compatible
- * implementations of Bun globals. This allows the same source code
- * to run on both Bun (native) and Node.js (polyfilled).
+ * Node.js polyfills for Bun APIs. Injected at bundle time via esbuild.
  */
 import { execSync, spawn as nodeSpawn } from "node:child_process";
 import { access, readFile, writeFile } from "node:fs/promises";
+import { DatabaseSync } from "node:sqlite";
 
 import { glob } from "tinyglobby";
 
 declare global {
   var Bun: typeof BunPolyfill;
 }
 
+type SqliteValue = string | number | bigint | null | Uint8Array;
+
+/** Wraps node:sqlite StatementSync to match bun:sqlite query() API. */
+class NodeStatementPolyfill {
+  private readonly stmt: ReturnType<DatabaseSync["prepare"]>;
+
+  constructor(stmt: ReturnType<DatabaseSync["prepare"]>) {
+    this.stmt = stmt;
+  }
+
+  get(...params: SqliteValue[]): Record<string, SqliteValue> | undefined {
+    return this.stmt.get(...params) as Record<string, SqliteValue> | undefined;
+  }
+
+  all(...params: SqliteValue[]): Record<string, SqliteValue>[] {
+    return this.stmt.all(...params) as Record<string, SqliteValue>[];
+  }
+
+  run(...params: SqliteValue[]): void {
+    this.stmt.run(...params);
+  }
+}
+
+/** Wraps node:sqlite DatabaseSync to match bun:sqlite Database API. */
+class NodeDatabasePolyfill {
+  private readonly db: DatabaseSync;
+
+  constructor(path: string) {
+    // SQLite configuration (busy_timeout, foreign_keys, WAL mode) is applied
+    // via PRAGMA statements in src/lib/db/index.ts after construction
+    this.db = new DatabaseSync(path);
+  }
+
+  exec(sql: string): void {
+    this.db.exec(sql);
+  }
+
+  query(sql: string): NodeStatementPolyfill {
+    return new NodeStatementPolyfill(this.db.prepare(sql));
+  }
+
+  close(): void {
+    this.db.close();
+  }
+}
+
+const bunSqlitePolyfill = { Database: NodeDatabasePolyfill };
+(globalThis as Record<string, unknown>).__bun_sqlite_polyfill =
+  bunSqlitePolyfill;
+
 const BunPolyfill = {
   file(path: string) {
     return {
@@ -58,8 +105,6 @@ const BunPolyfill = {
     opts?: { stdout?: "pipe" | "ignore"; stderr?: "pipe" | "ignore" }
   ) {
     const [command, ...args] = cmd;
-    // Map Bun's stdout/stderr options to Node's stdio array format
-    // Currently only supports "ignore" - "pipe" would require returning streams
     const stdio: ("pipe" | "ignore")[] = [
       "ignore", // stdin
       opts?.stdout ?? "ignore",

src/commands/auth/login.ts

@@ -3,12 +3,8 @@ import type { SentryContext } from "../../context.js";
 import { listOrganizations } from "../../lib/api-client.js";
 import { openBrowser } from "../../lib/browser.js";
 import { setupCopyKeyListener } from "../../lib/clipboard.js";
-import {
-  clearAuth,
-  getConfigPath,
-  isAuthenticated,
-  setAuthToken,
-} from "../../lib/config.js";
+import { clearAuth, isAuthenticated, setAuthToken } from "../../lib/db/auth.js";
+import { getDbPath } from "../../lib/db/index.js";
 import { AuthError } from "../../lib/errors.js";
 import { muted, success } from "../../lib/formatters/colors.js";
 import { formatDuration } from "../../lib/formatters/human.js";
@@ -74,7 +70,7 @@ export const loginCommand = buildCommand({
       }
 
       stdout.write(`${success("✓")} Authenticated with API token\n`);
-      stdout.write(`  Config saved to: ${getConfigPath()}\n`);
+      stdout.write(`  Config saved to: ${getDbPath()}\n`);
       return;
     }
 
@@ -138,7 +134,7 @@ export const loginCommand = buildCommand({
       await completeOAuthFlow(tokenResponse);
 
       stdout.write(`${success("✓")} Authentication successful!\n`);
-      stdout.write(`  Config saved to: ${getConfigPath()}\n`);
+      stdout.write(`  Config saved to: ${getDbPath()}\n`);
 
       if (tokenResponse.expires_in) {
         stdout.write(

src/commands/auth/logout.ts

@@ -6,7 +6,8 @@
 
 import { buildCommand } from "@stricli/core";
 import type { SentryContext } from "../../context.js";
-import { clearAuth, getConfigPath, isAuthenticated } from "../../lib/config.js";
+import { clearAuth, isAuthenticated } from "../../lib/db/auth.js";
+import { getDbPath } from "../../lib/db/index.js";
 import { success } from "../../lib/formatters/colors.js";
 
 export const logoutCommand = buildCommand({
@@ -28,6 +29,6 @@ export const logoutCommand = buildCommand({
 
     await clearAuth();
     stdout.write(`${success("✓")} Logged out successfully.\n`);
-    stdout.write(`  Credentials removed from: ${getConfigPath()}\n`);
+    stdout.write(`  Credentials removed from: ${getDbPath()}\n`);
   },
 });

src/commands/auth/refresh.ts

@@ -6,7 +6,7 @@
 
 import { buildCommand } from "@stricli/core";
 import type { SentryContext } from "../../context.js";
-import { readConfig, refreshToken } from "../../lib/config.js";
+import { getAuthConfig, refreshToken } from "../../lib/db/auth.js";
 import { AuthError } from "../../lib/errors.js";
 import { success } from "../../lib/formatters/colors.js";
 import { formatDuration } from "../../lib/formatters/human.js";
@@ -63,8 +63,8 @@ Examples:
     const { stdout } = this;
 
     // Pre-check for refresh token availability (better error message)
-    const config = await readConfig();
-    if (!config.auth?.refreshToken && config.auth?.token) {
+    const auth = await getAuthConfig();
+    if (!auth?.refreshToken && auth?.token) {
       throw new AuthError(
         "invalid",
         "No refresh token available. You may be using a manual API token.\n" +

src/commands/auth/status.ts

@@ -8,16 +8,19 @@ import { buildCommand } from "@stricli/core";
 import type { SentryContext } from "../../context.js";
 import { listOrganizations } from "../../lib/api-client.js";
 import {
-  getConfigPath,
+  type AuthConfig,
+  getAuthConfig,
+  isAuthenticated,
+} from "../../lib/db/auth.js";
+import {
   getDefaultOrganization,
   getDefaultProject,
-  isAuthenticated,
-  readConfig,
-} from "../../lib/config.js";
+} from "../../lib/db/defaults.js";
+import { getDbPath } from "../../lib/db/index.js";
 import { AuthError } from "../../lib/errors.js";
 import { error, success } from "../../lib/formatters/colors.js";
 import { formatExpiration, maskToken } from "../../lib/formatters/human.js";
-import type { SentryConfig, Writer } from "../../types/index.js";
+import type { Writer } from "../../types/index.js";
 
 type StatusFlags = {
   readonly showToken: boolean;
@@ -28,24 +31,22 @@ type StatusFlags = {
  */
 function writeTokenInfo(
   stdout: Writer,
-  config: SentryConfig,
+  auth: AuthConfig | undefined,
   showToken: boolean
 ): void {
-  if (!config.auth?.token) {
+  if (!auth?.token) {
     return;
   }
 
-  const tokenDisplay = showToken
-    ? config.auth.token
-    : maskToken(config.auth.token);
+  const tokenDisplay = showToken ? auth.token : maskToken(auth.token);
   stdout.write(`Token: ${tokenDisplay}\n`);
 
-  if (config.auth.expiresAt) {
-    stdout.write(`Expires: ${formatExpiration(config.auth.expiresAt)}\n`);
+  if (auth.expiresAt) {
+    stdout.write(`Expires: ${formatExpiration(auth.expiresAt)}\n`);
   }
 
   // Show refresh token status
-  if (config.auth.refreshToken) {
+  if (auth.refreshToken) {
     stdout.write(`Auto-refresh: ${success("enabled")}\n`);
   } else {
     stdout.write("Auto-refresh: disabled (no refresh token)\n");
@@ -119,18 +120,18 @@ export const statusCommand = buildCommand({
   async func(this: SentryContext, flags: StatusFlags): Promise<void> {
     const { stdout, stderr } = this;
 
-    const config = await readConfig();
+    const auth = await getAuthConfig();
     const authenticated = await isAuthenticated();
 
-    stdout.write(`Config file: ${getConfigPath()}\n\n`);
+    stdout.write(`Config: ${getDbPath()}\n\n`);
 
     if (!authenticated) {
       throw new AuthError("not_authenticated");
     }
 
     stdout.write(`Status: Authenticated ${success("✓")}\n\n`);
 
-    writeTokenInfo(stdout, config, flags.showToken);
+    writeTokenInfo(stdout, auth, flags.showToken);
     await writeDefaults(stdout);
     await verifyCredentials(stdout, stderr);
   },

src/commands/issue/list.ts

@@ -9,7 +9,10 @@ import { buildCommand, numberParser } from "@stricli/core";
 import type { SentryContext } from "../../context.js";
 import { buildOrgAwareAliases } from "../../lib/alias.js";
 import { listIssues } from "../../lib/api-client.js";
-import { clearProjectAliases, setProjectAliases } from "../../lib/config.js";
+import {
+  clearProjectAliases,
+  setProjectAliases,
+} from "../../lib/db/project-aliases.js";
 import { createDsnFingerprint } from "../../lib/dsn/index.js";
 import { AuthError, ContextError } from "../../lib/errors.js";
 import {

src/commands/issue/utils.ts

@@ -10,7 +10,7 @@ import {
   getIssue,
   getIssueByShortId,
 } from "../../lib/api-client.js";
-import { getProjectByAlias } from "../../lib/config.js";
+import { getProjectByAlias } from "../../lib/db/project-aliases.js";
 import { createDsnFingerprint, detectAllDsns } from "../../lib/dsn/index.js";
 import { ContextError } from "../../lib/errors.js";
 import { getProgressMessage } from "../../lib/formatters/seer.js";