feat(cache): scope response cache per active identity (#785) (#788)

## Summary

Cached GET responses now live in per-identity namespaces so switching
accounts never serves another user's data. `buildCacheKey(method, url)`
internally mixes in a fingerprint of the active bearer identity,
producing distinct cache files per account for the same URL.

**Identity fingerprint** — a memoized 16-char MD5 hex of `kind|secret`,
derived (in order) from:

- **OAuth** — the stored `refresh_token`. Hourly access-token rotation
keeps the same refresh_token, so the cache stays hot across refreshes.
If the OAuth server DOES rotate the refresh_token on refresh (per spec,
allowed), the fingerprint changes and the cache naturally re-populates
under the new identity.
- **Env token** — the raw `SENTRY_AUTH_TOKEN` / `SENTRY_TOKEN` value.
Env tokens don't rotate, so hashing the token is equivalent to hashing a
stable identity.
- **No token** — sentinel `"<anon>"` (angle brackets can't appear in a
real hex fingerprint, so no collision with a computed hash is possible).

Memoization is reset on `setAuthToken` and `clearAuth`. OAuth refresh
goes through `setAuthToken` so the fingerprint rotates correctly. MD5 is
intentional: this is a cache namespace, not authentication — collisions
are benign (two colliding identities would share cache space, like the
anonymous case). CodeQL flagged this as a weak-crypto/insufficient-hash
finding; dismissed as "won't fix" with context.

This fixes the stale-data bugs reported in #785:

- **#3** `auth whoami` no longer returns the previous user after `auth
login` / env-token swap.
- **#2** Post-mutation cache staleness is now bounded to a single
identity rather than leaking across accounts.

**Mutation hooks call `invalidateCachedResponsesMatching` for
same-identity freshness:**
`project create`, `project delete`, `issue resolve`, `issue unresolve`,
`issue merge` all flush the relevant detail and list endpoints
immediately. The sweep gates on an `identity` field persisted in every
cache entry so one identity's mutation can't evict another identity's
cache on a shared cache directory.

**Cache-key / query-param correctness:** `getIssue` / `getIssueInOrg`
pass `?collapse=stats&collapse=lifetime&...` so cached URLs carry query
strings. Using exact-match `invalidateCachedResponse(<base url without
params>)` would silently miss them. Mutation paths now use prefix-sweep
(`invalidateCachedResponsesMatching`) on the trailing-slash base URL —
which catches every cached variant regardless of query params.

**URL-construction helper:** Introduced `buildApiUrl(regionUrl,
...segments)` in `api/infrastructure.ts` to replace repeated
`${base}/api/0/path/${encodeURIComponent(slug)}/` template-string
building. Per-segment encoding means a slug containing a literal `/`
(rare but possible) now produces a correctly-encoded URL instead of a
silently-broken one.

Cache-invalidation helpers in `api/issues.ts` and `api/projects.ts` are
contractually no-throw — a post-mutation DB/FS failure inside the helper
can't turn a successful mutation into a user-visible error.

**Circular import note:** `db/auth.ts` previously imported
`clearResponseCache` statically; now that `response-cache.ts` imports
`getIdentityFingerprint` from `db/auth.ts`, that's resolved via a
dynamic `await import()` inside the (already-async) `clearAuth()`.

## Test plan

- `bun test test/lib/db/auth.test.ts` — `getIdentityFingerprint`
coverage: stability across OAuth access-token rotation, distinct
fingerprints per env token / per OAuth session, `SENTRY_FORCE_ENV_TOKEN`
switching the source, `kind`-prefix isolation (env/oauth with same
secret produce distinct fingerprints), expired access-only token
fall-through to env.
- `bun test test/lib/response-cache.test.ts` — identity isolation (two
different auth states never share a cache key for the same URL;
`invalidateCachedResponsesMatching` leaves other identities' cached
entries alone) plus a regression test for the query-param-variant case.
- `bun test test/lib/api/infrastructure.test.ts` — `buildApiUrl`
composition, trailing-slash normalization, reserved-char encoding
(slash, space), and the zero-segments edge case.
- `bun run typecheck`, `bun run lint` — clean.
- Full unit suite: 5527 passing.

Part of #785 (addresses items #2, #3, and half of #7 — the other half is
fixed by a Sentry backend change).

Author: BYK

AGENTS.md

@@ -165,6 +165,27 @@ export async function getOrgSdkConfig(orgSlug: string) {
   return getSdkConfig(regionUrl);
 }
 
+/**
+ * Build a full Sentry API URL from a region base and path segments.
+ *
+ * Each segment is passed through `encodeURIComponent`, so callers can
+ * pass user-supplied slugs directly without worrying about slashes,
+ * spaces, or other reserved characters. The `/api/0/` prefix and the
+ * required trailing slash are added automatically.
+ *
+ * @example
+ *   buildApiUrl(regionUrl, "organizations", orgSlug, "projects")
+ *   // → `${regionUrl.replace(/\/$/,"")}/api/0/organizations/<org>/projects/`
+ */
+export function buildApiUrl(regionUrl: string, ...segments: string[]): string {
+  const base = regionUrl.endsWith("/") ? regionUrl.slice(0, -1) : regionUrl;
+  if (segments.length === 0) {
+    return `${base}/api/0/`;
+  }
+  const path = segments.map(encodeURIComponent).join("/");
+  return `${base}/api/0/${path}/`;
+}
+
 /**
  * Extract the value of a named attribute from a Link header segment.
  * Parses `key="value"` pairs using string operations instead of regex

src/lib/api/infrastructure.ts

@@ -12,11 +12,14 @@ import type { SentryIssue } from "../../types/index.js";
 import { applyCustomHeaders } from "../custom-headers.js";
 import { ApiError, ValidationError } from "../errors.js";
 import { resolveOrgRegion } from "../region.js";
+import { invalidateCachedResponsesMatching } from "../response-cache.js";
+import { getApiBaseUrl } from "../sentry-client.js";
 
 import {
   API_MAX_PER_PAGE,
   apiRequest,
   apiRequestToRegion,
+  buildApiUrl,
   getOrgSdkConfig,
   MAX_PAGINATION_PAGES,
   type PaginatedResponse,
@@ -554,6 +557,7 @@ export async function updateIssueStatus(
   if (options?.statusDetails) {
     body.statusDetails = options.statusDetails;
   }
+
   if (options?.orgSlug) {
     // Region-aware org-scoped endpoint — preferred when org is known.
     const regionUrl = await resolveOrgRegion(options.orgSlug);
@@ -562,13 +566,22 @@ export async function updateIssueStatus(
       `/organizations/${encodeURIComponent(options.orgSlug)}/issues/${encodeURIComponent(issueId)}/`,
       { method: "PUT", body }
     );
+    await invalidateIssueCaches(regionUrl, options.orgSlug, issueId);
     return data;
   }
-  // Legacy global endpoint — works without org but not region-aware.
-  return apiRequest<SentryIssue>(`/issues/${encodeURIComponent(issueId)}/`, {
-    method: "PUT",
-    body,
-  });
+
+  // Legacy global endpoint — works without org but not region-aware,
+  // so we can only flush the legacy issue-detail URL. Region-scoped
+  // lists age out via their TTL. Prefix-sweep (not exact-match)
+  // because `getIssue` caches under `.../issues/{id}/?collapse=...`.
+  const legacyData = await apiRequest<SentryIssue>(
+    `/issues/${encodeURIComponent(issueId)}/`,
+    { method: "PUT", body }
+  );
+  await invalidateCachedResponsesMatching(
+    buildApiUrl(getApiBaseUrl(), "issues", issueId)
+  );
+  return legacyData;
 }
 
 /** Result of a successful issue-merge operation. */
@@ -612,6 +625,15 @@ export async function mergeIssues(
       method: "PUT",
       body: { merge: 1 },
     });
+    // Flush detail caches for every affected ID (detail-only avoids
+    // N+1 list scans) then sweep the org-wide list once.
+    const affectedIds = data.merge.children.toSpliced(0, 0, data.merge.parent);
+    await Promise.all(
+      affectedIds.map((id) =>
+        invalidateIssueDetailCaches(regionUrl, orgSlug, id)
+      )
+    );
+    await invalidateOrgIssueList(regionUrl, orgSlug);
     return data.merge;
   } catch (error) {
     // The bulk-mutate endpoint returns 204 when no matching issues are
@@ -671,3 +693,77 @@ export async function getSharedIssue(
 
   return (await response.json()) as { groupID: string };
 }
+
+/**
+ * Flush both the org-scoped and legacy detail endpoints for one issue,
+ * including all `collapse` query-param variants (`getIssueInOrg` caches
+ * responses under URLs like `.../issues/{id}/?collapse=stats&...` so
+ * exact-match invalidation would miss them). Does NOT sweep the
+ * org-wide list — callers must call {@link invalidateOrgIssueList}
+ * once per operation. Never throws.
+ */
+async function invalidateIssueDetailCaches(
+  regionUrl: string,
+  orgSlug: string,
+  issueId: string
+): Promise<void> {
+  try {
+    await Promise.all([
+      invalidateCachedResponsesMatching(
+        buildApiUrl(regionUrl, "organizations", orgSlug, "issues", issueId)
+      ),
+      // Legacy `/api/0/issues/{id}/` is stored under the non-region base
+      // (see `apiRequest` → `getApiBaseUrl`), NOT the org's region URL.
+      invalidateCachedResponsesMatching(
+        buildApiUrl(getApiBaseUrl(), "issues", issueId)
+      ),
+    ]);
+  } catch {
+    /* best-effort: mutation already succeeded upstream */
+  }
+}
+
+/**
+ * Flush detail + list caches for one issue. Use for single-issue
+ * mutations (resolve, unresolve); batch mutations should use the
+ * detail-only helper plus one final {@link invalidateOrgIssueList}.
+ *
+ * Minor redundancy: the org-scoped half of
+ * {@link invalidateIssueDetailCaches} is already a prefix of the
+ * {@link invalidateOrgIssueList} sweep. Accepted because the helpers
+ * are each also used solo elsewhere, and the extra directory walk is
+ * negligible.
+ *
+ * Never throws.
+ */
+async function invalidateIssueCaches(
+  regionUrl: string,
+  orgSlug: string,
+  issueId: string
+): Promise<void> {
+  try {
+    await Promise.all([
+      invalidateIssueDetailCaches(regionUrl, orgSlug, issueId),
+      invalidateOrgIssueList(regionUrl, orgSlug),
+    ]);
+  } catch {
+    /* best-effort: mutation already succeeded upstream */
+  }
+}
+
+/**
+ * Sweep every paginated variant of the org's issue-list endpoint.
+ * Never throws.
+ */
+async function invalidateOrgIssueList(
+  regionUrl: string,
+  orgSlug: string
+): Promise<void> {
+  try {
+    await invalidateCachedResponsesMatching(
+      buildApiUrl(regionUrl, "organizations", orgSlug, "issues")
+    );
+  } catch {
+    /* best-effort: mutation already succeeded upstream */
+  }
+}

src/lib/api/issues.ts

@@ -25,13 +25,19 @@ import { cacheProjectsForOrg } from "../db/project-cache.js";
 import { getCachedOrganizations } from "../db/regions.js";
 import { type AuthGuardSuccess, withAuthGuard } from "../errors.js";
 import { logger } from "../logger.js";
+import { resolveOrgRegion } from "../region.js";
+import {
+  invalidateCachedResponse,
+  invalidateCachedResponsesMatching,
+} from "../response-cache.js";
 import { getApiBaseUrl } from "../sentry-client.js";
 import { buildProjectUrl } from "../sentry-urls.js";
 import { isAllDigits } from "../utils.js";
 
 import {
   API_MAX_PER_PAGE,
   apiRequestToRegion,
+  buildApiUrl,
   getOrgSdkConfig,
   MAX_PAGINATION_PAGES,
   ORG_FANOUT_CONCURRENCY,
@@ -166,6 +172,7 @@ export async function createProject(
     body,
   });
   const data = unwrapResult(result, "Failed to create project");
+  await invalidateOrgProjectCache(orgSlug);
   return data as unknown as SentryProject;
 }
 
@@ -215,6 +222,46 @@ export async function deleteProject(
     },
   });
   unwrapResult(result, "Failed to delete project");
+  await invalidateProjectCaches(orgSlug, projectSlug);
+}
+
+/**
+ * Flush the project-detail GET and the org-wide project list so
+ * follow-up `project list` / `project view` reads don't see the
+ * deleted project. Never throws.
+ */
+async function invalidateProjectCaches(
+  orgSlug: string,
+  projectSlug: string
+): Promise<void> {
+  try {
+    const regionUrl = await resolveOrgRegion(orgSlug);
+    await Promise.all([
+      invalidateCachedResponse(
+        buildApiUrl(regionUrl, "projects", orgSlug, projectSlug)
+      ),
+      invalidateCachedResponsesMatching(
+        buildApiUrl(regionUrl, "organizations", orgSlug, "projects")
+      ),
+    ]);
+  } catch {
+    /* best-effort: mutation already succeeded */
+  }
+}
+
+/**
+ * Sweep every paginated variant of the org's project-list endpoint.
+ * Used by `project create`. Never throws.
+ */
+async function invalidateOrgProjectCache(orgSlug: string): Promise<void> {
+  try {
+    const regionUrl = await resolveOrgRegion(orgSlug);
+    await invalidateCachedResponsesMatching(
+      buildApiUrl(regionUrl, "organizations", orgSlug, "projects")
+    );
+  } catch {
+    /* best-effort: mutation already succeeded */
+  }
 }
 
 /** Result of searching for projects by slug across all organizations. */

src/lib/api/projects.ts

@@ -2,8 +2,8 @@
  * Authentication credential storage (single-row table pattern).
  */
 
+import { createHash } from "node:crypto";
 import { getEnv } from "../env.js";
-import { clearResponseCache } from "../response-cache.js";
 import { withDbSpan } from "../telemetry.js";
 import { getDatabase } from "./index.js";
 import { clearAllIssueOrgCache } from "./issue-org-cache.js";
@@ -221,6 +221,9 @@ export function setAuthToken(
       ["id"]
     );
   });
+  // Auth row changed — drop the memoized fingerprint so the next
+  // `getIdentityFingerprint()` call reflects the new row.
+  resetIdentityFingerprintCache();
 }
 
 export async function clearAuth(): Promise<void> {
@@ -235,10 +238,11 @@ export async function clearAuth(): Promise<void> {
     db.query("DELETE FROM pagination_cursors").run();
     clearAllIssueOrgCache();
   });
+  resetIdentityFingerprintCache();
 
-  // Clear cached API responses — they are tied to the current user's permissions.
-  // Awaited so cache is fully removed before the process exits.
+  // Dynamic import avoids the auth→response-cache→auth cycle.
   try {
+    const { clearResponseCache } = await import("../response-cache.js");
     await clearResponseCache();
   } catch {
     // Non-fatal: cache directory may not exist yet
@@ -250,6 +254,88 @@ export function isAuthenticated(): boolean {
   return !!token;
 }
 
+/** Fingerprint returned when no token is present (logged out, no env var). */
+export const ANON_IDENTITY = "<anon>";
+
+/** Memoized fingerprint. Identity doesn't change within a single CLI run. */
+let cachedFingerprint: string | undefined;
+
+/**
+ * Opaque fingerprint of the active bearer identity, used to namespace
+ * response-cache keys so entries never leak across accounts. Mirrors
+ * `getAuthConfig` precedence: forced env token > stored OAuth
+ * (refresh_token preferred for stability across access-token rotation,
+ * falling through expired access-only rows) > env token > anonymous.
+ *
+ * Memoized. Reset on every mutation point (`setAuthToken`,
+ * `clearAuth`), so both the common case (OAuth access-token refresh
+ * with a stable refresh_token — fingerprint unchanged in practice)
+ * and the uncommon case (server-rotated refresh_token — fingerprint
+ * changes, cache naturally re-populates under the new identity) work
+ * correctly. Tests that mutate auth state between cases call
+ * {@link resetIdentityFingerprintCache}.
+ */
+export function getIdentityFingerprint(): string {
+  if (cachedFingerprint === undefined) {
+    cachedFingerprint = computeIdentityFingerprint();
+  }
+  return cachedFingerprint;
+}
+
+/** Reset the memoized fingerprint. Tests only — call between auth-state mutations. */
+export function resetIdentityFingerprintCache(): void {
+  cachedFingerprint = undefined;
+}
+
+function computeIdentityFingerprint(): string {
+  // Forced env-token: matches what `refreshToken()` will actually send.
+  if (getEnv().SENTRY_FORCE_ENV_TOKEN?.trim()) {
+    const envToken = getRawEnvToken();
+    if (envToken) {
+      return hashIdentity("env", envToken);
+    }
+  }
+
+  const row = withDbSpan("getIdentityFingerprint", () => {
+    const db = getDatabase();
+    return db
+      .query("SELECT token, refresh_token, expires_at FROM auth WHERE id = 1")
+      .get() as
+      | {
+          token: string | null;
+          refresh_token: string | null;
+          expires_at: number | null;
+        }
+      | undefined;
+  });
+  // Prefer refresh_token: stable across access-token rotation.
+  if (row?.refresh_token) {
+    return hashIdentity("oauth", row.refresh_token);
+  }
+  // Access-only row: skip if expired (mirrors getAuthConfig).
+  if (row?.token && !(row.expires_at && Date.now() > row.expires_at)) {
+    return hashIdentity("oauth-access", row.token);
+  }
+
+  const envToken = getRawEnvToken();
+  if (envToken) {
+    return hashIdentity("env", envToken);
+  }
+  return ANON_IDENTITY;
+}
+
+/**
+ * 16-char MD5 hex of `kind|secret`. Not used for auth — just a cheap
+ * cache namespace. Collisions are benign (identities would share a
+ * cache slot, same as the anonymous case).
+ */
+function hashIdentity(kind: string, secret: string): string {
+  return createHash("md5")
+    .update(`${kind}|${secret}`)
+    .digest("hex")
+    .slice(0, 16);
+}
+
 /**
  * Check if usable OAuth credentials are stored in the database.
  *

src/lib/db/auth.ts

@@ -141,6 +141,8 @@ export function migrateFromJson(db: Database): void {
 
   try {
     if (oldConfig.auth?.token) {
+      // Direct write (not via setAuthToken) — safe only because migration
+      // runs during DB bootstrap, before getIdentityFingerprint() memoizes.
       db.query(`
         INSERT OR REPLACE INTO auth (id, token, refresh_token, expires_at, issued_at, updated_at)
         VALUES (1, ?, ?, ?, ?, ?)