feat(cli): add sentry cli import for .sentryclirc migration (#975)

Add a one-time import path for users migrating from the old Rust-based
sentry-cli. Two complementary features:

1. `sentry cli import` — explicit command that scans for .sentryclirc
   files, shows what was found, and imports settings into SQLite with
   proper host scoping. Supports --yes (CI), --dry-run, --url (trust
   override), and --skip-validation.

2. Auto-detect middleware — when any command hits AuthError and a
   .sentryclirc token passes the trust gate, prompts to import before
   falling back to the OAuth login flow.

Security: content-based trust model (same-file rule). Token and URL
must originate from the same file — no path is inherently trusted.
SHA-256 file hashes stored at import time detect post-import tampering.
Auto-prompt disabled in CI (isatty check); project-local files excluded.

Also updates the login command's rcTokenHint to mention `sentry cli import`
as an alternative to `--token`.

Author: BYK

src/cli.ts

@@ -218,6 +218,112 @@ export async function runCli(cliArgs: string[]): Promise<void> {
     }
   };
 
+  /**
+   * Attempt to import `.sentryclirc` settings when the user is unauthenticated.
+   *
+   * Returns `"imported"` if a trusted token was found, imported, and validated.
+   * Returns `"declined"` if the user said no (marked as declined).
+   * Returns `"skip"` if no eligible files, trust gate fails, or any error.
+   */
+  async function tryRcImport(): Promise<"imported" | "declined" | "skip"> {
+    const {
+      discoverRcFiles,
+      buildImportPlan,
+      executeImport,
+      isImportNeededAsync,
+      markImportDeclined,
+    } = await import("./lib/sentryclirc-import.js");
+
+    if (!(await isImportNeededAsync())) {
+      return "skip";
+    }
+
+    const files = await discoverRcFiles(process.cwd());
+    const eligible = files.filter((f) => f.location !== "project-local");
+    if (eligible.length === 0 || !eligible.some((f) => f.token)) {
+      return "skip";
+    }
+
+    const plan = buildImportPlan(eligible);
+    if (
+      !(
+        plan.trusted &&
+        plan.effective.token &&
+        plan.newFields.includes("token")
+      )
+    ) {
+      return "skip";
+    }
+
+    const source = plan.sources.find((s) => s.token)?.path ?? "~/.sentryclirc";
+    process.stderr.write(
+      `\nFound auth token in ${source}\n` +
+        "Import settings to the new CLI? This stores your token with proper host scoping.\n\n"
+    );
+
+    const { logger: logModule } = await import("./lib/logger.js");
+    const confirmed = await logModule
+      .withTag("import")
+      .prompt("Import from .sentryclirc?", { type: "confirm", initial: true });
+
+    if (confirmed !== true) {
+      markImportDeclined();
+      return "declined";
+    }
+
+    const result = await executeImport(plan, { validateToken: true });
+    return result.imported && result.tokenValid !== false ? "imported" : "skip";
+  }
+
+  /** Log import middleware errors at an appropriate level */
+  async function logImportError(importErr: unknown): Promise<void> {
+    const { logger: logModule } = await import("./lib/logger.js");
+    const { HostScopeError: HSE } = await import("./lib/errors.js");
+    const importLog = logModule.withTag("import");
+    if (importErr instanceof HSE) {
+      importLog.warn("Import middleware error", importErr);
+    } else {
+      importLog.debug("Import middleware error", importErr);
+    }
+  }
+
+  /**
+   * `.sentryclirc` import middleware.
+   *
+   * When a command fails with `not_authenticated` and a non-project-local
+   * `.sentryclirc` file has a token that passes the same-file trust gate,
+   * offers to import it into the new CLI's SQLite store. On success, retries
+   * the command. On decline, marks as declined (never asks again) and
+   * re-throws so the auto-auth middleware can offer OAuth login instead.
+   *
+   * Only fires in interactive TTYs (disabled in CI). Project-local files
+   * are excluded to avoid prompting in every cloned repo.
+   */
+  const rcImportMiddleware: ErrorMiddleware = async (next, argv) => {
+    try {
+      await next(argv);
+    } catch (err) {
+      if (
+        err instanceof AuthError &&
+        err.reason === "not_authenticated" &&
+        !err.skipAutoAuth &&
+        isatty(0)
+      ) {
+        try {
+          const outcome = await tryRcImport();
+          if (outcome === "imported") {
+            process.stderr.write("Import successful! Retrying command...\n\n");
+            await next(argv);
+            return;
+          }
+        } catch (importErr) {
+          await logImportError(importErr);
+        }
+      }
+      throw err;
+    }
+  };
+
   /**
    * Auto-authentication middleware.
    *
@@ -269,6 +375,7 @@ export async function runCli(cliArgs: string[]): Promise<void> {
    */
   const errorMiddlewares: ErrorMiddleware[] = [
     seerTrialMiddleware,
+    rcImportMiddleware,
     autoAuthMiddleware,
   ];
 

src/commands/auth/login.ts

@@ -207,7 +207,8 @@ export function rcTokenHint(
     : ` --url ${effectiveHost}`;
   return (
     `Found a token in .sentryclirc (${rcConfig.sources.token}). ` +
-    `To skip OAuth next time: sentry auth login --token <token>${urlHint}`
+    "To import it: sentry cli import | " +
+    `To pass it directly: sentry auth login --token <token>${urlHint}`
   );
 }
 
@@ -374,6 +375,7 @@ export const loginCommand = buildCommand({
 
     refuseLoginToUntrustedHost(flags, effectiveHost, urlFromRc);
 
+    // Check if already authenticated and handle re-authentication
     if (isAuthenticated()) {
       const shouldProceed = await handleExistingAuth(flags.force);
       if (!shouldProceed) {