AndyMik90 · AndyMik90 · Feb 18, 2026 · Feb 20, 2026 · Feb 20, 2026 · coderabbitai
diff --git a/.github/workflows/beta-release.yml b/.github/workflows/beta-release.yml
@@ -107,6 +107,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Package macOS (Intel)
         run: |
@@ -119,6 +122,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Submit notarization (async)
         id: notarize
@@ -180,6 +186,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Package macOS (Apple Silicon)
         run: |
@@ -192,6 +201,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Submit notarization (async)
         id: notarize
@@ -255,6 +267,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Package Windows
         shell: bash
@@ -268,6 +283,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Azure Login (OIDC)
         if: env.AZURE_CLIENT_ID != ''
@@ -436,6 +454,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Package Linux
         run: |
@@ -446,6 +467,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Verify Linux packages
         run: cd apps/frontend && npm run verify:linux

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -62,6 +62,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Package macOS (Intel)
         run: cd apps/frontend && npm run package:mac -- --x64
@@ -72,6 +75,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Submit notarization (async)
         id: notarize
@@ -130,6 +136,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Package macOS (Apple Silicon)
         run: cd apps/frontend && npm run package:mac -- --arm64
@@ -140,6 +149,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Submit notarization (async)
         id: notarize
@@ -200,6 +212,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Package Windows
         run: cd apps/frontend && npm run package:win
@@ -210,6 +225,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Azure Login (OIDC)
         if: env.AZURE_CLIENT_ID != ''
@@ -374,6 +392,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Package Linux
         run: cd apps/frontend && npm run package:linux
@@ -382,6 +403,9 @@ jobs:
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           SENTRY_TRACES_SAMPLE_RATE: ${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}
           SENTRY_PROFILES_SAMPLE_RATE: ${{ secrets.SENTRY_PROFILES_SAMPLE_RATE }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
       - name: Verify Linux packages
         run: cd apps/frontend && npm run verify:linux

diff --git a/apps/frontend/electron.vite.config.ts b/apps/frontend/electron.vite.config.ts
@@ -1,5 +1,6 @@
 import { defineConfig, externalizeDepsPlugin } from 'electron-vite';
 import react from '@vitejs/plugin-react';
+import { sentryVitePlugin } from '@sentry/vite-plugin';
 import { resolve } from 'path';
 import { config as dotenvConfig } from 'dotenv';
 
@@ -21,38 +22,72 @@ const sentryDefines = {
   '__SENTRY_PROFILES_SAMPLE_RATE__': JSON.stringify(process.env.SENTRY_PROFILES_SAMPLE_RATE || '0.1'),
 };
 
+/**
+ * Sentry source map upload configuration.
+ *
+ * Uploads source maps during CI builds so production stack traces are readable.
+ * Only activates when SENTRY_AUTH_TOKEN is set (CI builds via GitHub secrets).
+ * Source maps are NOT shipped to users — they're uploaded to Sentry then stripped.
+ */
+const hasSentryUploadConfig = !!(
+  process.env.SENTRY_AUTH_TOKEN &&
+  process.env.SENTRY_ORG &&
+  process.env.SENTRY_PROJECT
+);
+
+function createSentryPlugin() {
+  if (!hasSentryUploadConfig) {
+    return [];
+  }
+  return [
+    sentryVitePlugin({
+      org: process.env.SENTRY_ORG,
+      project: process.env.SENTRY_PROJECT,
+      authToken: process.env.SENTRY_AUTH_TOKEN,
+      sourcemaps: {
+        filesToDeleteAfterUpload: ['**/*.js.map'],
+      },
+      telemetry: false,
+    }),
+  ];
+}
-function createSentryPlugin() {
-  if (!hasSentryUploadConfig) {
-    return [];
-  }
-  return [
-    sentryVitePlugin({
-      org: process.env.SENTRY_ORG,
-      project: process.env.SENTRY_PROJECT,
-      authToken: process.env.SENTRY_AUTH_TOKEN,
-      sourcemaps: {
-        filesToDeleteAfterUpload: ['**/*.js.map'],
-      },
-      telemetry: false,
-    }),
-  ];
-}
+function createSentryPlugin() {
+  if (!hasSentryUploadConfig) {
+    return [];
+  }
+  return [
+    sentryVitePlugin({
+      org: process.env.SENTRY_ORG!,
+      project: process.env.SENTRY_PROJECT!,
+      authToken: process.env.SENTRY_AUTH_TOKEN!,
+      sourcemaps: {
+        filesToDeleteAfterUpload: ['**/*.js.map'],
+      },
+      telemetry: false,
+    }),
+  ];
+}
-function createSentryPlugin() {
-  if (!hasSentryUploadConfig) {
-    return [];
-  }
-  return [
-    sentryVitePlugin({
-      org: process.env.SENTRY_ORG,
-      project: process.env.SENTRY_PROJECT,
-      authToken: process.env.SENTRY_AUTH_TOKEN,
-      sourcemaps: {
-        filesToDeleteAfterUpload: ['**/*.js.map'],
-      },
-      telemetry: false,
-    }),
-  ];
-}
+function createSentryPlugin() {
+  if (!hasSentryUploadConfig) {
+    return [];
+  }
+  return [
+    sentryVitePlugin({
+      org: process.env.SENTRY_ORG,
+      project: process.env.SENTRY_PROJECT,
+      authToken: process.env.SENTRY_AUTH_TOKEN,
+      sourcemaps: {
+        filesToDeleteAfterUpload: ['**/*.js.map'],
+      },
+      telemetry: false,
+      errorHandler: (err) => {
+        console.warn('[Sentry] Source map upload failed:', err.message);
+      },
+    }),
+  ];
+}
-function createSentryPlugin() {
-  if (!hasSentryUploadConfig) {
-    return [];
-  }
-  return [
-    sentryVitePlugin({
-      org: process.env.SENTRY_ORG,
-      project: process.env.SENTRY_PROJECT,
-      authToken: process.env.SENTRY_AUTH_TOKEN,
-      sourcemaps: {
-        filesToDeleteAfterUpload: ['**/*.js.map'],
-      },
-      telemetry: false,
-    }),
-  ];
-}
+function createSentryPlugin() {
+  if (!hasSentryUploadConfig) {
+    return [];
+  }
+  return [
+    sentryVitePlugin({
+      org: process.env.SENTRY_ORG!,
+      project: process.env.SENTRY_PROJECT!,
+      authToken: process.env.SENTRY_AUTH_TOKEN!,
+      sourcemaps: {
+        filesToDeleteAfterUpload: ['**/*.js.map'],
+      },
+      telemetry: false,
+    }),
+  ];
+}
-function createSentryPlugin() {
-  if (!hasSentryUploadConfig) {
-    return [];
-  }
-  return [
-    sentryVitePlugin({
-      org: process.env.SENTRY_ORG,
-      project: process.env.SENTRY_PROJECT,
-      authToken: process.env.SENTRY_AUTH_TOKEN,
-      sourcemaps: {
-        filesToDeleteAfterUpload: ['**/*.js.map'],
-      },
-      telemetry: false,
-    }),
-  ];
-}
+function createSentryPlugin() {
+  if (!hasSentryUploadConfig) {
+    return [];
+  }
+  return [
+    sentryVitePlugin({
+      org: process.env.SENTRY_ORG,
+      project: process.env.SENTRY_PROJECT,
+      authToken: process.env.SENTRY_AUTH_TOKEN,
+      sourcemaps: {
+        filesToDeleteAfterUpload: ['**/*.js.map'],
+      },
+      telemetry: false,
+      errorHandler: (err) => {
+        console.warn('[Sentry] Source map upload failed:', err.message);
+      },
+    }),
+  ];
+}
+
 export default defineConfig({
   main: {
     define: sentryDefines,
-    plugins: [externalizeDepsPlugin({
-      // Bundle these packages into the main process (they won't be in node_modules in packaged app)
-      exclude: [
-        'uuid',
-        'chokidar',
-        'dotenv',
-        'electron-log',
-        'proper-lockfile',
-        'semver',
-        'zod',
-        '@anthropic-ai/sdk',
-        'kuzu',
-        'electron-updater',
-        '@electron-toolkit/utils',
-        // Sentry and its transitive dependencies (opentelemetry -> debug -> ms)
-        '@sentry/electron',
-        '@sentry/core',
-        '@sentry/node',
-        '@sentry/utils',
-        '@opentelemetry/instrumentation',
-        'debug',
-        'ms',
-        // Minimatch for glob pattern matching in worktree handlers
-        'minimatch',
-        // XState for task state machine
-        'xstate'
-      ]
-    })],
+    plugins: [
+      externalizeDepsPlugin({
+        // Bundle these packages into the main process (they won't be in node_modules in packaged app)
+        exclude: [
+          'uuid',
+          'chokidar',
+          'dotenv',
+          'electron-log',
+          'proper-lockfile',
+          'semver',
+          'zod',
+          '@anthropic-ai/sdk',
+          'kuzu',
+          'electron-updater',
+          '@electron-toolkit/utils',
+          // Sentry and its transitive dependencies (opentelemetry -> debug -> ms)
+          '@sentry/electron',
+          '@sentry/core',
+          '@sentry/node',
+          '@sentry/utils',
+          '@opentelemetry/instrumentation',
+          'debug',
+          'ms',
+          // Minimatch for glob pattern matching in worktree handlers
+          'minimatch',
+          // XState for task state machine
+          'xstate'
+        ]
+      }),
+      ...createSentryPlugin(),
+    ],
     build: {
+      sourcemap: true,
       rollupOptions: {
         input: {
           index: resolve(__dirname, 'src/main/index.ts')
@@ -76,13 +111,14 @@ export default defineConfig({
     define: sentryDefines,
     root: resolve(__dirname, 'src/renderer'),
     build: {
+      sourcemap: true,
       rollupOptions: {
         input: {
           index: resolve(__dirname, 'src/renderer/index.html')
         }
       }
     },
-    plugins: [react()],
+    plugins: [react(), ...createSentryPlugin()],
     resolve: {
       alias: {
         '@': resolve(__dirname, 'src/renderer'),

diff --git a/apps/frontend/package.json b/apps/frontend/package.json
@@ -111,6 +111,7 @@
     "@electron-toolkit/utils": "^4.0.0",
     "@electron/rebuild": "^4.0.2",
     "@playwright/test": "^1.52.0",
+    "@sentry/vite-plugin": "^4.9.1",
     "@tailwindcss/postcss": "^4.1.17",
     "@testing-library/dom": "^10.0.0",
     "@testing-library/jest-dom": "^6.9.1",

diff --git a/apps/frontend/src/main/__tests__/sentry.test.ts b/apps/frontend/src/main/__tests__/sentry.test.ts
@@ -0,0 +1,81 @@
+/**
+ * Tests for Sentry utility functions
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import type { IpcMainInvokeEvent } from 'electron';
+
+const mockCaptureException = vi.fn();
+
+vi.mock('@sentry/electron/main', () => ({
+  init: vi.fn(),
+  addBreadcrumb: vi.fn(),
+  captureException: mockCaptureException,
+}));
+
+vi.mock('electron', () => ({
+  app: { isPackaged: false, getVersion: () => '0.0.0-test' },
+  ipcMain: { on: vi.fn(), handle: vi.fn() },
+  crashReporter: { start: vi.fn() },
+}));
+
+vi.mock('../settings-utils', () => ({
+  readSettingsFile: () => ({}),
+}));
+
+vi.mock('../../shared/constants', () => ({
+  DEFAULT_APP_SETTINGS: { sentryEnabled: true },
+}));
+
+vi.mock('../../shared/constants/ipc', () => ({
+  IPC_CHANNELS: {
+    SENTRY_STATE_CHANGED: 'sentry-state-changed',
+    GET_SENTRY_DSN: 'get-sentry-dsn',
+    GET_SENTRY_CONFIG: 'get-sentry-config',
+  },
+}));
+
+vi.mock('../../shared/utils/sentry-privacy', () => ({
+  processEvent: vi.fn((e) => e),
+  PRODUCTION_TRACE_SAMPLE_RATE: 0.1,
+}));
+
+describe('withSentryIpc', () => {
+  let withSentryIpc: typeof import('../sentry').withSentryIpc;
+  const fakeEvent = {} as IpcMainInvokeEvent;
+
+  beforeEach(async () => {
+    vi.clearAllMocks();
+    const mod = await import('../sentry');
+    withSentryIpc = mod.withSentryIpc;
+  });
-  beforeEach(async () => {
-    vi.clearAllMocks();
-    const mod = await import('../sentry');
-    withSentryIpc = mod.withSentryIpc;
-  });
+  beforeEach(async () => {
+    vi.clearAllMocks();
+    vi.resetModules();
+    const mod = await import('../sentry');
+    withSentryIpc = mod.withSentryIpc;
+  });
-  beforeEach(async () => {
-    vi.clearAllMocks();
-    const mod = await import('../sentry');
-    withSentryIpc = mod.withSentryIpc;
-  });
+  beforeEach(async () => {
+    vi.clearAllMocks();
+    vi.resetModules();
+    const mod = await import('../sentry');
+    withSentryIpc = mod.withSentryIpc;
+  });
+
+  it('passes through successful handler result', async () => {
+    const handler = vi.fn().mockResolvedValue('ok');
+    const wrapped = withSentryIpc('test-channel', handler);
+    const result = await wrapped(fakeEvent, 'arg1');
+    expect(result).toBe('ok');
+    expect(handler).toHaveBeenCalledWith(fakeEvent, 'arg1');
+  });
+
+  it('re-throws and captures exception on handler error', async () => {
+    const err = new Error('boom');
+    const handler = vi.fn().mockRejectedValue(err);
+    const wrapped = withSentryIpc('test-channel', handler);
+    await expect(wrapped(fakeEvent)).rejects.toThrow('boom');
+    expect(mockCaptureException).toHaveBeenCalledWith(
+      err,
+      { tags: { ipc_channel: 'test-channel' } }
+    );
+  });
+
+  it('tags error with the correct ipc_channel', async () => {
+    const handler = vi.fn().mockRejectedValue(new Error('fail'));
+    const wrapped = withSentryIpc('my-custom-channel', handler);
+    await expect(wrapped(fakeEvent)).rejects.toThrow('fail');
+    expect(mockCaptureException).toHaveBeenCalledWith(
+      expect.any(Error),
+      { tags: { ipc_channel: 'my-custom-channel' } }
+    );
+  });
+});