Merge pull request #21291 from getsentry/prepare-release/10.56.0

meta(changelog): Update changelog for 10.56.0

Author: Lms24

.agents/skills/linear-project-status/SKILL.md

@@ -0,0 +1,120 @@
+---
+name: linear-project-update
+description: Help the user draft and (with their explicit approval) post a status update to a Linear project they lead. Use whenever the user wants to "post a project update", "write a status update", "update my Linear project", "send a project update", or asks for help with weekly/biweekly project updates. Also trigger when the user pastes a Linear project URL and asks for an update, mentions wanting to write an update for their project, or wants help drafting a status message for stakeholders. Even when the user doesn't explicitly say "post" or "status update" — if the underlying request is "help me write an update for my Linear project", trigger this skill. The user always keeps final control of the words; this skill drafts a proposal and never posts without explicit confirmation in the same turn.
+argument-hint: <linear-project-url-or-id-or-slug-optional>
+---
+
+# Linear Project Update
+
+You are helping the user draft a status update for a Linear project they lead. The end-state is either (a) a posted update plus an optional target-date change, applied only with the user's explicit go-ahead in this turn, or (b) a draft the user takes and posts themselves.
+
+The user owns the words that go out under their name. Your job is to give them a strong starting point and clear options, then get out of the way. **Never post or change anything without explicit confirmation in this turn.**
+
+## Workflow
+
+### Step 1 — Resolve the project
+
+If the user provided a project (URL, slug, or UUID), pass whatever they gave you straight to `mcp__claude_ai_Linear__get_project` as `query` and extract the `id` (UUID) from the response. Linear's MCP accepts all three forms — don't try to parse URLs yourself.
+
+If they did not provide one, help them pick:
+
+1. **Get the current user's ID.** Call `mcp__claude_ai_Linear__get_user` with `query: "me"` and extract the `id` field. You'll need it for filtering in step 3.
+2. **List the user's projects.** Call `mcp__claude_ai_Linear__list_projects` with `member: "me"` and `orderBy: "updatedAt"`. The `member: "me"` filter returns projects the user is a member of _or_ leads — exactly the set you need, in a single call. In practice this returns a small list (usually <30 across all teams) and `hasNextPage` is false; paginate only if it isn't.
+
+   **Do not** list projects per team and filter client-side. `list_projects` has no direct `lead` filter, and big workspaces have hundreds of projects per team — paginating teams is slow, expensive, and unnecessary when `member: "me"` does the job in one call.
+
+3. **Filter to led + active projects.** From the response, keep only projects where `lead.id == <current-user-id>`. Then drop any with `status.type` of `completed` or `canceled` — updating a Done or Canceled project almost never makes sense, and surfacing them clutters the picker. (If after this filter you have zero projects, stop and tell the user; don't fabricate. Offer the URL fallback: "paste a project URL if you want to update one you don't lead.")
+4. **Fetch the last-update timestamp per project, in parallel.** The project payload doesn't carry it. For each surviving project, call `mcp__claude_ai_Linear__get_status_updates` with `type: "project", project: <uuid>, limit: 1, orderBy: "createdAt"` — all in the same turn, not sequentially.
+5. **Sort:**
+   - **In Progress / Started** first — most likely to be the target.
+   - Then other active statuses (Planned, Paused, Backlog).
+   - Within each band, put the project most likely to need an update first — typically the one with the longest gap since its last status update.
+6. **Present the list with `AskUserQuestion`.** Format each option so the user can see at a glance which projects need attention:
+
+   `<Project name> — status: <Status> · target: <YYYY-MM-DD or "—"> · last update: <X days ago or "never">`
+
+7. Once picked, continue with that project's UUID.
+
+### Step 2 — Audit project status
+
+Invoke the **`linear-project-status`** skill on the resolved project UUID. That skill produces the health verdict, top concerns, dimension breakdown, recent activity, and blocker analysis you'll need to write a useful update.
+
+Keep the audit output handy — you'll cite specifics in the proposal (e.g., "3 issues stale > 14 days", "target date in 12 days with 8 issues still open", "no movement on issues in the last 7 days"). Generic updates are useless; concrete ones build trust.
+
+### Step 3 — Gather additional context
+
+The audit tells you what Linear knows. The user knows what Linear doesn't. Ask once, broadly, rather than peppering them with separate questions:
+
+> "Anything I should know that isn't in Linear before I draft this? PTO or absences (yours or the team's), blockers, competing priorities, or general context you want stakeholders to hear. Or just say 'no' to skip."
+
+Wait for their reply. Treat any short negation as a valid skip — "no", "nope", "skip", "nothing", or an empty reply all mean "proceed without extra context". Don't re-prompt.
+
+### Step 4 — Draft the proposal
+
+Synthesize the audit + the user's context into two things: a target-date recommendation and an update body.
+
+#### Target date recommendation
+
+Recommend whatever the audit and the user's context actually support — but be cautious about small moves. A few-day push tends to signal indecision and erodes trust in the date.
+
+- **Realistic** (audit and remaining scope support it): recommend **no change**, even if the date feels a little uncomfortable. Say so explicitly: "Target stays at <date>."
+- **Unrealistic** (audit flagged target as `warn`/`bad`, or the date is already in the past): recommend a new date with real headroom given the open scope. Default to moving it out by at least a week — but if a shorter move genuinely fits the situation (e.g., a launch tied to a known external date a few days out, or the user's context makes a sub-week shift obviously right), recommend that and explain why.
+- **If you propose a sub-week move** (or the user later asks for one): flag it explicitly so they can reconsider. Something like: "This is only N days out from the current target — small moves often look like indecision. Want to either hold the date or push to <date-≥-1-week-out> instead?" Then defer to the user's call.
+
+When recommending any new date, justify it in one line tied to audit specifics: "8 of 15 issues still open with 5 days to target — propose pushing to <date>."
+
+#### Update body
+
+A good status update is:
+
+- **Short.** A few paragraphs at most. Stakeholders skim.
+- **Concrete.** "Shipped X and Y; in flight on Z; blocked on W" beats "made progress on several fronts".
+- **Honest about risks.** If the audit flagged a blocker or staleness, name it; don't paper over.
+- **Forward-looking.** What's the next deliverable and by when.
+
+Cover, in roughly this order:
+
+1. **Since the last update** — what shipped, what moved. Pull from the audit's recent-activity data and from the user-supplied context.
+2. **What's next** — the immediate next milestone or deliverable.
+3. **Risks / blockers** — name them. Use any blocker context the user provided.
+4. **Target date** — only mention if you're proposing a change, or if explicit reaffirmation is useful.
+
+**Match the user's voice.** Read the last 2–3 status updates on this project before drafting. If the user writes in conversational paragraphs, don't return a bulleted formal report. If they use bullets and headers, match that. Mismatched tone is the fastest way to make the user feel the draft isn't theirs.
+
+### Step 5 — Present and get the user's call
+
+Show both proposals together in the chat:
+
+```
+**Proposed target date:** <new date or "no change"> — <one-line reason>
+
+**Proposed update:**
+
+<draft body>
+```
+
+Then use `AskUserQuestion` to offer three choices:
+
+1. **Submit as-is** — post the update and apply the target-date change (if any).
+2. **Adjust first** — iterate on the draft with feedback, re-present, then ask again.
+3. **Stop here** — user takes the draft and handles it themselves.
+
+If they pick "Adjust first", treat it as collaborative editing, not a from-scratch rewrite. Preserve what they liked. Loop back through Step 5 after each revision.
+
+### Step 6 — Apply changes (only on explicit go-ahead)
+
+Only if the user explicitly approved in Step 5:
+
+1. If a target-date change was approved, call `mcp__claude_ai_Linear__save_project` with the new `targetDate`.
+2. Call `mcp__claude_ai_Linear__save_status_update` with the project ID and final body. Set `health` from the audit verdict (Green → `onTrack`, Yellow → `atRisk`, Red → `offTrack`); if Linear's MCP rejects those enum values, check the schema and pick the closest valid one rather than guessing repeatedly.
+3. Confirm both succeeded and link the user to the project's overview.
+
+If any call fails, surface the exact error and stop. Do not retry silently or fudge the user's understanding of what's actually in Linear.
+
+## What to never do
+
+- Post a status update or change a target date without the user's explicit "go" in this turn. A choice from earlier in the conversation does not count if the draft has since changed.
+- Move a target date by a few days "just to be safe" without flagging it. Small moves erode trust in the date; if you (or the user) propose one, explicitly surface it so they're making the call with eyes open.
+- Fabricate context — blockers, accomplishments, PTO, dates. If you don't know it, ask or omit it. Stakeholders will read this; wrong details damage the user's credibility.
+- Override the user's voice. Suggest a wording change once; if they push back, drop it.
+- Aim for comprehensive. A short, honest update beats a long one that buries the lede.

.agents/skills/linear-project-update/SKILL.md

@@ -82,6 +82,12 @@ Cross-repo searches (only when clearly relevant):
 
 **Shell safety:** Strip shell metacharacters from issue-derived search terms before use in commands.
 
+#### Changelog investigation (when a version is mentioned)
+
+If the issue states a version where the problem started (e.g. "works in 7.x, broken since 8.2.0"), **check `CHANGELOG.md`** for that version range.
+Use the **Grep** tool (pattern `^## ` on `CHANGELOG.md`) to list version headings, then use the **Read** tool to read the relevant entries. Do NOT use Bash `grep`/`head` — the native Grep/Read tools are read-only and require no extra Bash permissions in CI.
+Surface any relevant changelog delta in the triage report under **Root cause** or **Information gaps**. If nothing relevant is found, note that explicitly.
+
 ### Step 4: Related Issues & PRs
 
 - Search for duplicate or related issues: `gh api search/issues -X GET -f "q=<terms>+repo:getsentry/sentry-javascript+type:issue"` and use the **Write** tool to save the command output to `search.json` in the workspace root

.agents/skills/triage-issue/SKILL.md

@@ -121,7 +121,7 @@ def is_non_latin(c: str) -> bool:
     (r"\b(admin|developer|system)[\s_-]mode", 8, "Mode manipulation"),
 
     # Sensitive file paths (10 points) - legitimate issues rarely reference these
-    (r"(~/\.aws/|~/\.ssh/|/root/|/etc/passwd|/etc/shadow)", 10, "System credentials path"),
+    (r"(~/\.aws/|~/\.ssh/|(?<!\w)/root/|/etc/passwd|/etc/shadow)", 10, "System credentials path"),
     (r"(\.aws/credentials|id_rsa|\.ssh/id_)", 10, "Credentials file reference"),
 
     # Environment variable exfiltration (8 points)

.agents/skills/triage-issue/scripts/detect_prompt_injection.py

@@ -9,6 +9,8 @@ description: Vendor an OpenTelemetry instrumentation package into the Sentry Jav
 
 Copy upstream OTel instrumentation TypeScript source into a `vendored/` directory, remove the npm dependency, and ensure builds and tests pass. No logic changes — the vendored code must behave identically to the original.
 
+**Scope of this rule:** "No logic changes" applies **only to the initial vendoring PR**. After a package has been vendored, the `vendored/` directory is Sentry-owned source and follow-up PRs may refactor, simplify, replace upstream utilities with Sentry equivalents (e.g. `@opentelemetry/core` → `@sentry/core`), or otherwise diverge from upstream. Such cleanup is desired, not discouraged.
+
 ## 1. Research
 
 Find upstream source files:

.agents/skills/vendor-otel/SKILL.md

@@ -16,6 +16,9 @@ targets:
   - name: npm
     id: '@sentry/node-core'
     includeNames: /^sentry-node-core-\d.*\.tgz$/
+  - name: npm
+    id: '@sentry-internal/server-utils'
+    includeNames: /^sentry-internal-server-utils-\d.*\.tgz$/
   ## 1.3 Browser Utils package
   - name: npm
     id: '@sentry-internal/browser-utils'

.craft.yml

@@ -537,7 +537,7 @@ jobs:
       - name: Set up Deno
         uses: denoland/setup-deno@v2.0.4
         with:
-          deno-version: v2.1.5
+          deno-version: ${{ matrix.deno-version || 'v2.8.0' }}
       - name: Restore caches
         uses: ./.github/actions/restore-cache
         with:
@@ -984,7 +984,7 @@ jobs:
           node-version-file: 'dev-packages/e2e-tests/test-applications/${{ matrix.test-application }}/package.json'
       - name: Set up Bun
         if:
-          contains(fromJSON('["node-exports-test-app","nextjs-16-bun", "elysia-bun", "hono-4"]'),
+          contains(fromJSON('["node-exports-test-app","nextjs-16-bun", "elysia-bun", "hono-4", "bun-bytecode"]'),
           matrix.test-application)
         uses: oven-sh/setup-bun@v2
         with:
@@ -996,10 +996,12 @@ jobs:
           use-installer: true
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up Deno
-        if: matrix.test-application == 'deno' || matrix.test-application == 'deno-streamed'
+        if:
+          matrix.test-application == 'deno' || matrix.test-application == 'deno-streamed' || matrix.test-application ==
+          'deno-redis'
         uses: denoland/setup-deno@v2.0.4
         with:
-          deno-version: ${{ matrix.deno-version || 'v2.1.5' }}
+          deno-version: ${{ matrix.deno-version || 'v2.8.0' }}
       - name: Restore caches
         uses: ./.github/actions/restore-cache
         with:
@@ -1122,7 +1124,7 @@ jobs:
         if: matrix.test-application == 'deno' || matrix.test-application == 'deno-streamed'
         uses: denoland/setup-deno@v2.0.4
         with:
-          deno-version: ${{ matrix.deno-version || 'v2.1.5' }}
+          deno-version: ${{ matrix.deno-version || 'v2.8.0' }}
       - name: Restore caches
         uses: ./.github/actions/restore-cache
         with:

.github/workflows/build.yml

@@ -74,6 +74,7 @@ jobs:
             Do NOT use `python3 -c` or other inline Python in Bash, only the provided scripts are allowed.
             Do NOT attempt to delete (`rm`) temporary files you create.
           claude_args: |
+            --model claude-opus-4-8
             --max-turns 50 --allowedTools "Write,Bash(gh api *),Bash(gh pr list *),Bash(npm info *),Bash(npm ls *),Bash(python3 .claude/skills/triage-issue/scripts/post_linear_comment.py *),Bash(python3 .claude/skills/triage-issue/scripts/parse_gh_issues.py *),Bash(python3 .claude/skills/triage-issue/scripts/detect_prompt_injection.py *),Bash(python3 .claude/skills/triage-issue/scripts/write_job_summary.py *)"
 
       - name: Post triage job summary

.github/workflows/triage-issue.yml

@@ -68,6 +68,7 @@ packages/**/*.junit.xml
 # Local Claude Code settings that should not be committed
 .claude/settings.local.json
 .claude/worktrees
+.claude/scheduled_tasks.lock
 
 # Triage report
 **/triage_report.md

.gitignore

@@ -3,7 +3,7 @@
   "plugins": ["typescript", "import", "jsdoc", "vitest"],
   "rules": {
     "no-unused-vars": [
-      "warn",
+      "error",
       { "argsIgnorePattern": "^_", "varsIgnorePattern": "^_", "caughtErrorsIgnorePattern": "^_" }
     ],
 
@@ -55,7 +55,7 @@
         "typescript/prefer-optional-chain": ["error"],
         "typescript/no-redundant-type-constituents": "off",
         "typescript/restrict-template-expressions": "off",
-        "typescript/await-thenable": "warn",
+        "typescript/await-thenable": "error",
         "typescript/no-base-to-string": "off"
       }
     },