Merge remote-tracking branch 'origin/master' into jpnurmi/feat/native-metrics

Author: jpnurmi

AGENTS.md

@@ -63,3 +63,12 @@ When writing requirements in `develop-docs/`:
      This document uses key words such as "MUST", "SHOULD", and "MAY" as defined in [RFC 2119](https://www.ietf.org/rfc/rfc2119.txt) to indicate requirement levels.
    </Alert>
    ```
+
+## Plan Mode
+
+- Make the plan extremely concise. Sacrifice grammar for the sake of concision.
+- At the end of each plan, give me a list of unresolved questions to answer, if any.
+
+## Pull Request generation 
+
+Use .github/PULL_REQUEST_TEMPLATE.md and add Co-Authored-By: Claude

develop-docs/engineering-practices/ai-assisted-development.mdx

@@ -137,7 +137,7 @@ When a task spans multiple repositories, use `/add-dir` in Claude Code to add ad
 
 ### Managing Context
 
-Long sessions accumulate irrelevant context that can degrade performance. Use `/clear` between unrelated tasks to reset the context window. Use `/compact` to summarize and condense the current conversation. Give sessions descriptive names so you can `/resume` them later.
+Long sessions accumulate irrelevant context that can degrade performance. Use `/clear` between unrelated tasks to reset the context window. Use `/compact` to condense the conversation, or `/compact [instructions]` to preserve specific information like core definitions or debugging notes. Give sessions descriptive names so you can `/resume` them later.
 
 ### Todo Lists
 

develop-docs/sdk/data-model/envelope-items.mdx

@@ -260,12 +260,12 @@ Use this to explicitly link a related error in the feedback UI.
 : _UUID String, optional._ The identifier of a related Session Replay in the same
 project. Sentry uses this ID to render a Replay clip in the feedback UI.
 
-**Attaching Screenshots:**
+**Attaching Files:**
 
-You can associate screenshots with a feedback by sending image data as
+You can attach files of any type to a feedback (screenshots, logs, documents, etc.) by sending them as
 [attachment items](/sdk/data-model/envelope-items/#attachment), with `event_id`
-corresponding to the feedback item. We recommend sending the items in the same
-Envelope.
+corresponding to the feedback item. We recommend sending the attachment items in the same
+Envelope as the feedback item.
 
 **Constraints:**
 

develop-docs/sdk/expected-features/data-handling.mdx

@@ -13,6 +13,12 @@ In the event that API returns data considered PII, we guard that behind a flag c
 This is an option in the SDK called [_send-default-pii_](https://docs.sentry.io/platforms/python/configuration/options/#send-default-pii)
 and is **disabled by default**. That means that data that is naturally sensitive is not sent by default.
 
+<Alert level="info">
+
+When a user manually sets the data on the scope (user, contexts, tags, data, request, response, etc.), this data should not be gated by the _Send Default PII_ flag and should always be attached to all outgoing telemetry. This also applies to the data that the user manually sets on a span, log, metric and other types of telemetry (directly or, for example, via `BeforeSend`).
+
+</Alert>
+
 Certain sensitive data must never be sent through SDK instrumentation, regardless of any configuration:
 
 - HTTP Headers: The keys of known sensitive headers are added, while their values must be replaced with `"[Filtered]"`.
@@ -26,7 +32,6 @@ Some examples of data guarded by `send_default_pii: false`:
 - When attaching data of HTTP requests and/or responses to events
   - Request Body: "raw" HTTP bodies (bodies which cannot be parsed as JSON or FormData) are removed
   - HTTP Headers: header values, containing information about the user are replaced with `"[Filtered]"`
-  - _Note_ that if a user explicitly sets a request on the scope, nothing is stripped from that request. The above rules only apply to integrations that come with the SDK.
 - User-specific information (e.g. the current user ID according to the used web-framework) is not collected and therefore not sent at all.
 - On desktop applications
   - The username logged in the device is not included. This is often a person's name.

develop-docs/sdk/expected-features/environment-variables.mdx

@@ -0,0 +1,76 @@
+---
+title: Environment Variables
+sidebar_order: 10
+description: >-
+  Common environment variables that Sentry SDKs should support for configuration
+  without code changes.
+---
+
+<Alert>
+This document uses key words such as "MUST", "SHOULD", and "MAY" as defined in [RFC 2119](https://www.ietf.org/rfc/rfc2119.txt) to indicate requirement levels.
+</Alert>
+
+Sentry SDKs **SHOULD** support a set of common environment variables that allow users to configure SDK behavior without modifying their code. This is particularly useful for containerized deployments, serverless environments, or when users need to adjust settings without redeploying their application.
+
+## Supported Environment Variables
+
+The following environment variables **SHOULD** be supported across Sentry server-side SDKs:
+
+| Variable | Description |
+|----------|-------------|
+| `SENTRY_DSN` | The Data Source Name that tells the SDK where to send events. |
+| `SENTRY_RELEASE` | The release version of the application. Used to associate events with source maps and track regressions. |
+| `SENTRY_ENVIRONMENT` | The environment name, such as `production`, `staging`, or `development`. |
+| `SENTRY_SAMPLE_RATE` | Controls the percentage of error events sent to Sentry (0.0 to 1.0). |
+| `SENTRY_TRACES_SAMPLE_RATE` | Controls the percentage of transactions sent for tracing (0.0 to 1.0). |
+| `SENTRY_PROFILES_SAMPLE_RATE` | Controls the percentage of transactions that include profiling data (0.0 to 1.0). Requires tracing to be enabled. |
+| `SENTRY_DEBUG` | Enables debug mode for troubleshooting SDK issues. |
+
+SDKs **MAY** support additional SDK-specific environment variables beyond this common set. Any additional environment variables **SHOULD** be documented in the SDK's user-facing documentation.
+
+<Alert>
+Some SDKs may also offer additional SDK-specific environment variables beyond this common set. Check the [platform-specific documentation](https://docs.sentry.io/platforms/) for the full list of supported options.
+</Alert>
+
+## Precedence
+
+When both environment variables and code-based configuration are present, **code-based configuration MUST take precedence**. If the user explicitly passes a value to the SDK's init function, the environment variable **MUST** be ignored.
+
+To use environment variables, users omit the option from their init call and the SDK reads from the environment automatically:
+
+```javascript
+// SDK will read from SENTRY_DSN automatically
+Sentry.init({
+  // dsn omitted, will use SENTRY_DSN
+});
+```
+
+```python
+import sentry_sdk
+
+# SDK will read from SENTRY_DSN automatically
+sentry_sdk.init(
+    # dsn omitted, will use SENTRY_DSN
+)
+```
+
+```go
+import "github.com/getsentry/sentry-go"
+
+// SDK will read from SENTRY_DSN automatically
+sentry.Init(sentry.ClientOptions{
+    // Dsn omitted, will use SENTRY_DSN
+})
+```
+
+```php
+\Sentry\init([
+    // dsn omitted, will use SENTRY_DSN
+]);
+```
+
+## Client-Side Considerations
+
+Environment variables work differently in client-side environments like web browsers, where the concept of environment variables doesn't exist at runtime. For frontend SDKs, values **MUST** be injected by users at build time or configured directly in code.
+
+For server-side SDKs (Node.js, Python, Ruby, Java, .NET, Go, PHP, etc.), environment variables are read at runtime when the SDK initializes.

develop-docs/sdk/expected-features/index.mdx

@@ -77,6 +77,12 @@ Backend SDKs (typically used in server applications) should have backpressure ma
 
 See <Link to="/sdk/telemetry/traces/backpressure/">Backpressure Management</Link> for details.
 
+## Environment Variables
+
+Server-side SDKs should support common environment variables for configuration without code changes, including `SENTRY_DSN`, `SENTRY_RELEASE`, `SENTRY_ENVIRONMENT`, and sample rate options.
+
+See <Link to="/sdk/expected-features/environment-variables">Environment Variables</Link> for details.
+
 ## Debug Mode
 
 Every SDK must implement a debug mode, which is disabled by default. Users can enable it by setting the option `debug` to `true`. If the debug mode is enabled, the SDK prints out useful debugging information for two main purposes:

develop-docs/sdk/platform-specifics/python-sdk/ci.mdx

@@ -4,20 +4,19 @@ description: Our test setup and how our CI files are generated.
 sidebar_order: 20
 ---
 
-The GitHub workflow files for testing specific integration groups (like AI, Web Frameworks, Databases, etc.) are generated by [this script](https://github.com/getsentry/sentry-python/blob/master/scripts/split-tox-gh-actions/split-tox-gh-actions.py). Essentially, the script scans our `tox.ini` and generates the group test CI YAML files in `.github/workflows`.
+Our test suite consists of a common part that tests basic SDK functionality, and an integrations part that tests individual integrations.
 
-There are multiple components to this:
-* `tox.ini` is where the configuration (what to test and what versions) is read from
-* `scripts/split-tox-gh-actions/split-tox-gh-actions.py` is the script that defines the [test groups](https://github.com/getsentry/sentry-python/blob/0f3e5db0c8aabcad0baf0e8b2d3e31e27e839b3e/scripts/split-tox-gh-actions/split-tox-gh-actions.py#L57) and generates the resulting YAML files
-* `scripts/split-tox-gh-actions/templates` contains the jinja2 template snippets used to generate the YAML files
-* `.github/workflows/test-integrations-*.yml` are the resulting workflow configuration YAMLs
-
-If you update any of the components without keeping the rest in sync, for instance by making a change in one of the `test-integrations-*.yml` files that is not reflected in the templates in `scripts/split-tox-gh-actions/templates`, CI will error out as it actually checks if everything is in sync, meaning it runs the `split-tox-gh-actions.py` script and compares the result with the committed YAMLs.
+Since the number of integrations to test is so large, the tests in CI are split into multiple groups (roughly by integration type) so that they can run in parallel. So there is, for example, [a GitHub workflow](https://github.com/getsentry/sentry-python/blob/master/.github/workflows/test-integrations-flags.yml) that runs all our feature flag integrations, and [another one](https://github.com/getsentry/sentry-python/blob/master/.github/workflows/test-integrations-graphql.yml) that runs the test suites of all GraphQL integrations, and so on. These workflow YAMLs are auto-generated by [this script](https://github.com/getsentry/sentry-python/blob/master/scripts/split-tox-gh-actions/split-tox-gh-actions.py).
 
-## AWS Lambda Test Suite
+The ultimate source of truth of what should be tested and on which versions (both Python versions as well as package versions) is stored in [`tox.ini`](https://github.com/getsentry/sentry-python/blob/master/tox.ini). This file is also auto-generated each week by a GitHub cron job that scans PyPI for new releases and updates the test matrix with them. The script that does this lives in [`scripts/populate_tox`](https://github.com/getsentry/sentry-python/tree/master/scripts/populate_tox) and is often referred to as "toxgen".
 
-The AWS Lambda test suite will fail by default on new PRs. If you are an external contributor, this is not something you have to worry about, unless you've made changes actually affecting the AWS Lambda integration. It's a security precaution on our part.
+## The Big Picture
 
-Sensitive test suites (currently only AWS Lambda) require maintainer review to ensure that tests do not compromise our secrets. This review must be repeated after any code revisions.
+There are multiple components to the test setup that runs in CI:
+* on a weekly basis, [`scripts/populate_tox`](https://github.com/getsentry/sentry-python/tree/master/scripts/populate_tox) creates a PR that updates `tox.ini` with new releases
+* `tox.ini` is where the configuration (what to test and what versions) is stored and read from
+* `scripts/split-tox-gh-actions/split-tox-gh-actions.py` is the script that defines the [test groups](https://github.com/getsentry/sentry-python/blob/0f3e5db0c8aabcad0baf0e8b2d3e31e27e839b3e/scripts/split-tox-gh-actions/split-tox-gh-actions.py#L57) and generates the resulting YAML files
+* `scripts/split-tox-gh-actions/templates` contains the jinja2 template snippets used to generate the YAML files
+* `.github/workflows/test-integrations-*.yml` are the resulting workflow configuration YAMLs
 
-Before running sensitive test suites, maintainers need to carefully check the PR. Then they will apply the `Trigger: tests using secrets` label. The label will be removed after any code changes to enforce our policy requiring maintainers to review all code revisions before running sensitive tests.
+If you update any of the components without keeping the rest in sync, for instance by making a change in one of the `test-integrations-*.yml` files that is not reflected in the templates in `scripts/split-tox-gh-actions/templates`, they will be overwritten next time they're auto-generated.

develop-docs/sdk/processes/basics.mdx

@@ -4,6 +4,10 @@ description: So you want to develop an SDK?  Before you get started here are som
 sidebar_order: 1
 ---
 
+<Alert>
+  This document uses key words such as "MUST", "SHOULD", and "MAY" as defined in [RFC 2119](https://www.ietf.org/rfc/rfc2119.txt) to indicate requirement levels.
+</Alert>
+
 ## Run a Local Relay
 
 You do not need a local Sentry for SDK development but you will want to run a local
@@ -39,9 +43,18 @@ a good idea to refer to already existing Sentry SDKs for input.  In particular t
 transport design is not part of the documentation but generally quite similar between
 SDKs.
 
-## Type out context in Relay
+## Define Conventions and Types Before Shipping
+
+Before shipping new or changed SDK behavior, make sure the relevant definitions exist outside your SDK first:
+
+- **Semantic conventions:** New or changed attributes **MUST** first be defined in [sentry-conventions](https://github.com/getsentry/sentry-conventions/). If the convention you need doesn't exist yet, open a PR there to propose it. Only after the convention has been merged should you implement it in an SDK. This ensures all SDKs use consistent naming and semantics.
+
+  The merge process for sentry-conventions PRs:
+  1. Open a PR with the proposed convention.
+  2. Get an approval from at least one code owner.
+  3. Wait at least 3 business days after the first approval to give other code owners a chance to review.
 
-To have a better understanding of various [context](https://develop.sentry.dev/sdk/data-model/event-payloads/contexts/) our SDKs emit, any newly added context should also be typed out in [Relay](https://github.com/getsentry/relay/tree/master/relay-event-schema/src/protocol/contexts).
+- **Context types:** Any newly added [context](https://develop.sentry.dev/sdk/data-model/event-payloads/contexts/) **SHOULD** also be typed out in [Relay](https://github.com/getsentry/relay/tree/master/relay-event-schema/src/protocol/contexts) so that the schema stays in sync with what SDKs emit.
 
 ## Join us on Discord
 

develop-docs/sdk/processes/releases.mdx

@@ -85,7 +85,9 @@ Nice!
 This file is used to trigger the release from the GitHub UI.
 
 You'll notice it uses `vars.SENTRY_RELEASE_BOT_CLIENT_ID` and `secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY` -- these should be
-available to your repository automatically!
+available to your repository automatically! These are needed because
+[GitHub prevents `GITHUB_TOKEN` from triggering downstream workflows](https://docs.github.com/en/actions/reference/events-that-trigger-workflows),
+which is required for creating publish request issues in `getsentry/publish`.
 
 ```yaml
 name: Release
@@ -95,7 +97,7 @@ on:
     inputs:
       version:
         description: Version to release
-        required: true
+        required: false
       force:
         description: Force a release even when there are release-blockers (optional)
         required: false
@@ -111,28 +113,29 @@ jobs:
         with:
           app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
           private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
         with:
           token: ${{ steps.token.outputs.token }}
           fetch-depth: 0
       - name: Prepare release
-        uses: getsentry/action-prepare-release@v1
+        uses: getsentry/craft@v2
         env:
           GITHUB_TOKEN: ${{ steps.token.outputs.token }}
         with:
           version: ${{ github.event.inputs.version }}
           force: ${{ github.event.inputs.force }}
 ```
 
+For full details on all available options including auto-versioning, changelog preview,
+and more, see [Craft's GitHub Actions documentation](https://craft.sentry.dev/github-actions/).
+If your repository is outside the `getsentry` organization, you can use the simpler
+[reusable workflow](https://craft.sentry.dev/github-actions/#option-1-reusable-workflow-recommended)
+which handles token management automatically via `secrets: inherit`.
+
 ### Commit + PR
 
 **Commit those three files and make a pull request.**
 
-Here's [an example PR] and the [follow-up to fix `fetch-depth`].
-
-[an example PR]: https://github.com/getsentry/uwsgi-dogstatsd-plugin/pull/2
-[follow-up to fix `fetch-depth`]: https://github.com/getsentry/uwsgi-dogstatsd-plugin/pull/3
-
 ## Setting Up Permissions
 
 Give the following teams access to your repository:
@@ -158,6 +161,37 @@ add a label to.
 
 [issue in `publish`]: https://github.com/getsentry/publish/issues
 
+## Calendar Versioning (CalVer)
+
+To enable calendar versioning for your SDK, add the following to your `.craft.yml`:
+
+```yaml
+versioning:
+  policy: calver
+  calver:
+    format: "%y.%-m" # e.g., 24.12 for December 2024
+    offset: 14 # Days to look back for date calculation (optional)
+```
+
+See the [Craft CalVer documentation](https://craft.sentry.dev/configuration/#calendar-versioning-calver) for more details.
+
+## Merge Target
+
+By default, all releases are merged to the default branch of your repository (usually `main`). To override this, pass the `merge_target` input in your release workflow:
+
+```yaml
+- name: Prepare release
+  uses: getsentry/craft@v2
+  env:
+    GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+  with:
+    version: ${{ github.event.inputs.version }}
+    merge_target: ${{ github.event.inputs.merge_target }}
+```
+
+Make sure to also add a `merge_target` input to your workflow's `workflow_dispatch.inputs` block.
+The same input is available in the [reusable workflow](https://craft.sentry.dev/github-actions/#option-1-reusable-workflow-recommended) as well.
+
 ## Version name conventions
 
 To keep versioning consistent across SDKs, we generally follow [semantic versioning (semver)](https://semver.org/), with language- or platform-specific conventions around semver (if applicable).
@@ -227,7 +261,7 @@ You can opt your repo into using the config from a specific merge target branch
 
 ### 1. Release Preparation:
 
-Add `craft_config_from_merge_target: true` when calling `getsentry/action-prepare-release` in your repo's release workflow:
+Add `craft_config_from_merge_target: true` when calling `getsentry/craft` in your repo's release workflow:
 
 ```yml
 # ...
@@ -238,12 +272,14 @@ jobs:
     steps:
       # ...
       - name: Prepare release
-        uses: getsentry/action-prepare-release@v1
+        uses: getsentry/craft@v2
         with:
           # ...
           craft_config_from_merge_target: true
 ```
 
+This input is also available in the [reusable workflow](https://craft.sentry.dev/github-actions/#option-1-reusable-workflow-recommended).
+
 ### 2. Publish Configuration
 
 Add the branch(es) you want to take the config from to the `publish.yml` workflow in `getsentry/publish`: