feat: add distributed tracing for Sentry backend

[BYK]

Inject sentry-trace and baggage headers into all outgoing Sentry API requests so CLI traces connect to backend traces.

What

Manual header injection in prepareHeaders() is required because Bun's fetch doesn't fire undici diagnostics channels, so the SDK's nativeNodeFetchIntegration auto-injection cannot work.

Changes

• telemetry.ts: Add getSentryTracePropagationTargets() matching *.sentry.io, sentry.io, and self-hosted URLs. Update tracePropagationTargets from [] to use the new function.
• sentry-client.ts: Import getTraceData from @sentry/bun and inject sentry-trace/baggage headers in prepareHeaders(). When telemetry is disabled, getTraceData() returns {} so no headers are injected.
• telemetry.test.ts: Add tests for URL pattern matching (SaaS regional, bare sentry.io, non-sentry URLs, self-hosted, no SaaS duplication).

Closes #389

[github-actions]

Semver Impact of This PR

🟡 Minor (new features)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

New Features ✨

• (dashboard) Add dashboard list, view, and create commands by betegon in #406
• (upgrade) Add --offline flag and automatic offline fallback by BYK in #450

• Add distributed tracing for Sentry backend by BYK in #455

• Add project delete command by MathurAditya724 in #397
• Add sentry schema command for API introspection by BYK in #437

Bug Fixes 🐛

• (dsn) Prevent hang during DSN auto-detection in repos with test fixtures by BYK in #445
• (formatters) Pad priority labels for consistent TRIAGE column alignment by MathurAditya724 in #449
• (upgrade) Remove hard chain depth cap for nightly delta upgrades by BYK in #444

Internal Changes 🔧

• Cache org listing in listOrganizations + DSN shortcut for issue view by betegon in #446

---

_{🤖 This preview updates automatically when you update the PR.}

[github-actions]

Codecov Results 📊

✅ 116 passed | Total: 116 | Pass Rate: 100% | Execution Time: 0ms

📊 Comparison with Base Branch

Metric	Change
Total Tests	—
Passed Tests	—
Failed Tests	—
Skipped Tests	—

✨ No test changes detected

All tests are passing successfully.

✅ Patch coverage is 90.91%. Project has 1138 uncovered lines.
❌ Project coverage is 95.19%. Comparing base (base) to head (head).

Files with missing lines (2)

File	Patch %	Lines
telemetry.ts	91.65%	⚠️ 37 Missing
sentry-client.ts	93.42%	⚠️ 15 Missing

Coverage diff

@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
- Coverage    95.21%    95.19%    -0.02%
==========================================
  Files          175       175         —
  Lines        23653     23673       +20
  Branches         0         0         —
==========================================
+ Hits         22519     22535       +16
- Misses        1134      1138        +4
- Partials         0         0         —

---

Generated by Codecov Action

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[BYK]

Re: Seer review on getTraceData() when telemetry is disabled

This is a false positive. When SENTRY_CLI_NO_TELEMETRY=1:

1. initSentry() is called with enabled: false
2. Sentry.init({ enabled: false }) disables the SDK entirely
3. getTraceData() returns {} (empty object) — no headers are injected

Verified empirically:

$ bun -e "import * as Sentry from '@sentry/bun'; Sentry.init({ dsn: '...', enabled: false }); console.log(Sentry.getTraceData());"
{}

The comment in the code already documents this: "When telemetry is disabled, getTraceData() returns {} — no headers injected."

[BYK]

Re: Cursor Bugbot — regex TLD boundary

Good catch! Fixed by adding (\/|$) anchors to both regexes:

-const SENTRY_SAAS_SUBDOMAIN_RE = /^https:\/\/[^/]*\.sentry\.io/;
-const SENTRY_SAAS_ROOT_RE = /^https:\/\/sentry\.io/;
+const SENTRY_SAAS_SUBDOMAIN_RE = /^https:\/\/[^/]*\.sentry\.io(\/|$)/;
+const SENTRY_SAAS_ROOT_RE = /^https:\/\/sentry\.io(\/|$)/;

Added a test confirming sentry.io.evil.com and us.sentry.io.evil.com are rejected.