From 17373da1a5f37d2c79697ef547c3639a185028ad Mon Sep 17 00:00:00 2001
From: "bert.hausmans" <bert@hausmans.nl>
Date: Thu, 7 May 2026 17:59:58 +0200
Subject: [PATCH] feat: sourcemap upload to GlitchTip in deploy.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

WS-7 PR-3 commit 3, RFC §3.5.

- deploy.sh: export VITE_SENTRY_RELEASE=crewli-app@<short-sha> before
  the Vite build so the release identifier is inlined into the bundle
  via import.meta.env.
- New step 4a after the build: when SENTRY_AUTH_TOKEN and
  VITE_SENTRY_DSN_FRONTEND are present, upload sourcemaps via
  `npx @sentry/cli@latest sourcemaps upload` to project crewli-app
  with --url-prefix=~/assets/ matching Vite's default asset path.
  Soft-fails with a warning so deploy can still succeed if GlitchTip
  is unreachable.
- Always run `find apps/app/dist -name '*.map' -delete` after upload
  (or after skipped upload). No public-mapped sources reach nginx —
  RFC §3.5 invariant.
- .gitignore: defensive `apps/app/dist/**/*.map` exclusion (dist/ is
  already broadly ignored; this is belt-and-suspenders against
  accidental commits of build output).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .gitignore |  5 +++++
 deploy.sh  | 25 +++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/.gitignore b/.gitignore
index 7b8ab70f..0f4834fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -64,3 +64,8 @@ docs/.vitepress/cache
 # GlitchTip
 docker/glitchtip/.env
 backups/
+
+# WS-7 RFC §3.5: Vite sourcemaps are uploaded to GlitchTip and stripped
+# from dist/ before deploy. Defensive exclusion in case dist/ is ever
+# committed by mistake (it's already covered by `dist/` above).
+apps/app/dist/**/*.map
diff --git a/deploy.sh b/deploy.sh
index 29df22a7..72e81dd1 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -94,6 +94,9 @@ else
 fi
 
 echo "→ Building frontend assets (apps/app)..."
+# WS-7 RFC §3.4 — release identifier is injected at build-time so Vite
+# inlines it into import.meta.env.VITE_SENTRY_RELEASE for the bundle.
+export VITE_SENTRY_RELEASE="crewli-app@$(git rev-parse --short HEAD)"
 npm run build -w apps/app
 
 if [ ! -f "apps/app/dist/index.html" ]; then
@@ -101,6 +104,28 @@ if [ ! -f "apps/app/dist/index.html" ]; then
     exit 1
 fi
 
+# ──────────────────────────────────────────
+# 4a. Sourcemap upload to GlitchTip + scrub from dist/
+# ──────────────────────────────────────────
+# WS-7 RFC §3.5: maps generated by Vite, uploaded to GlitchTip so stack
+# traces are readable in the UI, then DELETED from dist/ before nginx
+# serves them. No public-mapped sources on production.
+if [ -n "${SENTRY_AUTH_TOKEN:-}" ] && [ -n "${VITE_SENTRY_DSN_FRONTEND:-}" ]; then
+    SENTRY_ORG_VAL="${SENTRY_ORG:-crewli}"
+    echo "→ Uploading sourcemaps for release ${VITE_SENTRY_RELEASE} to project crewli-app..."
+    npx --yes @sentry/cli@latest sourcemaps upload \
+        --org "$SENTRY_ORG_VAL" \
+        --project crewli-app \
+        --release "$VITE_SENTRY_RELEASE" \
+        --url-prefix "~/assets/" \
+        apps/app/dist/assets || echo "⚠️  Sourcemap upload failed; continuing deploy."
+else
+    echo "→ SENTRY_AUTH_TOKEN or VITE_SENTRY_DSN_FRONTEND unset — skipping sourcemap upload."
+fi
+
+echo "→ Stripping *.map files from dist/ (RFC §3.5: no public-mapped sources)..."
+find apps/app/dist -name '*.map' -type f -delete
+
 # ──────────────────────────────────────────
 # 5. Run migrations
 # ──────────────────────────────────────────