
feat(auth): hint when env token is shadowed by stored OAuth (#785)#790

Open: BYK wants to merge 1 commit into main from cli-ux-env-token-hint


@BYK
Member

BYK commented Apr 20, 2026

Summary

The most painful UX item from #785: a user sets SENTRY_AUTH_TOKEN (e.g. from a Stripe Projects or Vercel integration) but also has a stored OAuth login from sentry auth login. The CLI silently prefers the stored login — the user's 30 minutes of debugging invariably ends at discovering SENTRY_FORCE_ENV_TOKEN=1.

Surface the collision on stderr the first time an authenticated command hits the API:

[info] [auth] Detected SENTRY_AUTH_TOKEN env var but using stored login for alice.
              Set SENTRY_FORCE_ENV_TOKEN=1 to prefer the env var.

Gating:

  • Fires only when an env token is set AND a stored OAuth login exists AND SENTRY_FORCE_ENV_TOKEN is not set.
  • Fires at most once per process (module-local latch).
  • Fires inside authenticatedFetch, so local-only commands (sentry help, sentry cli upgrade) stay quiet.

User label resolution prefers username → email → name → "stored OAuth user" fallback, matching what sentry auth whoami shows when the cache is cold.

Test plan

  • New test/lib/auth-hint.test.ts covers: fires on collision, silent without env token, silent without stored OAuth, silent under SENTRY_FORCE_ENV_TOKEN, once-per-process latch, user label fallbacks, SENTRY_TOKEN legacy var support.
  • bun run typecheck, bun run lint — clean.
  • Full unit suite: 5269 passing.

Part of #785 (addresses item #4).

The most painful UX item from #785: a user sets
SENTRY_AUTH_TOKEN (e.g. from a Stripe Projects or Vercel integration)
but also has a stored OAuth login from `sentry auth login`. The CLI
silently prefers the stored login — the user's 30 minutes of
debugging invariably ends at discovering `SENTRY_FORCE_ENV_TOKEN=1`.

Surface the collision on stderr the first time an authenticated
command hits the API:

    [info] [auth] Detected SENTRY_AUTH_TOKEN env var but using stored
                  login for alice.
                  Set SENTRY_FORCE_ENV_TOKEN=1 to prefer the env var.

Gating:
- Fires only when an env token is set AND a stored OAuth login exists
  AND SENTRY_FORCE_ENV_TOKEN is not set.
- Fires at most once per process (module-local latch).
- Fires inside `authenticatedFetch` so local-only commands like
  `sentry help` or `sentry cli upgrade` stay quiet.

User label resolution prefers `username` → `email` → `name` →
"stored OAuth user" fallback, matching what `sentry auth whoami`
shows when the cache is cold.

Addresses #785 item #4.
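
The gating, latch and label fallback listed in the description above, sketched as an added example; this is not the PR's `src/lib/auth-hint.ts` or any other code from the project. The names `createShadowHint`, `userLabel`, `StoredUser` and `isSet` are hypothetical, and the sketch assumes that empty values count as unset, that `SENTRY_AUTH_TOKEN` is checked before `SENTRY_TOKEN`, and that the caller passes the environment in and writes the returned string to stderr.

```typescript
// Added illustration; not the PR's src/lib/auth-hint.ts.
type Env = Record<string, string | undefined>;
interface StoredUser { username?: string; email?: string; name?: string }

// Assumption: SENTRY_AUTH_TOKEN is checked before the legacy SENTRY_TOKEN.
const ENV_TOKEN_VARS = ["SENTRY_AUTH_TOKEN", "SENTRY_TOKEN"];

// Assumption: an empty or whitespace-only value counts as "not set".
function isSet(value: string | undefined): value is string {
  return value !== undefined && value.trim() !== "";
}

// username -> email -> name -> generic fallback, as the description states.
function userLabel(user?: StoredUser): string {
  for (const candidate of [user?.username, user?.email, user?.name]) {
    if (isSet(candidate)) return candidate;
  }
  return "stored OAuth user";
}

// Returns a hint function with its own latch. The PR describes a module-local
// latch; a closure is used here so each test can start from a fresh state.
function createShadowHint() {
  let fired = false;
  return (env: Env, hasStoredOAuth: boolean, user?: StoredUser): string | null => {
    if (fired || !hasStoredOAuth || isSet(env["SENTRY_FORCE_ENV_TOKEN"])) return null;
    let varName: string | undefined;
    for (const name of ENV_TOKEN_VARS) {
      if (isSet(env[name])) { varName = name; break; }
    }
    if (varName === undefined) return null;
    fired = true;
    // Only the variable's name and the user label are interpolated;
    // the token value itself never reaches stderr or captured CI logs.
    return `[info] [auth] Detected ${varName} env var but using stored login for ` +
      `${userLabel(user)}.\nSet SENTRY_FORCE_ENV_TOKEN=1 to prefer the env var.`;
  };
}
```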
@github-actions
Contributor

Semver Impact of This PR

🟡 Minor (new features)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


New Features ✨

  • (issue) Add resolve, unresolve (reopen), and merge commands by BYK in #778

Bug Fixes 🐛

  • (error-reporting) Fall back to message prefix for ValidationError without field by BYK in #776
  • (hex-id) Auto-recover malformed hex IDs in view commands (CLI-16G) by BYK in #777
  • (init) Force process exit after wizard completes by betegon in #782

Internal Changes 🔧

  • (init) Trim deprecated --features help entries by MathurAditya724 in #781
  • Regenerate docs by github-actions[bot] in 58a84035

🤖 This preview updates automatically when you update the PR.

@github-actions
Contributor

PR Preview Action v1.8.1


🚀 View preview at
https://cli.sentry.dev/_preview/pr-790/

Built to branch gh-pages at 2026-04-20 17:16 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

@github-actions
Contributor

Codecov Results 📊

138 passed | Total: 138 | Pass Rate: 100% | Execution Time: 0ms

📊 Comparison with Base Branch

Metric Change
Total Tests
Passed Tests
Failed Tests
Skipped Tests

✨ No test changes detected

All tests are passing successfully.

✅ Patch coverage is 95.12%. Project has 1699 uncovered lines.
✅ Project coverage is 95.55%. Comparing base (base) to head (head).

Files with missing lines (1)
File Patch % Lines
src/lib/auth-hint.ts 94.87% ⚠️ 2 Missing
Coverage diff
@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
+ Coverage    95.52%    95.55%    +0.03%
==========================================
  Files          262       263        +1
  Lines        38174     38210       +36
  Branches         0         0         —
==========================================
+ Hits         36464     36511       +47
- Misses        1710      1699       -11
- Partials         0         0         —

Generated by Codecov Action
