Summary
Add a --dry-run flag to mutating commands (sentry api, sentry project create, and future write commands) so agents and users can preview what would happen without executing the action.
Motivation
From You Need to Rewrite Your CLI for AI Agents (Justin Poehnelt, Google DevRel):
"--dry-run validates the request locally without hitting the API. Agents can 'think out loud' before acting. This is especially important for mutating operations — create, update, delete — where the cost of a hallucinated parameter isn't a bad error message, it's data loss."
Current state
- sentry cli fix --dry-run already exists and is well-implemented — shows what would be repaired without making changes. This is the pattern to follow.
- No other mutating command has --dry-run.
Mutating commands (current and planned)
| Command | Risk | Dry-run value |
|---|---|---|
| sentry api -X POST/PUT/DELETE | High — arbitrary API calls | Very high |
| sentry project create | Medium — creates a resource | Medium |
| sentry cli upgrade | Medium — replaces binary | Medium |
| Future: sentry issue update (#80) | Medium — changes issue state | High |
| Future: sentry team create (#80) | Medium — creates a resource | Medium |
Proposed behavior
sentry api --dry-run
Show the fully resolved request without sending it:
```
$ sentry api /organizations/my-org/issues/ -X POST --data '{"status":"resolved"}' --dry-run
Dry run — no request sent.
Method: POST
URL: https://us.sentry.io/api/0/organizations/my-org/issues/
Headers: Authorization: Bearer sntrys_***
         Content-Type: application/json
         User-Agent: sentry-cli/0.13.0
Body: {"status": "resolved"}
```

This validates:
- Endpoint normalization (trailing slash)
- Method validation
- Body construction from --field/--data/--input
- Header construction
- Auth token availability
sentry project create --dry-run
Validate inputs and show what would be created:
```
$ sentry project create my-app python --dry-run
Dry run — no project created.
Organization: my-org
Team: my-team
Name: my-app
Platform: python
```

Implementation
Phase 1: sentry api --dry-run
Highest value. The sentry api command is the most powerful and most dangerous — agents can construct arbitrary API calls. Add a --dry-run boolean flag that:
- Resolves the endpoint, method, body, and headers
- Prints the resolved request to stdout (JSON when --json is set)
- Exits with code 0 without calling rawApiRequest
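
A sketch of how Phase 1 could be structured, added here as an illustration and not taken from the Sentry CLI code base: the dry run reuses the same resolution and validation path as a real call, returns before the send step, and redacts the token so previews are safe to land in agent transcripts. All type and function names, the accepted method set, and the synchronous `send` callback (a stand-in for the real request function) are assumptions.

```typescript
// Added illustration; all names are hypothetical, not the Sentry CLI's code.
interface ApiArgs {
  endpoint: string;
  method?: string;
  data?: string; // raw JSON, as passed to --data
  token?: string; // resolved auth token, if one is configured
  dryRun?: boolean;
}
interface ResolvedRequest {
  method: string;
  url: string;
  headers: Record<string, string>;
  body?: string;
}
interface Outcome { sent: boolean; preview?: ResolvedRequest; response?: unknown }

const BASE_URL = "https://us.sentry.io/api/0"; // from the sample output above
const METHODS: readonly string[] = ["GET", "POST", "PUT", "DELETE"]; // assumed set

// Single resolution path shared by real and dry runs, so a preview cannot
// drift from what would actually be sent.
function resolveRequest(args: ApiArgs): ResolvedRequest {
  const method = (args.method ?? "GET").toUpperCase();
  if (!METHODS.includes(method)) throw new Error(`unsupported method: ${method}`);
  if (!args.token) throw new Error("no auth token available");
  // Endpoint normalization: one leading slash, one trailing slash.
  const path = "/" + args.endpoint.replace(/^\/+|\/+$/g, "") + "/";
  const headers: Record<string, string> = { Authorization: `Bearer ${args.token}` };
  let body: string | undefined;
  if (args.data !== undefined) {
    body = JSON.stringify(JSON.parse(args.data)); // throws on malformed JSON
    headers["Content-Type"] = "application/json";
  }
  return { method, url: BASE_URL + path, headers, body };
}

// Previews end up in agent transcripts and logs: keep only the token-type prefix.
function redact(req: ResolvedRequest): ResolvedRequest {
  const m = /^Bearer ([a-z]+_)?/.exec(req.headers["Authorization"] ?? "");
  const shown = `Bearer ${m?.[1] ?? ""}***`;
  return { ...req, headers: { ...req.headers, Authorization: shown } };
}

// `send` stands in for the real network call (synchronous here for brevity).
function runApi(args: ApiArgs, send: (r: ResolvedRequest) => unknown): Outcome {
  const req = resolveRequest(args); // validation failures surface in both modes
  if (args.dryRun) return { sent: false, preview: redact(req) };
  return { sent: true, response: send(req) };
}
```

Because validation happens before the dry-run branch, a missing token or malformed body fails the preview the same way it would fail the real call.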
Phase 2: Shared --dry-run infrastructure
Extract a reusable pattern for dry-run across commands. The existing sentry cli fix implementation can be the reference.
Phase 3: Apply to all mutating commands
Add --dry-run to project create and future write commands as they're implemented.
Non-goal: Response sanitization
The article also discusses response sanitization (filtering API responses through a prompt-injection detector). This is less applicable to Sentry: our data is primarily internal (error messages, stack traces, code snippets) rather than user-generated content like emails that could contain prompt injection. We should revisit this if/when the CLI processes user-generated content (e.g., issue comments, feedback).
References
- Safety Rails: Dry-Run + Response Sanitization — Justin Poehnelt
- Existing implementation: sentry cli fix --dry-run (src/commands/cli/fix.ts)
- Feature parity issue: Achieve feature parity with Sentry MCP server #80 (more mutating commands coming)