feat(debug-files): scan inside .zip archives on upload

[BYK]

Summary

Adds ZIP archive scanning to sentry debug-files upload, matching the legacy sentry-cli behavior (try_open_zip / walk_difs_zip). This is Tier B of the debug-files upload roadmap (Tier A core upload landed in #1139, limits + --derived-data in #1140).

.zip files encountered during a scan are now expanded in memory and their entries run through the same filter pipeline (--type/--id/feature filters, size gate) as on-disk files. Pass --no-zips to skip them.

# .zip archives are scanned in place by default
sentry debug-files upload ./symbols.zip
sentry debug-files upload ./build            # finds DIFs in any *.zip under ./build

# opt out
sentry debug-files upload ./build --no-zips

Implementation

• New src/lib/dif/zip.ts — readZipDifEntries():
  • Detects archives by .zip extension and PK local-header magic (a misnamed non-archive falls back to normal parsing; a real DIF named foo.zip still works).
  • Extracts entries with fflate.unzipSync.
  • Zip-bomb guard: the pre-decompression filter rejects entries whose declared uncompressed size exceeds the server's max_file_size (or omitted = no gate) before inflation, so oversized entries are never materialized. Directory/empty entries are dropped.
  • Malformed/unreadable archives are skipped (debug log), never thrown.
  • Nested archives are not recursed (a .zip inside a .zip is an opaque, non-object entry), matching the legacy tool.
• prepareDifs() gains a scanZips option (default true). The on-disk per-file logic is extracted into prepareFileDif(), and the parse step into a shared difFromBuffer() so on-disk files and in-memory ZIP entries share the same parse + filter path. Entry display paths are synthetic "<zip>/<entry>" so logs and DIF names stay meaningful.
• upload command — adds the --no-zips flag and threads scanZips: !flags["no-zips"] through.

Notes / scope

• fflate added as a devDependency (bundled at build time; check:deps passes).
• The whole archive is read into memory (fflate's unzipSync is non-streaming); typical symbol zips are tens/hundreds of MB. Per-entry decompression remains bounded by the size gate.
• Still deferred (Tier C): --symbol-maps (BCSymbolMap) and --il2cpp-mapping line mappings — these need new symbolic WASM exports.

Testing

• test/lib/dif/zip.test.ts — 12 unit tests (magic/extension detection, malformed input, size gate, no-recursion, scanZips toggle, --type filtering, container not double-counted, misnamed-archive fallback). Archives built in memory with fflate.zipSync — no binary fixtures.
• test/commands/debug-files/upload.test.ts — 2 command-level tests (.zip scanned by default; --no-zips ignores entries).
• All 99 dif + debug-files tests pass; typecheck, lint, check:deps, check:patches, check:fragments clean.

[github-actions]

PR Preview Action v1.8.1
🚀 View preview at https://cli.sentry.dev/_preview/pr-1141/
Built to branch gh-pages at 2026-06-26 10:02 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[github-actions]

Codecov Results 📊

✅ Patch coverage is 89.80%. Project has 5114 uncovered lines.
✅ Project coverage is 81.52%. Comparing base (base) to head (head).

Files with missing lines (2)

File	Patch %	Lines
src/lib/dif/zip.ts	89.83%	⚠️ 6 Missing and 1 partials
src/lib/dif/scan.ts	89.74%	⚠️ 4 Missing and 2 partials

Coverage diff

@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
+ Coverage    81.48%    81.52%    +0.04%
==========================================
  Files          396       397        +1
  Lines        27588     27671       +83
  Branches     17912     17966       +54
==========================================
+ Hits         22478     22557       +79
- Misses        5110      5114        +4
- Partials      1866      1868        +2

---

Generated by Codecov Action

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 4a41f2e. Configure here.}

[BYK]

CI status: all green except an external Anthropic API outage

Every check passes except E2E Tests, which fails only on test/e2e/skill-eval.test.ts (the LLM-driven skill eval). The failure is an upstream outage, not a code issue:

[planner] API error: Invalid response body while trying to fetch
https://api.anthropic.com/v1/messages: Premature close

• All 126 non-LLM E2E tests pass; only the 2 skill-eval cases fail, both with the same Premature close error talking to api.anthropic.com.
• Reproduced identically across 3 runs over ~25 min — api.anthropic.com is currently flaky/down.
• Green here: Lint & Typecheck, Unit Tests, Validate generated files, Build npm (22/24), Build Binary, Build Docs, warden, CodeQL, dependency-review.

This PR does not touch the skill or any LLM path. Will re-run once the Anthropic API recovers.

[BYK]

Correction: the Premature close E2E failure was not an Anthropic outage — it's the Node.js ERR_STREAM_PREMATURE_CLOSE regression from the CVE-2026-48931 security release (24.17.0 / 22.23.0), the same bug we hit in Craft/GCS. The http.Agent fix added a data listener on idle sockets that makes keep-alive fetch reuse throw a false Premature close, which the skill-eval planner trips. Fixed in 24.18.0 (nodejs/node#64004).

The E2E job used floating node-version: "24", which silently reuses the runner's pre-cached buggy 24.17.0. Pinned it to 24.18.0 in d7175e2. Re-running now.