refactor: use native Sentry device flow, remove oauth-proxy

Sentry now supports RFC 8628 Device Authorization Grant natively,
so we no longer need our custom oauth-proxy server.

Changes:
- Delete apps/oauth-proxy/ entirely
- Update oauth.ts to use Sentry's /oauth/device/code/ endpoint
- Move openBrowser to lib/browser.ts for reusability
- Remove duplicate DeviceCodeResponse type (use types/oauth.ts)
- Update DEVELOPMENT.md and README.md for new flow
- Add .env.example template

The CLI now communicates directly with Sentry using public client
authentication (no client_secret needed per RFC 8628 §5.6).

Author: betegon

.env.example

@@ -0,0 +1,3 @@
+# Copy this to .env.local and fill in your values
+SENTRY_CLIENT_ID=your-sentry-oauth-client-id
+# SENTRY_URL=https://sentry.io  # Uncomment for self-hosted

DEVELOPMENT.md

@@ -1,7 +1,5 @@
 # Development Guide
 
-This guide explains how to develop and test the Sentry CLI and OAuth proxy locally.
-
 ## Prerequisites
 
 - [Bun](https://bun.sh/) installed
@@ -11,8 +9,6 @@ This guide explains how to develop and test the Sentry CLI and OAuth proxy local
 
 ```
 sentry-cli-next/
-├── apps/
-│   └── oauth-proxy/     # Hono server for device flow OAuth
 └── packages/
     └── cli/             # The Sentry CLI
 ```
@@ -25,75 +21,54 @@ sentry-cli-next/
 bun install
 ```
 
-2. Create a `.env` file in the project root:
+2. Create a `.env.local` file in the project root:
 
 ```
 SENTRY_CLIENT_ID=your-sentry-oauth-client-id
-SENTRY_CLIENT_SECRET=your-sentry-oauth-client-secret
 ```
 
-Get these from your Sentry OAuth application settings.
-
-## Running Locally
-
-Open two terminal windows:
+Get the client ID from your Sentry OAuth application settings.
 
-**Terminal 1 - OAuth Proxy:**
+**Note:** No client secret is needed - the CLI uses OAuth 2.0 Device Authorization Grant (RFC 8628) which is designed for public clients.
 
-```bash
-cd apps/oauth-proxy
-bun run dev
-```
-
-This starts the proxy on `http://127.0.0.1:8723` (matching your Sentry OAuth app's redirect URI).
-
-**Terminal 2 - CLI:**
+## Running Locally
 
 ```bash
 cd packages/cli
-SENTRY_OAUTH_PROXY_URL=http://127.0.0.1:8723 bun run src/bin.ts auth login
+bun run --env-file=../../.env.local src/bin.ts auth login
 ```
 
 ## Testing the Device Flow
 
-1. Start the OAuth proxy (see above)
-
-2. Run the CLI login command:
+1. Run the CLI login command:
 
 ```bash
 cd packages/cli
-SENTRY_OAUTH_PROXY_URL=http://127.0.0.1:8723 bun run src/bin.ts auth login
+bun run --env-file=../../.env.local src/bin.ts auth login
 ```
 
-3. You'll see output like:
+2. You'll see output like:
 
 ```
 Starting authentication...
 
-To authenticate, visit:
-  http://127.0.0.1:8723/device/authorize
-
-And enter code: ABCD-1234
+Opening browser...
+If it doesn't open, visit: https://sentry.io/oauth/device/
+Code: ABCD-EFGH
 
-Waiting for authorization (press Ctrl+C to cancel)...
+Waiting for authorization...
 ```
 
-4. Open the URL in your browser and enter the code
-
-5. You'll be redirected to Sentry to authorize
-
-6. After authorizing, the CLI will receive the token and save it
+3. The browser will open to Sentry's device authorization page
+4. Enter the code and authorize the application
+5. The CLI will automatically receive the token and save it
 
 ## Sentry OAuth App Configuration
 
-When creating your Sentry OAuth application, set:
-
-- **Redirect URI**:
+When creating your Sentry OAuth application:
 
-  - For local development: `http://127.0.0.1:8723/callback`
-  - For production: `https://your-vercel-app.vercel.app/callback`
-
-- **Scopes**: Select the scopes your CLI needs:
+- **Redirect URI**: Not required for device flow
+- **Scopes**: The CLI requests these scopes:
   - `project:read`, `project:write`
   - `org:read`
   - `event:read`, `event:write`
@@ -102,28 +77,25 @@ When creating your Sentry OAuth application, set:
 
 ## Environment Variables
 
-### OAuth Proxy
-
-| Variable               | Description                    |
-| ---------------------- | ------------------------------ |
-| `SENTRY_CLIENT_ID`     | Sentry OAuth app client ID     |
-| `SENTRY_CLIENT_SECRET` | Sentry OAuth app client secret |
+| Variable           | Description                          | Default              |
+| ------------------ | ------------------------------------ | -------------------- |
+| `SENTRY_CLIENT_ID` | Sentry OAuth app client ID           | (required)           |
+| `SENTRY_URL`       | Sentry instance URL (for self-hosted)| `https://sentry.io`  |
 
-### CLI
+## Building
 
-| Variable                 | Description     | Default                        |
-| ------------------------ | --------------- | ------------------------------ |
-| `SENTRY_OAUTH_PROXY_URL` | OAuth proxy URL | `https://sry-oauth.vercel.app` |
+```bash
+cd packages/cli
+bun run build
+```
 
-## Deploying the OAuth Proxy
+## Architecture
 
-```bash
-cd apps/oauth-proxy
-bunx vercel
+The CLI uses the OAuth 2.0 Device Authorization Grant ([RFC 8628](https://datatracker.ietf.org/doc/html/rfc8628)) for authentication. This flow is designed for CLI tools and other devices that can't easily handle browser redirects:
 
-# Set environment variables in Vercel dashboard or via CLI:
-bunx vercel env add SENTRY_CLIENT_ID
-bunx vercel env add SENTRY_CLIENT_SECRET
-```
+1. CLI requests a device code from Sentry
+2. User is shown a code and URL to visit
+3. CLI polls Sentry until the user authorizes
+4. CLI receives access token and stores it locally
 
-After deployment, update the default `OAUTH_PROXY_URL` in `packages/cli/src/lib/oauth.ts` to your Vercel URL.
+No proxy server is needed - the CLI communicates directly with Sentry.

README.md

@@ -61,19 +61,15 @@ sentry api /organizations/ --include                    # Show headers
 
 ## Development
 
-This is a Turborepo monorepo with:
-- `packages/cli` - The Sentry CLI
-- `apps/oauth-proxy` - OAuth proxy server (deployed on Vercel)
-
 ```bash
 bun install
-bun run dev --help                    # Run CLI in dev mode
-
-# Build
 cd packages/cli
-bun run build                         # Build binary
+bun run --env-file=../../.env.local src/bin.ts --help    # Run CLI in dev mode
+bun run build                                             # Build binary
 ```
 
+See [DEVELOPMENT.md](DEVELOPMENT.md) for detailed development instructions.
+
 ## Config
 
 Stored in `~/.sentry-cli-next/config.json` (mode 600).