Merge branch 'master' into feat-reorder-sidebar

Author: markstory

apps/changelog/package.json

@@ -21,7 +21,7 @@
     "@radix-ui/react-icons": "^1.3.0",
     "@radix-ui/react-toolbar": "^1.0.4",
     "@radix-ui/themes": "^2.0.3",
-    "@sentry/nextjs": "8.34.0",
+    "@sentry/nextjs": "8.36.0-beta.0",
     "@spotlightjs/spotlight": "^2.1.1",
     "next": "15.0.0-rc.1",
     "next-auth": "^4.24.5",
@@ -63,4 +63,4 @@
     "@types/react": "npm:[email protected]",
     "@types/react-dom": "npm:[email protected]"
   }
-}
+}

develop-docs/backend/api/public.mdx

@@ -436,7 +436,7 @@ within that endpoint can change at any time. This is a relic from migrating the
 our prior approach. Note that, going forward, we recommend new endpoints always provide response
 schema.
 
-** Can customers use private endpoints?**
+**Can customers use private endpoints?**
 
 Yes, if they wish. However private endpoints are liable to change without notice at any time,
 potentially breaking the customer's code. Please be careful using them.

develop-docs/sdk/philosophy.mdx

@@ -5,6 +5,10 @@ sidebar_order: 2
 
 This document sets some general guidance for how to approach SDK development at Sentry. It should aid both internal and external developers to understand what motivations go into the design of the SDKs and why we're deciding in certain ways.
 
+## Trust is #1
+
+Sentry’s mission is to “Enable developers to ship with confidence” and their journey always starts with our SDKs. Above everything else, we need to make sure that our customers can rely on the stability of our SDKs because they depend on them. We are committed to having the most stable SDKs on the market and will own up to our mistakes with transparency and clarity.
+
 ## Dependencies Cost
 
 Dependencies come with a cost and that cost is high. Every dependency we use increases the surface area of the SDK and add more licensing, maintenance and security concerns. We understand that dependencies are necessary for supporting integrations, but dependencies must never be required for the base line functionality of an SDK. Obviously every rule also has exceptions and on some platforms we won't be able to work without a base level of dependencies. A good example is Python where we require an external library for HTTP requests to safely send HTTP requests.

docs/platforms/android/session-replay/index.mdx

@@ -94,34 +94,41 @@ Sampling begins as soon as a session starts. `sessionSampleRate` is evaluated fi
 
 ## Privacy
 
-The SDK is recording and aggressively redacting all text and images. We plan to add fine controls for redacting, but in this version, we just allow either on or off. The default is on. Please don’t turn it off if you have sensitive data in your app. Before the Beta is complete, we'll give you the controls you need.
+The SDK is recording and aggressively masking all text, images and webviews. Please don’t turn it off if you have sensitive data in your app.
+However, if you're working on a mobile app that's free of PII or other types of private data, you can opt out of the default text and image masking settings. To learn more about Session Replay privacy, [read our docs](/platforms/android/session-replay/privacy/).
 
 <Note>
 
-Jetpack Compose views are not yet redacted. This is being [tracked here](https://github.com/getsentry/sentry-java/issues/3577).
-If you encounter any other data not being redacted with the default settings, please let us know through a [GitHub issue](https://github.com/getsentry/sentry-java/issues/new?assignees=&labels=Platform%3A+Android%2CType%3A+Bug&projects=&template=bug_report_android.yml).
+If you find that any other data isn't being masked with the default settings, please let us know by creating a [GitHub issue](https://github.com/getsentry/sentry-java/issues/new?assignees=&labels=Platform%3A+Android%2CType%3A+Bug&projects=&template=bug_report_android.yml).
 
 </Note>
 
-To disable redaction altogether (not to be used on applications with sensitive data):
+To disable masking altogether (not to be used on applications with sensitive data):
 
 ```kotlin
-options.experimental.sessionReplay.redactAllText = false
-options.experimental.sessionReplay.redactAllImages = false
+options.experimental.sessionReplay.maskAllText = false
+options.experimental.sessionReplay.maskAllImages = false
+// if you're on version < 7.15.0
+// options.experimental.sessionReplay.redactAllText = false
+// options.experimental.sessionReplay.redactAllImages = false
 ```
 
 ## Error Linking
 
-Errors that happen on the page while a replay is running will be linked to the replay, making it possible to jump between related issues and replays. However, it's **possible** that in some cases the error count reported on the **Replays Details** page won't match the actual errors that have been captured. That's because errors can be lost, and while this is uncommon, there are a few reasons why it could happen:
+Errors that happen while a replay is running will be linked to the replay, making it possible to jump between related issues and replays. However, it's **possible** that in some cases the error count reported on the **Replays Details** page won't match the actual errors that have been captured. That's because errors can be lost, and while this is uncommon, there are a few reasons why it could happen:
 
 - The replay was rate-limited and couldn't be accepted.
 - The replay was deleted by a member of your org.
 - There were network errors and the replay wasn't saved.
 
 ## FAQ
 
+Q: Why are parts of my replay not masked?
+A: Text fields, input fields, images, video players and webviews are all masked by default. Local assets, such as colors or vector drawables, aren't masked because the likelihood of these assets containing PII is low. If you encounter a view/component that should be masked by default, consider opening a [GitHub issue](https://github.com/getsentry/sentry-java/issues).
+
 Q: Does Session Replay work with Jetpack Compose?
-A: Yes, but we're still adding support for redaction for Jetpack Compose views. Redaction will be added during the Beta program and after GA these views will be masked by default.
+A: Yes, by default, text, input field, and image composables should be masked. Masking within embedded Android views (`AndroidView`)
+in Compose isn't currently supported. If you encounter composables that aren't masked but should be, consider opening a [GitHub issue](https://github.com/getsentry/sentry-java/issues).
 
 Q: What's the lowest version of Android supported?
 A: Recording only happens on Android 8 (API level 26) or newer. For devices running an older version, SDK features other than recording work normally.

docs/platforms/android/session-replay/privacy/img/session-replay-redacted.jpg

@@ -0,0 +1,155 @@
+---
+title: Privacy
+sidebar_order: 5501
+notSupported:
+description: "Learn how to mask parts of your app's data in Session Replay."
+---
+
+<Alert>
+
+Using custom masking in your Session Replays may accidentally expose sensitive customer data. Before publishing an App with Session Replay enabled, make sure to test it thoroughly to ensure that no sensitive data is exposed.
+
+
+</Alert>
+
+By default, our Session Replay SDK masks all text content, images, webviews, and user input. This helps ensure that no sensitive data is exposed. You can also manually choose which parts of your app's data you want to mask by using the different options listed below.
+
+To disable the default masking behavior (not to be used on applications with sensitive data):
+
+```kotlin
+options.experimental.sessionReplay.maskAllText = false
+options.experimental.sessionReplay.maskAllImages = false
+// if you're on version < 7.15.0
+// options.experimental.sessionReplay.redactAllText = false
+// options.experimental.sessionReplay.redactAllImages = false
+```
+
+|Session Replay Unmasked        |  Session Replay Masked                   |
+|:-----------------------------:|:---------------------------------------: |
+|![session replay unmasked](./img/session-replay.jpg)  |![session replay masked](./img/session-replay-redacted.jpg) |
+
+
+_Make sure your Sentry Android SDK version is at least 7.15.0._
+
+## Mask by View Class
+
+You can choose which type of view you want to mask or unmask by using the `addMaskViewClass` or `addUnmaskViewClass` options.
+
+Let's say you have:
+- A custom view that you want to mask
+- A `TextView` subclass (which normally would be masked) that you don't want to mask
+
+You can set the options like this:
+
+```kotlin
+options.experimental.sessionReplay.addMaskViewClass("com.example.MyCustomView")
+options.experimental.sessionReplay.addUnmaskViewClass("com.example.MyCustomTextView")
+```
+
+<Note>
+
+If you're using a code obfuscation tool (R8/ProGuard), adjust your proguard rules accordingly so your custom view class names don't get minified.
+
+</Note>
+
+### Class Hierarchy
+
+The masking behavior applies to classes and their subclasses. This means if you add a view via `addMaskViewClass` (for example, `TextView`, which is the default behavior), its respective subclasses (`RadioButton`, `CheckBox`, `EditText`, and so on) will also be masked. For example, you can do the following:
+
+```kotlin
+options.experimental.sessionReplay.addMaskViewClass("android.widget.TextView") // mask TextView and all its subclasses
+options.experimental.sessionReplay.addUnmaskViewClass("android.widget.RadioButton") // but unmask RadioButton and all its subclasses
+```
+
+## Mask by View Instance
+
+You can also choose to mask or unmask a specific view instance by using tags like this:
+
+```xml
+<View
+  android:id="@+id/my_view"
+  android:layout_width="wrap_content"
+  android:layout_height="wrap_content"
+  android:tag="sentry-mask|sentry-unmask"
+/>
+```
+
+```kotlin
+view.tag = "sentry-mask|sentry-unmask"
+```
+
+If your view already has a tag assigned, you can set the masking tag by a sentry-specific id:
+
+```xml
+<View
+  android:id="@+id/my_view"
+  android:layout_width="wrap_content"
+  android:layout_height="wrap_content">
+
+  <tag android:id="@id/sentry_privacy" android:value="mask|unmask"/>
+</View>
+```
+
+```kotlin
+  view.setTag(io.sentry.android.replay.R.id.sentry_privacy, "mask|unmask")
+```
+
+We also provide convenient extension functions for Kotlin:
+
+```kotlin
+view.sentryReplayMask()
+// or
+view.sentryReplayUnmask()
+```
+
+## Jetpack Compose
+
+We only support masking specific composables in Jetpack Compose. Since composables are functions, not classes, masking by view class isn't possible.
+
+In the example below, we want the "Hello" message to be captured in the replay, but not the custom composable. (By default, all text composables are masked.)
+
+```kotlin
+import io.sentry.android.replay.sentryReplayMask
+import io.sentry.android.replay.sentryReplayUnmask
+
+Column(
+  verticalArrangement = Arrangement.Center,
+  horizontalAlignment = Alignment.CenterHorizontally,
+  modifier = Modifier.fillMaxSize()
+) {
+  MyCustomComposable(
+    modifier = Modifier.fillMaxWidth().sentryReplayMask()
+    ...
+  )
+  Text("Hello", modifier = Modifier.sentryReplayUnmask())
+}
+```
+
+Currently, we don't support masking anything within embedded Android views (`AndroidView`), but you can still mask the entire view as follows:
+
+```kotlin
+import io.sentry.android.replay.sentryReplayMask
+
+AndroidView(
+  modifier = Modifier.sentryReplayMask(),
+  factory = { context -> ... }
+)
+```
+
+## General Masking Rules
+
+
+### View Groups
+
+- If a `ViewGroup` is marked as masked, **all its child views will also be masked**, even if some views would normally not be masked. This prioritizes safety and ensures no sensitive information is unintentionally exposed.
+
+- If a `ViewGroup` is marked as unmasked, **its child views don't automatically inherit this behavior**. You'll need to explicitly mark each child view as unmasked if you want them to appear in the replay.
+
+### Masking Priority
+
+Masking and unmasking rules are applied in the following order:
+
+  1. Check if a view is marked as `unmasked` via a tag/extension or function/modifier.
+  2. Check if a view is marked as `masked` via a tag/extension or function/modifier.
+  3. Check if a view's class is marked as unmasked via `addUnmaskViewClass`.
+  4. Check if a view's class is marked as masked via `addMaskViewClass`.

docs/platforms/android/session-replay/privacy/img/session-replay.jpg

@@ -139,7 +139,7 @@ This feature is experimental and may have bugs.
 
 </Note>
 
-As of version 8.37.0, you can enable AppHangsV2, which is available on iOS and tvOS. The main difference is that AppHangsV2 differentiates between fully-blocking and non-fully-blocking app hangs, which you might choose to ignore. A fully-blocking app hang is when the main thread is stuck completely, and the app can't render a single frame. A non-fully-blocking app hang is when the app appears stuck to the user, but can still render a few frames. Fully-blocking app hangs are more actionable because the stacktrace shows the exact blocking location on the main thread. Non-fully-blocking app hangs can have a stacktrace that doesn't highlight the exact blocking location, since the main thread isn't completely blocked.
+As of version 8.39.0-beta.1, you can enable AppHangsV2, which is available on iOS and tvOS. The main difference is that AppHangsV2 differentiates between fully-blocking and non-fully-blocking app hangs, which you might choose to ignore. A fully-blocking app hang is when the main thread is stuck completely, and the app can't render a single frame. A non-fully-blocking app hang is when the app appears stuck to the user, but can still render a few frames. Fully-blocking app hangs are more actionable because the stacktrace shows the exact blocking location on the main thread. Non-fully-blocking app hangs can have a stacktrace that doesn't highlight the exact blocking location, since the main thread isn't completely blocked.
 
 To enable the feature:
 

docs/platforms/android/session-replay/privacy/index.mdx

@@ -92,7 +92,7 @@ options.experimental.sessionReplay.redactAllImages = false
 
 ## Error Linking
 
-Errors that happen on the page while a replay is running will be linked to the replay, making it possible to jump between related issues and replays. However, it's **possible** that in some cases the error count reported on the **Replays Details** page won't match the actual errors that have been captured. That's because errors can be lost, and while this is uncommon, there are a few reasons why it could happen:
+Errors that happen while a replay is running will be linked to the replay, making it possible to jump between related issues and replays. However, it's **possible** that in some cases the error count reported on the **Replays Details** page won't match the actual errors that have been captured. That's because errors can be lost, and while this is uncommon, there are a few reasons why it could happen:
 
 - The replay was rate-limited and couldn't be accepted.
 - The replay was deleted by a member of your org.

docs/platforms/apple/common/configuration/app-hangs.mdx

@@ -0,0 +1,101 @@
+---
+title: Set Up Session Replay
+sidebar_order: 5500
+notSupported:
+description: "Learn how to enable the Mobile Session Replay Beta in your app."
+---
+
+<Note>
+
+Mobile support for Session Replay is in Beta. Features available in Beta are still work-in-progress and may have bugs. We recognize the irony.
+
+If you have any questions, feedback or would like to report a bug, please open a [GitHub issue](https://github.com/getsentry/sentry-dart/issues/new?template=BUG_REPORT.yml) with a link to a relevant replay in Sentry if possible.
+
+</Note>
+
+[Session Replay](/product/explore/session-replay/) helps you get to the root cause of an error or latency issue faster by providing you with a reproduction of what was happening in the user's device before, during, and after the issue. You can rewind and replay your application's state and see key user interactions, like taps, swipes, network requests, and console entries, in a single UI.
+
+By default, our Session Replay SDK masks all text content, images, and user input, giving you heightened confidence that no sensitive data will leave the device. To learn more, see [product docs](/product/explore/session-replay/).
+
+## Pre-requisites
+
+Make sure your Sentry Flutter SDK version is at least 8.9.0, which is required for Session Replay. 
+You can update your `pubspec.yaml` to the matching version:
+
+```yaml
+dependencies:
+  sentry_flutter: ^8.9.0
+```
+
+## Setup
+
+To set up the integration, add the following to your Sentry initialization:
+
+```dart
+await SentryFlutter.init(
+  (options) {
+    ...
+    options.experimental.replay.sessionSampleRate = 1.0;
+    options.experimental.replay.onErrorSampleRate = 1.0;
+  },
+  appRunner: () => runApp(MyApp()),
+);
+```
+
+## Verify
+
+While you're testing, we recommend that you set <PlatformIdentifier name="replays-session-sample-rate" /> to `1.0`. This ensures that every user session will be sent to Sentry.
+
+Once testing is complete, **we recommend lowering this value in production**. We still recommend keeping <PlatformIdentifier name="replays-on-error-sample-rate" /> set to `1.0`.
+
+## Sampling
+
+Sampling allows you to control how much of your website's traffic will result in a Session Replay. There are two sample rates you can adjust to get the replays relevant to you:
+
+1. <PlatformIdentifier name="replays-session-sample-rate" /> - The sample rate for
+   replays that begin recording immediately and last the entirety of a user's session.
+2. <PlatformIdentifier name="replays-on-error-sample-rate" /> - The sample rate for
+   replays that are recorded when an error happens. This type of replay will record
+   up to a minute of events prior to the error and continue recording until the session
+   ends.
+
+Sampling starts as soon as a session begins. The <PlatformIdentifier name="replays-session-sample-rate" /> is then evaluated. If the session is sampled, replay recording will start immediately. If not, <PlatformIdentifier name="replays-on-error-sample-rate" /> will be evaluated. If the session is sampled at this point, the replay will be buffered and will only be uploaded to Sentry if an error occurs. 
+
+## Privacy
+
+The SDK is recording and aggressively redacting (masking) all text and images, according to the configuration in `options.experimental.replay`.
+You can tune this and add custom masking rules to fit your needs. For example, you can explicitly mask or unmask widgets by type,
+or you can even have a callback to decide whether a specific widget instance should be masked:
+
+```dart
+  options.experimental.replay.mask<IconButton>();
+  options.experimental.replay.unmask<Image>();
+  options.experimental.replay.maskCallback<Text>(
+      (Element element, Text widget) =>
+          (widget.data?.contains('secret') ?? false)
+              ? SentryMaskingDecision.mask
+              : SentryMaskingDecision.continueProcessing);
+```
+
+You can find more details in the documentation for each method.
+
+<Note>
+
+If you find that data isn't being redacted with the default settings, please let us know by creating a [GitHub issue](https://github.com/getsentry/sentry-dart/issues/new?template=BUG_REPORT.yml).
+
+</Note>
+
+To disable redaction altogether (not to be used on applications with sensitive data):
+
+```dart
+  options.experimental.replay.maskAllText = false;
+  options.experimental.replay.maskAllImages = false;
+```
+
+## Error Linking
+
+Errors that happen while a replay is running will be linked to the replay, making it possible to jump between related issues and replays. However, it's **possible** that in some cases the error count reported on the **Replays Details** page won't match the actual errors that have been captured. That's because errors can be lost, and while this is uncommon, there are a few reasons why it could happen:
+
+- The replay was rate-limited and couldn't be accepted.
+- The replay was deleted by a member of your org.
+- There were network errors and the replay wasn't saved.