
fix(auth): only treat 401/403 as an invalid token on login (CLI-19) #1153

Merged
BYK merged 1 commit into main from byk/fix/auth-login-token-validation on Jun 27, 2026

Conversation

BYK (Member) commented Jun 26, 2026

Summary

sentry auth login --token <t> saves the token and validates it via
getUserRegions(). The validation was wrapped in a blind catch {} that, on
any failure, cleared the token and threw AuthError("invalid", "Invalid API token…").

So a transient network blip, a 5xx server error, or a parse failure was:

  • reported to the user as a bad token (misleading — the token may be fine),
  • discarded (no diagnostics — a silent-catch anti-pattern flagged by
    AGENTS.md), and
  • caused a possibly-valid token to be wiped.

This made CLI-19 a catch-all bucket (~90 users).

Fix

  • Discriminate the failure (handleTokenValidationError): only a 401/403
    ApiError means the supplied token is invalid/insufficient — clear it and
    raise AuthError("invalid"). Any other error keeps the token and is re-thrown
    unchanged, so the user sees the real failure and it's classified accurately
    (network → silenced per CLI-16W; 5xx → captured as a real server issue).
  • Silence all AuthError reasons in classifySilenced instead of just
    not_authenticated/expired. Now that invalid is precise (a genuine
    bad-token user error), all three are expected auth states the user must act
    on — not CLI bugs. Volume stays visible via the cli.error.silenced metric.

Extracted the discrimination into a helper to keep func under the cognitive
complexity limit.

Test plan

  • login: 401 → clears auth + throws AuthError; non-401 (503) → keeps token
    and re-throws the original cause (new test).
  • classifySilenced / reportCliError: AuthError("invalid") → silenced
    (auth_expected, auth_reason: invalid) instead of captured.
  • vitest run test/lib/{errors,error-reporting,telemetry}.test.ts test/commands/auth/
    → 326 passed; biome check clean.

Fixes CLI-19

`sentry auth login --token` validated the token via getUserRegions() and
wrapped ANY failure in a blind `catch {}` that cleared the token and threw
"Invalid API token". So a transient network blip or a 5xx server error was
reported to the user as a bad token (misleading), discarded the real cause
(no diagnostics — a silent-catch anti-pattern), and wiped a possibly-valid
token. This made CLI-19 a catch-all bucket (~90 users).

- Discriminate the failure: only a 401/403 ApiError means the supplied
  token is invalid/insufficient — clear it and raise AuthError("invalid").
  Any other error keeps the token and is re-thrown unchanged, so the user
  sees the real failure and it is classified accurately.
- Now that "invalid" is precise (a genuine bad-token user error, like
  not_authenticated/expired), silence all AuthError reasons in
  classifySilenced instead of just two — these are expected auth states,
  not CLI bugs. Volume stays visible via the cli.error.silenced metric.
linear-code (Bot) commented Jun 26, 2026

CLI-19

github-actions (Bot) added the "risk: medium" label (PR risk score: medium) on Jun 26, 2026

github-actions (Bot, Contributor) commented:
PR Preview Action v1.8.1

🚀 View preview at
https://cli.sentry.dev/_preview/pr-1153/

Built to branch gh-pages at 2026-06-27 00:00 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

github-actions (Bot, Contributor) commented:

Codecov Results 📊

✅ Patch coverage is 100.00%. Project has 5132 uncovered lines.
✅ Project coverage is 81.47%. Comparing base (base) to head (head).

Coverage diff
@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
+ Coverage    81.47%    81.47%        —%
==========================================
  Files          397       397         —
  Lines        27699     27702        +3
  Branches     17989     17991        +2
==========================================
+ Hits         22568     22570        +2
- Misses        5131      5132        +1
- Partials      1861      1862        +1

Generated by Codecov Action

@BYK BYK merged commit 19ba49c into main Jun 27, 2026
28 checks passed
@BYK BYK deleted the byk/fix/auth-login-token-validation branch June 27, 2026 00:09