fix(tls): apply custom CA certificates to all fetch call sites (CLI-1KW) #966

Merged: BYK merged 1 commit into main from byk/fix-tls-all-fetch-sites, May 15, 2026

@BYK BYK commented May 15, 2026

Summary

  • Add customFetch() wrapper in custom-ca.ts that auto-injects TLS options, and apply it to all 11 previously-uncovered fetch() call sites
  • Pass caCerts through Sentry.init({ transportOptions }) for the telemetry transport (uses http.request(), not fetch())
  • Add log.debug() to previously-silent catch blocks in delta-upgrade, release-notes, and readiness modules

Problem

CLI-1K6 added custom CA certificate support for corporate TLS-intercepting proxies but only wired it into 2 of 13 fetch call sites (sentry-client.ts and oauth.ts). Users behind proxies still hit ApiError: TLS certificate error on:

  • Shared issue URL resolution (issues.ts:getSharedIssue)
  • CLI upgrade/version-check (binary.ts, ghcr.ts, delta-upgrade.ts)
  • Release notes/changelog (release-notes.ts)
  • Init wizard (wizard-runner.ts, readiness.ts)
  • Telemetry transport (telemetry.ts, zstd-transport.ts)

Approach

Rather than sprinkling ...getCustomTlsOptions() at each site, a thin customFetch() wrapper centralizes the TLS injection — easy to audit, impossible to forget for future call sites.

For the telemetry transport (which uses Node's http.request(), not fetch()), the existing options.caCerts plumbing was already in place in zstd-transport.ts but Sentry.init() never provided the value. Added getCustomCaCerts() accessor and wired it through transportOptions.

Files changed (10)

| File | Change |
|---|---|
| src/lib/custom-ca.ts | Add customFetch(), getCustomCaCerts() |
| src/lib/api/issues.ts | Use customFetch + SaaS warning + TLS error handling |
| src/lib/binary.ts | Use customFetch + TLS error branch |
| src/lib/ghcr.ts | Use customFetch at 3 call sites |
| src/lib/delta-upgrade.ts | Use customFetch + log.debug in catches |
| src/lib/release-notes.ts | Use customFetch + log.debug in catch |
| src/lib/init/wizard-runner.ts | Use customFetch in Mastra wrapper |
| src/lib/init/readiness.ts | Use customFetch + log.debug in catch |
| src/lib/telemetry.ts | Pass caCerts to Sentry.init() |
| test/lib/custom-ca.test.ts | Tests for customFetch and getCustomCaCerts |

Fixes CLI-1KW

The CLI-1K6 fix added custom CA support but only wired it into 2 of 13
fetch call sites. Users behind corporate TLS proxies still hit certificate
errors on upgrade, shared issue resolution, init wizard, and telemetry.

Add customFetch() wrapper in custom-ca.ts and apply it to all remaining
bare fetch() calls. For the telemetry transport (uses http.request()),
pass caCerts through Sentry.init() transportOptions.

Also adds log.debug() to previously-silent catch blocks in delta-upgrade,
release-notes, and readiness modules.
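
A guard that keeps future call sites from bypassing the wrapper described above, as an added example that is not part of this PR or the project's code: it scans source text for bare fetch() calls outside the wrapper module. The function names, the allowlist and the sample sources are assumptions constructed for illustration.

```typescript
// Added example: guard that reports bare fetch() calls outside the wrapper module.
// ALLOWED_FILES and SAMPLE_SOURCES are assumptions constructed for illustration.
const ALLOWED_FILES: string[] = ["src/lib/custom-ca.ts"];

// `fetch(` or `globalThis.fetch(` not preceded by an identifier character or a
// dot, so `prefetch(` and `client.fetch(` are skipped; `customFetch(` differs in case.
const BARE_FETCH = /(^|[^\w$.])(globalThis\.)?fetch\s*\(/;

interface Finding {
  file: string;
  line: number;
  text: string;
}

// Heuristic: blank out comments (keeping line numbers) so commented-out calls
// are ignored. `//` directly after `:` is kept so URLs in strings survive.
function stripComments(source: string): string {
  return source
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/(^|[^:])\/\/.*$/gm, "$1");
}

function findBareFetchCalls(sources: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const file of Object.keys(sources)) {
    if (ALLOWED_FILES.indexOf(file) !== -1) continue;
    const lines = stripComments(sources[file] ?? "").split("\n");
    lines.forEach((text, index) => {
      if (BARE_FETCH.test(text)) {
        findings.push({ file, line: index + 1, text: text.trim() });
      }
    });
  }
  return findings;
}

// Constructed sample sources, not taken from the repository.
const SAMPLE_SOURCES: Record<string, string> = {
  "src/lib/custom-ca.ts": "export const customFetch = (u: string) => fetch(u);",
  "src/lib/ok.ts": "import { customFetch } from './custom-ca';\nawait customFetch(url);",
  "src/lib/bad.ts": "// fetch(old)\nconst res = await fetch(url, { method: 'GET' });",
  "src/lib/method.ts": "const r = await client.fetch(url);",
};

for (const f of findBareFetchCalls(SAMPLE_SOURCES)) {
  console.log(`${f.file}:${f.line}: bare fetch() bypasses customFetch: ${f.text}`);
}
```

Run over the real source tree in CI, a non-empty result would fail the build; aliased references such as `const f = fetch` are outside what this text scan detects.
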
@github-actions

PR Preview Action v1.8.1

🚀 View preview at
https://cli.sentry.dev/_preview/pr-966/

Built to branch gh-pages at 2026-05-15 12:50 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

@github-actions

Codecov Results 📊

6969 passed | Total: 6969 | Pass Rate: 100% | Execution Time: 0ms

📊 Comparison with Base Branch

| Metric | Change |
|---|---|
| Total Tests | 📈 +6 |
| Passed Tests | 📈 +6 |
| Failed Tests | |
| Skipped Tests | |

All tests are passing successfully.

❌ Patch coverage is 69.35%. Project has 14094 uncovered lines.
❌ Project coverage is 77.11%. Comparing base (base) to head (head).

Files with missing lines (5)
| File | Patch % | Lines |
|---|---|---|
| src/lib/api/issues.ts | 35.29% | ⚠️ 11 Missing |
| src/lib/release-notes.ts | 40.00% | ⚠️ 3 Missing |
| src/lib/telemetry.ts | 40.00% | ⚠️ 3 Missing |
| src/lib/binary.ts | 80.00% | ⚠️ 1 Missing |
| src/lib/init/wizard-runner.ts | 50.00% | ⚠️ 1 Missing |

Coverage diff
@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
- Coverage    77.12%    77.11%    -0.01%
==========================================
  Files          320       320         —
  Lines        61522     61570       +48
  Branches         0         0         —
==========================================
+ Hits         47447     47476       +29
- Misses       14075     14094       +19
- Partials         0         0         —

Generated by Codecov Action

@BYK BYK merged commit 24eebc7 into main May 15, 2026
27 checks passed
@BYK BYK deleted the byk/fix-tls-all-fetch-sites branch May 15, 2026 12:58