
feat: Implement strict trace continuation #4981

Open. giortzisg wants to merge 4 commits into main from feat/strict-trace-continuation-v2


@giortzisg

Summary

Implements strict trace continuation to validate org IDs in distributed traces, preventing trace continuation from unknown third-party services.

  • Parse org_id from DSN host (e.g., o1 in https://key@o1.ingest.us.sentry.io/123 yields org ID "1")
  • Add OrgId config option to manually override DSN-parsed value
  • Add StrictTraceContinuation bool config option (default false)
  • Propagate sentry-org_id in outgoing baggage via DynamicSamplingContext
  • Validate org IDs in Hub.ContinueTrace():
    • Mismatched org IDs always start a new trace (regardless of setting)
    • Missing incoming org_id + StrictTraceContinuation: true -> start new trace
    • Missing incoming org_id + StrictTraceContinuation: false -> continue trace (default behavior)

Changes

Source files:

  • src/Sentry/Dsn.cs - Parse org ID from DSN host subdomain
  • src/Sentry/SentryOptions.cs - Add StrictTraceContinuation and OrgId options, GetEffectiveOrgId() helper
  • src/Sentry/DynamicSamplingContext.cs - Add org_id to outgoing baggage in all DSC factory methods
  • src/Sentry/Internal/Hub.cs - Add ShouldContinueTrace() validation logic in ContinueTrace()

Test files:

  • test/Sentry.Tests/Protocol/DsnTests.cs - Tests for DSN org ID parsing
  • test/Sentry.Tests/HubTests.cs - Comprehensive [Theory] tests for all org ID validation scenarios

Snapshot files:

  • Updated 4 API approval snapshot files with new OrgId and StrictTraceContinuation properties

References

Closes #4963
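
The decision rules listed in the description above, as an added C# example that is not code from this PR or from the Sentry SDK. The class and method names are hypothetical, the DSN and baggage values are constructed, and the handling of a missing SDK-side org ID is an assumption the page does not state.

```csharp
#nullable enable
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Hypothetical helper illustrating the rules; not the SDK's implementation.
static class TraceContinuation
{
    // "o1.ingest.us.sentry.io" -> "1"; null when the host has no o<digits> label.
    public static string? OrgIdFromDsn(string dsn)
    {
        var m = Regex.Match(new Uri(dsn).Host, @"^o([0-9]+)\.");
        return m.Success ? m.Groups[1].Value : null;
    }

    // Extract sentry-org_id from an incoming baggage header, if present.
    public static string? OrgIdFromBaggage(string? baggage) =>
        baggage?.Split(',')
            .Select(item => item.Trim().Split('=', 2))
            .Where(kv => kv.Length == 2 && kv[0] == "sentry-org_id")
            .Select(kv => kv[1])
            .FirstOrDefault();

    public static bool ShouldContinue(string? sdkOrgId, string? incomingOrgId, bool strict)
    {
        // Both known: a mismatch starts a new trace regardless of the setting.
        if (sdkOrgId != null && incomingOrgId != null)
            return sdkOrgId == incomingOrgId;
        // Assumption (not stated on the page): nothing to compare, so continue.
        if (sdkOrgId == null && incomingOrgId == null)
            return true;
        // One side missing: only strict mode rejects the incoming trace.
        return !strict;
    }
}

static class Program
{
    static void Main()
    {
        var sdkOrgId = TraceContinuation.OrgIdFromDsn("https://key@o1.ingest.us.sentry.io/123");
        // Constructed baggage headers: matching org, foreign org, no org_id, no header.
        string?[] headers = { "sentry-trace_id=abc,sentry-org_id=1", "sentry-org_id=2", "sentry-trace_id=abc", null };
        foreach (var strict in new[] { false, true })
            foreach (var header in headers)
            {
                var incoming = TraceContinuation.OrgIdFromBaggage(header);
                var shown = incoming ?? "none";
                var result = TraceContinuation.ShouldContinue(sdkOrgId, incoming, strict);
                Console.WriteLine($"strict={strict} incoming={shown} continue={result}");
            }
    }
}
```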

Add org ID validation to distributed trace continuation to prevent
traces from being continued across different Sentry organizations.

- Parse org ID from DSN host (e.g., o1.ingest.us.sentry.io -> "1")
- Add OrgId option to SentryOptions to override DSN-parsed value
- Add StrictTraceContinuation bool option (default false)
- Propagate sentry-org_id in outgoing baggage via DynamicSamplingContext
- Validate org IDs in Hub.ContinueTrace:
  - Mismatched org IDs always start new trace (regardless of setting)
  - Missing incoming org_id + strict=true -> start new trace
  - Missing incoming org_id + strict=false -> continue trace (default)
- Add comprehensive tests for all org ID validation scenarios
- Update API approval snapshots

Closes #4963

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
Contributor

github-actions bot commented Mar 4, 2026

Semver Impact of This PR

None (no version bump detected)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


Breaking Changes 🛠

  • The _Metrics_ APIs are now stable: removed Experimental from SentrySdk, SentryOptions and IHub by Flash0ver in #5023

Features ✨

  • Report a new _Diagnostic_ (SENTRY1001) when a Metrics-API is invoked with an unsupported numeric type by Flash0ver in #4840
  • feat: Implement strict trace continuation by giortzisg in #4981

Fixes 🐛

  • fix: include Data set via ITransactionTracer in SentryTransaction by Flash0ver in #4148
  • fix: CaptureFeedback now applies event processors by jamescrosswell in #4942

Dependencies ⬆️

Deps

  • chore(deps): update Cocoa SDK to v9.7.0 by github-actions in #5015
  • chore(deps): update Java SDK to v8.35.0 by github-actions in #5017
  • chore(deps): replaced the heavy protobuf-javalite 3.25.8 dependency with a light-weight epitaph 0.1.0 alternative on Android (getsentry/sentry-java#5157) by github-actions in #5017
  • chore(deps): update CLI to v3.3.3 by github-actions in #5002
  • chore(deps): update Cocoa SDK to v9.6.0 by github-actions in #4958

Other

  • ref: Use .NET 6.0 ArgumentNullException throw helpers by copilot-swe-agent in #4985

🤖 This preview updates automatically when you update the PR.

@github-actions
Contributor

github-actions bot commented Mar 4, 2026

Messages
📖 Do not forget to update Sentry-docs with your feature once the pull request gets approved.

Generated by 🚫 dangerJS against b178f46

…ion to CreateFromHeaders

- Add CHANGELOG.md entry for strict trace continuation feature (#4981)
- Fix CS8632 build error by adding #nullable enable before test methods
  using string? parameters in HubTests.cs
- Add org ID mismatch validation directly in
  SentryPropagationContext.CreateFromHeaders so it starts a new trace
  when SDK and baggage org IDs don't match
- Pass effective org ID from Hub.ContinueTrace to CreateFromHeaders
- Add CreateFromHeaders_WithOrgMismatch_StartsNewTrace and
  CreateFromHeaders_WithOrgMatch_ContinuesTrace tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jamescrosswell
Collaborator

@giortzisg I've added some context to AGENTS.md in #5035, which should give the agent enough context to be able to correct this PR (once that's been merged into main/this PR).

@codecov

codecov bot commented Mar 19, 2026

Codecov Report

❌ Patch coverage is 94.82759% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.07%. Comparing base (a4a8ded) to head (2366084).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
src/Sentry/SentryOptions.cs 71.42% 1 Missing and 1 partial ⚠️
src/Sentry/SentryPropagationContext.cs 85.71% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4981      +/-   ##
==========================================
+ Coverage   74.03%   74.07%   +0.04%     
==========================================
  Files         499      499              
  Lines       18044    18100      +56     
  Branches     3510     3527      +17     
==========================================
+ Hits        13358    13408      +50     
- Misses       3830     3832       +2     
- Partials      856      860       +4     


@jamescrosswell marked this pull request as ready for review March 19, 2026 21:41
@jamescrosswell
Collaborator

@giortzisg / @Flash0ver this looks good to me. OK to merge?


@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


logger?.LogInfo("Org ID mismatch (SDK: {0}, baggage: {1}). Starting new trace.", sdkOrgId, baggageOrgId);
return new SentryPropagationContext();
}
}
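
Review bot: the LogInfo call on the mismatch path formats baggageOrgId into the message unmodified, and by its name and the "baggage: {1}" text that value is taken from the incoming baggage, so it is controlled by whoever sent the request. Consider checking that it has the expected org ID shape, or truncating it and stripping control characters, before it reaches the logger, so a crafted header cannot put misleading or oversized entries into the SDK diagnostics. The visible lines also do not show whether this early return is covered by a test that asserts a fresh trace ID is generated; if not, one should be added alongside it.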

Duplicate org ID validation creates inconsistent defense layers

Medium Severity

The org ID mismatch check in CreateFromHeaders duplicates logic already in Hub.ShouldContinueTrace(). Since CreateFromHeaders is only called from Hub.ContinueTrace() (confirmed by grep), and the Hub already nulls both headers when validation fails, this check is unreachable dead code in practice. Worse, the CreateFromHeaders version is incomplete — it handles only the mismatch case but not StrictTraceContinuation scenarios (missing org IDs). This inconsistency creates maintenance risk if one check is updated without the other, and could mislead developers into thinking CreateFromHeaders provides complete org ID validation.



Development

Successfully merging this pull request may close these issues.

Implement strict trace continuation (org_id validation)

3 participants