fix: replace sentry cdn script injection with bundled package initialization in HyperLoader#1600

Open

aritro2002 wants to merge 2 commits into main from sentry-fix
Conversation

aritro2002 (Contributor) commented Jun 3, 2026

Type of Change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring
  • Dependency updates
  • Documentation
  • CI/CD

Description

Fixes a CSP violation that occurred when the Google Pay fullscreen iframe attempted to inject the Sentry CDN script.

Problem:

When the Google Pay button was clicked, a fullscreen iframe was mounted loading fullscreenIndex.html. This iframe includes the HyperLoader chunk (Hyper.bs.js), which at module load time attempted to dynamically inject an external <script> tag pointing to the Sentry CDN URL (https://js-de.sentry-cdn.com/...). Since fullscreenIndex.html has a strict SDK-controlled CSP meta tag and the Sentry CDN domain was not in authorizedScriptSources, the browser blocked the script with:

Loading the script 'https://js-de.sentry-cdn.com/...' violates the following Content Security Policy directive: "script-src ..."

Root Cause Analysis:

The CDN injection in Hyper.res was always redundant. Its onload callback called Sentry.initiateSentryJs which itself uses the @sentry/browser npm package — already bundled into the SDK. The CDN script was fetched but never actually used. Meanwhile, the app chunk (Index.res) always initialized Sentry correctly via the bundled package directly.

Fix:

Replaced the CDN <script> tag injection block with a direct call to Sentry.initiateSentryJs(~dsn=GlobalVars.sentryDSN), guarded by a check that sentryDSN is defined. This uses the bundled @sentry/browser package — no external network request, no CSP dependency.

Changes Summary

Modified Files:

  • src/hyper-loader/Hyper.res - Removed CDN script injection; replaced with direct call to Sentry.initiateSentryJs using bundled package
  • src/hyper-loader/Hyper.bs.js - Auto-generated from Hyper.res by ReScript compiler

How did you test it?

  • Ran npm run re:build — compiled successfully with no errors
  • Verified generated Hyper.bs.js no longer references sentryScriptUrl and calls initiateSentryJs directly
  • Manually tested Google Pay flow: fullscreen iframe mounts without CSP errors in console
  • Sentry initializes correctly in both parent page and fullscreen iframe contexts
  • Used this code snippet to generate an error:

```rescript
try {
  Js.log("kowkcwpokcfw")
  Js.Exn.raiseError("-- Sentry Test Error")
} catch {
| err => Sentry.captureException(err)
}
```

before:

Screen.Recording.2026-06-04.at.2.58.45.pm.mov

after:
https://github.com/user-attachments/assets/02eb0d9a-7b44-4449-a602-492c8e96235c

Checklist

  • I ran npm run re:build
  • I reviewed submitted code
  • I added unit tests for my changes where possible
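The script-src decision the description walks through, as an added example in JavaScript (not code from this PR or the SDK): a minimal CSP matcher that shows why a chunk served from the document's own origin loads under 'self' while an external CDN host absent from script-src is blocked. The policy string, document origin and script paths are constructed for illustration; only the js-de.sentry-cdn.com host comes from the error quoted above.

```javascript
// Added example, not code from this PR or the SDK: a minimal CSP script-src
// matcher that mirrors the decision the browser made when the meta CSP in
// fullscreenIndex.html blocked the Sentry CDN <script>. Policy, document
// origin and script URLs are constructed for illustration.

const DOC_ORIGIN = "https://checkout.example.test"; // constructed

// Constructed SDK-style policy: the Sentry CDN host is absent from script-src.
const CSP_META =
  "default-src 'none'; script-src 'self' https://pay.google.com *.gstatic.com; style-src 'self'";

// Source list for a directive; script-src falls back to default-src when it
// is not present. Returns null when neither directive exists (no restriction).
function sourceList(policy, directive) {
  const byName = new Map(
    policy.split(";")
      .map(d => d.trim().split(/\s+/))
      .filter(parts => parts[0])
      .map(([name, ...sources]) => [name.toLowerCase(), sources]));
  return byName.get(directive) ?? byName.get("default-src") ?? null;
}

// Match one source expression against a parsed URL: 'none', 'self', a bare
// scheme ("https:"), or a host-source with optional scheme and "*." prefix.
function sourceMatches(source, url, docOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === docOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  let [scheme, host] = source.includes("://") ? source.split("://") : [null, source];
  if (scheme && `${scheme.toLowerCase()}:` !== url.protocol) return false;
  host = host.split("/")[0].split(":")[0].toLowerCase(); // ignore path and port here
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// true when the script would load; false when the browser would report a
// "violates the following Content Security Policy directive" error.
function scriptAllowed(policy, scriptUrl, docOrigin = DOC_ORIGIN) {
  const sources = sourceList(policy, "script-src");
  if (sources === null) return true;
  const url = new URL(scriptUrl, docOrigin); // relative URLs resolve to the document
  return sources.some(s => sourceMatches(s, url, docOrigin));
}

// Bundled chunk served from the document origin passes; the CDN host does not.
console.log(scriptAllowed(CSP_META, "/Hyper.bs.js"));                          // true
console.log(scriptAllowed(CSP_META, "https://js-de.sentry-cdn.com/x.min.js")); // false
```

The same check also explains why the bundled @sentry/browser initialization needs no CSP change: it runs from the already-loaded chunk and issues no script request at all.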

aritro2002 self-assigned this Jun 3, 2026
aritro2002 requested a review from seekshiva as a code owner June 3, 2026 07:53
aritro2002 added the label Ready for Review Jun 3, 2026
github-actions Bot (Contributor) commented Jun 3, 2026

🚫 Missing Linked Issue

Hi 👋 This pull request does not appear to be linked to any open issue yet.

Linking your PR to an issue helps keep the project tidy and ensures the issue is closed automatically.

✔️ How to fix this

  • Add a keyword like Fixes #123 or Closes #456 to your PR description or a commit message.
  • Or link it manually using the "Linked issues" panel in the PR sidebar.

Tip: You can link multiple issues.
🚫 Note: If only one issue is linked, it must be open for this check to pass.

Once linked, this check will pass automatically on your next push or when you re-run the workflow.

Thanks for helping maintainers! 🙌

XyneSpaces left a comment

Automated PR review completed. No issues found.

XyneSpaces left a comment

💡 Sentry initialization now properly uses bundled package

Removing the CDN script injection and using the bundled @sentry/browser package directly is the correct fix for CSP violations in the fullscreen iframe context.

Verification: The change from dynamic script injection to direct Sentry.initiateSentryJs() call eliminates the external network request that was triggering CSP blocks. The typeof !== #undefined guard ensures we don't attempt initialization when Sentry is not configured.

One consideration: Ensure that the GlobalVars.sentryDSN value is properly sanitized/validated before being passed to initiateSentryJs, though this appears to be handled elsewhere in the codebase.
