fix(resolve): address review comments and add tests for fuzzy project recovery

[BYK]

Summary

Follow-up to PR #728 — addresses 3 missed review comments and adds unit tests for patch coverage.

Review fixes

• Seer (misleading error after recovery): tryFuzzyProjectRecovery now returns a discriminated result type (match | suggestions | none) instead of logging/throwing. Callers only warn after confirming the recovered project is accessible.
• Seer (recursive call references wrong slug): If the recursive handleProjectSearch call fails, the error references the original slug the user typed, not the recovered one.
• Cursor (JSON mode gets exception): When multiple fuzzy matches are found, suggestions are returned instead of thrown — callers pass them to ResolutionError for human mode or return { items: [] } for JSON mode.

Coverage

• 8 new unit tests for tryFuzzyProjectRecovery covering: single match, multiple matches, no matches, empty orgs, API failures, cross-org search, slug deduplication, partial org failures

[github-actions]

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

New Features ✨

• (cli) Add sentry cli defaults command for persistent settings by BYK in #721

Bug Fixes 🐛

Resolve

• Address review comments and add tests for fuzzy project recovery by BYK in #732

• Fuzzy auto-recovery for project slug resolution by BYK in #728

Upgrade

• Detect npm install method from node_modules path by BYK in #723
• Add shell option on Windows for .cmd package managers by BYK in #722

Other

• (dashboard) Remove overly restrictive dataset-display cross-validation by BYK in #720
• (init) Remove JSON minification that breaks edit-based codemods by betegon in #719
• (issue) Support share issue URLs by BYK in #718
• (issue-list) Auto-correct AND and reject OR in --query to prevent 400 by BYK in #727
• (telemetry) Rename isClientApiError to isUserApiError and exclude 400 by BYK in #729

Internal Changes 🔧

• Regenerate skill files by github-actions[bot] in ca16b2ff

---

_{🤖 This preview updates automatically when you update the PR.}

[github-actions]

PR Preview Action v1.8.1
🚀 View preview at https://cli.sentry.dev/_preview/pr-732/
Built to branch gh-pages at 2026-04-13 15:56 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[github-actions]

Codecov Results 📊

✅ 134 passed | Total: 134 | Pass Rate: 100% | Execution Time: 0ms

📊 Comparison with Base Branch

Metric	Change
Total Tests	—
Passed Tests	—
Failed Tests	—
Skipped Tests	—

✨ No test changes detected

All tests are passing successfully.

❌ Patch coverage is 66.15%. Project has 1632 uncovered lines.
✅ Project coverage is 95.25%. Comparing base (base) to head (head).

Files with missing lines (2)

File	Patch %	Lines
src/lib/resolve-target.ts	65.12%	⚠️ 15 Missing
src/lib/org-list.ts	68.18%	⚠️ 7 Missing

Coverage diff

@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
+ Coverage    95.19%    95.25%    +0.06%
==========================================
  Files          234       234         —
  Lines        34349     34355        +6
  Branches         0         0         —
==========================================
+ Hits         32697     32723       +26
- Misses        1652      1632       -20
- Partials         0         0         —

---

Generated by Codecov Action

[sentry]

Bug: The resolveOrgProjectTarget function logs a fuzzy-match warning before verifying project accessibility, leading to potentially misleading warnings followed by permission errors.
_{Severity: MEDIUM}

Suggested Fix

Before logging the fuzzy match warning in resolveOrgProjectTarget, add a call to getProject() to verify that the user has access to the recovered project. The warning should only be logged if the accessibility check succeeds, which would align its behavior with the resolveProjectBySlug function.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/lib/resolve-target.ts#L1493-L1496

Potential issue: In the `resolveOrgProjectTarget` function, when a fuzzy project match
is found, a warning is logged to the user before verifying that the user has access to
the recovered project. This is inconsistent with another code path in the same PR,
`resolveProjectBySlug`, which correctly verifies access first. This can lead to a
confusing user experience where a user is told a similar project will be used, but then
the command fails with a permission error because the recovered project is inaccessible
to them.

[BYK]

Valid observation about the inconsistency. In this code path (resolveOrgProjectTarget), the function returns just { org, project } — it doesn't need projectData and doesn't call getProject. The downstream command (trace/span/log list) will make its own API call and surface any permission error directly.

Adding a getProject check here would add an extra API call on a path that works ~99% of the time (fuzzy match found = project exists in that org). The risk is a brief misleading warning followed by a clear 403 error. I'll leave this as-is for now since the edge case is very narrow and the downstream error is still actionable.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit b9e42a5. Configure here.}

[cursor]

Fuzzy recovery warns without verifying project accessibility

Medium Severity

resolveOrgProjectTarget emits the "Using similar project" log.warn() and returns the fuzzy-matched slugs without first verifying that the recovered project is accessible. In contrast, resolveProjectBySlug correctly calls getProject() via withAuthGuard and only warns after confirming proj.ok. If the matched project turns out to be inaccessible, the user sees a misleading recovery message followed by an unrelated downstream error. The same issue exists in tryFuzzyRecoveryForList, which warns before the caller's recursive handleProjectSearch call verifies the project. The PR description explicitly states "callers only warn after confirming the recovered project is accessible."

Additional Locations (1)

• src/lib/org-list.ts#L673-L678

 

^{Reviewed by Cursor Bugbot for commit b9e42a5. Configure here.}

[BYK]

Same point as the Seer comment above — replied there with rationale. resolveOrgProjectTarget returns { org, project } without needing projectData, and the downstream command's API call will surface any permission error directly. Adding a getProject() check here would add an extra API call for a very narrow edge case.

For tryFuzzyRecoveryForList in org-list.ts, the caller's recursive handleProjectSearch does call findProjectsBySlug which verifies the project exists. If it doesn't exist, the recursion guard (_isRecoveryAttempt=true) prevents looping and falls through to the error.