fix(init): reject ambiguous bare target and validate org/project slugs

Bare strings like 'sentry init acme' are ambiguous (could be org or
project slug). Now throws a ContextError with a disambiguation hint
telling users to use 'acme/' for org or 'acme/<project>' for both.

Also validates explicit org and project slugs via validateResourceId
to catch malformed input (control chars, whitespace, etc.) early
before API calls.

Author: MathurAditya724

src/commands/init.ts

@@ -7,7 +7,7 @@
  *
  * Supports org/project positional syntax to pin org and/or project name:
  *   sentry init                    — auto-detect everything
- *   sentry init acme               — explicit org, wizard picks project name
+ *   sentry init acme/              — explicit org, wizard picks project name
  *   sentry init acme/my-app        — explicit org + project name override
  *   sentry init --directory ./dir  — specify project directory
  */
@@ -18,6 +18,7 @@ import { parseOrgProjectArg } from "../lib/arg-parsing.js";
 import { buildCommand } from "../lib/command.js";
 import { ContextError } from "../lib/errors.js";
 import { runWizard } from "../lib/init/wizard-runner.js";
+import { validateResourceId } from "../lib/input-validation.js";
 
 const FEATURE_DELIMITER = /[,+ ]+/;
 
@@ -39,7 +40,7 @@ export const initCommand = buildCommand<InitFlags, [string?], SentryContext>({
       "If omitted, the org is auto-detected from config defaults.\n\n" +
       "Examples:\n" +
       "  sentry init\n" +
-      "  sentry init acme\n" +
+      "  sentry init acme/\n" +
       "  sentry init acme/my-app\n" +
       "  sentry init acme/my-app --directory ./my-project\n" +
       "  sentry init --directory ./my-project",
@@ -50,7 +51,7 @@ export const initCommand = buildCommand<InitFlags, [string?], SentryContext>({
       parameters: [
         {
           placeholder: "target",
-          brief: "<org>/<project>, <org>, or omit for auto-detect",
+          brief: "<org>/<project>, <org>/, or omit for auto-detect",
           parse: String,
           optional: true,
         },
@@ -115,15 +116,14 @@ export const initCommand = buildCommand<InitFlags, [string?], SentryContext>({
         explicitProject = parsed.project;
         break;
       case "org-all":
-        // "acme/" or bare "acme" — org only, no project name override
         explicitOrg = parsed.org;
         break;
       case "project-search":
-        // Bare string without "/" — could be an org slug or a project name.
-        // Treat it as an org slug since `sentry init <org>` is the primary use case.
-        // Users who want to override the project name should use org/project syntax.
-        explicitOrg = parsed.projectSlug;
-        break;
+        // Bare string without "/" is ambiguous — could be an org or project slug.
+        // Require the trailing slash to disambiguate (consistent with other commands).
+        throw new ContextError("Target", `sentry init ${parsed.projectSlug}/`, [
+          `'${parsed.projectSlug}' is ambiguous. Use '${parsed.projectSlug}/' for org or '${parsed.projectSlug}/<project>' for org + project.`,
+        ]);
       case "auto-detect":
         // No target provided — auto-detect everything
         break;
@@ -133,6 +133,14 @@ export const initCommand = buildCommand<InitFlags, [string?], SentryContext>({
       }
     }
 
+    // Validate explicit org slug format before passing to API calls
+    if (explicitOrg) {
+      validateResourceId(explicitOrg, "organization slug");
+    }
+    if (explicitProject) {
+      validateResourceId(explicitProject, "project name");
+    }
+
     await runWizard({
       directory: targetDir,
       yes: flags.yes,

test/commands/init.test.ts

@@ -8,6 +8,7 @@
 import { afterEach, beforeEach, describe, expect, spyOn, test } from "bun:test";
 import path from "node:path";
 import { initCommand } from "../../src/commands/init.js";
+import { ContextError } from "../../src/lib/errors.js";
 // biome-ignore lint/performance/noNamespaceImport: spyOn requires object reference
 import * as wizardRunner from "../../src/lib/init/wizard-runner.js";
 
@@ -193,19 +194,18 @@ describe("init command func", () => {
       expect(capturedArgs?.project).toBe("my-app");
     });
 
-    test("parses bare string as org (no project override)", async () => {
+    test("throws on bare string (ambiguous — could be org or project)", async () => {
       const ctx = makeContext();
-      await func.call(
-        ctx,
-        {
-          yes: true,
-          "dry-run": false,
-        },
-        "acme"
-      );
-
-      expect(capturedArgs?.org).toBe("acme");
-      expect(capturedArgs?.project).toBeUndefined();
+      expect(
+        func.call(
+          ctx,
+          {
+            yes: true,
+            "dry-run": false,
+          },
+          "acme"
+        )
+      ).rejects.toThrow(ContextError);
     });
 
     test("parses org/ as org-only (no project override)", async () => {
@@ -258,5 +258,39 @@ describe("init command func", () => {
       expect(capturedArgs?.project).toBe("my-app");
       expect(capturedArgs?.team).toBe("backend");
     });
+
+    test("rejects org slug with invalid characters", async () => {
+      const ctx = makeContext();
+      expect(
+        func.call(
+          ctx,
+          {
+            yes: true,
+            "dry-run": false,
+          },
+          "acme corp/"
+        )
+      ).rejects.toThrow();
+    });
+
+    test("error message for bare string includes disambiguation hint", async () => {
+      const ctx = makeContext();
+      try {
+        await func.call(
+          ctx,
+          {
+            yes: true,
+            "dry-run": false,
+          },
+          "myorg"
+        );
+        expect.unreachable("should have thrown");
+      } catch (error) {
+        expect(error).toBeInstanceOf(ContextError);
+        const msg = (error as ContextError).message;
+        expect(msg).toContain("myorg/");
+        expect(msg).toContain("myorg/<project>");
+      }
+    });
   });
 });