fix(dashboard): normalize numeric org IDs from DSN auto-detection (#447)

When the project cache is cold, resolveOrgFromDsn returns bare numeric
org IDs (e.g., "1169445") extracted from DSN hosts. Dashboard API
endpoints reject these with 404/403, while other commands using
resolveAllTargets work because they do a full project API lookup.

Add normalizeNumericOrg() to resolveOrg() that converts bare numeric
IDs to slugs via the org regions DB cache or listOrganizationsUncached
API fallback. Also normalize explicit org args in dashboard commands
via resolveEffectiveOrg to handle o-prefixed DSN forms.

Closes #447

Author: BYK

AGENTS.md

@@ -905,6 +905,9 @@ mock.module("./some-module", () => ({
 <!-- lore:019cce8d-f2c5-726e-8a04-3f48caba45ec -->
 * **Input validation layer: src/lib/input-validation.ts guards CLI arg parsing**: Four validators in \`src/lib/input-validation.ts\` guard against agent-hallucinated inputs: \`rejectControlChars\` (ASCII < 0x20), \`rejectPreEncoded\` (%XX), \`validateResourceId\` (rejects ?, #, %, whitespace), \`validateEndpoint\` (rejects \`..\` traversal). Applied in \`parseSlashOrgProject\`, bare-slug path in \`parseOrgProjectArg\`, \`parseIssueArg\`, and \`normalizeEndpoint\` (api.ts). NOT applied in \`parseSlashSeparatedArg\` for no-slash plain IDs — those may contain structural separators (newlines for log view batch IDs) that callers split downstream. Validation targets user-facing parse boundaries only; env vars and DB cache values are trusted.
 
+<!-- lore:019cafbb-24ad-75a3-b037-5efbe6a1e85d -->
+* **DSN org prefix normalization in arg-parsing.ts**: DSN org ID normalization has four code paths: (1) \`extractOrgIdFromHost\` in \`dsn/parser.ts\` strips \`o\` prefix during DSN parsing → bare \`"1081365"\`. (2) \`stripDsnOrgPrefix()\` strips \`o\` from user-typed inputs like \`o1081365/\`, applied in \`parseOrgProjectArg()\` and \`resolveEffectiveOrg()\`. (3) \`normalizeNumericOrg()\` in \`resolve-target.ts\` handles bare numeric IDs from cold-cache DSN detection — checks \`getOrgByNumericId()\` from DB cache, falls back to \`listOrganizationsUncached()\` to populate the mapping. Called from \`resolveOrg()\` step 4 (DSN auto-detect path). (4) Dashboard's \`resolveOrgFromTarget()\` pipes explicit org through \`resolveEffectiveOrg()\` for \`o\`-prefixed forms. Critical: many API endpoints reject numeric org IDs with 404/403 — always normalize to slugs before API calls.
+
 <!-- lore:019cd2d1-aa47-7fc1-92f9-cc6c49b19460 -->
 * **Magic @ selectors resolve issues dynamically via sort-based list API queries**: Magic \`@\` selectors (\`@latest\`, \`@most\_frequent\`) in \`parseIssueArg\` are detected early (before \`validateResourceId\`) because \`@\` is not in the forbidden charset. \`SELECTOR\_MAP\` provides case-insensitive matching with common variations (\`@mostfrequent\`, \`@most-frequent\`). Resolution in \`resolveSelector\` (issue/utils.ts) maps selectors to \`IssueSort\` values (\`date\`, \`freq\`), calls \`listIssuesPaginated\` with \`perPage: 1\` and \`query: 'is:unresolved'\`. Supports org-prefixed form: \`sentry/@latest\`. Unrecognized \`@\`-prefixed strings fall through to suffix-only parsing (not an error). The \`ParsedIssueArg\` union includes \`{ type: 'selector'; selector: IssueSelector; org?: string }\`.
 

src/commands/dashboard/resolve.ts

@@ -13,6 +13,7 @@ import {
 import type { parseOrgProjectArg } from "../../lib/arg-parsing.js";
 import { ContextError, ValidationError } from "../../lib/errors.js";
 import { fuzzyMatch } from "../../lib/fuzzy.js";
+import { resolveEffectiveOrg } from "../../lib/region.js";
 import { resolveOrg } from "../../lib/resolve-target.js";
 import { setOrgProjectContext } from "../../lib/telemetry.js";
 import { isAllDigits } from "../../lib/utils.js";
@@ -59,9 +60,11 @@ export async function resolveOrgFromTarget(
 ): Promise<string> {
   switch (parsed.type) {
     case "explicit":
-    case "org-all":
-      setOrgProjectContext([parsed.org], []);
-      return parsed.org;
+    case "org-all": {
+      const org = await resolveEffectiveOrg(parsed.org);
+      setOrgProjectContext([org], []);
+      return org;
+    }
     case "project-search":
     case "auto-detect": {
       // resolveOrg already sets telemetry context

src/lib/resolve-target.ts

@@ -32,6 +32,7 @@ import {
   setCachedProject,
   setCachedProjectByDsnKey,
 } from "./db/project-cache.js";
+import { getOrgByNumericId } from "./db/regions.js";
 import type { DetectedDsn, DsnDetectionResult } from "./dsn/index.js";
 import {
   detectAllDsns,
@@ -251,6 +252,48 @@ export async function resolveOrgFromDsn(
   };
 }
 
+/**
+ * Normalize a bare numeric org ID to an org slug.
+ *
+ * When the project cache is cold, resolveOrgFromDsn returns the raw numeric
+ * org ID from the DSN host (e.g., "1169445"). Many API endpoints reject
+ * numeric IDs (dashboards return 404/403). This resolves them:
+ *
+ * 1. Local DB cache lookup (getOrgByNumericId — fast, no API call)
+ * 2. Refresh org list via listOrganizationsUncached to populate mapping
+ * 3. Falls back to original ID if resolution fails
+ *
+ * Non-numeric identifiers (already slugs) are returned unchanged.
+ *
+ * @param orgId - Raw org identifier from DSN (numeric ID or slug)
+ * @returns Org slug for API calls
+ */
+async function normalizeNumericOrg(orgId: string): Promise<string> {
+  if (!isAllDigits(orgId)) {
+    return orgId;
+  }
+
+  // Fast path: check local DB cache for numeric ID → slug mapping
+  const cached = getOrgByNumericId(orgId);
+  if (cached) {
+    return cached.slug;
+  }
+
+  // Slow path: fetch org list to populate numeric ID → slug mapping.
+  // resolveEffectiveOrg doesn't handle bare numeric IDs (only o-prefixed),
+  // so we do a targeted refresh via listOrganizationsUncached().
+  try {
+    const { listOrganizationsUncached } = await import("./api-client.js");
+    await listOrganizationsUncached();
+  } catch {
+    return orgId;
+  }
+
+  // Retry cache after refresh
+  const afterRefresh = getOrgByNumericId(orgId);
+  return afterRefresh?.slug ?? orgId;
+}
+
 /**
  * Resolve a DSN without orgId by searching for the project via DSN public key.
  * Uses the /api/0/projects?query=dsn:<key> endpoint.
@@ -1019,7 +1062,12 @@ export async function resolveOrg(
   try {
     const result = await resolveOrgFromDsn(cwd);
     if (result) {
-      setOrgProjectContext([result.org], []);
+      // resolveOrgFromDsn may return a bare numeric org ID when the project
+      // cache is cold. Normalize to a slug so API endpoints that reject
+      // numeric IDs (e.g., dashboards) work correctly.
+      const resolvedOrg = await normalizeNumericOrg(result.org);
+      setOrgProjectContext([resolvedOrg], []);
+      return { org: resolvedOrg, detectedFrom: result.detectedFrom };
     }
     return result;
   } catch {

test/commands/dashboard/resolve.test.ts

@@ -17,6 +17,8 @@ import * as apiClient from "../../../src/lib/api-client.js";
 import { parseOrgProjectArg } from "../../../src/lib/arg-parsing.js";
 import { ContextError, ValidationError } from "../../../src/lib/errors.js";
 // biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as region from "../../../src/lib/region.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
 import * as resolveTarget from "../../../src/lib/resolve-target.js";
 
 // ---------------------------------------------------------------------------
@@ -327,26 +329,46 @@ describe("resolveDashboardId", () => {
 
 describe("resolveOrgFromTarget", () => {
   let resolveOrgSpy: ReturnType<typeof spyOn>;
+  let resolveEffectiveOrgSpy: ReturnType<typeof spyOn>;
 
   beforeEach(() => {
     resolveOrgSpy = spyOn(resolveTarget, "resolveOrg");
+    // Default: resolveEffectiveOrg returns the input unchanged
+    resolveEffectiveOrgSpy = spyOn(
+      region,
+      "resolveEffectiveOrg"
+    ).mockImplementation((slug: string) => Promise.resolve(slug));
   });
 
   afterEach(() => {
     resolveOrgSpy.mockRestore();
+    resolveEffectiveOrgSpy.mockRestore();
   });
 
-  test("explicit type returns org directly", async () => {
+  test("explicit type normalizes org via resolveEffectiveOrg", async () => {
     const parsed = parseOrgProjectArg("my-org/my-project");
     const org = await resolveOrgFromTarget(
       parsed,
       "/tmp",
       "sentry dashboard view"
     );
     expect(org).toBe("my-org");
+    expect(resolveEffectiveOrgSpy).toHaveBeenCalledWith("my-org");
     expect(resolveOrgSpy).not.toHaveBeenCalled();
   });
 
+  test("explicit type with o-prefixed numeric ID resolves to slug", async () => {
+    resolveEffectiveOrgSpy.mockResolvedValue("my-org");
+    const parsed = parseOrgProjectArg("o1169445/my-project");
+    const org = await resolveOrgFromTarget(
+      parsed,
+      "/tmp",
+      "sentry dashboard list"
+    );
+    expect(org).toBe("my-org");
+    expect(resolveEffectiveOrgSpy).toHaveBeenCalledWith("o1169445");
+  });
+
   test("auto-detect with null resolveOrg throws ContextError", async () => {
     resolveOrgSpy.mockResolvedValue(null);
     const parsed = parseOrgProjectArg(undefined);
@@ -355,4 +377,16 @@ describe("resolveOrgFromTarget", () => {
       resolveOrgFromTarget(parsed, "/tmp", "sentry dashboard view")
     ).rejects.toThrow(ContextError);
   });
+
+  test("auto-detect delegates to resolveOrg", async () => {
+    resolveOrgSpy.mockResolvedValue({ org: "detected-org" });
+    const parsed = parseOrgProjectArg(undefined);
+    const org = await resolveOrgFromTarget(
+      parsed,
+      "/tmp",
+      "sentry dashboard list"
+    );
+    expect(org).toBe("detected-org");
+    expect(resolveOrgSpy).toHaveBeenCalled();
+  });
 });

test/isolated/resolve-target.test.ts

@@ -59,6 +59,10 @@ const mockGetProject = mock(() =>
 );
 const mockFindProjectByDsnKey = mock(() => Promise.resolve(null));
 const mockFindProjectsByPattern = mock(() => Promise.resolve([]));
+const mockListOrganizationsUncached = mock(() => Promise.resolve([]));
+const mockGetOrgByNumericId = mock(
+  () => undefined as { slug: string; regionUrl: string } | undefined
+);
 
 // Mock all dependency modules
 mock.module("../../src/lib/db/defaults.js", () => ({
@@ -91,10 +95,38 @@ mock.module("../../src/lib/db/dsn-cache.js", () => ({
   setCachedDsn: mockSetCachedDsn,
 }));
 
+mock.module("../../src/lib/db/regions.js", () => ({
+  getOrgByNumericId: mockGetOrgByNumericId,
+  getOrgRegion: mock(() => {
+    /* returns undefined */
+  }),
+  setOrgRegion: mock(() => {
+    /* no-op */
+  }),
+  setOrgRegions: mock(() => {
+    /* no-op */
+  }),
+  clearOrgRegions: mock(() => {
+    /* no-op */
+  }),
+  getAllOrgRegions: mock(() => new Map()),
+  getCachedOrganizations: mock(() => []),
+  getCachedOrgRole: mock(() => {
+    /* returns undefined */
+  }),
+  disableOrgCache: mock(() => {
+    /* no-op */
+  }),
+  enableOrgCache: mock(() => {
+    /* no-op */
+  }),
+}));
+
 mock.module("../../src/lib/api-client.js", () => ({
   getProject: mockGetProject,
   findProjectByDsnKey: mockFindProjectByDsnKey,
   findProjectsByPattern: mockFindProjectsByPattern,
+  listOrganizationsUncached: mockListOrganizationsUncached,
 }));
 
 import { ContextError } from "../../src/lib/errors.js";
@@ -124,6 +156,8 @@ function resetAllMocks() {
   mockGetProject.mockReset();
   mockFindProjectByDsnKey.mockReset();
   mockFindProjectsByPattern.mockReset();
+  mockListOrganizationsUncached.mockReset();
+  mockGetOrgByNumericId.mockReset();
 
   // Set sensible defaults
   mockGetDefaultOrganization.mockReturnValue(null);
@@ -146,6 +180,8 @@ function resetAllMocks() {
   mockGetCachedProjectByDsnKey.mockReturnValue(null);
   mockGetCachedDsn.mockReturnValue(null);
   mockFindProjectsByPattern.mockResolvedValue([]);
+  mockListOrganizationsUncached.mockResolvedValue([]);
+  mockGetOrgByNumericId.mockReturnValue(undefined);
 }
 
 // ============================================================================
@@ -223,6 +259,88 @@ describe("resolveOrg", () => {
     expect(result?.org).toBe("123");
   });
 
+  test("normalizes numeric orgId to slug via DB cache", async () => {
+    mockGetDefaultOrganization.mockReturnValue(null);
+    mockDetectDsn.mockResolvedValue({
+      raw: "https://abc@o1169445.ingest.us.sentry.io/456",
+      protocol: "https",
+      publicKey: "abc",
+      host: "o1169445.ingest.us.sentry.io",
+      projectId: "456",
+      orgId: "1169445",
+      source: "env",
+    });
+    mockGetCachedProject.mockReturnValue(null);
+    mockGetOrgByNumericId.mockReturnValue({
+      slug: "my-org",
+      regionUrl: "https://us.sentry.io",
+    });
+
+    const result = await resolveOrg({ cwd: "/test" });
+
+    expect(result).not.toBeNull();
+    expect(result?.org).toBe("my-org");
+    expect(mockGetOrgByNumericId).toHaveBeenCalledWith("1169445");
+  });
+
+  test("normalizes numeric orgId via API when DB cache misses", async () => {
+    mockGetDefaultOrganization.mockReturnValue(null);
+    mockDetectDsn.mockResolvedValue({
+      raw: "https://abc@o1169445.ingest.us.sentry.io/456",
+      protocol: "https",
+      publicKey: "abc",
+      host: "o1169445.ingest.us.sentry.io",
+      projectId: "456",
+      orgId: "1169445",
+      source: "env",
+    });
+    mockGetCachedProject.mockReturnValue(null);
+
+    // First call returns undefined (cache miss), second call returns slug
+    // (after listOrganizationsUncached populates the cache)
+    let callCount = 0;
+    mockGetOrgByNumericId.mockImplementation(() => {
+      callCount += 1;
+      if (callCount >= 2) {
+        return { slug: "my-org", regionUrl: "https://us.sentry.io" };
+      }
+      return;
+    });
+    mockListOrganizationsUncached.mockResolvedValue([]);
+
+    const result = await resolveOrg({ cwd: "/test" });
+
+    expect(result).not.toBeNull();
+    expect(result?.org).toBe("my-org");
+    expect(mockListOrganizationsUncached).toHaveBeenCalled();
+  });
+
+  test("skips normalization for non-numeric org slug from DSN cache", async () => {
+    mockGetDefaultOrganization.mockReturnValue(null);
+    mockDetectDsn.mockResolvedValue({
+      raw: "https://abc@o123.ingest.sentry.io/456",
+      protocol: "https",
+      publicKey: "abc",
+      host: "o123.ingest.sentry.io",
+      projectId: "456",
+      orgId: "123",
+      source: "env",
+    });
+    mockGetCachedProject.mockReturnValue({
+      orgSlug: "cached-org",
+      orgName: "Cached Organization",
+      projectSlug: "project",
+      projectName: "Project",
+    });
+
+    const result = await resolveOrg({ cwd: "/test" });
+
+    expect(result).not.toBeNull();
+    expect(result?.org).toBe("cached-org");
+    // getOrgByNumericId should not be called because "cached-org" is not all digits
+    expect(mockGetOrgByNumericId).not.toHaveBeenCalled();
+  });
+
   test("returns null when no org found from any source", async () => {
     mockGetDefaultOrganization.mockReturnValue(null);
     mockDetectDsn.mockResolvedValue(null);