test: add coverage for org-scoped member project creation fallback

Adds 10 new tests across three files to bring coverage from ~57% to
target 80% for the new fallback paths:

create-sentry-project.test.ts:
- fallback to createProjectWithAutoTeam on 403 from team-based creation
- suppressFallback:true (isExplicitTeam) prevents fallback for --team flag
- policy 403 (disabled this feature) skips fallback without round-trip
- 409 from fallback surfaces friendly 'already exists' error

preflight.test.ts:
- isExplicitTeam:true when --team flag provided
- isExplicitTeam:false when no flag (auto-selected team)
- resolveTeam 403 swallowed, context.team:undefined (enables fallback downstream)

api-client.coverage.test.ts:
- createProjectWithAutoTeam happy path (POST url, DSN, team_slug in result)
- 403 from disabled org policy propagated
- DSN:null when key fetch returns empty list

Author: betegon

test/lib/api-client.coverage.test.ts

@@ -14,6 +14,7 @@ import {
   apiRequest,
   apiRequestToRegion,
   createProject,
+  createProjectWithAutoTeam,
   createTeam,
   getCurrentUser,
   getDetailedTrace,
@@ -35,6 +36,7 @@ import {
   listTeamsPaginated,
   listTraceLogs,
   listTransactions,
+  MEMBER_PROJECT_CREATION_DISABLED_DETAIL,
   rawApiRequest,
   tryGetPrimaryDsn,
   updateIssueStatus,
@@ -680,6 +682,84 @@ describe("projects.ts", () => {
     });
   });
 
+  describe("createProjectWithAutoTeam", () => {
+    const autoTeamProject = {
+      id: "99",
+      slug: "auto-proj",
+      name: "Auto Project",
+      platform: "node",
+      dateCreated: "2026-01-01T00:00:00Z",
+      team_slug: "team-testuser",
+    };
+    const dsnKeys = [
+      {
+        id: "k1",
+        isActive: true,
+        dsn: { public: "https://key@o1.ingest.sentry.io/99", secret: "" },
+      },
+    ];
+
+    test("POSTs to /organizations/{org}/projects/ and returns project with DSN and team_slug", async () => {
+      globalThis.fetch = mockFetch(async (input, init) => {
+        const req = new Request(input!, init);
+        if (req.url.includes("/projects/") && req.method === "POST") {
+          return new Response(JSON.stringify(autoTeamProject), {
+            status: 201,
+            headers: { "Content-Type": "application/json" },
+          });
+        }
+        // DSN key fetch
+        return new Response(JSON.stringify(dsnKeys), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        });
+      });
+
+      const result = await createProjectWithAutoTeam("test-org", {
+        name: "Auto Project",
+      });
+      expect(result.project.slug).toBe("auto-proj");
+      expect(result.team_slug).toBe("team-testuser");
+      expect(result.dsn).toContain("key");
+      expect(result.url).toContain("auto-proj");
+    });
+
+    test("propagates 403 when org has disabled member project creation", async () => {
+      globalThis.fetch = mockFetch(
+        async () =>
+          new Response(
+            JSON.stringify({ detail: MEMBER_PROJECT_CREATION_DISABLED_DETAIL }),
+            { status: 403, headers: { "Content-Type": "application/json" } }
+          )
+      );
+
+      await expect(
+        createProjectWithAutoTeam("test-org", { name: "Blocked" })
+      ).rejects.toMatchObject({ status: 403 });
+    });
+
+    test("returns dsn:null when DSN fetch fails", async () => {
+      globalThis.fetch = mockFetch(async (input, init) => {
+        const req = new Request(input!, init);
+        if (req.method === "POST") {
+          return new Response(JSON.stringify(autoTeamProject), {
+            status: 201,
+            headers: { "Content-Type": "application/json" },
+          });
+        }
+        return new Response("[]", {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        });
+      });
+
+      const result = await createProjectWithAutoTeam("test-org", {
+        name: "Auto Project",
+      });
+      expect(result.dsn).toBeNull();
+    });
+  });
+
   describe("getProjectKeys", () => {
     test("returns project client keys", async () => {
       const keys = [

test/lib/init/preflight.test.ts

@@ -437,4 +437,40 @@ describe("resolveInitContext", () => {
 
     expect(context?.authToken).toBe("sntrys_test");
   });
+
+  test("sets isExplicitTeam:true when --team flag is provided", async () => {
+    resolveOrCreateTeamSpy.mockResolvedValue({
+      slug: "backend",
+      source: "explicit",
+    } as any);
+
+    const { ui } = createMockUI();
+    const context = await resolveInitContext(
+      makeOptions({ team: "backend" }),
+      ui
+    );
+
+    expect(context?.isExplicitTeam).toBe(true);
+    expect(context?.team).toBe("backend");
+  });
+
+  test("sets isExplicitTeam:false when no --team flag is provided", async () => {
+    const { ui } = createMockUI();
+    const context = await resolveInitContext(makeOptions(), ui);
+
+    expect(context?.isExplicitTeam).toBe(false);
+  });
+
+  test("swallows 403 from listTeams and resolves context with team:undefined", async () => {
+    resolveOrCreateTeamSpy.mockRejectedValueOnce(
+      new ApiError("Forbidden", 403, "No team:read access")
+    );
+
+    const { ui } = createMockUI();
+    const context = await resolveInitContext(makeOptions(), ui);
+
+    // 403 is swallowed so the wizard can proceed to the org-scoped fallback
+    expect(context).not.toBeNull();
+    expect(context?.team).toBeUndefined();
+  });
 });

test/lib/init/tools/create-sentry-project.test.ts

@@ -297,6 +297,114 @@ describe("createSentryProject", () => {
     expect(createSentryProjectTool.describe(makePayload())).toContain("my-app");
   });
 
+  // ── org-scoped fallback (createProjectWithAutoTeam) ─────────────────────
+
+  test("falls back to org-scoped endpoint on 403 from team-based creation", async () => {
+    const createProjectWithAutoTeamSpy = vi
+      .spyOn(apiClient, "createProjectWithAutoTeam")
+      .mockResolvedValue({
+        project: {
+          id: "42",
+          slug: "my-app",
+          name: "my-app",
+          platform: "javascript-react",
+          dateCreated: "2026-04-16T00:00:00Z",
+        } as any,
+        dsn: "https://abc@o1.ingest.sentry.io/42",
+        url: "https://sentry.io/settings/acme/projects/my-app/",
+        team_slug: "team-testuser",
+      });
+    getProjectSpy.mockRejectedValueOnce(new ApiError("Not found", 404));
+    createProjectWithDsnSpy.mockRejectedValueOnce(
+      new ApiError("Forbidden", 403, "No project:write access")
+    );
+
+    const result = await createSentryProject(makePayload(), {
+      dryRun: false,
+      org: "acme",
+      team: undefined,
+      project: undefined,
+    });
+
+    expect(result.ok).toBe(true);
+    expect(createProjectWithAutoTeamSpy).toHaveBeenCalledWith("acme", {
+      name: "my-app",
+      platform: "javascript-react",
+    });
+    createProjectWithAutoTeamSpy.mockRestore();
+  });
+
+  test("suppresses fallback when team was set via --team (isExplicitTeam)", async () => {
+    const createProjectWithAutoTeamSpy = vi
+      .spyOn(apiClient, "createProjectWithAutoTeam")
+      .mockResolvedValue({} as any);
+    getProjectSpy.mockRejectedValueOnce(new ApiError("Not found", 404));
+    createProjectWithDsnSpy.mockRejectedValueOnce(
+      new ApiError("Forbidden", 403, "No project:write access")
+    );
+
+    const result = await createSentryProject(makePayload(), {
+      dryRun: false,
+      org: "acme",
+      team: "backend",
+      isExplicitTeam: true,
+      project: undefined,
+    });
+
+    expect(result.ok).toBe(false);
+    expect(createProjectWithAutoTeamSpy).not.toHaveBeenCalled();
+    createProjectWithAutoTeamSpy.mockRestore();
+  });
+
+  test("does not fall back on policy 403 (disabled this feature) — avoids wasted round-trip", async () => {
+    const createProjectWithAutoTeamSpy = vi
+      .spyOn(apiClient, "createProjectWithAutoTeam")
+      .mockResolvedValue({} as any);
+    getProjectSpy.mockRejectedValueOnce(new ApiError("Not found", 404));
+    createProjectWithDsnSpy.mockRejectedValueOnce(
+      new ApiError(
+        "Forbidden",
+        403,
+        "Your organization has disabled this feature for members."
+      )
+    );
+
+    const result = await createSentryProject(makePayload(), {
+      dryRun: false,
+      org: "acme",
+      team: undefined,
+      project: undefined,
+    });
+
+    expect(result.ok).toBe(false);
+    expect(createProjectWithAutoTeamSpy).not.toHaveBeenCalled();
+    expect(result.error).toContain("disabled for members");
+    createProjectWithAutoTeamSpy.mockRestore();
+  });
+
+  test("surfaces friendly 409 error when fallback project already exists", async () => {
+    const createProjectWithAutoTeamSpy = vi
+      .spyOn(apiClient, "createProjectWithAutoTeam")
+      .mockRejectedValue(new ApiError("Conflict", 409, "Slug already in use"));
+    getProjectSpy.mockRejectedValueOnce(new ApiError("Not found", 404));
+    createProjectWithDsnSpy.mockRejectedValueOnce(
+      new ApiError("Forbidden", 403, "No project:write access")
+    );
+
+    const result = await createSentryProject(makePayload(), {
+      dryRun: false,
+      org: "acme",
+      team: undefined,
+      project: undefined,
+    });
+
+    expect(result.ok).toBe(false);
+    expect(result.error).toContain("already exists");
+    createProjectWithAutoTeamSpy.mockRestore();
+  });
+
+  // ── dry-run ──────────────────────────────────────────────────────────────
+
   test("uses the final project slug for deferred team resolution in dry-run mode", async () => {
     getProjectSpy.mockRejectedValueOnce(new ApiError("Not found", 404));