@unifiedmemory/cli 1.3.12 → 1.3.14

package/commands/org.js

@@ -1,115 +1,30 @@
 import chalk from 'chalk';
-import { updateSelectedOrg, getSelectedOrg, saveToken, getToken } from '../lib/token-storage.js';
-import { loadAndRefreshToken } from '../lib/token-validation.js';
-import { refreshAccessToken } from '../lib/token-refresh.js';
-import { getUserOrganizations, getOrganizationsFromToken, getOrgScopedToken } from '../lib/clerk-api.js';
-import { parseJWT } from '../lib/jwt-utils.js';
-import { promptOrganizationSelection, displayOrganizationSelection } from '../lib/org-selection-ui.js';
+import { getOrgContext } from '../lib/token-storage.js';
 
 /**
  * Switch organization context
+ * Re-runs the login flow which shows the org picker on the frontend
  */
 export async function switchOrg() {
-  // Load token and refresh if expired
-  const tokenData = await loadAndRefreshToken();
+  console.log(chalk.blue('\n🔄 Opening browser to select organization...\n'));
 
-  const userId = tokenData.decoded?.sub;
-  const accessToken = tokenData.idToken || tokenData.accessToken;
-
-  if (!userId || !accessToken) {
-    console.error(chalk.red('❌ Invalid session'));
-    console.log(chalk.gray('Run `um login` to re-authenticate'));
-    process.exit(1);
-  }
-
-  console.log(chalk.blue('\n🔍 Fetching organizations...'));
-
-  // First try to get organizations from JWT token
-  let memberships = tokenData.decoded
-    ? getOrganizationsFromToken(tokenData.decoded)
-    : [];
-
-  // If not in JWT, fetch from Clerk Frontend API
-  if (memberships.length === 0) {
-    const sessionToken = accessToken;
-    memberships = await getUserOrganizations(userId, sessionToken);
-  }
-
-  if (memberships.length === 0) {
-    console.log(chalk.yellow('\n⚠️  No organizations found'));
-    console.log(chalk.gray('You are using a personal account context.'));
-    console.log(chalk.gray('Create an organization at https://unifiedmemory.ai to collaborate with your team.'));
-    process.exit(0);
-  }
-
-  // Get current selection
-  const currentOrg = getSelectedOrg();
-
-  // Prompt user to select
-  const selectedOrg = await promptOrganizationSelection(memberships, currentOrg);
-
-  // Update selected organization with org-scoped token
-  if (selectedOrg) {
-    try {
-      // Get session ID from current token
-      const sessionId = tokenData.decoded?.sid || tokenData.originalSid;
-      const currentToken = tokenData.idToken || tokenData.accessToken;
-
-      if (sessionId) {
-        console.log(chalk.cyan('\n🔄 Getting organization-scoped token...'));
-        const orgToken = await getOrgScopedToken(sessionId, selectedOrg.id, currentToken);
-
-        // Update with org-scoped token
-        saveToken({
-          ...tokenData,
-          idToken: orgToken.jwt,
-          decoded: parseJWT(orgToken.jwt),
-          selectedOrg: selectedOrg,
-          originalSid: sessionId
-        });
-
-        console.log(chalk.green(`\n✅ Switched to organization: ${chalk.bold(selectedOrg.name)}`));
-        console.log(chalk.gray(`   Organization ID: ${selectedOrg.id}`));
-        console.log(chalk.gray(`   Your role: ${selectedOrg.role}`));
-        console.log(chalk.gray('   ✓ Token updated with organization context'));
-      } else {
-        // Fall back to just updating selectedOrg (recovery will try later)
-        updateSelectedOrg(selectedOrg);
-        console.log(chalk.green(`\n✅ Switched to organization: ${chalk.bold(selectedOrg.name)}`));
-        console.log(chalk.gray(`   Organization ID: ${selectedOrg.id}`));
-        console.log(chalk.gray(`   Your role: ${selectedOrg.role}`));
-        console.log(chalk.yellow('   ⚠️  No session ID available - token lacks org claims'));
-        console.log(chalk.gray('   Try: um login'));
-      }
-    } catch (error) {
-      console.error(chalk.yellow(`\n⚠️  Failed to get org-scoped token: ${error.message}`));
-      updateSelectedOrg(selectedOrg);
-      console.log(chalk.green(`\n✅ Switched to organization: ${chalk.bold(selectedOrg.name)}`));
-      console.log(chalk.gray(`   Organization ID: ${selectedOrg.id}`));
-      console.log(chalk.gray(`   Your role: ${selectedOrg.role}`));
-      console.log(chalk.gray('   Saved org selection, but token may need refresh'));
-      console.log(chalk.gray('   Try: um org fix'));
-    }
-  } else {
-    updateSelectedOrg(null);
-    console.log(chalk.green('\n✅ Switched to personal account context'));
-  }
-
-  console.log(chalk.gray('\nRun `um status` to verify your current context'));
+  // Re-use login flow - frontend will show org picker
+  const { login } = await import('./login.js');
+  await login();
 }
 
 /**
- * Show current organization
+ * Show current organization context from JWT
  */
 export async function showOrg() {
-  const selectedOrg = getSelectedOrg();
+  const orgContext = getOrgContext();
 
   console.log(chalk.blue('\n📋 Current Organization Context\n'));
 
-  if (selectedOrg) {
-    console.log(chalk.green(`  ${selectedOrg.name} (${selectedOrg.slug})`));
-    console.log(chalk.gray(`  ID: ${selectedOrg.id}`));
-    console.log(chalk.gray(`  Role: ${selectedOrg.role}`));
+  if (orgContext) {
+    console.log(chalk.green(`  ${orgContext.name}${orgContext.slug ? ` (${orgContext.slug})` : ''}`));
+    console.log(chalk.gray(`  ID: ${orgContext.id}`));
+    console.log(chalk.gray(`  Role: ${orgContext.role || 'member'}`));
   } else {
     console.log(chalk.cyan('  Personal Account'));
     console.log(chalk.gray('  (no organization selected)'));
@@ -119,90 +34,23 @@ export async function showOrg() {
 }
 
 /**
- * Fix organization token if API calls fail with org mismatch
- * Attempts to get org-scoped token for the currently selected organization
+ * Fix organization token - deprecated
+ * JWT is now the single source of truth, so this is no longer needed.
+ * Kept for backwards compatibility but just shows a message.
  */
 export async function fixOrg() {
-  const tokenData = getToken();
-
-  if (!tokenData) {
-    console.error(chalk.red('❌ Not authenticated. Run: um login'));
-    return;
-  }
-
-  if (!tokenData.selectedOrg) {
-    console.error(chalk.yellow('⚠️  No organization selected. Run: um org switch'));
-    return;
-  }
-
-  console.log(chalk.blue('\n🔧 Organization Token Fix\n'));
-  console.log(chalk.gray(`  Selected org: ${tokenData.selectedOrg.name}`));
-  console.log(chalk.gray(`  Org ID: ${tokenData.selectedOrg.id}`));
-
-  // Check if already has org claims
-  if (tokenData.decoded?.o?.o_id) {
-    console.log(chalk.green('\n✓ Token already has organization claims'));
-    console.log(chalk.gray(`  Org in token: ${tokenData.decoded.o.o_id}`));
-    if (tokenData.decoded.o.o_id === tokenData.selectedOrg.id) {
-      console.log(chalk.green('  ✓ Org matches selected organization'));
-    } else {
-      console.log(chalk.yellow('  ⚠️  Org mismatch - token has different org than selected'));
-      console.log(chalk.gray('  Run: um org switch'));
-    }
-    return;
-  }
+  const orgContext = getOrgContext();
 
-  console.log(chalk.yellow('\n⚠️  Token missing org claims. Attempting fix...'));
+  console.log(chalk.blue('\n🔧 Organization Token Check\n'));
 
-  // Try to get session ID
-  let sessionId = tokenData.decoded?.sid || tokenData.originalSid;
-  let currentToken = tokenData.idToken || tokenData.accessToken;
-
-  // If no sessionId, try OAuth refresh first
-  if (!sessionId && tokenData.refresh_token) {
-    console.log(chalk.gray('  Refreshing token to obtain session ID...'));
-    try {
-      const refreshed = await refreshAccessToken(tokenData);
-      sessionId = refreshed.decoded?.sid;
-      currentToken = refreshed.idToken || refreshed.accessToken;
-
-      if (sessionId) {
-        console.log(chalk.gray('  ✓ Got session ID from refresh'));
-      }
-    } catch (error) {
-      console.error(chalk.red(`  Refresh failed: ${error.message}`));
-    }
-  }
-
-  if (!sessionId) {
-    console.error(chalk.red('\n❌ Cannot obtain session ID'));
-    console.log(chalk.gray('  The token does not contain a session ID needed for org-scoped tokens.'));
-    console.log(chalk.gray('  Run: um login'));
-    return;
+  if (orgContext) {
+    console.log(chalk.green('✓ Token has organization claims'));
+    console.log(chalk.gray(`  Organization: ${orgContext.name}`));
+    console.log(chalk.gray(`  ID: ${orgContext.id}`));
+  } else {
+    console.log(chalk.cyan('✓ Token is for personal account context'));
   }
 
-  // Get org-scoped token
-  try {
-    console.log(chalk.cyan('\n🔄 Getting organization-scoped token...'));
-    const orgToken = await getOrgScopedToken(
-      sessionId,
-      tokenData.selectedOrg.id,
-      currentToken
-    );
-
-    const decoded = parseJWT(orgToken.jwt);
-    saveToken({
-      ...tokenData,
-      idToken: orgToken.jwt,
-      decoded: decoded,
-      originalSid: sessionId
-    });
-
-    console.log(chalk.green('\n✅ Token fixed with organization claims'));
-    console.log(chalk.gray(`  Org: ${tokenData.selectedOrg.name}`));
-    console.log(chalk.gray(`  Org ID in token: ${decoded?.o?.o_id || 'N/A'}`));
-  } catch (error) {
-    console.error(chalk.red(`\n❌ Failed to get org token: ${error.message}`));
-    console.log(chalk.gray('\nYou may need to run: um login'));
-  }
+  console.log(chalk.gray('\nJWT is now the single source of truth for org context.'));
+  console.log(chalk.gray('Use `um org switch` to change organization.'));
 }

package/commands/record.js

@@ -28,27 +28,30 @@ export async function record(summary, options = {}) {
       throw new Error('Invalid project configuration: missing project_id');
     }
 
-    // 3. Build auth headers
+    // 3. Build auth headers (JWT is single source of truth)
     const authHeaders = {
       'Authorization': `Bearer ${tokenData.idToken || tokenData.accessToken}`,
     };
 
-    // Add org context
-    if (tokenData.selectedOrg?.id) {
-      authHeaders['X-Org-Id'] = tokenData.selectedOrg.id;
-    } else if (tokenData.decoded?.sub) {
-      authHeaders['X-Org-Id'] = tokenData.decoded.sub;
-    }
-
-    // Add user ID
+    // Add user ID (always present)
     if (tokenData.decoded?.sub) {
       authHeaders['X-User-Id'] = tokenData.decoded.sub;
     }
 
-    // 4. Build auth context for parameter injection
+    // Only add X-Org-Id if JWT has org claims
+    // NO FALLBACK - gateway handles personal context
+    if (tokenData.decoded?.o?.o_id) {
+      authHeaders['X-Org-Id'] = tokenData.decoded.o.o_id;
+    }
+
+    // 4. Build auth context for parameter injection (from JWT claims)
     const authContext = {
       decoded: tokenData.decoded,
-      selectedOrg: tokenData.selectedOrg
+      orgContext: tokenData.decoded?.o ? {
+        id: tokenData.decoded.o.o_id,
+        name: tokenData.decoded.o.o_name,
+        role: tokenData.decoded.o.o_role,
+      } : null
     };
 
     // 5. Prepare tool arguments

package/commands/usage.js

@@ -0,0 +1,163 @@
+import chalk from 'chalk';
+import { loadAndRefreshToken } from '../lib/token-validation.js';
+import { config } from '../lib/config.js';
+
+/**
+ * Show current usage and quota allowances
+ */
+export async function usage() {
+  // Load token and refresh if expired
+  const tokenData = await loadAndRefreshToken();
+
+  const accessToken = tokenData.idToken || tokenData.accessToken;
+
+  if (!accessToken) {
+    console.error(chalk.red('❌ Not authenticated'));
+    console.log(chalk.gray('Run `um login` to authenticate'));
+    process.exit(1);
+  }
+
+  console.log(chalk.blue('\n📊 Usage & Quota\n'));
+
+  try {
+    // Build headers with org context (selectedOrgId fallback for when JWT has no org claims)
+    const userId = tokenData.decoded?.sub;
+    const orgId = tokenData.decoded?.o?.o_id || tokenData.selectedOrgId;
+
+    const headers = {
+      'Authorization': `Bearer ${accessToken}`,
+    };
+    if (userId) headers['X-User-Id'] = userId;
+    if (orgId) headers['X-Org-Id'] = orgId;
+
+    // Fetch quota usage from API gateway
+    const response = await fetch(`${config.apiEndpoint}/v1/quota/usage`, { headers });
+
+    if (!response.ok) {
+      if (response.status === 401) {
+        console.error(chalk.red('❌ Authentication failed'));
+        console.log(chalk.gray('Run `um login` to re-authenticate'));
+        process.exit(1);
+      }
+      throw new Error(`API returned ${response.status}: ${response.statusText}`);
+    }
+
+    const data = await response.json();
+    displayUsage(data, tokenData);
+
+  } catch (error) {
+    console.error(chalk.red('❌ Failed to fetch usage data:'), error.message);
+    process.exit(1);
+  }
+}
+
+/**
+ * Display formatted usage information
+ */
+function displayUsage(quotaData, tokenData) {
+  const { quota_type, usage, period } = quotaData;
+  const { used, total, percentage_used, remaining } = usage;
+
+  // Display account context (use selectedOrgName fallback for when JWT has no org claims)
+  console.log(chalk.yellow('Account:'));
+  if (quota_type === 'organization') {
+    // Get org name from JWT claims, fallback to selectedOrgName from login state
+    const orgName = tokenData.decoded?.o?.o_name || tokenData.selectedOrgName || 'Organization';
+    console.log(chalk.white(`  Organization: ${orgName}`));
+  } else {
+    console.log(chalk.white('  Personal Account'));
+  }
+  console.log('');
+
+  // Handle special cases
+  if (total === 0) {
+    console.log(chalk.yellow('Monthly Queries:'));
+    console.log(chalk.yellow('  No active subscription'));
+    console.log(chalk.gray('  Start at: https://unifiedmemory.ai/pricing'));
+    console.log('');
+    return;
+  }
+
+  if (total < 0 || total > 1000000) {
+    console.log(chalk.yellow('Monthly Queries:'));
+    console.log(chalk.green('  Unlimited ♾️'));
+    console.log('');
+    return;
+  }
+
+  // Determine color based on usage percentage
+  const color = getColorForUsage(percentage_used);
+  const colorFn = getChalkFunction(color);
+
+  // Display usage count and percentage
+  console.log(chalk.yellow('Monthly Queries:'));
+  console.log(colorFn(`  ${used.toLocaleString()} / ${total.toLocaleString()} (${percentage_used.toFixed(1)}%)`));
+
+  // Display progress bar
+  const progressBar = buildProgressBar(percentage_used, 20);
+  console.log(colorFn(`  [${progressBar}]`));
+
+  // Display remaining quota
+  console.log(colorFn(`  Remaining: ${remaining.toLocaleString()} queries`));
+
+  // Display reset date if available
+  if (period?.next_reset_date) {
+    const resetDate = new Date(period.next_reset_date);
+    const formattedDate = resetDate.toLocaleDateString('en-US', {
+      month: 'numeric',
+      day: 'numeric',
+      year: 'numeric'
+    });
+    console.log(chalk.gray(`  Resets: ${formattedDate}`));
+  }
+
+  console.log('');
+
+  // Show upgrade prompt if at or above threshold
+  if (percentage_used >= 90) {
+    console.log(chalk.red('⚠️  Running low on quota!'));
+    console.log(chalk.gray('Upgrade your plan: https://unifiedmemory.ai/pricing'));
+    console.log('');
+  }
+}
+
+/**
+ * Get color category based on usage percentage
+ * @param {number} percentage - Usage percentage (0-100)
+ * @returns {string} - Color category: 'green', 'yellow', or 'red'
+ */
+function getColorForUsage(percentage) {
+  if (percentage >= 90) return 'red';
+  if (percentage >= 70) return 'yellow';
+  return 'green';
+}
+
+/**
+ * Get chalk color function based on color name
+ * @param {string} color - Color name
+ * @returns {Function} - Chalk color function
+ */
+function getChalkFunction(color) {
+  switch (color) {
+    case 'red':
+      return chalk.red;
+    case 'yellow':
+      return chalk.yellow;
+    case 'green':
+      return chalk.green;
+    default:
+      return chalk.white;
+  }
+}
+
+/**
+ * Build a text-based progress bar
+ * @param {number} percentage - Usage percentage (0-100)
+ * @param {number} length - Total length of the bar in characters
+ * @returns {string} - Progress bar string
+ */
+function buildProgressBar(percentage, length) {
+  const filled = Math.round((percentage / 100) * length);
+  const empty = length - filled;
+  return '█'.repeat(filled) + '░'.repeat(empty);
+}

package/index.js

@@ -11,8 +11,10 @@ import { login } from './commands/login.js';
 import { init } from './commands/init.js';
 import { switchOrg, showOrg, fixOrg } from './commands/org.js';
 import { record } from './commands/record.js';
+import { usage } from './commands/usage.js';
+import { debugAuth } from './commands/debug.js';
 import { config } from './lib/config.js';
-import { getSelectedOrg } from './lib/token-storage.js';
+import { getOrgContext } from './lib/token-storage.js';
 import { loadAndRefreshToken } from './lib/token-validation.js';
 import { showWelcome } from './lib/welcome.js';
 
@@ -74,7 +76,8 @@ program
     try {
       // Try to load and refresh token if expired
       const tokenData = await loadAndRefreshToken(false);
-      const selectedOrg = getSelectedOrg();
+      // Get org context from JWT claims (single source of truth)
+      const orgContext = getOrgContext();
 
       console.log(chalk.blue('\n📋 UnifiedMemory Status\n'));
 
@@ -94,10 +97,10 @@ program
       }
 
       console.log(chalk.yellow('\nOrganization Context:'));
-      if (selectedOrg) {
-        console.log(chalk.green(`  ${selectedOrg.name} (${selectedOrg.slug})`));
-        console.log(chalk.gray(`  ID: ${selectedOrg.id}`));
-        console.log(chalk.gray(`  Role: ${selectedOrg.role}`));
+      if (orgContext) {
+        console.log(chalk.green(`  ${orgContext.name}${orgContext.slug ? ` (${orgContext.slug})` : ''}`));
+        console.log(chalk.gray(`  ID: ${orgContext.id}`));
+        console.log(chalk.gray(`  Role: ${orgContext.role || 'member'}`));
       } else {
         console.log(chalk.cyan('  Personal Account'));
       }
@@ -128,6 +131,34 @@ program
     }
   });
 
+// Usage command
+program
+  .command('usage')
+  .description('Show current usage and quota allowances')
+  .action(async () => {
+    try {
+      await usage();
+      process.exit(0);
+    } catch (error) {
+      console.error(chalk.red('Failed to show usage:'), error.message);
+      process.exit(1);
+    }
+  });
+
+// Debug command
+program
+  .command('debug')
+  .description('Debug authentication and token issues')
+  .action(async () => {
+    try {
+      await debugAuth();
+      process.exit(0);
+    } catch (error) {
+      console.error(chalk.red('Debug failed:'), error.message);
+      process.exit(1);
+    }
+  });
+
 // Organization management
 const orgCommand = program
   .command('org')

package/lib/clerk-api.js

@@ -121,30 +121,27 @@ export function formatOrganization(membership) {
 }
 
 /**
- * Get an organization-scoped JWT token via backend API
+ * Get a JWT token with specific org context via backend API
  * @param {string} sessionId - Session ID from JWT sid claim
- * @param {string} orgId - Organization ID to set as active
+ * @param {string|null} orgId - Organization ID to set as active, or null for personal context
  * @param {string} currentToken - Current session token (for authentication)
- * @returns {Promise<{jwt: string, org_id: string}>} New token with org context
+ * @returns {Promise<{jwt: string, org_id: string|null}>} New token with specified context
  */
 export async function getOrgScopedToken(sessionId, orgId, currentToken) {
   if (!sessionId) {
     throw new Error('Session ID is required');
   }
-  if (!orgId) {
-    throw new Error('Organization ID is required');
-  }
   if (!currentToken) {
     throw new Error('Current token is required');
   }
+  // orgId can be null for personal context
 
-  console.log(chalk.gray(`Requesting org-scoped token from backend...`));
+  const contextDesc = orgId ? `org ${orgId}` : 'personal context';
+  console.log(chalk.gray(`Requesting token for ${contextDesc}...`));
   console.log(chalk.gray(`  Session: ${sessionId}`));
-  console.log(chalk.gray(`  Org: ${orgId}`));
 
   // Call backend API which proxies to Clerk Backend API
   const apiUrl = `${config.apiEndpoint}/v1/auth/org-token`;
-  console.log(chalk.gray(`Calling backend API: ${apiUrl}`));
 
   const response = await fetch(apiUrl, {
     method: 'POST',
@@ -154,7 +151,7 @@ export async function getOrgScopedToken(sessionId, orgId, currentToken) {
     },
     body: JSON.stringify({
       session_id: sessionId,
-      org_id: orgId
+      org_id: orgId  // null for personal context
     })
   });
 
@@ -162,11 +159,11 @@ export async function getOrgScopedToken(sessionId, orgId, currentToken) {
     const errorText = await response.text();
     console.error(chalk.red(`Backend API failed: ${response.status}`));
     console.error(chalk.gray(errorText));
-    throw new Error(`Failed to get org-scoped token: ${response.status} - ${errorText}`);
+    throw new Error(`Failed to get token: ${response.status} - ${errorText}`);
   }
 
   const tokenData = await response.json();
-  console.log(chalk.gray('✓ Received org-scoped token from backend'));
+  console.log(chalk.gray(`✓ Received token for ${contextDesc}`));
 
   return tokenData;
 }

package/lib/config.js

@@ -19,7 +19,13 @@ export const config = {
 
   // OAuth flow configuration (localhost defaults for callback server)
   redirectUri: process.env.REDIRECT_URI || 'http://localhost:3333/callback',
-  port: parseInt(process.env.PORT || '3333', 10)
+  port: parseInt(process.env.PORT || '3333', 10),
+
+  // OAuth success page configuration (optional website link for account management)
+  oauthSuccessUrl: process.env.OAUTH_SUCCESS_URL || 'https://unifiedmemory.ai/oauth/callback',
+
+  // Frontend URL for CLI auth page (org picker)
+  frontendUrl: process.env.FRONTEND_URL || 'https://unifiedmemory.ai'
 };
 
 // Validation function - validates configuration values
@@ -41,5 +47,19 @@ export function validateConfig() {
     throw new Error('CLERK_CLIENT_ID cannot be empty');
   }
 
+  // Validate oauthSuccessUrl format if provided
+  try {
+    new URL(config.oauthSuccessUrl);
+  } catch (e) {
+    throw new Error(`OAUTH_SUCCESS_URL must be a valid URL (got: ${config.oauthSuccessUrl})`);
+  }
+
+  // Validate frontendUrl format
+  try {
+    new URL(config.frontendUrl);
+  } catch (e) {
+    throw new Error(`FRONTEND_URL must be a valid URL (got: ${config.frontendUrl})`);
+  }
+
   return true;
 }

package/lib/mcp-proxy.js

@@ -82,8 +82,9 @@ function transformToolSchema(tool) {
 
 /**
  * Inject context parameters into tool arguments
+ * JWT is the single source of truth for org context
  * @param {Object} args - Tool arguments from AI agent
- * @param {Object} authContext - Auth context with user/org info
+ * @param {Object} authContext - Auth context with user/org info (from JWT claims)
  * @param {Object|null} projectContext - Project config from .um/config.json
  * @returns {Object} - Arguments with injected context params
  */
@@ -101,21 +102,19 @@ function injectContextParams(args, authContext, projectContext) {
     injected.headers = {};
   }
 
-  // Inject user ID from decoded JWT
+  // Inject user ID from decoded JWT (always present)
   if (authContext?.decoded?.sub) {
     injected.pathParams.user = authContext.decoded.sub;
     injected.headers['X-User-Id'] = authContext.decoded.sub;
   }
 
-  // Inject org ID (from selectedOrg or fallback to user ID for personal account)
-  if (authContext?.selectedOrg?.id) {
-    injected.pathParams.org = authContext.selectedOrg.id;
-    injected.headers['X-Org-Id'] = authContext.selectedOrg.id;
-  } else if (authContext?.decoded?.sub) {
-    // Fallback to user ID for personal account context
-    injected.pathParams.org = authContext.decoded.sub;
-    injected.headers['X-Org-Id'] = authContext.decoded.sub;
+  // ONLY inject org ID if JWT has org claims
+  // NO FALLBACK - gateway handles personal context by using userId
+  if (authContext?.orgContext?.id) {
+    injected.pathParams.org = authContext.orgContext.id;
+    injected.headers['X-Org-Id'] = authContext.orgContext.id;
   }
+  // For personal context: no X-Org-Id header set, gateway falls back to userId
 
   // Inject project ID from project config
   if (projectContext?.project_id) {