@unifiedmemory/cli 1.3.13 → 1.3.14

package/.env.example

@@ -45,6 +45,16 @@
 # Default: https://unifiedmemory.ai/oauth/callback
 # OAUTH_SUCCESS_URL=https://unifiedmemory.ai/oauth/callback
 
+# ============================================
+# Frontend URL (CLI Auth Page)
+# ============================================
+# URL of the frontend app that hosts the CLI auth page with org picker
+# During login, the browser opens this URL where users can select an organization
+# before being redirected to Clerk OAuth
+# Default: https://unifiedmemory.ai
+# For local development: http://localhost:3000
+# FRONTEND_URL=https://unifiedmemory.ai
+
 # ============================================
 # Clerk Client Secret (Optional)
 # ============================================

package/README.md

@@ -106,6 +106,34 @@ Project Configuration:
   ✓ Configured: My Project (proj_xxx)
 ```
 
+### `um usage`
+Check your current usage and quota allowances.
+
+```bash
+um usage
+```
+
+**Example output:**
+```
+📊 Usage & Quota
+
+Account:
+  Organization: My Team
+
+Monthly Queries:
+  450 / 1,000 (45.0%)
+  [█████████░░░░░░░░░░░]
+  Remaining: 550 queries
+  Resets: 2/1/2026
+```
+
+Context-aware: Shows personal or organization quota based on current context (`um org switch`).
+
+**Color indicators:**
+- 🟢 Green: <70% usage
+- 🟡 Yellow: 70-89% usage
+- 🔴 Red: ≥90% usage (with upgrade prompt)
+
 ### `um org switch`
 Switch between your organizations or personal account.
 

package/commands/debug.js

@@ -0,0 +1,67 @@
+import chalk from 'chalk';
+import { getToken, getOrgContext } from '../lib/token-storage.js';
+import { isTokenExpired } from '../lib/token-refresh.js';
+
+/**
+ * Debug authentication and token issues
+ * Displays comprehensive diagnostics about the current token state
+ * JWT is the single source of truth for org context
+ */
+export async function debugAuth() {
+  console.log(chalk.blue('\n🔍 Token Diagnostics\n'));
+
+  const tokenData = getToken();
+
+  if (!tokenData) {
+    console.log(chalk.red('❌ No token found'));
+    console.log(chalk.gray('   Run: um login'));
+    return;
+  }
+
+  // Check expiration
+  const expired = isTokenExpired(tokenData);
+  console.log(chalk.yellow('Token Expiration:'));
+  console.log(expired ? chalk.red('  ❌ Expired') : chalk.green('  ✓ Valid'));
+  if (tokenData.decoded?.exp) {
+    const expDate = new Date(tokenData.decoded.exp * 1000);
+    console.log(chalk.gray(`  Expires: ${expDate.toLocaleString()}`));
+  }
+
+  // Check org context from JWT claims (single source of truth)
+  console.log(chalk.yellow('\nOrganization Context (from JWT):'));
+  const orgContext = getOrgContext();
+
+  if (orgContext) {
+    console.log(chalk.green(`  ✓ Organization: ${orgContext.name} (${orgContext.id})`));
+    console.log(chalk.gray(`    Role: ${orgContext.role || 'member'}`));
+    if (orgContext.slug) {
+      console.log(chalk.gray(`    Slug: ${orgContext.slug}`));
+    }
+  } else {
+    console.log(chalk.cyan('  Personal Account (no org claims in JWT)'));
+  }
+
+  // Check session ID
+  console.log(chalk.yellow('\nSession ID:'));
+  const hasSid = tokenData.decoded?.sid;
+  console.log(hasSid ? chalk.green('  ✓ Present') : chalk.yellow('  ⚠ Missing'));
+  if (hasSid) {
+    console.log(chalk.gray(`  SID: ${tokenData.decoded.sid}`));
+  } else {
+    console.log(chalk.gray('  Note: Some org-scoped tokens may not have sid'));
+  }
+
+  // Check user ID
+  console.log(chalk.yellow('\nUser ID:'));
+  if (tokenData.decoded?.sub) {
+    console.log(chalk.green(`  ✓ ${tokenData.decoded.sub}`));
+  } else {
+    console.log(chalk.red('  ❌ Missing'));
+  }
+
+  // Check refresh token
+  console.log(chalk.yellow('\nRefresh Token:'));
+  console.log(tokenData.refresh_token ? chalk.green('  ✓ Present') : chalk.red('  ❌ Missing'));
+
+  console.log('');
+}

package/commands/init.js

@@ -65,8 +65,9 @@ export async function init(options = {}) {
   }
 
   console.log(chalk.green(`✓ Logged in as: ${authData.user_id}`));
-  if (authData.org_id) {
-    console.log(chalk.green(`✓ Organization: ${authData.org_id}`));
+  if (authData.org_id && authData.org_id !== authData.user_id) {
+    const orgDisplay = authData.org_name || authData.org_id;
+    console.log(chalk.green(`✓ Organization: ${orgDisplay}`));
   }
 
   // Step 1.5: Check for existing config
@@ -166,14 +167,17 @@ async function ensureAuthenticated(options) {
   if (stored && stored.decoded) {
     console.log(chalk.gray('Using saved session'));
 
-    // Extract user_id and org_id from token
+    // Extract user_id and org_id from JWT claims, with selectedOrgId fallback
     const userId = stored.decoded.sub;
-    const orgId = stored.selectedOrg?.id || userId; // Fallback to user_id if no org
+    // Use org from JWT o.* claims, fallback to selectedOrgId from login, then userId for personal context
+    const orgId = stored.decoded.o?.o_id || stored.selectedOrgId || userId;
+    const orgName = stored.decoded.o?.o_name || stored.selectedOrgName || null;
     const expirationTime = stored.decoded.exp * 1000;
 
     return {
       user_id: userId,
       org_id: orgId,
+      org_name: orgName,
       access_token: stored.idToken || stored.accessToken,
       api_url: 'https://rose-asp-main-1c0b114.d2.zuplo.dev',
       expires_at: expirationTime,
@@ -189,14 +193,17 @@ async function ensureAuthenticated(options) {
     return null;
   }
 
-  // Extract from saved token
+  // Extract from saved token (JWT claims with selectedOrgId fallback)
   const savedToken = getToken();
   const userId = savedToken?.decoded?.sub;
-  const orgId = savedToken?.selectedOrg?.id || userId;
+  // Use org from JWT o.* claims, fallback to selectedOrgId from login, then userId for personal context
+  const orgId = savedToken?.decoded?.o?.o_id || savedToken?.selectedOrgId || userId;
+  const orgName = savedToken?.decoded?.o?.o_name || savedToken?.selectedOrgName || null;
 
   return {
     user_id: userId,
     org_id: orgId,
+    org_name: orgName,
     access_token: savedToken.idToken || savedToken.accessToken,
     api_url: 'https://rose-asp-main-1c0b114.d2.zuplo.dev',
     expires_at: savedToken.decoded?.exp * 1000,
@@ -244,10 +251,12 @@ async function selectOrCreateProject(authData, options) {
           return null;
         }
 
-        // Update authData with fresh credentials
+        // Update authData with fresh credentials (JWT claims with selectedOrgId fallback)
         const savedToken = getToken();
         authData.user_id = savedToken.decoded.sub;
-        authData.org_id = savedToken.selectedOrg?.id || authData.user_id;
+        // Use org from JWT o.* claims, fallback to selectedOrgId from login, then userId for personal context
+        authData.org_id = savedToken.decoded?.o?.o_id || savedToken?.selectedOrgId || authData.user_id;
+        authData.org_name = savedToken.decoded?.o?.o_name || savedToken?.selectedOrgName || null;
         authData.access_token = savedToken.idToken || savedToken.accessToken;
         authData.expires_at = savedToken.decoded?.exp * 1000;
 

package/commands/login.js

@@ -3,12 +3,9 @@ import { URL } from 'url';
 import open from 'open';
 import chalk from 'chalk';
 import crypto from 'crypto';
-import inquirer from 'inquirer';
 import { config, validateConfig } from '../lib/config.js';
-import { saveToken, updateSelectedOrg } from '../lib/token-storage.js';
-import { getUserOrganizations, getOrganizationsFromToken, getOrgScopedToken } from '../lib/clerk-api.js';
+import { saveToken } from '../lib/token-storage.js';
 import { parseJWT } from '../lib/jwt-utils.js';
-import { promptOrganizationSelection, displayOrganizationSelection } from '../lib/org-selection-ui.js';
 
 function generateRandomState() {
   // Use cryptographically secure random bytes for CSRF protection
@@ -38,11 +35,10 @@ export async function login() {
   const state = generateRandomState();
   const pkce = generatePKCE();
 
-  // Build OAuth2 authorization URL with PKCE
-  const authUrl = new URL(`https://${config.clerkDomain}/oauth/authorize`);
+  // Build URL to frontend CLI auth page (which shows org picker before Clerk OAuth)
+  const authUrl = new URL(`${config.frontendUrl}/cli-auth`);
   authUrl.searchParams.append('client_id', config.clerkClientId);
   authUrl.searchParams.append('redirect_uri', config.redirectUri);
-  authUrl.searchParams.append('response_type', 'code');
   authUrl.searchParams.append('scope', 'openid profile email');
   authUrl.searchParams.append('state', state);
   authUrl.searchParams.append('code_challenge', pkce.challenge);
@@ -76,7 +72,23 @@ export async function login() {
           return;
         }
 
-        if (returnedState !== state) {
+        // Parse state to extract CSRF token, org_id, and org_name
+        // State format: base64({ csrf: string, org_id: string|null, org_name: string|null })
+        let csrfState = returnedState;
+        let selectedOrgId = null;
+        let selectedOrgName = null;
+
+        try {
+          const stateData = JSON.parse(atob(returnedState));
+          csrfState = stateData.csrf;
+          selectedOrgId = stateData.org_id;
+          selectedOrgName = stateData.org_name;
+        } catch (e) {
+          // Old format - state is just the CSRF token
+          csrfState = returnedState;
+        }
+
+        if (csrfState !== state) {
           res.writeHead(400, { 'Content-Type': 'text/html' });
           res.end(`
             <html>
@@ -242,10 +254,12 @@ export async function login() {
           `);
 
           // Parse JWT for user info - do not log tokens
+          // The id_token should already have org claims because the frontend
+          // called setActive() before OAuth redirect
           const tokenToParse = tokenData.id_token || tokenData.access_token;
           const decoded = parseJWT(tokenToParse);
 
-          // Save token (save both access_token and id_token if available)
+          // Save token with selected org from state (since JWT doesn't have org claims)
           saveToken({
             accessToken: tokenData.access_token,
             idToken: tokenData.id_token,
@@ -253,7 +267,10 @@ export async function login() {
             tokenType: tokenData.token_type || 'Bearer',
             expiresIn: tokenData.expires_in,
             receivedAt: Date.now(),
-            decoded: decoded
+            decoded: decoded,
+            sessionId: decoded?.sid,
+            selectedOrgId: selectedOrgId,  // From state parameter
+            selectedOrgName: selectedOrgName,  // From state parameter
           });
 
           console.log(chalk.green('\n✅ Authentication successful!'));
@@ -269,95 +286,30 @@ export async function login() {
             }
           }
 
-          // Close server first
-          server.close(async () => {
+          // Close server and display org context
+          server.close(() => {
             console.log(chalk.gray('✓ Callback server closed'));
 
-            // Prompt for organization selection
-            try {
-              const userId = decoded?.sub;
-              if (userId) {
-                // First try to get organizations from JWT token
-                let memberships = getOrganizationsFromToken(decoded);
-
-                // If not in JWT, fetch from Clerk Frontend API
-                if (memberships.length === 0) {
-                  const sessionToken = tokenData.id_token || tokenData.access_token;
-                  memberships = await getUserOrganizations(userId, sessionToken);
-                }
-
-                console.log(chalk.blue('\n🔍 Checking for organizations...'));
-                const selectedOrg = await promptOrganizationSelection(memberships);
-                displayOrganizationSelection(selectedOrg);
-
-                if (selectedOrg) {
-                  // Get org-scoped JWT from Clerk
-                  try {
-                    console.log(chalk.cyan('\n🔄 Getting organization-scoped token...'));
-
-                    const sessionId = decoded.sid;
-                    if (!sessionId) {
-                      throw new Error('No session ID found in token');
-                    }
-
-                    const orgToken = await getOrgScopedToken(
-                      sessionId,
-                      selectedOrg.id,
-                      tokenData.id_token
-                    );
-
-                    // Update saved token with org-scoped version
-                    // Preserve originalSid for recovery purposes (org-scoped token won't have sid)
-                    saveToken({
-                      accessToken: tokenData.access_token,
-                      idToken: orgToken.jwt,
-                      refresh_token: tokenData.refresh_token,
-                      tokenType: 'Bearer',
-                      expiresIn: tokenData.expires_in,
-                      receivedAt: Date.now(),
-                      decoded: parseJWT(orgToken.jwt),
-                      selectedOrg: selectedOrg,
-                      originalSid: decoded.sid  // Preserve session ID from original OAuth token
-                    });
-
-                    console.log(chalk.green(`\n✅ Using organization context: ${chalk.bold(selectedOrg.name)}`));
-                    console.log(chalk.gray(`   Organization ID: ${selectedOrg.id}`));
-                    console.log(chalk.gray(`   Your role: ${selectedOrg.role}`));
-                    console.log(chalk.gray('   ✓ Token updated with organization context'));
-                  } catch (error) {
-                    console.error(chalk.yellow('\n⚠️  Failed to get org-scoped token:'), error.message);
-                    console.log(chalk.gray('   Continuing with original token (may have limited org access)'));
-
-                    // Save token with selectedOrg AND originalSid for recovery
-                    // This allows token-validation.js to retry getting org-scoped token later
-                    saveToken({
-                      accessToken: tokenData.access_token,
-                      idToken: tokenData.id_token,
-                      refresh_token: tokenData.refresh_token,
-                      tokenType: 'Bearer',
-                      expiresIn: tokenData.expires_in,
-                      receivedAt: Date.now(),
-                      decoded: decoded,
-                      selectedOrg: selectedOrg,
-                      originalSid: decoded.sid  // Preserve session ID for recovery
-                    });
-
-                    console.log(chalk.green(`\n✅ Using organization context: ${chalk.bold(selectedOrg.name)}`));
-                    console.log(chalk.gray(`   Organization ID: ${selectedOrg.id}`));
-                    console.log(chalk.gray(`   Your role: ${selectedOrg.role}`));
-                    console.log(chalk.yellow('   ⚠️  Token lacks org claims - recovery will be attempted on next use'));
-                  }
-                } else {
-                  console.log(chalk.green('\n✅ Using personal account context'));
-                }
-
-                console.log(chalk.gray('\nYou can switch organizations anytime with: um org switch'));
+            // Display organization context - prefer JWT claims, fall back to selected org from state
+            // Support both flat claims (org_id) and nested claims (o.o_id) from Clerk JWT templates
+            const jwtOrgId = decoded?.org_id || decoded?.o?.o_id;
+            const orgId = jwtOrgId || selectedOrgId;
+            const orgName = decoded?.org_name || decoded?.o?.o_name || selectedOrgName;
+            const orgSlug = decoded?.org_slug || decoded?.o?.o_slug;
+            const orgRole = decoded?.org_role || decoded?.o?.o_role;
+
+            if (orgId) {
+              console.log(chalk.green(`\n✅ Organization context: ${chalk.bold(orgName || orgSlug || orgId)}`));
+              console.log(chalk.gray(`   Organization ID: ${orgId}`));
+              if (orgRole) {
+                console.log(chalk.gray(`   Your role: ${orgRole}`));
               }
-            } catch (error) {
-              console.log(chalk.yellow('\n⚠️  Could not fetch organizations. Continuing with personal account context.'));
-              console.log(chalk.gray(`Error: ${error.message}`));
+            } else {
+              console.log(chalk.green('\n✅ Using personal account context'));
             }
 
+            console.log(chalk.gray('\nYou can switch organizations anytime with: um org switch'));
+
             resolve(tokenData);
           });
         } catch (error) {

package/commands/org.js

@@ -1,115 +1,30 @@
 import chalk from 'chalk';
-import { updateSelectedOrg, getSelectedOrg, saveToken, getToken } from '../lib/token-storage.js';
-import { loadAndRefreshToken } from '../lib/token-validation.js';
-import { refreshAccessToken } from '../lib/token-refresh.js';
-import { getUserOrganizations, getOrganizationsFromToken, getOrgScopedToken } from '../lib/clerk-api.js';
-import { parseJWT } from '../lib/jwt-utils.js';
-import { promptOrganizationSelection, displayOrganizationSelection } from '../lib/org-selection-ui.js';
+import { getOrgContext } from '../lib/token-storage.js';
 
 /**
  * Switch organization context
+ * Re-runs the login flow which shows the org picker on the frontend
  */
 export async function switchOrg() {
-  // Load token and refresh if expired
-  const tokenData = await loadAndRefreshToken();
+  console.log(chalk.blue('\n🔄 Opening browser to select organization...\n'));
 
-  const userId = tokenData.decoded?.sub;
-  const accessToken = tokenData.idToken || tokenData.accessToken;
-
-  if (!userId || !accessToken) {
-    console.error(chalk.red('❌ Invalid session'));
-    console.log(chalk.gray('Run `um login` to re-authenticate'));
-    process.exit(1);
-  }
-
-  console.log(chalk.blue('\n🔍 Fetching organizations...'));
-
-  // First try to get organizations from JWT token
-  let memberships = tokenData.decoded
-    ? getOrganizationsFromToken(tokenData.decoded)
-    : [];
-
-  // If not in JWT, fetch from Clerk Frontend API
-  if (memberships.length === 0) {
-    const sessionToken = accessToken;
-    memberships = await getUserOrganizations(userId, sessionToken);
-  }
-
-  if (memberships.length === 0) {
-    console.log(chalk.yellow('\n⚠️  No organizations found'));
-    console.log(chalk.gray('You are using a personal account context.'));
-    console.log(chalk.gray('Create an organization at https://unifiedmemory.ai to collaborate with your team.'));
-    process.exit(0);
-  }
-
-  // Get current selection
-  const currentOrg = getSelectedOrg();
-
-  // Prompt user to select
-  const selectedOrg = await promptOrganizationSelection(memberships, currentOrg);
-
-  // Update selected organization with org-scoped token
-  if (selectedOrg) {
-    try {
-      // Get session ID from current token
-      const sessionId = tokenData.decoded?.sid || tokenData.originalSid;
-      const currentToken = tokenData.idToken || tokenData.accessToken;
-
-      if (sessionId) {
-        console.log(chalk.cyan('\n🔄 Getting organization-scoped token...'));
-        const orgToken = await getOrgScopedToken(sessionId, selectedOrg.id, currentToken);
-
-        // Update with org-scoped token
-        saveToken({
-          ...tokenData,
-          idToken: orgToken.jwt,
-          decoded: parseJWT(orgToken.jwt),
-          selectedOrg: selectedOrg,
-          originalSid: sessionId
-        });
-
-        console.log(chalk.green(`\n✅ Switched to organization: ${chalk.bold(selectedOrg.name)}`));
-        console.log(chalk.gray(`   Organization ID: ${selectedOrg.id}`));
-        console.log(chalk.gray(`   Your role: ${selectedOrg.role}`));
-        console.log(chalk.gray('   ✓ Token updated with organization context'));
-      } else {
-        // Fall back to just updating selectedOrg (recovery will try later)
-        updateSelectedOrg(selectedOrg);
-        console.log(chalk.green(`\n✅ Switched to organization: ${chalk.bold(selectedOrg.name)}`));
-        console.log(chalk.gray(`   Organization ID: ${selectedOrg.id}`));
-        console.log(chalk.gray(`   Your role: ${selectedOrg.role}`));
-        console.log(chalk.yellow('   ⚠️  No session ID available - token lacks org claims'));
-        console.log(chalk.gray('   Try: um login'));
-      }
-    } catch (error) {
-      console.error(chalk.yellow(`\n⚠️  Failed to get org-scoped token: ${error.message}`));
-      updateSelectedOrg(selectedOrg);
-      console.log(chalk.green(`\n✅ Switched to organization: ${chalk.bold(selectedOrg.name)}`));
-      console.log(chalk.gray(`   Organization ID: ${selectedOrg.id}`));
-      console.log(chalk.gray(`   Your role: ${selectedOrg.role}`));
-      console.log(chalk.gray('   Saved org selection, but token may need refresh'));
-      console.log(chalk.gray('   Try: um org fix'));
-    }
-  } else {
-    updateSelectedOrg(null);
-    console.log(chalk.green('\n✅ Switched to personal account context'));
-  }
-
-  console.log(chalk.gray('\nRun `um status` to verify your current context'));
+  // Re-use login flow - frontend will show org picker
+  const { login } = await import('./login.js');
+  await login();
 }
 
 /**
- * Show current organization
+ * Show current organization context from JWT
  */
 export async function showOrg() {
-  const selectedOrg = getSelectedOrg();
+  const orgContext = getOrgContext();
 
   console.log(chalk.blue('\n📋 Current Organization Context\n'));
 
-  if (selectedOrg) {
-    console.log(chalk.green(`  ${selectedOrg.name} (${selectedOrg.slug})`));
-    console.log(chalk.gray(`  ID: ${selectedOrg.id}`));
-    console.log(chalk.gray(`  Role: ${selectedOrg.role}`));
+  if (orgContext) {
+    console.log(chalk.green(`  ${orgContext.name}${orgContext.slug ? ` (${orgContext.slug})` : ''}`));
+    console.log(chalk.gray(`  ID: ${orgContext.id}`));
+    console.log(chalk.gray(`  Role: ${orgContext.role || 'member'}`));
   } else {
     console.log(chalk.cyan('  Personal Account'));
     console.log(chalk.gray('  (no organization selected)'));
@@ -119,90 +34,23 @@ export async function showOrg() {
 }
 
 /**
- * Fix organization token if API calls fail with org mismatch
- * Attempts to get org-scoped token for the currently selected organization
+ * Fix organization token - deprecated
+ * JWT is now the single source of truth, so this is no longer needed.
+ * Kept for backwards compatibility but just shows a message.
  */
 export async function fixOrg() {
-  const tokenData = getToken();
-
-  if (!tokenData) {
-    console.error(chalk.red('❌ Not authenticated. Run: um login'));
-    return;
-  }
-
-  if (!tokenData.selectedOrg) {
-    console.error(chalk.yellow('⚠️  No organization selected. Run: um org switch'));
-    return;
-  }
-
-  console.log(chalk.blue('\n🔧 Organization Token Fix\n'));
-  console.log(chalk.gray(`  Selected org: ${tokenData.selectedOrg.name}`));
-  console.log(chalk.gray(`  Org ID: ${tokenData.selectedOrg.id}`));
-
-  // Check if already has org claims
-  if (tokenData.decoded?.o?.o_id) {
-    console.log(chalk.green('\n✓ Token already has organization claims'));
-    console.log(chalk.gray(`  Org in token: ${tokenData.decoded.o.o_id}`));
-    if (tokenData.decoded.o.o_id === tokenData.selectedOrg.id) {
-      console.log(chalk.green('  ✓ Org matches selected organization'));
-    } else {
-      console.log(chalk.yellow('  ⚠️  Org mismatch - token has different org than selected'));
-      console.log(chalk.gray('  Run: um org switch'));
-    }
-    return;
-  }
+  const orgContext = getOrgContext();
 
-  console.log(chalk.yellow('\n⚠️  Token missing org claims. Attempting fix...'));
+  console.log(chalk.blue('\n🔧 Organization Token Check\n'));
 
-  // Try to get session ID
-  let sessionId = tokenData.decoded?.sid || tokenData.originalSid;
-  let currentToken = tokenData.idToken || tokenData.accessToken;
-
-  // If no sessionId, try OAuth refresh first
-  if (!sessionId && tokenData.refresh_token) {
-    console.log(chalk.gray('  Refreshing token to obtain session ID...'));
-    try {
-      const refreshed = await refreshAccessToken(tokenData);
-      sessionId = refreshed.decoded?.sid;
-      currentToken = refreshed.idToken || refreshed.accessToken;
-
-      if (sessionId) {
-        console.log(chalk.gray('  ✓ Got session ID from refresh'));
-      }
-    } catch (error) {
-      console.error(chalk.red(`  Refresh failed: ${error.message}`));
-    }
-  }
-
-  if (!sessionId) {
-    console.error(chalk.red('\n❌ Cannot obtain session ID'));
-    console.log(chalk.gray('  The token does not contain a session ID needed for org-scoped tokens.'));
-    console.log(chalk.gray('  Run: um login'));
-    return;
+  if (orgContext) {
+    console.log(chalk.green('✓ Token has organization claims'));
+    console.log(chalk.gray(`  Organization: ${orgContext.name}`));
+    console.log(chalk.gray(`  ID: ${orgContext.id}`));
+  } else {
+    console.log(chalk.cyan('✓ Token is for personal account context'));
   }
 
-  // Get org-scoped token
-  try {
-    console.log(chalk.cyan('\n🔄 Getting organization-scoped token...'));
-    const orgToken = await getOrgScopedToken(
-      sessionId,
-      tokenData.selectedOrg.id,
-      currentToken
-    );
-
-    const decoded = parseJWT(orgToken.jwt);
-    saveToken({
-      ...tokenData,
-      idToken: orgToken.jwt,
-      decoded: decoded,
-      originalSid: sessionId
-    });
-
-    console.log(chalk.green('\n✅ Token fixed with organization claims'));
-    console.log(chalk.gray(`  Org: ${tokenData.selectedOrg.name}`));
-    console.log(chalk.gray(`  Org ID in token: ${decoded?.o?.o_id || 'N/A'}`));
-  } catch (error) {
-    console.error(chalk.red(`\n❌ Failed to get org token: ${error.message}`));
-    console.log(chalk.gray('\nYou may need to run: um login'));
-  }
+  console.log(chalk.gray('\nJWT is now the single source of truth for org context.'));
+  console.log(chalk.gray('Use `um org switch` to change organization.'));
 }

package/commands/record.js

@@ -28,27 +28,30 @@ export async function record(summary, options = {}) {
       throw new Error('Invalid project configuration: missing project_id');
     }
 
-    // 3. Build auth headers
+    // 3. Build auth headers (JWT is single source of truth)
     const authHeaders = {
       'Authorization': `Bearer ${tokenData.idToken || tokenData.accessToken}`,
     };
 
-    // Add org context
-    if (tokenData.selectedOrg?.id) {
-      authHeaders['X-Org-Id'] = tokenData.selectedOrg.id;
-    } else if (tokenData.decoded?.sub) {
-      authHeaders['X-Org-Id'] = tokenData.decoded.sub;
-    }
-
-    // Add user ID
+    // Add user ID (always present)
     if (tokenData.decoded?.sub) {
       authHeaders['X-User-Id'] = tokenData.decoded.sub;
     }
 
-    // 4. Build auth context for parameter injection
+    // Only add X-Org-Id if JWT has org claims
+    // NO FALLBACK - gateway handles personal context
+    if (tokenData.decoded?.o?.o_id) {
+      authHeaders['X-Org-Id'] = tokenData.decoded.o.o_id;
+    }
+
+    // 4. Build auth context for parameter injection (from JWT claims)
     const authContext = {
       decoded: tokenData.decoded,
-      selectedOrg: tokenData.selectedOrg
+      orgContext: tokenData.decoded?.o ? {
+        id: tokenData.decoded.o.o_id,
+        name: tokenData.decoded.o.o_name,
+        role: tokenData.decoded.o.o_role,
+      } : null
     };
 
     // 5. Prepare tool arguments