ellf-cli 5.0.18__tar.gz → 6.0.0__tar.gz

{ellf_cli-5.0.18/ellf_cli.egg-info → ellf_cli-6.0.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ellf-cli
-Version: 5.0.18
+Version: 6.0.0
 Summary: Ellf Command Line Interface
 Home-page: https://prodi.gy
 Author: ExplosionAI GmbH

{ellf_cli-5.0.18 → ellf_cli-6.0.0}/README.md

@@ -1069,11 +1069,22 @@ Log in to your Ellf account. You normally don't need to call this manually. It w
 | Argument | Type | Description | Default |
 | --- | --- | --- | --- |
 | `--no-cluster` | `bool` | Don't use a cluster | `False` |
+| `--no-org` | `bool` | Skip the organization selection step (stay in the org that the device-flow login lands in) | `False` |
 | `--no-browser` | `bool` | Don't open a browser, just print the login URL | `False` |
+| `--org` | `str` | Name or ID of the organization to log into. If omitted: auto-select when only one is available, or prompt interactively | `None` |
 | `--cluster` | `str` | Name or ID of the cluster to log into. If omitted: auto-select when only one is available, or prompt interactively | `None` |
 | `--json` | `bool` | Output the result as JSON | `False` |
 | `--claude` | `bool` | Install Ellf Claude Code skills and transcript hook into ~/.claude/ | `False` |
 
+### `ellf logout`
+
+Log out by deleting locally-stored auth tokens. PAM bearer tokens can't be revoked server-side, so this is a local operation: subsequent commands will trigger a fresh device-flow login. The cached tokens would have expired on their own within roughly an hour. Use ``--all`` to also reset the saved defaults (active org, cluster, project, etc.), e.g. when handing the machine to a different user.
+
+| Argument | Type | Description | Default |
+| --- | --- | --- | --- |
+| `--all` | `bool` | Also clear saved defaults (broker host, active org/cluster/project/task/agent), not just the auth tokens | `False` |
+| `--json` | `bool` | Output the result as JSON | `False` |
+
 ### `ellf info`
 
 Print information about the CLI

{ellf_cli-5.0.18 → ellf_cli-6.0.0}/ellf_cli/about.json

@@ -1,7 +1,7 @@
 {
   "title": "Ellf CLI",
   "name": "ellf-cli",
-  "version": "5.0.18",
+  "version": "6.0.0",
   "summary": "Ellf Command Line Interface",
   "uri": "https://prodi.gy",
   "prog": "ellf",

{ellf_cli-5.0.18 → ellf_cli-6.0.0}/ellf_cli/auth.py

@@ -169,6 +169,8 @@ class AuthState(Protocol):
 
     def set_active_cluster(self, cluster_id: UUID, broker_url: URL) -> None: ...
 
+    def set_active_org(self, org_id: UUID) -> AccessTokenCredential: ...
+
     def get_id_token(self, force_refresh: bool = False) -> str: ...
 
     def get_api_token(self, force_refresh: bool = False) -> AccessTokenCredential: ...
@@ -208,7 +210,11 @@ class AuthStateImpl:
         # PAM lookup-by-address every time the user runs an ellf command.
         # `auth.cluster_id` falls back to the address lookup only if this is None.
         self._cluster_id = settings.cluster_id
-        self._org_id = None
+        # Seed org_id from saved settings too: the user's api_token already
+        # carries the org_id in its `oid` claim, but we don't decode the JWT
+        # here. The saved setting reflects whatever was chosen at the last
+        # `ellf login` and stays in sync via set_active_org.
+        self._org_id = settings.org_id
         self._secrets_path = ctx.secrets_path
         self._saved_settings_path = ctx.saved_settings_path
         self._client = None
@@ -379,6 +385,44 @@ class AuthStateImpl:
         self._cluster_id = cluster_id
         self._cluster_client = None
 
+    def set_active_org(self, org_id: UUID) -> AccessTokenCredential:
+        """Exchange the current api_token for one scoped to ``org_id``.
+
+        PAM tokens carry an org_id claim (each user-org pair is a separate
+        ``models.User`` record), so "switching org" is a token-exchange,
+        not a local-only change. We POST to ``/v1/token/switch-org`` with
+        the current api_token and persist the response in secrets. Any
+        cached cluster-scoped broker tokens are dropped because they were
+        derived from the old api_token's org.
+
+        Persisting ``org_id`` to ``SavedSettings`` is the caller's
+        responsibility.
+        """
+        api_token = self.get_api_token().access_token
+        res = httpx.post(
+            str(self.pam_url / "api/v1/token/switch-org"),
+            headers={"authorization": f"Bearer {api_token}"},
+            json={"org_id": str(org_id)},
+            timeout=AUTH_REQUEST_TIMEOUT_SECONDS,
+        )
+        if res.status_code != 200:
+            err = _format_http_error(res)
+            if res.status_code == 401:
+                raise EllfIDTokenError(err)
+            raise EllfError(Messages.E137.format(org_id=org_id) + f": {err}")
+        data = res.json()
+        new_token = AccessTokenCredential(access_token=data["access_token"])
+        self.secrets.api_token = new_token
+        # Broker tokens were minted for the previous org; clear them so
+        # the next get_cluster_token re-issues against the new org.
+        self.secrets.broker_tokens = {}
+        if self._secrets_path is not None:
+            self.secrets.save(self._secrets_path)
+        self._org_id = org_id
+        self._client = None
+        self._cluster_client = None
+        return new_token
+
     @staticmethod
     def _check_token_expired(
         token: AccessTokenCredential | BrokerAccessTokenCredential | str,

ellf_cli-6.0.0/ellf_cli/commands/_org_select.py

@@ -0,0 +1,86 @@
+from __future__ import annotations
+
+import builtins
+import sys
+from typing import Union
+from uuid import UUID
+
+from wasabi import msg
+
+from ellf_pam_sdk import Client
+from ellf_pam_sdk.models import OrgMembership
+
+from ..errors import CLIError
+from ..messages import Messages
+from ..ui import isatty
+
+
+def list_person_orgs(client: Client) -> builtins.list[OrgMembership]:
+    """Return all org memberships for the authenticated person.
+
+    The PAM ``org.all()`` listing is org-scoped by the api_token, so it
+    only returns the *current* org. To enumerate everywhere this person
+    can sign in we hit ``/api/v1/person/orgs`` directly — the same
+    endpoint the web app's org switcher uses.
+    """
+    response = client._sync_client.post("/api/v1/person/orgs")
+    response.raise_for_status()
+    return [OrgMembership.model_validate(row) for row in response.json()]
+
+
+def _match_org(
+    orgs: builtins.list[OrgMembership],
+    name_or_id: Union[str, UUID],
+) -> OrgMembership | None:
+    if isinstance(name_or_id, UUID):
+        for o in orgs:
+            if o.org_id == name_or_id:
+                return o
+        return None
+    needle = str(name_or_id)
+    for o in orgs:
+        if str(o.org_id) == needle or o.org_name == needle:
+            return o
+    return None
+
+
+def _prompt_for_org(orgs: builtins.list[OrgMembership]) -> OrgMembership:
+    if not isatty(sys.stdin) or not isatty(sys.stdout):
+        raise CLIError(Messages.E136)
+    msg.info("Multiple organizations are available:")
+    for idx, org in enumerate(orgs, start=1):
+        print(f"  [{idx}] {org.org_name}  ({org.org_id})")
+    while True:
+        raw = input(f"Pick an organization [1-{len(orgs)}]: ").strip()
+        if raw.isdigit():
+            choice = int(raw)
+            if 1 <= choice <= len(orgs):
+                return orgs[choice - 1]
+        matched = _match_org(orgs, raw)
+        if matched is not None:
+            return matched
+        msg.warn(f"Invalid selection: {raw!r}")
+
+
+def select_org(
+    client: Client,
+    name_or_id: Union[str, UUID, None] = None,
+) -> OrgMembership:
+    """Pick an org the current person belongs to.
+
+    When ``name_or_id`` is provided, looks it up exactly. Otherwise:
+    auto-selects the only org, or prompts in a TTY when there are
+    multiple. Raises ``CLIError`` if the person has no orgs or the
+    caller is non-interactive with multiple orgs.
+    """
+    orgs = list_person_orgs(client)
+    if not orgs:
+        raise CLIError(Messages.E135)
+    if name_or_id is not None:
+        matched = _match_org(orgs, name_or_id)
+        if matched is None:
+            raise CLIError(Messages.E038.format(noun="org", name_or_id=name_or_id))
+        return matched
+    if len(orgs) == 1:
+        return orgs[0]
+    return _prompt_for_org(orgs)

{ellf_cli-5.0.18 → ellf_cli-6.0.0}/ellf_cli/commands/general.py

@@ -17,6 +17,7 @@ from ..messages import Messages
 from ..ui import print_as_json, print_mutation_result
 from ..util import URL
 from ._cluster_select import select_cluster
+from ._org_select import select_org
 from ._state import get_auth_state, get_root_cfg, get_saved_settings
 
 
@@ -62,14 +63,18 @@ def _install_claude_skills() -> None:
 @cli.command(
     "login",
     no_cluster=Arg("--no-cluster", help=Messages.no_cluster),
+    no_org=Arg("--no-org", help=Messages.no_org),
     no_browser=Arg("--no-browser", help=Messages.no_browser),
+    org=Arg("--org", help=Messages.login_org),
     cluster=Arg("--cluster", help=Messages.login_cluster),
     as_json=Arg("--json", help=Messages.as_json),
     claude=Arg("--claude", help=Messages.claude),
 )
 def login(
     no_cluster: bool = False,
+    no_org: bool = False,
     no_browser: bool = False,
+    org: Optional[Union[str, UUID]] = None,
     cluster: Optional[Union[str, UUID]] = None,
     as_json: bool = False,
     claude: bool = False,
@@ -82,6 +87,11 @@ def login(
     auth.no_browser = no_browser
     auth._ensure_readable_secrets()
     auth.get_api_token(force_refresh=True)
+    if not no_org:
+        # Org selection happens before cluster selection so cluster lookups
+        # below run against the chosen org's api_token, not whatever org
+        # the device-flow login happened to land in.
+        _select_and_persist_org(auth, org)
     if not no_cluster:
         try:
             _select_and_persist_cluster(auth, cluster)
@@ -98,6 +108,68 @@ def login(
         _install_claude_skills()
 
 
+@cli.command(
+    "logout",
+    all_=Arg("--all", help=Messages.logout_all),
+    as_json=Arg("--json", help=Messages.as_json),
+)
+def logout(all_: bool = False, as_json: bool = False) -> None:
+    """
+    Log out by deleting locally-stored auth tokens.
+
+    PAM bearer tokens can't be revoked server-side, so this is a local
+    operation: subsequent commands will trigger a fresh device-flow
+    login. The cached tokens would have expired on their own within
+    roughly an hour. Use ``--all`` to also reset the saved defaults
+    (active org, cluster, project, etc.), e.g. when handing the
+    machine to a different user.
+    """
+    from ..auth import FileSecrets
+
+    ctx = get_root_cfg()
+    secrets_existed = ctx.secrets_path.exists()
+    FileSecrets.clean(ctx.secrets_path)
+    settings_reset = False
+    if all_:
+        settings_path = ctx.saved_settings_path
+        if settings_path.exists():
+            SavedSettings.blank().save(settings_path)
+            settings_reset = True
+    print_mutation_result(
+        {
+            "status": "ok",
+            "secrets_removed": secrets_existed,
+            "settings_reset": settings_reset,
+        },
+        Messages.T013,
+        as_json=as_json,
+    )
+
+
+def _select_and_persist_org(
+    auth: AuthState,
+    name_or_id: Optional[Union[str, UUID]] = None,
+) -> UUID:
+    """Pick an org via pam and write it into SavedSettings.
+
+    If the chosen org differs from the current api_token's org, calls
+    ``/v1/token/switch-org`` to re-issue the token for the target org.
+    The first time a person logs in here we always have *some* api_token
+    (from the device-flow login), but we don't know which org it landed
+    in without a round-trip, so the switch is unconditional when an org
+    is explicitly selected — that's cheap and avoids a JWT decode here.
+    """
+    chosen = select_org(auth.client, name_or_id)
+    settings = get_saved_settings()
+    previous_org_id = settings.org_id
+    if previous_org_id != chosen.org_id:
+        auth.set_active_org(chosen.org_id)
+    settings.update("org_id", chosen.org_id)
+    settings.save(get_root_cfg().saved_settings_path)
+    msg.good(f"Logged in to organization '{chosen.org_name}'")
+    return chosen.org_id
+
+
 def _select_and_persist_cluster(
     auth: AuthState,
     name_or_id: Optional[Union[str, UUID]] = None,

{ellf_cli-5.0.18 → ellf_cli-6.0.0}/ellf_cli/config.py

@@ -40,6 +40,7 @@ class SavedSettings(BaseModel):
     agent: UUID | None = None
     pam_host: str | None = DEFAULT_PAM_HOST
     cluster_id: UUID | None = None
+    org_id: UUID | None = None
     recipes_file: str | None = None
 
     @classmethod
@@ -52,6 +53,7 @@ class SavedSettings(BaseModel):
             agent=None,
             pam_host=DEFAULT_PAM_HOST,
             cluster_id=None,
+            org_id=None,
             recipes_file=None,
         )
 
@@ -96,7 +98,7 @@ class SavedSettings(BaseModel):
     @overload
     def update(
         self,
-        field: Literal["project", "task", "action", "agent", "cluster_id"],
+        field: Literal["project", "task", "action", "agent", "cluster_id", "org_id"],
         value: UUID | None = None,
     ) -> UUID | None: ...
 
@@ -110,12 +112,13 @@ class SavedSettings(BaseModel):
             "action",
             "agent",
             "cluster_id",
+            "org_id",
             "recipes_file",
         ],
         value: str | UUID | None = None,
     ) -> str | UUID | None:
         old_value = getattr(self, field)
         setattr(self, field, value)
-        if old_value != value and field in ["broker_host", "pam_host"]:
+        if old_value != value and field in ["broker_host", "pam_host", "org_id"]:
             self.reset_defaults()
         return getattr(self, field)

{ellf_cli-5.0.18 → ellf_cli-6.0.0}/ellf_cli/ellf.json

@@ -1,7 +1,7 @@
 {
   "prog": "ellf",
   "help": "Ellf Command Line Interface.",
-  "version": "5.0.17",
+  "version": "5.0.18",
   "extra_key": "_extra",
   "commands": {
     "actions": {
@@ -164,6 +164,19 @@
           "type": null,
           "orig_type": "bool"
         },
+        {
+          "id": "no_org",
+          "option": "--no-org",
+          "short": null,
+          "orig_help": "Skip the organization selection step (stay in the org that the device-flow login lands in)",
+          "default": false,
+          "help": "Skip the organization selection step (stay in the org that the device-flow login lands in) (bool)",
+          "action": "store_true",
+          "choices": null,
+          "has_converter": false,
+          "type": null,
+          "orig_type": "bool"
+        },
         {
           "id": "no_browser",
           "option": "--no-browser",
@@ -177,6 +190,19 @@
           "type": null,
           "orig_type": "bool"
         },
+        {
+          "id": "org",
+          "option": "--org",
+          "short": null,
+          "orig_help": "Name or ID of the organization to log into. If omitted: auto-select when only one is available, or prompt interactively",
+          "default": null,
+          "help": "Name or ID of the organization to log into. If omitted: auto-select when only one is available, or prompt interactively (str)",
+          "action": null,
+          "choices": null,
+          "has_converter": false,
+          "type": "str",
+          "orig_type": "str"
+        },
         {
           "id": "cluster",
           "option": "--cluster",
@@ -222,6 +248,41 @@
       "parent": null,
       "is_placeholder": false
     },
+    "logout": {
+      "name": "logout",
+      "args": [
+        {
+          "id": "all_",
+          "option": "--all",
+          "short": null,
+          "orig_help": "Also clear saved defaults (broker host, active org/cluster/project/task/agent), not just the auth tokens",
+          "default": false,
+          "help": "Also clear saved defaults (broker host, active org/cluster/project/task/agent), not just the auth tokens (bool)",
+          "action": "store_true",
+          "choices": null,
+          "has_converter": false,
+          "type": null,
+          "orig_type": "bool"
+        },
+        {
+          "id": "as_json",
+          "option": "--json",
+          "short": null,
+          "orig_help": "Output the result as JSON",
+          "default": false,
+          "help": "Output the result as JSON (bool)",
+          "action": "store_true",
+          "choices": null,
+          "has_converter": false,
+          "type": null,
+          "orig_type": "bool"
+        }
+      ],
+      "description": "\nLog out by deleting locally-stored auth tokens.\n\nPAM bearer tokens can't be revoked server-side, so this is a local\noperation: subsequent commands will trigger a fresh device-flow\nlogin. The cached tokens would have expired on their own within\nroughly an hour. Use ``--all`` to also reset the saved defaults\n(active org, cluster, project, etc.), e.g. when handing the\nmachine to a different user.\n",
+      "allow_extra": false,
+      "parent": null,
+      "is_placeholder": false
+    },
     "info": {
       "name": "info",
       "args": [

{ellf_cli-5.0.18 → ellf_cli-6.0.0}/ellf_cli/messages.py

@@ -75,6 +75,7 @@ ellf secret create my-credentials OPENAI_API_KEY="sk-..." CUSTOM_SECRET=-
     T009 = "Successfully deregistered {noun} {name}"
     T011 = "Successfully copied files"
     T012 = "Login successful"
+    T013 = "Logout successful"
     T014 = "Opening browser to authenticate..."
     T015 = "If a browser doesn't open automatically after some seconds, you can copy and open this link:"
     T016 = "Alternatively, you can manually open:"
@@ -170,8 +171,11 @@ ellf secret create my-credentials OPENAI_API_KEY="sk-..." CUSTOM_SECRET=-
     output_dir = "Output directory for the {noun}"
     pam_host_config = "Host or URL of the Prodigy Annotation Manager (PAM) app"
     no_cluster = "Don't use a cluster"
+    no_org = "Skip the organization selection step (stay in the org that the device-flow login lands in)"
     no_browser = "Don't open a browser, just print the login URL"
+    logout_all = "Also clear saved defaults (broker host, active org/cluster/project/task/agent), not just the auth tokens"
     login_cluster = "Name or ID of the cluster to log into. If omitted: auto-select when only one is available, or prompt interactively"
+    login_org = "Name or ID of the organization to log into. If omitted: auto-select when only one is available, or prompt interactively"
     claude = "Install Ellf Claude Code skills and transcript hook into ~/.claude/"
     use_active_venv = "Use the currently active virtualenv, instead of making a temporary one"
     filter_by = "Filter by {filter}"
@@ -217,6 +221,9 @@ ellf secret create my-credentials OPENAI_API_KEY="sk-..." CUSTOM_SECRET=-
     E118 = "Error requesting recipe schemas"
     E121 = "Invalid JSON for meta"
     E128 = "Cannot parse path: {path}"
+    E135 = "No organizations are accessible for this account"
+    E136 = "Multiple organizations available. Run `ellf login --org <name>` to pick one"
+    E137 = "Could not switch to organization {org_id}"
     E144 = "Not a valid Python package: name should end in .tar.gz or .whl"
     E145 = "No valid meta.json found in package"
     E146 = "Invalid meta.json key ellf_recipes"

{ellf_cli-5.0.18 → ellf_cli-6.0.0/ellf_cli.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ellf-cli
-Version: 5.0.18
+Version: 6.0.0
 Summary: Ellf Command Line Interface
 Home-page: https://prodi.gy
 Author: ExplosionAI GmbH

{ellf_cli-5.0.18 → ellf_cli-6.0.0}/ellf_cli.egg-info/SOURCES.txt

@@ -35,6 +35,7 @@ ellf_cli/cloud/__init__.py
 ellf_cli/cloud/gcp.py
 ellf_cli/commands/__init__.py
 ellf_cli/commands/_cluster_select.py
+ellf_cli/commands/_org_select.py
 ellf_cli/commands/_recipe_file.py
 ellf_cli/commands/_recipe_subcommand.py
 ellf_cli/commands/_state.py
@@ -166,7 +167,9 @@ tests/test_info.py
 tests/test_invalid_secrets.py
 tests/test_key_pair.py
 tests/test_login.py
+tests/test_logout.py
 tests/test_main.py
+tests/test_org_select.py
 tests/test_plans.py
 tests/test_projects.py
 tests/test_query.py

ellf_cli-6.0.0/tests/test_logout.py

@@ -0,0 +1,126 @@
+from uuid import uuid4
+
+from ellf_cli.auth import FileSecrets
+from ellf_cli.commands._state import get_root_cfg, get_saved_settings
+from ellf_cli.commands.general import logout
+from ellf_cli.config import DEFAULT_PAM_HOST, SavedSettings
+
+
+def _seed_secrets() -> None:
+    """Write a secrets.json with a sentinel id_token at the active config path."""
+    ctx = get_root_cfg()
+    ctx.secrets_path.parent.mkdir(parents=True, exist_ok=True)
+    FileSecrets(id_token="sentinel-id-token").save(ctx.secrets_path)
+
+
+def _seed_settings() -> None:
+    """Write saved-defaults.json populated with workflow defaults."""
+    ctx = get_root_cfg()
+    settings = SavedSettings(
+        broker_host="https://cluster.example.com",
+        project=uuid4(),
+        task=uuid4(),
+        action=uuid4(),
+        agent=uuid4(),
+        pam_host="https://pam.example.com",
+        cluster_id=uuid4(),
+        org_id=uuid4(),
+        recipes_file="/tmp/recipes.json",
+    )
+    settings.save(ctx.saved_settings_path)
+
+
+def test_logout_removes_secrets_file():
+    _seed_secrets()
+    ctx = get_root_cfg()
+    assert ctx.secrets_path.exists()
+    logout()
+    assert not ctx.secrets_path.exists()
+
+
+def test_logout_is_idempotent_when_no_secrets():
+    ctx = get_root_cfg()
+    assert not ctx.secrets_path.exists()
+    # Should not raise even when nothing to clean up.
+    logout()
+    assert not ctx.secrets_path.exists()
+
+
+def test_logout_default_keeps_saved_settings():
+    _seed_secrets()
+    _seed_settings()
+    ctx = get_root_cfg()
+    logout()
+    # secrets gone, saved-defaults untouched
+    assert not ctx.secrets_path.exists()
+    persisted = SavedSettings.from_file(ctx.saved_settings_path)
+    assert persisted.org_id is not None
+    assert persisted.cluster_id is not None
+    assert persisted.broker_host == "https://cluster.example.com"
+
+
+def test_logout_all_resets_saved_settings():
+    _seed_secrets()
+    _seed_settings()
+    ctx = get_root_cfg()
+    logout(all_=True)
+    assert not ctx.secrets_path.exists()
+    persisted = SavedSettings.from_file(ctx.saved_settings_path)
+    # `blank()` zeroes everything except pam_host, which defaults back
+    # to DEFAULT_PAM_HOST so the next `ellf login` still knows where
+    # to talk.
+    assert persisted.org_id is None
+    assert persisted.cluster_id is None
+    assert persisted.broker_host is None
+    assert persisted.project is None
+    assert persisted.task is None
+    assert persisted.action is None
+    assert persisted.agent is None
+    assert persisted.recipes_file is None
+    assert persisted.pam_host == DEFAULT_PAM_HOST
+
+
+def test_logout_all_without_existing_settings_file():
+    """--all on a machine that never wrote saved-defaults.json shouldn't
+    create one. Otherwise we'd leave a sticky artifact on what should be
+    a "clean slate" command.
+    """
+    _seed_secrets()
+    ctx = get_root_cfg()
+    # Defensive: confirm settings file isn't there
+    if ctx.saved_settings_path.exists():
+        ctx.saved_settings_path.unlink()
+    logout(all_=True)
+    assert not ctx.secrets_path.exists()
+    assert not ctx.saved_settings_path.exists()
+
+
+def test_logout_does_not_invoke_network(monkeypatch):
+    """logout is a local operation — no PAM round-trip required."""
+    import httpx
+
+    def _explode(*_args, **_kwargs):
+        raise AssertionError("logout must not touch the network")
+
+    monkeypatch.setattr(httpx, "post", _explode)
+    monkeypatch.setattr(httpx, "get", _explode)
+    _seed_secrets()
+    logout()
+    # If we got here without the assertion firing, no network call happened.
+
+
+def test_logout_clears_get_saved_settings_cache_independence():
+    """The in-memory cached SavedSettings from a prior get_saved_settings()
+    call is not mutated by `logout` itself — it just rewrites the file.
+    The next process invocation will pick up the new on-disk state.
+    """
+    _seed_secrets()
+    _seed_settings()
+    cached = get_saved_settings()
+    assert cached.org_id is not None
+    logout(all_=True)
+    # Re-read from disk to verify the persisted state, since the cached
+    # object lives in a ContextVar and isn't refreshed in-process.
+    ctx = get_root_cfg()
+    on_disk = SavedSettings.from_file(ctx.saved_settings_path)
+    assert on_disk.org_id is None