Review fix for #13. The CP org verbs targeted /api/v1/orgs*, which is gated by
RequireSession() (WorkOS cookie-only) — a bearer-token CLI can't authenticate
and these 401 in prod; the tenant Org API Key has no standing on the CP at all.
- org create/list now target the CP ADMIN routes (POST/GET /api/v1/admin/orgs,
AdminGate bearer), authenticated with a DISTINCT credential MOLECULE_CP_ADMIN_TOKEN
(never the tenant MOLECULE_API_KEY). create now requires --owner-user-id, per
controlplane adminCreateOrgRequest{slug,name,owner_user_id}. ListOrgs decodes
the {limit,offset,orgs[]} admin-summary envelope. Two-credential split is
documented in `org`/`org create` help text; the org key is never sent to the CP.
- org get/export have NO AdminGate-reachable route on the CP (session-only), so
they fail fast with a clear "session-only, use the dashboard" error instead of
shipping verbs that 401.
- cpAdminClient() fails fast with guidance when MOLECULE_CP_ADMIN_TOKEN is unset
(wrong-credential path), rather than silently sending the org key to the CP.
- Wire Execute() through handleErr so SilenceErrors'd exitError messages actually
print (they were previously swallowed by main's bare os.Exit(1)) — required for
the fail-fast guidance to reach the user.
- Optional cleanup: extract resolveBillingMode()/budgetLimitsFromFlags() so prod
and tests share one definition.
- Tests: client + cmd assert org verbs hit /api/v1/admin/orgs with the CP-admin
bearer (no org-id header, no org-key leak), the missing-owner and
missing-admin-token fail-fast paths, get/export fail-fast, and an e2e CLI test
that `org list` without the admin token exits non-zero naming MOLECULE_CP_ADMIN_TOKEN.
Budget shape (budget_limits) left unchanged — confirmed correct; the OpenAPI
spec is the stale one (fixed separately on #2056).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sdk-dev
442d1ebaf4