feat: add --org flag to depot sandbox exec/pty/exec-pipe (DEP-4184)

robstolarz · claude · robstolarz · commit 0a4e54c2ba2b · 2026-04-14T15:48:50.000-07:00
The Go API's RemoteExec/OpenPtySession requires x-depot-org header
for multi-org users. Without it, auth fails with Unauthorized.

Adds --org as a persistent flag on the sandbox parent command and
threads it through to auth headers in all three subcommands.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/pkg/cmd/sandbox/exec-pipe.go b/pkg/cmd/sandbox/exec-pipe.go
@@ -37,6 +37,9 @@ func newSandboxExecPipe() *cobra.Command {
 				return fmt.Errorf("failed to resolve token: %w", err)
 			}
 
+			orgID, err := cmd.Flags().GetString("org")
+			cobra.CheckErr(err)
+
 			sandboxID, err := cmd.Flags().GetString("sandbox-id")
 			cobra.CheckErr(err)
 
@@ -60,6 +63,9 @@ func newSandboxExecPipe() *cobra.Command {
 			client := api.NewComputeClient()
 			stream := client.ExecPipe(ctx)
 			stream.RequestHeader().Set("Authorization", "Bearer "+token)
+			if orgID != "" {
+				stream.RequestHeader().Set("x-depot-org", orgID)
+			}
 
 			// Send init message with the command.
 			if err := stream.Send(&civ1.ExecuteCommandPipeRequest{
diff --git a/pkg/cmd/sandbox/exec.go b/pkg/cmd/sandbox/exec.go
@@ -38,6 +38,9 @@ func newSandboxExec() *cobra.Command {
 				return fmt.Errorf("failed to resolve token: %w", err)
 			}
 
+			orgID, err := cmd.Flags().GetString("org")
+			cobra.CheckErr(err)
+
 			sandboxID, err := cmd.Flags().GetString("sandbox-id")
 			cobra.CheckErr(err)
 
@@ -57,14 +60,14 @@ func newSandboxExec() *cobra.Command {
 
 			client := api.NewComputeClient()
 
-			stream, err := client.RemoteExec(ctx, api.WithAuthentication(connect.NewRequest(&civ1.ExecuteCommandRequest{
+			stream, err := client.RemoteExec(ctx, api.WithAuthenticationAndOrg(connect.NewRequest(&civ1.ExecuteCommandRequest{
 				SandboxId: sandboxID,
 				SessionId: sessionID,
 				Command: &civ1.Command{
 					CommandArray: args,
 					TimeoutMs:    int32(timeout),
 				},
-			}), token))
+			}), token, orgID))
 			if err != nil {
 				// nolint:wrapcheck
 				return err
diff --git a/pkg/cmd/sandbox/pty.go b/pkg/cmd/sandbox/pty.go
@@ -35,6 +35,9 @@ func newSandboxPty() *cobra.Command {
 				return fmt.Errorf("failed to resolve token: %w", err)
 			}
 
+			orgID, err := cmd.Flags().GetString("org")
+			cobra.CheckErr(err)
+
 			sandboxID, err := cmd.Flags().GetString("sandbox-id")
 			cobra.CheckErr(err)
 
@@ -66,6 +69,7 @@ func newSandboxPty() *cobra.Command {
 
 			return pty.Run(ctx, pty.SessionOptions{
 				Token:     token,
+				OrgID:     orgID,
 				SandboxID: sandboxID,
 				SessionID: sessionID,
 				Cwd:       cwd,
diff --git a/pkg/cmd/sandbox/sandbox.go b/pkg/cmd/sandbox/sandbox.go
@@ -19,6 +19,7 @@ Subcommands:
 	}
 
 	cmd.PersistentFlags().String("token", "", "Depot API token")
+	cmd.PersistentFlags().String("org", "", "Organization ID (required when user is a member of multiple organizations)")
 
 	cmd.AddCommand(newSandboxExec())
 	cmd.AddCommand(newSandboxPty())

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ Subcommands:`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`cmd.PersistentFlags().String("token", "", "Depot API token")`
	`22`	`+ cmd.PersistentFlags().String("org", "", "Organization ID (required when user is a member of multiple organizations)")`
`22`	`23`
`23`	`24`	`cmd.AddCommand(newSandboxExec())`
`24`	`25`	`cmd.AddCommand(newSandboxPty())`