[CLI-2354] Add confluent organization use command for org switching

[Apoorv Munshi (ap00rv)]

Release Notes

Breaking Changes

• PLACEHOLDER

New Features

• switch orgs after login using confluent org use command. This automatically clears the env and clusters from current context.

Bug Fixes

• PLACEHOLDER

Checklist

• I have successfully built and used a custom CLI binary, without linter issues from this PR.
• I have clearly specified in the What section below whether this PR applies to Confluent Cloud, Confluent Platform, or both.
• I have verified this PR in Confluent Cloud pre-prod or production environment, if applicable.
• I have verified this PR in Confluent Platform on-premises environment, if applicable.
• I have attached manual CLI verification results or screenshots in the Test & Review section below.
• I have added appropriate CLI integration or unit tests for any new or updated commands and functionality.
• I confirm that this PR introduces no breaking changes or backward compatibility issues.
• I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
• I have put checkmarks below confirming that the feature associated with this PR is enabled in:
  • Confluent Cloud prod
  • Confluent Cloud stag
  • Confluent Platform
  • Check this box if the feature is enabled for certain organizations only

What

Problem :
Confluent CLI did not have feature to switch orgs after logging in. To switch orgs, one had to re-login using the --organization flag

A new org use command allows users in multiple organizations to switch between them without re-logging in (Confluent cloud only). The command refreshes the org-scoped JWT using the existing user-scoped refresh token, clears environment and Kafka cluster state, and performs full rollback on failure.

Blast Radius

References

Test & Review

[confluent-cla-assistant]

🎉 All Contributor License Agreements have been signed. Ready to merge.
_{Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.}

[Copilot]

Pull request overview

Adds support for switching Confluent Cloud organizations within an existing login session by introducing confluent organization use <id>. This fits into the CLI’s organization management commands and relies on refreshing an org-scoped JWT using the existing refresh token while clearing org-scoped local state.

Changes:

• Added organization use <id> command with autocomplete suggestions and not-found handling.
• Introduced Context.SwitchOrganization() to refresh tokens and clear environment/Kafka cluster selections with rollback on refresh failure.
• Added unit + integration coverage and updated golden fixtures/help output for the new command.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
internal/organization/command.go	Registers the new use subcommand under organization.
internal/organization/command_use.go	Implements organization use execution and shell completion suggestions.
pkg/config/context.go	Adds SwitchOrganization() for token refresh + clearing org-scoped state.
pkg/config/context_test.go	Adds unit tests for switching orgs, clearing state, and rollback behavior.
test/organization_test.go	Adds CLI integration tests for organization use and not-found behavior.
test/fixtures/output/organization/use.golden	Golden output for successful org switch message.
test/fixtures/output/organization/use-not-found.golden	Golden output for org not found / forbidden error path.
test/fixtures/output/organization/use-help.golden	Golden help output for the new subcommand (covered via recursive help tests).
test/fixtures/output/organization/help.golden	Updates organization command help to include the new use command.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

SwitchOrganization updates Context.LastOrgId but does not update/clear c.State.Auth.Organization (or related org-scoped auth metadata). After a successful switch, GetCurrentOrganization() and GetOrganization() can diverge, and org suspension checks (Config.isOrgSuspended / isLoginBlockedByOrgSuspension) may still evaluate using the previous org’s suspension status. Consider updating the in-memory AuthConfig to reflect the new org (or clearing it and forcing a refresh) and include it in the rollback path if RefreshSession fails.

[Copilot]

The new SwitchOrganization unit tests assert token/org ID changes and that environment/Kafka maps are cleared, but they don’t verify that org-scoped auth metadata is updated (e.g., ctx.State.Auth.Organization.ResourceId) or cleared. Adding assertions for this would prevent regressions where the context switches org IDs but still reports/uses the previous organization in suspension checks or other metadata paths.

Suggested change

	require.Equal(t, newRefreshToken, ctx.State.AuthRefreshToken)
	require.Equal(t, newRefreshToken, ctx.State.AuthRefreshToken)
	// Ensure org-scoped auth metadata is updated to reflect the new organization.
	require.NotNil(t, ctx.State.Auth)
	require.NotNil(t, ctx.State.Auth.Organization)
	require.Equal(t, newOrgId, ctx.State.Auth.Organization.ResourceId)

[sonarqube-confluent]

Quality Gate failed

Failed conditions
78.8% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube