This release adds 1 notable feature for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics

ai ai-agents ai-memory anthropic artificial-intelligence claude
claude-agent-sdk claude-agents claude-code-plugin claude-skills codex embeddings long-term-memory memory-engine openclaw openclaw-skills postgresql llm

Affected surfaces

auth

Summary

AI summary

Updates Test plan, Commits, and Summary by CodeRabbit across a mixed release.

Changes in this release

Feature Low

Adds automatic credential healing that detects and corrects misaligned authentication tokens on startup.

Source: llm_adapter@2026-05-26

Confidence: high

Bugfix Medium

Fixes organization switch regression by re‑minting tokens before saving credentials.

Source: llm_adapter@2026-05-26

Confidence: low

Full changelog

Summary

  • Root cause: switchOrg only rewrote creds.orgId while reusing the long-lived API token, but the token has organization_id baked into its JWT claim (minted by POST /users/me/tokens). After a switch, creds.orgId and payload.org_id diverged silently. Code that trusts the claim — server-side checks, the preferredOrgId fallback in saveCredentialsFromToken — kept routing to the original org.
  • Fix: switchOrg now re-mints against the destination org before saving. New healDriftedOrgToken helper auto-corrects existing drifted creds on every session start across all 6 hivemind agents (claude-code, codex, cursor, hermes, pi, openclaw).

Commits

  1. fix(auth) — switchOrg mint-before-save + new healDriftedOrgToken helper + 5 new tests (46 total).
  2. feat(hooks) — wire heal into the 4 standard hook-based agents' session-start.ts.
  3. feat(pi,openclaw) — wire heal into the 2 agents that don't fit the standard hook pattern:
    • pi: inline copy (raw-.ts, zero-deps contract — cannot import shared helpers).
    • openclaw: no session_start, so heal runs once per process inside getApi() behind a driftHealAttempted sentinel.

Key design choices

  • Token name suffix: deeplake-plugin-heal-${Date.now()} instead of date-only. Deeplake's /users/me/tokens rejects duplicate (user_id, name) with a misleading 500 INTERNAL_ERROR (not 409); a date-only suffix would collide as soon as a second agent heals on the same day. This was caught during cross-agent testing — first pass got 500s on codex+hermes after claude-code minted with the same date-only name.
  • Heal never throws: on mint failure (401/403/500/network), logs and returns the original creds. Session start is never blocked.
  • Mint-before-save: a failed mint leaves credentials.json untouched so re-runs are safe.
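
The drift check and heal flow described above, as an added example that is not the project's own code: it decodes the token payload without verifying the signature, compares the org claim with creds.orgId, and mints before saving. The function names, the injected mint and save callbacks and the sample tokens are assumptions; the claim is read as org_id or organization_id because the notes use both names.

```javascript
// Added example: function names and the mint/save callbacks are hypothetical.
// Decode a JWT payload WITHOUT verifying the signature. That is enough for a
// client-side consistency check; the server stays the authority on validity.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Compare the org baked into the token with the org recorded beside it.
function detectOrgDrift(creds) {
  const payload = decodeJwtPayload(creds && creds.token);
  const claimOrg = payload && (payload.org_id ?? payload.organization_id);
  if (!claimOrg || !creds.orgId) return { drifted: false, claimOrg: claimOrg ?? null };
  return { drifted: claimOrg !== creds.orgId, claimOrg };
}

// Mint-before-save, never throw. `mint` and `save` are injected stand-ins for
// the token endpoint call and the credentials.json write.
async function healDrift(creds, mint, save) {
  if (!detectOrgDrift(creds).drifted) return creds;
  try {
    const name = `deeplake-plugin-heal-${Date.now()}`; // unique per heal, as in the notes
    const token = await mint(creds.orgId, name);
    const healed = { ...creds, token };
    // Persist only a token whose claim now matches the recorded org.
    if (detectOrgDrift(healed).drifted) return creds;
    await save(healed);
    return healed;
  } catch (err) {
    console.error(`org-drift heal skipped: ${err}`);
    return creds; // stored creds untouched, session start proceeds
  }
}

// Constructed sample token with a placeholder signature (not a real credential).
function fakeToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(claims)}.sig`;
}
```

A token with a missing or unparseable claim is reported as not drifted, so the heal path is only taken when both values are present and disagree.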

Test plan

  • [x] Unit: 46/46 vitest pass, including 5 new tests covering switchOrg success/failure/no-creds + healDriftedOrgToken no-drift / missing-claim / missing-orgId / success / mint-failure.
  • [x] E2E fake-token drift × 4 hook agents (claude-code, codex, cursor, hermes): all detect drift, all 401 on mint, all preserve creds.
  • [x] E2E real cross-org drift × 4 hook agents (token bound to may25_2, creds.orgId flipped to test_plugin): all detect drift, all mint successfully, all rotate the token in credentials.json.
  • [x] E2E real cross-org drift via real claude -p --plugin-dir ./claude-code CLI: heal log + token rotation confirmed.
  • [x] Codex bundle heal verified via direct node session-start.js invocation (the real codex exec --dangerously-bypass-approvals-and-sandbox flow skips hooks by design — not a regression).
  • [ ] pi end-to-end (requires Pi editor runtime).
  • [ ] openclaw end-to-end (requires openclaw gateway runtime).
  • [ ] CI green.

Summary by CodeRabbit

  • New Features

    • Added automatic credential healing that detects and corrects misaligned authentication tokens when organization IDs drift during startup.
  • Bug Fixes

    • Fixed legacy organization switch regression by transparently refreshing credentials with organization-bound tokens, ensuring downstream operations use valid credentials.

Related context

Earlier breaking changes

  • v0.7.52 Removes `hivemind tasks` CLI and related code surfaces.
  • v0.7.51 Removes `hivemind tasks` CLI and related code surfaces.
  • v0.7.19 Module name skilify replaced with skillify; affects all imports
  • v0.7.19 CLI command skilify removed; renamed to skillify without deprecation alias
  • v0.7.18 CLI subcommand renamed from `skilify` to `skillify`; no deprecation alias.
