harmony/examples/fleet_e2e_demo
Jean-Gabriel Gill-Couture e1d74bae45 fix(zitadel): support cross-org admin via x-zitadel-orgid + better diagnostics
Real symptom from a staging run:

  Error: FleetDeviceSetupScore: Project 'fleet' not found in Zitadel —
  run ZitadelSetupScore first to create it

…even though the project clearly existed and was visible in the
Zitadel UI. Cause: `/management/v1/*` scopes by the caller's org. The
SSO operator's primary org is whatever org their personal account
lives in; the project was created by the system iam-admin user, in
the system org. With no `x-zitadel-orgid` override, the search runs
in the operator's org and returns empty. Project effectively
"invisible" to that token.

Three changes:

* `ZitadelSetupScore` gains `admin_org_id: Option<String>`. When set,
  every management API call sends `x-zitadel-orgid: <id>`. Plumbed
  through `request()` next to the existing conditional `Host:`
  header. Default `None`, serde-default for backward compat.

* `FleetDeviceAuth::ZitadelEnroll` gains a matching `admin_org_id`
  field, threaded through `resolve_zitadel_enroll` into the
  synthetic `ZitadelSetupScore` connection it builds for
  `mint_device_credentials`. CLI surface: `--admin-org-id` on
  `fleet_device_enroll`, with help text explaining the symptom and
  where to find the value (Zitadel UI → Organization → Resource ID).

* `find_project` now uses a `nameQuery` filter rather than scanning
  the full default-paginated list, so it doesn't depend on the
  project being on page 1. When the filter returns empty it falls
  back to an unfiltered enumeration and logs the project names that
  ARE visible to the token — that list is usually enough for the
  operator to spot an org-context mismatch in seconds. The not-found
  error in `mint_device_credentials` was rewritten to spell out the
  three real causes (org context, role, no project) instead of the
  misleading "run ZitadelSetupScore first".

All 7 existing `ZitadelSetupScore` initializer sites updated with
`admin_org_id: None`. README's troubleshooting section gets the new
failure-mode entry.
2026-05-05 23:13:47 -04:00
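The org-context failure and the fallback diagnostic described in the commit message above, as an added Rust example that is not code from the harmony repository. `MockZitadel`, `management_headers`, `sample`, the org ids and the token are constructed stand-ins, and the name filter is reduced to an exact match.

```rust
use std::collections::HashMap;

// Constructed in-memory stand-in for the org-scoped project search (not a Zitadel client).
struct MockZitadel {
    caller_org: String,                     // org the token's own user lives in
    projects: HashMap<String, Vec<String>>, // org id -> project names
}

impl MockZitadel {
    // The search runs in the org named by `x-zitadel-orgid`, else in the caller's org.
    fn search(&self, headers: &[(String, String)], name_query: Option<&str>) -> Vec<String> {
        let org = headers.iter()
            .find(|(k, _)| k.eq_ignore_ascii_case("x-zitadel-orgid"))
            .map(|(_, v)| v.as_str())
            .unwrap_or(self.caller_org.as_str());
        self.projects.get(org).into_iter().flatten()
            .filter(|p| name_query.map_or(true, |q| p.as_str() == q))
            .cloned()
            .collect()
    }
}

// Hypothetical helper: the org header is sent only when an override is configured.
fn management_headers(token: &str, admin_org_id: Option<&str>) -> Vec<(String, String)> {
    let mut h = vec![("authorization".to_string(), format!("Bearer {token}"))];
    if let Some(id) = admin_org_id {
        h.push(("x-zitadel-orgid".to_string(), id.to_string()));
    }
    h
}

// Filtered lookup first; on a miss, list what the token CAN see so the mismatch is obvious.
fn find_project(api: &MockZitadel, admin_org_id: Option<&str>, name: &str) -> Result<String, String> {
    let headers = management_headers("constructed-token", admin_org_id);
    if let Some(p) = api.search(&headers, Some(name)).into_iter().next() {
        return Ok(p);
    }
    let visible = api.search(&headers, None);
    Err(format!("project '{name}' not found; visible to this token: {visible:?}; \
                 check org context (admin_org_id), role, or whether the project exists"))
}

fn sample() -> MockZitadel {
    let mut projects = HashMap::new();
    projects.insert("org-operator".to_string(), vec!["personal-sandbox".to_string()]);
    projects.insert("org-system".to_string(), vec!["fleet".to_string()]);
    MockZitadel { caller_org: "org-operator".to_string(), projects }
}
```

Without the override the lookup fails and the error names only `personal-sandbox`, which points at the wrong org context; with `Some("org-system")` the same token finds `fleet`.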