fix(cli): reuse @agent-relay/cloud auth as Bearer; drop workspace-token mint (#113)

* fix(cli): short-circuit workspace-list when --workspace is set; clearer 403 hint

When agentworkforce login is invoked with --workspace, listWorkspacesForLogin
should not be called — but the previous flow always listed first and only
short-circuited the picker. That meant users hitting 403 on /api/v1/workspaces
could not log in at all, even with the workspace id in hand. This PR:

- Short-circuits listWorkspacesForLogin when opts.workspace is provided
- Surfaces a clearer error when the list 403s, pointing at --workspace
- Surfaces a clearer error when the list is empty (no workspaces yet)
- Adds tests covering all three paths

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(cli): reuse @agent-relay/cloud auth as Bearer; drop workspace-token mint

agentworkforce login was hitting POST /api/v1/workspaces/{id}/tokens/workspace
(and two fallback paths) to mint a workspace-scoped token. Cloud does not
implement any of those routes -- all three 404, blocking login for every
user who already has a valid agent-relay cloud login.

Cloud's resolveRequestAuth already accepts the user's accessToken from
~/.agent-relay/cloud-auth.json as Authorization: Bearer. The mint step
exists for CI/service-account use, not interactive CLI use, but currently
blocks BOTH because cloud has not shipped the route.

This PR:
- Drops issueWorkspaceToken from runLogin.
- Persists a lightweight ~/.agentworkforce/active.json pointer
  (workspaceId + workspaceSlug + cloudUrl) at login time.
- resolveWorkspaceToken reads active.json + @agent-relay/cloud's shared
  auth and returns auth.accessToken as the Bearer. Refreshes the
  accessToken via refreshStoredAuth when expired.
- Preserves the WORKFORCE_WORKSPACE_TOKEN env fallback (CI) and the
  legacy keychain-stored workspace token path (back-compat for users
  mid-upgrade).
- runLogout always clears active.json; --cloud-auth/--all still clears
  the shared agent-relay auth as before.

Layered on top of workforce#112 (--workspace short-circuit) so login
works end-to-end with just a known workspace id.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Ricky Schema Cascade <ricky@agent-relay.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

packages/cli/src/deploy-command.test.ts

@@ -54,7 +54,7 @@ function trapExit(throwOnExit = true): ExitTrap {
   return trap;
 }
 
-test('runLogin uses cloud SDK auth, mints a workspace token, and stores it', async () => {
+test('runLogin uses cloud SDK auth, picks a workspace, and writes the active pointer (no token mint)', async () => {
   const calls: string[] = [];
   const writes: unknown[] = [];
   const restoreDeps = configureDeployCommandForTest({
@@ -79,12 +79,8 @@ test('runLogin uses cloud SDK auth, mints a workspace token, and stores it', asy
         }
       };
     },
-    issueWorkspaceToken: async (workspace: string, options: { apiUrl?: string; name?: string } = {}) => {
-      calls.push(`issue:${workspace}:${options.apiUrl}:${options.name}`);
-      return { key: 'tok-ws', workspaceToken: { workspaceId: 'ws-1', kind: 'workspace_token' } };
-    },
-    writeStoredWorkspaceToken: async (login: unknown) => {
-      writes.push(login);
+    writeActiveWorkspace: async (pointer: unknown) => {
+      writes.push(pointer);
     }
   });
   const trap = trapExit(false);
@@ -93,14 +89,12 @@ test('runLogin uses cloud SDK auth, mints a workspace token, and stores it', asy
     assert.deepEqual(trap.exits, [0]);
     assert.deepEqual(calls, [
       'ensure:https://cloud.example.test',
-      'fetch:/api/v1/workspaces',
-      'issue:acme:https://cloud.example.test:agentworkforce-cli'
+      'fetch:/api/v1/workspaces'
     ]);
     assert.deepEqual(writes, [{
       workspace: 'acme',
       workspaceSlug: 'acme',
       workspaceId: 'ws-1',
-      token: 'tok-ws',
       cloudUrl: 'https://cloud.example.test'
     }]);
     assert.match(trap.stdout, /logged in: acme/);
@@ -110,12 +104,137 @@ test('runLogin uses cloud SDK auth, mints a workspace token, and stores it', asy
   }
 });
 
-test('runLogout preserves shared cloud auth and clears only the workspace token by default', async () => {
+test('runLogin with --workspace skips the workspaces list, skips token mint, writes active pointer', async () => {
+  const calls: string[] = [];
+  const writes: unknown[] = [];
+  const restoreDeps = configureDeployCommandForTest({
+    createTerminalIO: () => createBufferedIO(),
+    ensureAuthenticated: async (apiUrl: string) => {
+      calls.push(`ensure:${apiUrl}`);
+      return {
+        apiUrl,
+        accessToken: 'access',
+        refreshToken: 'refresh',
+        accessTokenExpiresAt: '2999-01-01T00:00:00.000Z'
+      };
+    },
+    createCloudApiClient() {
+      calls.push('createCloudApiClient');
+      return {
+        async fetch(pathname: string) {
+          calls.push(`fetch:${pathname}`);
+          return new Response('should not be called', { status: 500 });
+        }
+      };
+    },
+    writeActiveWorkspace: async (pointer: unknown) => {
+      writes.push(pointer);
+    }
+  });
+  const trap = trapExit(false);
+  try {
+    await runLogin([
+      '--cloud-url',
+      'https://cloud.example.test/',
+      '--workspace',
+      '50587328-441d-4acb-b8f3-dbe1b3c5de99'
+    ]);
+    assert.deepEqual(trap.exits, [0]);
+    assert.ok(
+      !calls.some((c) => c === 'createCloudApiClient' || c.startsWith('fetch:')),
+      `expected workspace-list to be skipped, got calls: ${JSON.stringify(calls)}`
+    );
+    assert.deepEqual(calls, ['ensure:https://cloud.example.test']);
+    assert.deepEqual(writes, [{
+      workspace: '50587328-441d-4acb-b8f3-dbe1b3c5de99',
+      cloudUrl: 'https://cloud.example.test'
+    }]);
+    assert.match(trap.stdout, /logged in: 50587328-441d-4acb-b8f3-dbe1b3c5de99/);
+  } finally {
+    trap.restore();
+    restoreDeps();
+  }
+});
+
+test('runLogin without --workspace surfaces a --workspace hint when the workspaces list returns 403', async () => {
+  const restoreDeps = configureDeployCommandForTest({
+    createTerminalIO: () => createBufferedIO(),
+    ensureAuthenticated: async (apiUrl: string) => ({
+      apiUrl,
+      accessToken: 'access',
+      refreshToken: 'refresh',
+      accessTokenExpiresAt: '2999-01-01T00:00:00.000Z'
+    }),
+    createCloudApiClient() {
+      return {
+        async fetch(_pathname: string) {
+          return new Response(JSON.stringify({ error: 'Forbidden' }), {
+            status: 403,
+            headers: { 'content-type': 'application/json' }
+          });
+        }
+      };
+    },
+    writeActiveWorkspace: async () => {
+      throw new Error('writeActiveWorkspace should not be called when listing fails');
+    }
+  });
+  const trap = trapExit(false);
+  try {
+    await runLogin(['--cloud-url', 'https://cloud.example.test/']);
+    assert.deepEqual(trap.exits, [1]);
+    assert.match(trap.stderr, /workspace list returned 403 Forbidden/);
+    assert.match(trap.stderr, /Pass --workspace <id-or-slug> to skip listing/);
+  } finally {
+    trap.restore();
+    restoreDeps();
+  }
+});
+
+test('runLogin without --workspace surfaces a no-workspaces message when the list comes back empty', async () => {
+  const restoreDeps = configureDeployCommandForTest({
+    createTerminalIO: () => createBufferedIO(),
+    ensureAuthenticated: async (apiUrl: string) => ({
+      apiUrl,
+      accessToken: 'access',
+      refreshToken: 'refresh',
+      accessTokenExpiresAt: '2999-01-01T00:00:00.000Z'
+    }),
+    createCloudApiClient() {
+      return {
+        async fetch(_pathname: string) {
+          return new Response(JSON.stringify({ workspaces: [] }), {
+            status: 200,
+            headers: { 'content-type': 'application/json' }
+          });
+        }
+      };
+    },
+    writeActiveWorkspace: async () => {
+      throw new Error('writeActiveWorkspace should not be called when no workspaces');
+    }
+  });
+  const trap = trapExit(false);
+  try {
+    await runLogin(['--cloud-url', 'https://cloud.example.test/']);
+    assert.deepEqual(trap.exits, [1]);
+    assert.match(trap.stderr, /no workspaces are accessible from this account/);
+    assert.match(trap.stderr, /pass --workspace <id-or-slug>/);
+  } finally {
+    trap.restore();
+    restoreDeps();
+  }
+});
+
+test('runLogout preserves shared cloud auth and clears the active pointer + legacy keychain token by default', async () => {
   const calls: string[] = [];
   const restoreDeps = configureDeployCommandForTest({
     clearStoredAuth: async () => {
       calls.push('clear-auth');
     },
+    clearActiveWorkspace: async () => {
+      calls.push('clear-active');
+    },
     clearStoredWorkspaceToken: async (workspace?: string) => {
       calls.push(`clear-workspace:${workspace ?? ''}`);
     }
@@ -124,20 +243,23 @@ test('runLogout preserves shared cloud auth and clears only the workspace token
   try {
     await runLogout(['--workspace', 'acme']);
     assert.deepEqual(trap.exits, [0]);
-    assert.deepEqual(calls, ['clear-workspace:acme']);
+    assert.deepEqual(calls, ['clear-active', 'clear-workspace:acme']);
     assert.match(trap.stdout, /workspace login cleared/);
   } finally {
     trap.restore();
     restoreDeps();
   }
 });
 
-test('runLogout clears shared cloud auth when explicitly requested', async () => {
+test('runLogout clears shared cloud auth + active pointer when --cloud-auth is passed', async () => {
   const calls: string[] = [];
   const restoreDeps = configureDeployCommandForTest({
     clearStoredAuth: async () => {
       calls.push('clear-auth');
     },
+    clearActiveWorkspace: async () => {
+      calls.push('clear-active');
+    },
     clearStoredWorkspaceToken: async (workspace?: string) => {
       calls.push(`clear-workspace:${workspace ?? ''}`);
     }
@@ -146,20 +268,23 @@ test('runLogout clears shared cloud auth when explicitly requested', async () =>
   try {
     await runLogout(['--workspace', 'acme', '--cloud-auth']);
     assert.deepEqual(trap.exits, [0]);
-    assert.deepEqual(calls, ['clear-auth', 'clear-workspace:acme']);
+    assert.deepEqual(calls, ['clear-auth', 'clear-active', 'clear-workspace:acme']);
     assert.match(trap.stdout, /logged out/);
   } finally {
     trap.restore();
     restoreDeps();
   }
 });
 
-test('runLogout treats --all as an alias for clearing shared cloud auth', async () => {
+test('runLogout treats --all as an alias for clearing shared cloud auth + active pointer', async () => {
   const calls: string[] = [];
   const restoreDeps = configureDeployCommandForTest({
     clearStoredAuth: async () => {
       calls.push('clear-auth');
     },
+    clearActiveWorkspace: async () => {
+      calls.push('clear-active');
+    },
     clearStoredWorkspaceToken: async (workspace?: string) => {
       calls.push(`clear-workspace:${workspace ?? ''}`);
     }
@@ -168,7 +293,7 @@ test('runLogout treats --all as an alias for clearing shared cloud auth', async
   try {
     await runLogout(['--all']);
     assert.deepEqual(trap.exits, [0]);
-    assert.deepEqual(calls, ['clear-auth', 'clear-workspace:']);
+    assert.deepEqual(calls, ['clear-auth', 'clear-active', 'clear-workspace:']);
     assert.match(trap.stdout, /logged out/);
   } finally {
     trap.restore();