fix(auth): resolve auth token discovery mismatch between CLI and server (#3409)

Closes #3340. CLI resolveAuthToken() now falls back to loadConfig() clientAuthToken. Server AuthManager and encryption key also check clientAuthToken.

Author: OneStepAt4time

src/commands/run.ts

@@ -30,14 +30,25 @@ function writeLine(stream: NodeJS.WritableStream, text: string = ''): void {
   stream.write(`${text}\n`);
 }
 
-function resolveAuthToken(): string | undefined {
+async function resolveAuthToken(): Promise<string | undefined> {
   const envToken = process.env.AEGIS_AUTH_TOKEN || process.env.AEGIS_TOKEN;
   if (envToken) return envToken;
 
   // #3369: Check ~/.aegis/auth-token file as fallback
   try {
     const tokenPath = join(homedir(), '.aegis', 'auth-token');
     return readFileSync(tokenPath, 'utf-8').trim() || undefined;
+  } catch {
+    // File doesn't exist — continue to config search
+  }
+
+  // #3340: Search config files for clientAuthToken/authToken as last resort.
+  // Covers the case where ag init wrote the token to a config but the
+  // auth-token file is missing (e.g., partial state, file deleted).
+  try {
+    const { loadConfig } = await import('../config.js');
+    const config = await loadConfig();
+    return config.clientAuthToken || config.authToken || undefined;
   } catch {
     return undefined;
   }
@@ -262,7 +273,7 @@ export async function handleRun(args: string[], io: CliIO): Promise<number> {
     : getConfiguredBaseUrl(config);
 
   // Check if server is running
-  let authToken = resolveAuthToken() || config.authToken || config.clientAuthToken || undefined;
+  let authToken = await resolveAuthToken() || config.authToken || config.clientAuthToken || undefined;
   let serverRunning = await isServerHealthy(baseUrl, authToken);
 
   if (!serverRunning) {

src/server.ts

@@ -833,8 +833,10 @@ async function main(): Promise<void> {
 
   const container = new ServiceContainer();
   // #1644: Derive hook-secret encryption key from master auth token (non-empty only)
-  if (config.authToken) {
-    sessions.setEncryptionKey(config.authToken);
+  // #3340: Also check clientAuthToken
+  const encryptionKey = config.authToken || config.clientAuthToken;
+  if (encryptionKey) {
+    sessions.setEncryptionKey(encryptionKey);
   }
 
   // Issue #3143: Wire ACP event store into session transcript reader
@@ -861,7 +863,9 @@ async function main(): Promise<void> {
   registerChannels(config);
 
   // Setup auth (Issue #39: multi-key + backward compat)
-  auth = new AuthManager(path.join(config.stateDir, 'keys.json'), config.authToken, config.defaultTenantId);
+  // #3340: Fall back to clientAuthToken when authToken is not set
+  const masterToken = config.authToken || config.clientAuthToken || undefined;
+  auth = new AuthManager(path.join(config.stateDir, 'keys.json'), masterToken, config.defaultTenantId);
   auth.setHost(config.host);  // #1080: needed for auth bypass security check
 
   // #1419: Initialize audit logger and wire into auth