Add auth secret dropdown picker for non-Oz orchestration (#10885)

Author: advait-m

app/src/ai/agent/api/convert_from.rs

@@ -154,6 +154,10 @@ fn convert_run_agents(run_agents: api::RunAgents) -> AIAgentActionType {
             })
             .collect(),
         plan_id,
+        // Auth secret is a client-side dispatch concern populated by the
+        // confirmation card from `CloudAgentSettings.last_selected_auth_secret`
+        // before Accept. The proto does not carry it.
+        harness_auth_secret_name: None,
     })
 }
 
@@ -175,6 +179,9 @@ fn convert_start_agent_v2_execution_mode(
                 harness_type: convert_start_agent_v2_harness_type(remote.harness)
                     .unwrap_or_default(),
                 title: remote.title,
+                // Auth secret is plumbed client-side via `RunAgentsRequest`;
+                // StartAgentV2 from the server never carries it.
+                auth_secret_name: None,
             }
         }
         Some(api::start_agent_v2::execution_mode::Mode::Local(local)) => {

app/src/ai/agent/api/convert_from_tests.rs

@@ -520,6 +520,7 @@ fn converts_remote_start_agent_with_environment_id() {
             worker_host: String::new(),
             harness_type: String::new(),
             title: String::new(),
+            auth_secret_name: None,
         }
     );
     assert_eq!(lifecycle_subscription, None);
@@ -560,6 +561,7 @@ fn converts_remote_start_agent_v2_with_skill_references() {
             worker_host: "worker-host".to_string(),
             harness_type: "claude-code".to_string(),
             title: "Remote child".to_string(),
+            auth_secret_name: None,
         }
     );
     assert_eq!(lifecycle_subscription, None);

app/src/ai/blocklist/action_model/execute/run_agents.rs

@@ -119,6 +119,7 @@ impl RunAgentsExecutor {
             skills,
             agent_run_configs,
             base_prompt,
+            harness_auth_secret_name,
             ..
         } = request;
 
@@ -130,6 +131,7 @@ impl RunAgentsExecutor {
                 &harness_type,
                 &model_id,
                 &skills,
+                harness_auth_secret_name.as_deref(),
                 cfg,
             ) {
                 Ok(mode) => mode,
@@ -368,11 +370,16 @@ pub fn compose_run_agents_child_prompt(base_prompt: &str, per_agent_prompt: &str
 /// Translates run-wide config into a per-child
 /// [`StartAgentExecutionMode`]. Returns `Err` for rejected
 /// combinations (e.g. OpenCode+Remote).
+///
+/// `run_auth_secret_name` is the managed-secret name the orchestration UI
+/// resolved for the run-wide harness; only Remote mode currently consumes
+/// it (Local children inherit auth from the user's shell environment).
 pub fn run_agents_to_start_agent_mode(
     run_execution_mode: &RunAgentsExecutionMode,
     run_harness_type: &str,
     run_model_id: &str,
     run_skills: &[SkillReference],
+    run_auth_secret_name: Option<&str>,
     cfg: &RunAgentsAgentRunConfig,
 ) -> Result<StartAgentExecutionMode, String> {
     match run_execution_mode {
@@ -412,6 +419,9 @@ pub fn run_agents_to_start_agent_mode(
                 worker_host: worker_host.clone(),
                 harness_type: run_harness_type.to_string(),
                 title: cfg.title.clone(),
+                auth_secret_name: run_auth_secret_name
+                    .map(str::to_string)
+                    .filter(|s| !s.trim().is_empty()),
             })
         }
     }

app/src/ai/blocklist/action_model/execute/start_agent.rs

@@ -374,6 +374,7 @@ impl StartAgentExecutor {
                 worker_host,
                 harness_type,
                 title,
+                auth_secret_name,
             } => {
                 if !FeatureFlag::OrchestrationV2.is_enabled() {
                     return ActionExecution::Sync(AIAgentActionResultType::StartAgent(
@@ -430,6 +431,7 @@ impl StartAgentExecutor {
                         worker_host,
                         harness_type,
                         title,
+                        auth_secret_name,
                     },
                     Some(parent_run_id),
                 )

app/src/ai/blocklist/action_model/execute/start_agent_tests.rs

@@ -643,6 +643,7 @@ fn execute_returns_error_when_remote_opencode_harness_is_requested() {
                 worker_host: String::new(),
                 harness_type: "opencode".to_string(),
                 title: String::new(),
+                auth_secret_name: None,
             },
         );
 

app/src/ai/blocklist/block/view_impl/orchestration_tests.rs

@@ -77,6 +77,7 @@ fn start_agent_copy_uses_remote_labels_for_remote_children() {
         worker_host: String::new(),
         harness_type: String::new(),
         title: String::new(),
+        auth_secret_name: None,
     };
 
     assert_eq!(start_agent_success_suffix(&execution_mode), " remotely.");

app/src/ai/blocklist/block_tests.rs

@@ -156,6 +156,7 @@ fn remote_arm_propagates_skills_into_skill_references() {
         "oz",
         "auto",
         &skills,
+        None,
         &agent_cfg(),
     )
     .expect("Remote+oz must convert");
@@ -167,6 +168,7 @@ fn remote_arm_propagates_skills_into_skill_references() {
         model_id,
         computer_use_enabled,
         title,
+        auth_secret_name,
     } = mode
     else {
         panic!("expected Remote start-agent mode");
@@ -178,6 +180,7 @@ fn remote_arm_propagates_skills_into_skill_references() {
     assert_eq!(model_id, "auto");
     assert!(computer_use_enabled);
     assert_eq!(title, "Child");
+    assert_eq!(auth_secret_name, None);
 }
 
 #[test]
@@ -191,6 +194,7 @@ fn remote_arm_with_empty_skills_propagates_empty_vec() {
         "claude",
         "auto",
         &[],
+        None,
         &agent_cfg(),
     )
     .expect("Remote+claude must convert");
@@ -214,12 +218,76 @@ fn remote_arm_rejects_opencode() {
         "opencode",
         "auto",
         &[],
+        None,
         &agent_cfg(),
     )
     .expect_err("Remote+opencode must be rejected");
     assert!(err.to_lowercase().contains("opencode"));
 }
 
+#[test]
+fn remote_arm_propagates_claude_auth_secret_into_mode() {
+    let mode = run_agents_to_start_agent_mode(
+        &RunAgentsExecutionMode::Remote {
+            environment_id: "env-1".to_string(),
+            worker_host: "warp".to_string(),
+            computer_use_enabled: false,
+        },
+        "claude",
+        "auto",
+        &[],
+        Some("my-claude-key"),
+        &agent_cfg(),
+    )
+    .expect("Remote+claude must convert");
+    let StartAgentExecutionMode::Remote {
+        auth_secret_name, ..
+    } = mode
+    else {
+        panic!("expected Remote start-agent mode");
+    };
+    assert_eq!(auth_secret_name.as_deref(), Some("my-claude-key"));
+}
+
+#[test]
+fn remote_arm_filters_whitespace_auth_secret_name_to_none() {
+    let mode = run_agents_to_start_agent_mode(
+        &RunAgentsExecutionMode::Remote {
+            environment_id: "env-1".to_string(),
+            worker_host: "warp".to_string(),
+            computer_use_enabled: false,
+        },
+        "codex",
+        "auto",
+        &[],
+        Some("   "),
+        &agent_cfg(),
+    )
+    .expect("Remote+codex must convert");
+    let StartAgentExecutionMode::Remote {
+        auth_secret_name, ..
+    } = mode
+    else {
+        panic!("expected Remote start-agent mode");
+    };
+    assert_eq!(auth_secret_name, None);
+}
+
+#[test]
+fn local_arm_ignores_auth_secret_name() {
+    let mode = run_agents_to_start_agent_mode(
+        &RunAgentsExecutionMode::Local,
+        "claude",
+        "auto",
+        &[],
+        Some("my-claude-key"),
+        &agent_cfg(),
+    )
+    .expect("Local+claude must convert");
+    // Local children don't carry an auth_secret_name field.
+    assert!(matches!(mode, StartAgentExecutionMode::Local { .. }));
+}
+
 #[test]
 fn should_show_agent_mode_ask_user_question_speedbump_defaults_to_true() {
     App::test((), |mut app| async move {