fix(auth): use production cloud and tolerate whoami latency

[kjgbot]

Summary

• default Pear Cloud auth to https://agentrelay.com/cloud instead of the legacy dev host
• canonicalize stored https://agentrelay.dev/cloud auth records to production when resolving auth/workspace state
• raise the whoami abort timeout to avoid false auth recovery when the request is only slow

Why

The app was opening login at agentrelay.dev/cloud and then timing out /auth/whoami after 2.5s. Cloud PR #1979 can only help after whoami reaches the server and completes; a client-side abort still surfaces as cloud-auth-required/account-workspace-required and blocks integrations/mount recovery.

Validation

• npx vitest run src/main/auth.test.ts
• npx vitest run src/main/auth.test.ts src/main/integrations.test.ts src/main/integration-mounts.test.ts
• npm run build

[codeant-ai]

Your free trial PR review limit of 300 PRs has been reached. Please upgrade your plan to continue using CodeAnt AI.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Warning

Review limit reached

@agent-relay-code[bot], we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 3 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: cdc85fb5-262e-4bac-aeb0-a4b9eef79619

📥 Commits

Reviewing files that changed from the base of the PR and between 22f2bf8 and 400a87e.

📒 Files selected for processing (2)

• src/main/auth.test.ts
• src/main/auth.ts

📝 Walkthrough

Walkthrough

Default cloud API URL changed to https://agentrelay.com/cloud, legacy agentrelay.dev URLs are canonicalized to production, whoami requests use a 10s timeout constant, auth metadata persistence/load normalize apiUrl, and tests verify getApiUrl, whoami retry, and legacy canonicalization.

Changes

Cloud authentication endpoint migration

Layer / File(s)	Summary
Production cloud URL & constants src/main/auth.ts	Default CLOUD_API_URL set to https://agentrelay.com/cloud and WHOAMI_REQUEST_TIMEOUT_MS (10,000ms) introduced.
Auth meta persistence and normalization src/main/auth.ts	Normalize tokens.apiUrl when deriving keys, persist normalized apiUrl, trim trailing slashes on load, map legacy https://agentrelay.dev/cloud to production, and ensure workspace cache stores normalized apiUrl.
Workspace cache fast-path adjustment src/main/auth.ts	Cached-workspace fast path trims workspaceId into cachedWorkspaceId before returning while validating cache matches.
Test coverage for API URL and whoami behavior src/main/auth.test.ts	Adds getApiUrl default test; adds whoami retry test on AbortError; adds two canonicalization tests to verify whoami is called against production base and legacy stored metadata is normalized and persisted as production apiUrl.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 From dev hops to prod we roam,
Old .dev finds a brand new home.
Timeouts lengthen, URLs align,
Tests sing loud: the clouds refine.
Heap of carrots — CI's green comb.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: switching to production cloud and increasing whoami timeout.
Description check	✅ Passed	The description is clearly related to the changeset, explaining the motivation, changes, and validation approach.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/auth-whoami-timeout-prod-default

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 2 files

_{Re-trigger cubic}

[codeant-ai]

Your free trial PR review limit of 300 PRs has been reached. Please upgrade your plan to continue using CodeAnt AI.

[agent-relay-code]

Reviewed PR #137 and made a small follow-up fix.

I found that legacy https://agentrelay.dev/cloud records were canonicalized for resolveCloudAuth(), but getApiUrl() could still return legacy metadata after getAccessToken() loaded stored tokens. That affects callers like cloud sandbox creation. I fixed auth metadata read/write normalization and added a regression test for that path.

Also fixed a narrow TypeScript narrowing issue in getAccountWorkspaceId() by returning a pre-trimmed cached workspace id only after confirming it exists.

Validation run:

• npx vitest run src/main/auth.test.ts passes: 25 tests
• npm run build passes
• npx tsc -p tsconfig.node.json --noEmit is not clean in this repo; it fails on many existing unrelated project/test typing issues, though the touched auth-file narrowing issue it exposed was fixed.

[cubic-dev-ai]

1 issue found across 2 files (changes from recent commits).

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[codeant-ai]

Your free trial PR review limit of 300 PRs has been reached. Please upgrade your plan to continue using CodeAnt AI.

[agent-relay-code]

✅ pr-reviewer applied fixes — committed and pushed 400a87e to this PR. The notes below describe what changed.

Fixed one validated issue in the PR:

• auth.ts: loadTokens() now returns a normalized apiUrl, so legacy https://agentrelay.dev/cloud stored in auth.json no longer leaks into getAuthStatus() or profile refresh calls.
• auth.ts: normalizeCloudApiUrl(undefined) now falls back to CLOUD_API_URL directly, avoiding the recursive getApiUrl() fallback.
• auth.test.ts: added regression coverage that legacy stored tokens make getAuthStatus() call production whoami and report the production cloud URL.

Validation run:

• npx --yes vitest run src/main/auth.test.ts passed: 26 tests.
• npm test passed: 88 tests.
• npx --yes vitest run src/main/broker.test.ts passed: 34 tests.
• npx tsc -p tsconfig.node.json --noEmit did not pass due broad existing repo config/type issues, including missing declared vitest types and unrelated errors across broker/cloud/integration/store files. I did not change those unrelated areas.