Prepare subscription credentials before deploy integrations #152

Merged: khaliqgant merged 1 commit into main from codex/fix-use-subscription-preflight on May 27, 2026
@khaliqgant (Member) commented May 27, 2026

Summary

  • make cloud deploy support useSubscription:true without requiring callers to inject a subscription resolver
  • prepare OAuth or BYOK LLM provider credentials before integration connection checks, preventing half-connected integrations when subscription setup is doomed
  • reject non-cloud deploys and workforce-plan credentials for useSubscription with actionable CLI guidance
  • pass pre-created BYOK credential selections into the cloud launcher so credentials are not re-created during launch

Fixes #151

Tests

  • pnpm --filter @agentworkforce/deploy test

@coderabbitai (Bot, Contributor) commented May 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 234b6c53-70ac-4e49-957a-a2c78c7c1985

📥 Commits

Reviewing files that changed from the base of the PR and between b198c85 and fcd4800.

📒 Files selected for processing (6)
  • packages/deploy/src/connect.test.ts
  • packages/deploy/src/connect.ts
  • packages/deploy/src/deploy.test.ts
  • packages/deploy/src/deploy.ts
  • packages/deploy/src/modes/cloud/index.ts
  • packages/deploy/src/types.ts

📝 Walkthrough

This PR resolves issue #151 by adding early validation and cloud provisioning support for useSubscription:true personas. The changes move the subscription resolver requirement check from the connection phase (where it caused late failures and integration side effects) to preflight validation, wire cloud subscription credential provisioning via OAuth or BYOK, and plumb credential selections through to the launcher.

Changes

Subscription support for cloud deployment

| Layer / File(s) | Summary |
| --- | --- |
| Subscription connection extraction and testing: packages/deploy/src/connect.ts, packages/deploy/src/connect.test.ts | Refactors subscription connection into connectSubscriptionProvider and requireSubscriptionResolver helpers. The connection helper handles already-connected checks, --no-prompt/--no-connect validation, user confirmation, and logging. Tests verify fail-fast rejection when no resolver is supplied and correct call ordering (subscription-before-integration) when a resolver is present. |
| Cloud subscription provisioning infrastructure: packages/deploy/src/modes/cloud/index.ts | Exports HarnessSource type and CloudSubscriptionReadyResult interface. Implements validateCloudSubscriptionSupport to enforce cloud-only harness source when useSubscription is enabled, and ensureCloudSubscriptionReady to provision BYOK credentials (via /provider-credentials/byok endpoint) or establish OAuth connectivity (via connectProvider with polling). Updates cloudLauncher.launch to use pre-resolved credentialSelections when provided. |
| Deploy orchestration of subscription validation and preparation: packages/deploy/src/deploy.ts, packages/deploy/src/types.ts | Computes mode early and calls validateSubscriptionSupport before early returns. When the preflight persona requires subscriptions and no resolver is supplied, calls ensureCloudSubscriptionReady, captures credentialSelections, and derives an alreadyConnectedSubscriptionResolver. Wires the resolved subscription through connectAndCollectIntegrations and forwards credentialSelections to the launcher. Adds ModeLaunchInput.credentialSelections field. |
| Deploy test coverage for subscription workflows: packages/deploy/src/deploy.test.ts | Adds dry-run validation tests: accepts useSubscription in cloud mode, rejects outside cloud mode, rejects with harnessSource: 'plan'. Tests dry-run with a provided resolver (no connection side effects). Adds integration test for BYOK flow that stubs globalThis.fetch, validates POST body, verifies call ordering (workspace → subscription-byok → integration → launch), and asserts launched credentialSelections. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • AgentWorkforce/workforce#110: Both PRs modify packages/deploy/src/connect.ts's connectIntegrations for personas using useSubscription, specifically around subscription-resolver requirement handling and fail-fast behavior.
  • AgentWorkforce/workforce#115: Both PRs refactor connectIntegrations control flow to fail early on missing or unauthorized integration resolvers, running checks before side effects.

Poem

🐰 A CLI that once left you half-connected,
Now validates subscriptions—defects detected!
Cloud BYOK and OAuth now provision with flair,
No more green dry-runs with late despair. ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The PR title directly addresses the main objective: preparing subscription credentials before connecting integrations, which is the core focus of the changeset across multiple files. |
| Description check | ✅ Passed | The PR description covers the key changes: supporting useSubscription without requiring callers to inject a resolver, preparing credentials before integration checks, rejecting unsupported scenarios, and preventing credential re-creation. |
| Linked Issues check | ✅ Passed | The changeset fulfills all three primary requirements from issue #151: (1) validates useSubscription in preflight before side effects; (2) makes it deployable via --harness-source oauth/byok or fails fast with guidance; (3) reorders checks before integration connection. |
| Out of Scope Changes check | ✅ Passed | All changes are directly aligned with issue #151 objectives: subscription validation, credential preparation, harness-source support, and reordering deploy steps. No unrelated modifications detected. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

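The ordering described in the walkthrough above, as an added TypeScript example (not code from this PR or from the workforce repository). The function bodies are synchronous stand-ins, and the DeployInput shape, error strings and credential id are assumptions; the step names mirror the call ordering the walkthrough says the deploy test verifies.

```typescript
// Added illustration: simplified, synchronous stand-ins; not the project's code.
type Mode = "cloud" | "local";
type HarnessSource = "oauth" | "byok" | "plan";

interface DeployInput {          // hypothetical input shape
  mode: Mode;
  harnessSource: HarnessSource;
  useSubscription: boolean;
  dryRun: boolean;
}

interface DeployResult {
  calls: string[];                 // side effects, in the order they ran
  credentialSelections?: string[]; // pre-created ids handed to the launcher
}

// Pure preflight check: throws before anything is created or connected.
function validateSubscriptionSupport(input: DeployInput): void {
  if (!input.useSubscription) return;
  if (input.mode !== "cloud") {
    throw new Error("useSubscription requires a cloud deploy");
  }
  if (input.harnessSource === "plan") {
    throw new Error("useSubscription needs harness source oauth or byok, not plan");
  }
}

function deploy(input: DeployInput): DeployResult {
  const calls: string[] = [];
  validateSubscriptionSupport(input);   // 1. fail fast, no side effects yet
  if (input.dryRun) return { calls };   // dry run ends after validation

  calls.push("workspace");
  let credentialSelections: string[] | undefined;
  if (input.useSubscription) {
    // 2. prepare the LLM provider credential BEFORE touching integrations,
    //    so a doomed subscription never leaves an integration half-connected
    calls.push(`subscription-${input.harnessSource}`);
    credentialSelections = ["cred-constructed-1"]; // constructed placeholder id
  }
  calls.push("integration");            // 3. only now connect integrations
  calls.push("launch");                 // 4. launcher reuses the selection
  return { calls, credentialSelections };
}

// Returns the rejection message, or null when the deploy is accepted.
function tryDeploy(input: DeployInput): string | null {
  try { deploy(input); return null; } catch (e) { return (e as Error).message; }
}
```
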

khaliqgant force-pushed the codex/fix-use-subscription-preflight branch from 1845e39 to fcd4800 on May 27, 2026 16:15
khaliqgant changed the title from "Fail fast when useSubscription has no resolver" to "Prepare subscription credentials before deploy integrations" on May 27, 2026
khaliqgant merged commit fef5644 into main on May 27, 2026
2 checks passed
khaliqgant deleted the codex/fix-use-subscription-preflight branch on May 27, 2026 17:11
Development

Successfully merging this pull request may close these issues.

useSubscription:true is undeployable via CLI, fails late (after connect) and dry-run misses it
