feat: add cloud remote auth flow #443

Merged
thymikee merged 1 commit into main from feat/cloud-remote-auth on Apr 26, 2026

@thymikee
Contributor

Summary

Add CLI-side cloud remote authentication for connect --remote-config: env/service token resolution, stored CLI-session refresh into short-lived agent tokens, implicit interactive login, CI/non-interactive refusal, and explicit auth status|login|logout management.

Cleanup pass after security/API review:

  • revoked CLI sessions fail immediately instead of falling through to generic auth handling
  • docs distinguish CLI controls from cloud-side requirements for expiry, tenant/run scope, revocation, one-time approval, rate limiting, and dashboard/API separation
  • redaction covers adc_* tokens, user/device codes, and auth URLs

Touched files: 12. Scope stayed within CLI remote-auth/connection surface, command schema/routing, tests, docs, and skill guidance. Cloud server/dashboard endpoints are documented as required follow-up because this repo does not contain that service.

Validation

  • pnpm format
  • pnpm vitest run src/cli/__tests__/auth-session.test.ts src/utils/__tests__/args.test.ts src/utils/__tests__/diagnostics.test.ts
  • pnpm check:quick
  • pnpm test:unit

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 16aa8ce4b9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/cli/auth-session.ts
Comment on lines +108 to +110
const session = readCliSession({ stateDir: options.stateDir });
if (session && !isExpired(session.expiresAt, options.io?.now)) {
const refreshed = await refreshAgentToken({

[P1] Gate CLI-session refresh on cloud auth eligibility

The session-refresh path runs before shouldUseCloudAuth, so any command with daemonBaseUrl plus a stored CLI session will call the cloud refresh endpoint even for non-cloud daemons (for example http://127.0.0.1 or an internal host). In those cases a network/cloud failure now blocks commands that previously relied on existing daemon auth behavior. This is visible because refresh is attempted unconditionally in resolveRemoteAuth, and only afterward does the code check whether cloud auth should apply.

Comment thread src/cli.ts Outdated
Comment on lines +245 to +246
if (command !== 'auth') {
const authResolution = await resolveRemoteAuthForCli({

[P2] Skip remote-auth resolution for local-only connection status

runCli now resolves remote auth for every non-auth command, including connection. But connection status is implemented as local state inspection in src/cli/commands/connection.ts and does not require daemon access, so this change can make connection status --remote-config ... fail with login/token errors when credentials are missing. That regresses a read-only diagnostic path by adding an unnecessary auth precondition.

@thymikee thymikee force-pushed the feat/cloud-remote-auth branch from 16aa8ce to 662dc6d Compare April 26, 2026 00:20
@thymikee
Contributor Author

Addressed both review comments in 662dc6d.

  • Gated stored CLI-session refresh behind cloud-auth eligibility, so non-cloud daemon URLs keep existing daemon auth behavior and do not call cloud refresh. Added regression coverage with a stored CLI session and a non-cloud daemon.
  • Skipped remote-auth resolution for connection status, preserving it as local-only state inspection even with --remote-config in CI. Added regression coverage for connection status --remote-config with a cloud daemon URL and no credentials.

Validation after the fix:

  • pnpm format
  • pnpm vitest run src/cli/__tests__/auth-session.test.ts src/__tests__/cli-config.test.ts
  • pnpm check:quick
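
The ordering issue raised in the P1 review comment, as an added sketch that is not the project's code: the same auth decision written with the session refresh chosen before the eligibility check and with the check first. Every name, type and the https host allow-list used for eligibility are assumptions made for illustration.

```typescript
// Added illustration; every name and shape here is hypothetical, not the project's API.
type Session = { expiresAt: number };
type Step = 'daemon-auth' | 'refresh' | 'login' | 'refuse';

interface Inputs {
  daemonBaseUrl: string;
  cloudHosts: string[]; // assumed allow-list standing in for the eligibility check
  session?: Session;    // stored CLI session, if any
  interactive: boolean; // false in CI
  now: number;          // epoch ms, injected so results are deterministic
}

// Assumption: a daemon is cloud-eligible only over https to an allow-listed host.
function isCloudEligible(daemonBaseUrl: string, cloudHosts: string[]): boolean {
  try {
    const url = new URL(daemonBaseUrl);
    return url.protocol === 'https:' && cloudHosts.includes(url.hostname);
  } catch {
    return false; // unparseable URL: treat as non-cloud
  }
}

const hasLiveSession = (i: Inputs): boolean =>
  i.session !== undefined && i.session.expiresAt > i.now;

// Ordering the review flagged: refresh is chosen before eligibility is known.
function planUngated(i: Inputs): Step {
  if (hasLiveSession(i)) return 'refresh';
  if (!isCloudEligible(i.daemonBaseUrl, i.cloudHosts)) return 'daemon-auth';
  return i.interactive ? 'login' : 'refuse';
}

// Gated ordering: non-cloud daemons return before any stored session is used.
function planGated(i: Inputs): Step {
  if (!isCloudEligible(i.daemonBaseUrl, i.cloudHosts)) return 'daemon-auth';
  if (hasLiveSession(i)) return 'refresh';
  return i.interactive ? 'login' : 'refuse';
}

// Constructed sample inputs.
const base = { cloudHosts: ['cloud.example.test'], interactive: false, now: 1000 };
const local: Inputs = { ...base, daemonBaseUrl: 'http://127.0.0.1:4000', session: { expiresAt: 2000 } };
const cloud: Inputs = { ...base, daemonBaseUrl: 'https://cloud.example.test', session: { expiresAt: 2000 } };
const stale: Inputs = { ...cloud, session: { expiresAt: 500 } };

console.log(planUngated(local), planGated(local), planGated(cloud), planGated(stale));
```

Keeping the decision separate from the network call lets a regression test pin the non-cloud case without mocking the refresh endpoint.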

@github-actions

PR Preview Action v1.8.1

🚀 View preview at
https://callstackincubator.github.io/agent-device/pr-preview/pr-443/

Built to branch gh-pages at 2026-04-26 00:21 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

@thymikee thymikee merged commit f926d2c into main Apr 26, 2026
15 checks passed
@thymikee thymikee deleted the feat/cloud-remote-auth branch April 26, 2026 00:25