fix: improve cloud remote auth UX

[thymikee]

Summary

• make pending remote leases actionable and have devices allocate/refresh leases before listing
• preserve safe cloud API-token setup URLs during redaction while still scrubbing secrets
• document cloud bridge/control-plane auth origins in CLI help, docs, and the packaged skill

Touched-file count: 12. Scope stayed within remote connection/auth UX, docs, and tests.

Validation

• pnpm format
• pnpm vitest run src/__tests__/remote-connection.test.ts src/__tests__/cli-config.test.ts src/cli/__tests__/auth-session.test.ts src/utils/__tests__/diagnostics.test.ts src/__tests__/cli-help.test.ts
• pnpm check:quick
• pnpm check:unit

[github-actions]

PR Preview Action v1.8.1
🚀 View preview at https://callstackincubator.github.io/agent-device/pr-preview/pr-452/
Built to branch gh-pages at 2026-04-26 22:25 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 04962d17c2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Redact access_token-style assignments in string payloads

The new SENSITIVE_ASSIGNMENT_RE requires a word boundary before token, so strings like access_token=... and refresh_token=... are no longer matched and will pass through unredacted. This is a regression from the previous pattern and can leak bearer/OAuth credentials in diagnostic events and normalized error details when tokens appear in stderr or API response text blobs rather than as object keys.

Useful? React with 👍 / 👎.