Route auth status/list/revoke/logout through TokenForResource

[khaong]

https://entire.io/gh/entireio/cli/trails/422

Stacked on top of #1239 (soph/auth-go). Once that merges, this PR's base will auto-rebase to main.

Summary

In v2 split-host deployments (ENTIRE_AUTH_BASE_URL ≠ ENTIRE_API_BASE_URL), the keyring stores an auth-host-issued token. Sending that token directly to the data API's /api/v1/auth/tokens endpoint produces 401s because the audience is wrong; the user sees a misleading "Token in keychain ... is no longer valid" message.

This PR routes entire auth status / auth list / auth revoke / logout (server-side revoke) through auth.TokenForResource so they pick up a correctly-audienced bearer via the same RFC 8693 exchange that entire search, activity, recap, and dispatch already use. In v1 single-host the tokenmanager hits its same-host shortcut and returns the keyring token unchanged — so this is a no-op for v1 deployments.

What's in the diff

cmd/entire/cli/auth.go, logout.go

• defaultListTokens, defaultRevokeTokenByID, defaultRevokeCurrentToken now resolve a data-API-scoped bearer internally via auth.TokenForResource(ctx, api.OriginOnly(api.BaseURL())).
• The bug-prone token / callerToken parameters are dropped from authTokenLister, authTokenRevoker, and revokeCurrentFunc so the audience-mismatch mistake is structurally impossible at the call sites.
• New helper resolveDataAPIToken centralises the resolution.
• requireSecureBaseURL now also calls auth.EnableInsecureHTTP() when --insecure-http-auth is set, matching NewAuthenticatedAPIClient — otherwise the tokenmanager's HTTPS guard rejects non-loopback http:// resources even after the per-command TLS check is waived.

cmd/entire/cli/api_client.go

• Wrap the not-logged-in case as fmt.Errorf("...: %w", auth.ErrNotLoggedIn) (was errors.New(...) which lost the sentinel). Callers can now errors.Is past the boundary.

cmd/entire/cli/activity_cmd.go

• Only print "Not logged in. Run 'entire login' to authenticate." when errors.Is(err, auth.ErrNotLoggedIn). Real errors (STS rejections, network errors, malformed env config) surface verbatim via main.go instead of being papered over with a misleading login hint.

Tests

• auth_test.go and logout_test.go updated to match the new function-literal signatures. Assertions that checked "called with token X" are replaced with was-called booleans (the new contract is "implementation resolves its own bearer", so there's nothing to forward).

Test plan

• go build ./... clean
• mise run lint:go — 0 issues
• mise run lint:gofmt clean
• mise run lint:gomod clean
• All TestRunAuth* / TestRunLogout* pass
• End-to-end against us.auth.entire.io: entire auth status, auth list succeed (previously 401'd)

The same pre-existing TestExplainCmd_* failures from the base branch persist — environmental (.entire/settings.json enabled: false in this working tree), unrelated to this work.

Known gaps / follow-up work

Internal review during development surfaced several things that didn't make it into this PR's scope; happy to address in a follow-up:

• STS-stage 401s aren't recognized by IsHTTPErrorStatus — auth.go's 401 branch only fires for *api.HTTPError wrappers. auth-go/sts returns plain fmt.Errorf strings, so an STS-stage 401 (e.g. core token revoked, invalid_client) surfaces as a raw error rather than the friendly "Token in keychain is no longer valid. Run 'entire login' to re-authenticate." message. Worth either typing the STS error upstream or a string-match workaround here.
• The self-revoke detection at auth.go:516 (list-after-revoke 401 → delete keychain) is pre-existing but mis-specified for v2 split-host — revoking an application API token by id doesn't invalidate the OAuth bearer chain, so the heuristic silently no-ops. Probably wants removal rather than papering over.
• Other NewAuthenticatedAPIClient callers share the false-"authentication required" pattern that activity_cmd.go fixes — trail_cmd.go, trail_watch_cmd.go, dispatch_wizard.go, search_cmd.go. Sweep opportunity now that the sentinel-wrapping in api_client.go makes it trivial.
• No direct unit test that defaultListTokens / defaultRevokeTokenByID / defaultRevokeCurrentToken actually route through TokenForResource. Covered e2e but a regression to "send raw keyring token" would pass go test ./.... The auth.SetManagerForTest seam exists in auth-go ready for use.
• auth.EnableInsecureHTTP is sticky process-wide with no off switch — fine for one-shot CLI invocations, silent state leak across in-process subcommands (e.g. test harnesses, kubectl-style external command dispatcher).

🤖 Generated with Claude Code

---

Note

Medium Risk
Touches CLI authentication/token resolution and logout/token-revocation paths; mistakes could break auth flows or change which errors are surfaced to users, especially in split-host deployments.

Overview
Fixes split-host (ENTIRE_AUTH_BASE_URL != ENTIRE_API_BASE_URL) auth-token management by resolving a data-API-scoped bearer via auth.TokenForResource for entire auth status/list/revoke and server-side logout revocation, instead of forwarding the raw keyring token.

Refactors the token-management call sites to drop caller-supplied bearer parameters (making audience-mismatch harder to reintroduce), adds resolveDataAPIToken, and aligns --insecure-http-auth with the token manager via auth.EnableInsecureHTTP. Error handling is tightened so activity only shows the friendly login hint for auth.ErrNotLoggedIn, and NewAuthenticatedAPIClient preserves the ErrNotLoggedIn sentinel via wrapping.

^{Reviewed by Cursor Bugbot for commit 5824022. Configure here.}

[Copilot]

Pull request overview

This PR fixes split-host (ENTIRE_AUTH_BASE_URL ≠ ENTIRE_API_BASE_URL) auth-token management by ensuring auth status/list/revoke/logout obtain a data-API-audience bearer via auth.TokenForResource (RFC 8693 exchange) rather than sending the raw keyring token to the data API. It also improves error propagation by preserving the auth.ErrNotLoggedIn sentinel across NewAuthenticatedAPIClient, and refines activity to only show the “Not logged in” hint when that sentinel is actually present.

Changes:

• Route auth token list/revoke/current-revoke through a centralized data-API token resolver (resolveDataAPIToken) and remove caller-supplied bearer parameters to prevent audience-mismatch regressions.
• Preserve auth.ErrNotLoggedIn across NewAuthenticatedAPIClient and update activity to gate the friendly login hint on errors.Is(..., auth.ErrNotLoggedIn).
• Update auth/logout unit tests to match the new function signatures (implementations now resolve their own bearer).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
cmd/entire/cli/auth.go	Adds resolveDataAPIToken, updates list/revoke flows to resolve their own data-API-scoped bearer, and relaxes tokenmanager HTTP guard when --insecure-http-auth is set.
cmd/entire/cli/logout.go	Updates server-side revoke to internally resolve a data-API token and removes the caller-supplied bearer parameter.
cmd/entire/cli/api_client.go	Wraps “not logged in” errors to preserve the auth.ErrNotLoggedIn sentinel for errors.Is checks.
cmd/entire/cli/activity_cmd.go	Only prints the “Not logged in…” hint when the error is actually auth.ErrNotLoggedIn; otherwise returns the real error.
cmd/entire/cli/auth_test.go	Updates injected lister/revoker function signatures in tests to match the new contracts.
cmd/entire/cli/logout_test.go	Updates injected revoke function signature and assertions to match the new contract.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 5824022. Configure here.}