Wire the cloud-context MCP into the launcher with pinned-identity auth visibility

[sourcehawk]

Problem

The cloud-context MCP package and its providers (#45, #43, #46) are inert without launcher wiring: the profile has to declare cloud sources, each session has to spawn an aliased triagent-cloud-<alias> server with the pinned-identity credentials, and the operator needs to see cloud auth readiness before a session starts rather than discovering a degraded session. None of the other sub-issues own this cross-cutting work.

Approach

Four launcher-side surfaces, all reusing the shared cloud.Probe / IdentityStatus from #45:

• Profile. Add a cloud: block (CloudSource{alias, provider, assumed_identity, scope, command_allowlist_path}) to internal/profile, with base: merge support (ADR-0008).
• Per-session wiring. In internal/preflight/mcpconfig.go (ADR-0003), add MCPAliasCloudPrefix and emit one triagent-cloud-<alias> server per source with args ["serve","--kind=cloud","--provider=<p>"] and env carrying the TRIAGENT_CLOUD_* config plus the pinned-identity impersonation env (CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT / AWS_PROFILE) derived from assumed_identity — the same explicit-env discipline as KUBECONFIG.
• Preflight, visible degrade. In preflight.Run(), run cloud.Probe per source after the kubeconfig freeze. A failed probe does not error the session (unlike the current k8s auth check); it marks the source unavailable in Result and attaches the ReauthAdvisor hint, so Kubernetes triage proceeds without the cloud axis.
• Connections panel (read-only). GET /api/connections grows a cloud array of {provider, assumed_identity, valid, hint}, built from the profile's cloud sources probed at request time, rendered as read-only pills next to Slack / incident.io (assumed identity always shown; checkmark when valid; reauth hint when not). No PUT/DELETE route for cloud — it is configured in the profile, not entered here.

Verification

• make test passes (internal/profile, internal/preflight, internal/connections, internal/server race tests): a cloud: profile loads and base-merges; writeMCPConfig emits the aliased server with the impersonation env; a failing probe degrades rather than blocks; GET /api/connections returns the cloud array.
• cd frontend && npm test -- --run && npm run typecheck pass: the panel renders a read-only cloud pill per entry with identity + checkmark + hint.
• Manual: the connections panel shows cloud readiness before a session starts; an invalid identity yields a visibly degraded (not blocked) session.

Out of scope

• The MCP package, harness, and tools (Build the cloud-context MCP package, Provider interface, and shared tool surface #45); the provider implementations (Implement the GCP provider for the cloud-context MCP #43, Implement the AWS provider for the cloud-context MCP #46).
• OAuth / SSO login flows and the static-key connection realization (both deferred).
• Any write operation against either cloud.

Context

Sub-issue of #44.