@agentworkforce/deploy 3.0.3 → 3.0.5

package/dist/login.test.js

@@ -0,0 +1,126 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import { mkdtemp, readFile, rm } from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import { clearStoredWorkspaceToken, loadWorkspaceToken, resolveWorkspaceToken, writeStoredWorkspaceToken } from './login.js';
+import { createBufferedIO } from './io.js';
+async function withLoginEnv(env, fn) {
+    const previous = {
+        WORKFORCE_LOGIN_FILE: process.env.WORKFORCE_LOGIN_FILE,
+        WORKFORCE_DISABLE_KEYCHAIN: process.env.WORKFORCE_DISABLE_KEYCHAIN,
+        WORKFORCE_WORKSPACE_ID: process.env.WORKFORCE_WORKSPACE_ID,
+        WORKFORCE_WORKSPACE_TOKEN: process.env.WORKFORCE_WORKSPACE_TOKEN
+    };
+    process.env.WORKFORCE_DISABLE_KEYCHAIN = '1';
+    if (env.loginFile === undefined)
+        delete process.env.WORKFORCE_LOGIN_FILE;
+    else
+        process.env.WORKFORCE_LOGIN_FILE = env.loginFile;
+    if (env.workspaceId === undefined)
+        delete process.env.WORKFORCE_WORKSPACE_ID;
+    else
+        process.env.WORKFORCE_WORKSPACE_ID = env.workspaceId;
+    if (env.workspaceToken === undefined)
+        delete process.env.WORKFORCE_WORKSPACE_TOKEN;
+    else
+        process.env.WORKFORCE_WORKSPACE_TOKEN = env.workspaceToken;
+    try {
+        return await fn();
+    }
+    finally {
+        for (const [key, value] of Object.entries(previous)) {
+            if (value === undefined) {
+                delete process.env[key];
+            }
+            else {
+                process.env[key] = value;
+            }
+        }
+    }
+}
+test('workspace token store writes and reads the active workspace token', async () => {
+    const dir = await mkdtemp(path.join(os.tmpdir(), 'wf-login-store-'));
+    const loginFile = path.join(dir, 'login.json');
+    try {
+        await withLoginEnv({ loginFile }, async () => {
+            await writeStoredWorkspaceToken({
+                workspaceSlug: 'acme',
+                workspaceId: 'ws-123',
+                token: 'tok-stored',
+                cloudUrl: 'https://cloud.example.test'
+            });
+            const raw = JSON.parse(await readFile(loginFile, 'utf8'));
+            assert.equal(raw.workspace, 'acme');
+            assert.equal(raw.workspaceId, 'ws-123');
+            assert.equal(raw.token, 'tok-stored');
+            assert.equal((await loadWorkspaceToken('acme'))?.token, 'tok-stored');
+        });
+    }
+    finally {
+        await rm(dir, { recursive: true, force: true });
+    }
+});
+test('resolveWorkspaceToken prefers env token before stored login', async () => {
+    const dir = await mkdtemp(path.join(os.tmpdir(), 'wf-login-precedence-'));
+    const loginFile = path.join(dir, 'login.json');
+    try {
+        await withLoginEnv({ loginFile }, async () => {
+            await writeStoredWorkspaceToken({ workspace: 'stored', token: 'tok-stored' });
+        });
+        await withLoginEnv({
+            loginFile,
+            workspaceId: 'env-ws',
+            workspaceToken: 'tok-env'
+        }, async () => {
+            assert.deepEqual(await resolveWorkspaceToken({
+                cloudUrl: 'https://cloud.example.test',
+                io: createBufferedIO()
+            }), { token: 'tok-env', workspace: 'env-ws' });
+        });
+    }
+    finally {
+        await rm(dir, { recursive: true, force: true });
+    }
+});
+test('resolveWorkspaceToken reads stored token and fails clearly with --no-prompt', async () => {
+    const dir = await mkdtemp(path.join(os.tmpdir(), 'wf-login-resolve-'));
+    const loginFile = path.join(dir, 'login.json');
+    try {
+        await withLoginEnv({ loginFile }, async () => {
+            await writeStoredWorkspaceToken({ workspace: 'stored', token: 'tok-stored' });
+            assert.deepEqual(await resolveWorkspaceToken({
+                workspace: 'stored',
+                cloudUrl: 'https://cloud.example.test',
+                io: createBufferedIO(),
+                noPrompt: true
+            }), { token: 'tok-stored', workspace: 'stored' });
+        });
+        await withLoginEnv({ loginFile: path.join(dir, 'missing.json') }, async () => {
+            await assert.rejects(resolveWorkspaceToken({
+                workspace: 'missing',
+                cloudUrl: 'https://cloud.example.test',
+                io: createBufferedIO(),
+                noPrompt: true
+            }), /run `agentworkforce login`/);
+        });
+    }
+    finally {
+        await rm(dir, { recursive: true, force: true });
+    }
+});
+test('clearStoredWorkspaceToken removes the stored token file', async () => {
+    const dir = await mkdtemp(path.join(os.tmpdir(), 'wf-login-clear-'));
+    const loginFile = path.join(dir, 'login.json');
+    try {
+        await withLoginEnv({ loginFile }, async () => {
+            await writeStoredWorkspaceToken({ workspace: 'stored', token: 'tok-stored' });
+            await clearStoredWorkspaceToken('stored');
+            assert.equal(await loadWorkspaceToken('stored'), null);
+        });
+    }
+    finally {
+        await rm(dir, { recursive: true, force: true });
+    }
+});
+//# sourceMappingURL=login.test.js.map

package/dist/login.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.test.js","sourceRoot":"","sources":["../src/login.test.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AACzD,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,yBAAyB,EACzB,kBAAkB,EAClB,qBAAqB,EACrB,yBAAyB,EAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAE3C,KAAK,UAAU,YAAY,CACzB,GAIC,EACD,EAAoB;IAEpB,MAAM,QAAQ,GAAG;QACf,oBAAoB,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;QACtD,0BAA0B,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B;QAClE,sBAAsB,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB;QAC1D,yBAAyB,EAAE,OAAO,CAAC,GAAG,CAAC,yBAAyB;KACjE,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,0BAA0B,GAAG,GAAG,CAAC;IAC7C,IAAI,GAAG,CAAC,SAAS,KAAK,SAAS;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;;QACpE,OAAO,CAAC,GAAG,CAAC,oBAAoB,GAAG,GAAG,CAAC,SAAS,CAAC;IACtD,IAAI,GAAG,CAAC,WAAW,KAAK,SAAS;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;;QACxE,OAAO,CAAC,GAAG,CAAC,sBAAsB,GAAG,GAAG,CAAC,WAAW,CAAC;IAC1D,IAAI,GAAG,CAAC,cAAc,KAAK,SAAS;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;;QAC9E,OAAO,CAAC,GAAG,CAAC,yBAAyB,GAAG,GAAG,CAAC,cAAc,CAAC;IAEhE,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,EAAE,CAAC;IACpB,CAAC;YAAS,CAAC;QACT,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,OAAO,OAAO,CAAC,GAAG,CAAC,GAA4B,CAAC,CAAC;YACnD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,GAA4B,CAAC,GAAG,KAAK,CAAC;YACpD,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,IAAI,CAAC,mEAAmE,EAAE,KAAK,IAAI,EAAE;IACnF,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;IACrE,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,YAAY,CAAC,EAAE,SAAS,EAAE,EAAE,KAAK,IAAI,EAAE;YAC3C,MAAM,yBAAyB,CAAC;gBAC9B,aAAa,EAAE,MAAM;gBACrB,WAAW,EAAE,QAAQ;gBACrB,KAAK,EAAE,YAAY;gBACnB,QAAQ,EAAE,4BAA4B;aACvC,CAAC,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAA4B,CAAC;YACrF,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACpC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;YACxC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;YACtC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,kBAAkB,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC;QACxE,CAAC,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,6DAA6D,EAAE,KAAK,IAAI,EAAE;IAC7E,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC,CAAC;IAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,YAAY,CAAC,EAAE,SAAS,EAAE,EAAE,KAAK,IAAI,EAAE;YAC3C,MAAM,yBAAyB,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;QAChF,CAAC,CAAC,CAAC;QACH,MAAM,YAAY,CAAC;YACjB,SAAS;YACT,WAAW,EAAE,QAAQ;YACrB,cAAc,EAAE,SAAS;SAC1B,EAAE,KAAK,IAAI,EAAE;YACZ,MAAM,CAAC,SAAS,CACd,MAAM,qBAAqB,CAAC;gBAC1B,QAAQ,EAAE,4BAA4B;gBACtC,EAAE,EAAE,gBAAgB,EAAE;aACvB,CAAC,EACF,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,CAC1C,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,6EAA6E,EAAE,KAAK,IAAI,EAAE;IAC7F,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACvE,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,YAAY,CAAC,EAAE,SAAS,EAAE,EAAE,KAAK,IAAI,EAAE;YAC3C,MAAM,yBAAyB,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;YAC9E,MAAM,CAAC,SAAS,CACd,MAAM,qBAAqB,CAAC;gBAC1B,SAAS,EAAE,QAAQ;gBACnB,QAAQ,EAAE,4BAA4B;gBACtC,EAAE,EAAE,gBAAgB,EAAE;gBACtB,QAAQ,EAAE,IAAI;aACf,CAAC,EACF,EAAE,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,QAAQ,EAAE,CAC7C,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,MAAM,YAAY,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE,EAAE,KAAK,IAAI,EAAE;YAC3E,MAAM,MAAM,CAAC,OAAO,CAClB,qBAAqB,CAAC;gBACpB,SAAS,EAAE,SAAS;gBACpB,QAAQ,EAAE,4BAA4B;gBACtC,EAAE,EAAE,gBAAgB,EAAE;gBACtB,QAAQ,EAAE,IAAI;aACf,CAAC,EACF,4BAA4B,CAC7B,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;IACzE,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;IACrE,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,YAAY,CAAC,EAAE,SAAS,EAAE,EAAE,KAAK,IAAI,EAAE;YAC3C,MAAM,yBAAyB,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;YAC9E,MAAM,yBAAyB,CAAC,QAAQ,CAAC,CAAC;YAC1C,MAAM,CAAC,KAAK,CAAC,MAAM,kBAAkB,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC;AACH,CAAC,CAAC,CAAC"}

package/dist/modes/cloud.d.ts

@@ -1,3 +1,4 @@
+import { CloudApiClient, connectProvider, readStoredAuth, refreshStoredAuth, type StoredAuth } from '@agent-relay/cloud';
 import type { ModeLaunchHandle, ModeLauncher } from '../types.js';
 type CloudDeployStatus = 'starting' | 'active' | 'failed' | 'cancelled';
 export interface CloudRunHandle extends ModeLaunchHandle {
@@ -5,6 +6,14 @@ export interface CloudRunHandle extends ModeLaunchHandle {
     deploymentId: string;
     status: CloudDeployStatus;
 }
+type CloudApiClientLike = Pick<CloudApiClient, 'fetch'>;
+type CloudCredentialDeps = {
+    readStoredAuth: typeof readStoredAuth;
+    refreshStoredAuth: typeof refreshStoredAuth;
+    connectProvider: typeof connectProvider;
+    createCloudApiClient(auth: StoredAuth, apiUrl: string): CloudApiClientLike;
+};
+export declare function configureCloudCredentialDepsForTest(overrides: Partial<CloudCredentialDeps>): () => void;
 /**
  * Cloud-hosted deploy mode. Uploads the deploy-ready persona bundle to a
  * workforce-compatible cloud endpoint. The implementation is intentionally

package/dist/modes/cloud.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cloud.d.ts","sourceRoot":"","sources":["../../src/modes/cloud.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAEV,gBAAgB,EAChB,YAAY,EACb,MAAM,aAAa,CAAC;AAarB,KAAK,iBAAiB,GAAG,UAAU,GAAG,QAAQ,GAAG,QAAQ,GAAG,WAAW,CAAC;AAIxE,MAAM,WAAW,cAAe,SAAQ,gBAAgB;IACtD,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,iBAAiB,CAAC;CAC3B;AA+CD;;;;;;GAMG;AACH,eAAO,MAAM,aAAa,EAAE,YAmI3B,CAAC"}
+{"version":3,"file":"cloud.d.ts","sourceRoot":"","sources":["../../src/modes/cloud.ts"],"names":[],"mappings":"AACA,OAAO,EACL,cAAc,EACd,eAAe,EAEf,cAAc,EACd,iBAAiB,EACjB,KAAK,UAAU,EAChB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,KAAK,EAEV,gBAAgB,EAChB,YAAY,EACb,MAAM,aAAa,CAAC;AAYrB,KAAK,iBAAiB,GAAG,UAAU,GAAG,QAAQ,GAAG,QAAQ,GAAG,WAAW,CAAC;AAIxE,MAAM,WAAW,cAAe,SAAQ,gBAAgB;IACtD,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,iBAAiB,CAAC;CAC3B;AAsCD,KAAK,kBAAkB,GAAG,IAAI,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;AAExD,KAAK,mBAAmB,GAAG;IACzB,cAAc,EAAE,OAAO,cAAc,CAAC;IACtC,iBAAiB,EAAE,OAAO,iBAAiB,CAAC;IAC5C,eAAe,EAAE,OAAO,eAAe,CAAC;IACxC,oBAAoB,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,GAAG,kBAAkB,CAAC;CAC5E,CAAC;AAkBF,wBAAgB,mCAAmC,CACjD,SAAS,EAAE,OAAO,CAAC,mBAAmB,CAAC,GACtC,MAAM,IAAI,CAMZ;AAED;;;;;;GAMG;AACH,eAAO,MAAM,aAAa,EAAE,YA8H3B,CAAC"}

package/dist/modes/cloud.js

@@ -1,15 +1,32 @@
-import { spawn } from 'node:child_process';
-import { randomUUID } from 'node:crypto';
 import { readFile } from 'node:fs/promises';
-import { createServer } from 'node:http';
-import { platform } from 'node:os';
+import { CloudApiClient, connectProvider, defaultApiUrl, readStoredAuth, refreshStoredAuth } from '@agent-relay/cloud';
 import { resolveWorkspaceToken } from '../login.js';
-const DEFAULT_CLOUD_URL = 'https://agentrelay.com';
 const BUILD_YOUR_OWN_CLOUD_DOCS_URL = 'https://docs.agentworkforce.com/deploy/build-your-own-cloud';
 const USER_AGENT = 'workforce-deploy';
 const MAX_ATTEMPTS = 3;
 const POLL_TIMEOUT_MS = 60_000;
 const POLL_INTERVAL_MS = 2_000;
+const defaultCloudCredentialDeps = {
+    readStoredAuth,
+    refreshStoredAuth,
+    connectProvider,
+    createCloudApiClient(auth, apiUrl) {
+        return new CloudApiClient({
+            apiUrl,
+            accessToken: auth.accessToken,
+            refreshToken: auth.refreshToken,
+            accessTokenExpiresAt: auth.accessTokenExpiresAt
+        });
+    }
+};
+let cloudCredentialDeps = defaultCloudCredentialDeps;
+export function configureCloudCredentialDepsForTest(overrides) {
+    const previous = cloudCredentialDeps;
+    cloudCredentialDeps = { ...cloudCredentialDeps, ...overrides };
+    return () => {
+        cloudCredentialDeps = previous;
+    };
+}
 /**
  * Cloud-hosted deploy mode. Uploads the deploy-ready persona bundle to a
  * workforce-compatible cloud endpoint. The implementation is intentionally
@@ -29,7 +46,7 @@ export const cloudLauncher = {
                 io: input.io,
                 noPrompt
             });
-        await ensureHarnessReady({
+        const credentialSelections = await ensureHarnessReady({
             cloudUrl,
             workspaceId: input.workspace,
             token: auth.token,
@@ -39,14 +56,6 @@ export const cloudLauncher = {
             harnessSource: input.harnessSource,
             byokKey: input.byokKey
         });
-        await ensureCloudIntegrations({
-            cloudUrl,
-            workspaceId: input.workspace,
-            token: auth.token,
-            persona: input.persona,
-            io: input.io,
-            noPrompt
-        });
         const existingPersona = await handleExistingPersona({
             cloudUrl,
             workspaceId: input.workspace,
@@ -76,6 +85,10 @@ export const cloudLauncher = {
                 agent: await readFile(input.bundle.bundlePath, 'utf8'),
                 packageJson: JSON.parse(await readFile(input.bundle.packageJsonPath, 'utf8'))
             },
+            // Keep both casings until all cloud deploy endpoints converge; older
+            // previews read snake_case, while current routes read camelCase.
+            credentialSelections,
+            credential_selections: credentialSelections,
             inputs: input.inputs ?? readInputsOverride()
         });
         input.io.info(`cloud: deploying persona bundle to ${cloudUrl}`);
@@ -139,9 +152,9 @@ function resolveCloudUrl(input) {
     const fromEnv = process.env.WORKFORCE_DEPLOY_CLOUD_URL?.trim()
         || process.env.WORKFORCE_CLOUD_URL?.trim();
     const fromPersona = readPersonaCloudDeployUrl(input.persona);
-    const raw = fromInput || fromEnv || fromPersona || DEFAULT_CLOUD_URL;
+    const raw = fromInput || fromEnv || fromPersona || defaultApiUrl();
     const resolved = normalizeCloudUrl(raw);
-    if (resolved !== DEFAULT_CLOUD_URL) {
+    if (resolved !== normalizeCloudUrl(defaultApiUrl())) {
         input.io.info(`cloud: using custom cloud URL ${resolved}. Build your own cloud docs: ${BUILD_YOUR_OWN_CLOUD_DOCS_URL}`);
     }
     return resolved;
@@ -156,28 +169,31 @@ async function ensureHarnessReady(args) {
     const source = await resolveHarnessSource(args);
     const modelProvider = deriveModelProvider(args.persona);
     if (source === 'plan') {
-        await saveProviderCredential({
+        const credentialId = await saveProviderCredential({
             cloudUrl: args.cloudUrl,
+            workspaceId: args.workspaceId,
             token: args.token,
             modelProvider,
             authType: 'relay_managed'
         });
         args.io.info(`cloud: using workforce plan credentials for ${args.persona.harness}`);
-        return;
+        return { [modelProvider]: credentialId };
     }
     if (source === 'byok') {
         const key = await resolveByokKey(args);
-        await saveProviderCredential({
+        const credentialId = await saveProviderCredential({
             cloudUrl: args.cloudUrl,
+            workspaceId: args.workspaceId,
             token: args.token,
             modelProvider,
             authType: 'byo_api_key',
             apiKey: key
         });
         args.io.info(`cloud: using BYOK credentials for ${args.persona.harness}`);
-        return;
+        return { [modelProvider]: credentialId };
     }
     await ensureHarnessOauth(args);
+    return {};
 }
 async function resolveHarnessSource(args) {
     if (args.harnessSource)
@@ -195,13 +211,14 @@ async function resolveHarnessSource(args) {
     return expectHarnessSource(answer);
 }
 async function isHarnessOauthConnected(args) {
-    const url = `${args.cloudUrl}/api/v1/users/me/provider_credentials?model_provider=${encodeURIComponent(deriveModelProvider(args.persona))}`;
-    const res = await fetch(url, {
+    const auth = await readUsableCloudAuth(args.cloudUrl);
+    if (!auth)
+        return false;
+    const client = cloudCredentialDeps.createCloudApiClient(auth, args.cloudUrl);
+    const path = `/api/v1/users/me/provider_credentials?model_provider=${encodeURIComponent(deriveModelProvider(args.persona))}`;
+    const res = await client.fetch(path, {
         method: 'GET',
-        headers: {
-            authorization: `Bearer ${args.token}`,
-            'user-agent': USER_AGENT
-        }
+        headers: { 'user-agent': USER_AGENT }
     });
     if (res.status === 404 || res.status === 405)
         return false;
@@ -242,76 +259,17 @@ async function ensureHarnessOauth(args) {
         throw new Error(`cloud: ${args.persona.harness} credentials are required for deploy`);
     }
     const modelProvider = deriveModelProvider(args.persona);
-    const startUrl = `${args.cloudUrl}/api/v1/users/me/provider_credentials/auth-session`;
-    const body = await requestJsonWithRetry(startUrl, {
-        method: 'POST',
-        headers: jsonHeaders(args.token),
-        body: JSON.stringify({
-            model_provider: modelProvider,
-            provider: args.persona.harness,
-            language: 'typescript'
-        })
-    }, { action: 'cloud harness OAuth start' });
-    const connectUrl = readFirstString(body, ['connectLink', 'authUrl', 'url', 'sandboxUrl']);
-    if (connectUrl) {
-        args.io.info(`cloud: open ${connectUrl} to finish ${args.persona.harness} OAuth`);
-        tryOpenBrowser(connectUrl);
-    }
-    await pollUntil(() => isHarnessOauthConnected(args), `timed out waiting for ${args.persona.harness} OAuth credentials`);
-    args.io.info(`cloud: ${args.persona.harness} credentials connected`);
-}
-async function ensureCloudIntegrations(args) {
-    const providers = Object.keys(args.persona.integrations ?? {});
-    for (const provider of providers) {
-        const ready = await isIntegrationReady({ ...args, provider });
-        if (ready) {
-            args.io.info(`cloud: integrations.${provider} ready`);
-            continue;
-        }
-        if (args.noPrompt) {
-            throw new Error(`cloud: integrations.${provider} is not connected. Run without --no-prompt or connect it before deploying.`);
-        }
-        const ok = await args.io.confirm(`Connect ${provider} in workforce cloud now? (opens browser)`, { defaultValue: true });
-        if (!ok) {
-            throw new Error(`cloud: integrations.${provider} is required for deploy`);
-        }
-        await connectIntegration({ ...args, provider });
-        await pollUntil(() => isIntegrationReady({ ...args, provider }), `timed out waiting for integrations.${provider} to become ready`);
-        args.io.info(`cloud: integrations.${provider} connected`);
-    }
-}
-async function isIntegrationReady(args) {
-    const url = `${args.cloudUrl}/api/v1/workspaces/${encodeURIComponent(args.workspaceId)}/integrations?provider=${encodeURIComponent(args.provider)}`;
-    const res = await fetch(url, {
-        method: 'GET',
-        headers: {
-            authorization: `Bearer ${args.token}`,
-            'user-agent': USER_AGENT
-        }
-    });
-    if (res.status === 401) {
-        throw new Error('cloud integration check failed: unauthorized. Run `workforce login` and retry.');
-    }
-    if (res.status === 404)
-        return false;
-    if (!res.ok) {
-        throw new Error(`cloud integration check failed: ${res.status} ${await responseExcerpt(res)}`);
-    }
-    const body = (await res.json());
-    return integrationReady(body, args.provider);
-}
-async function connectIntegration(args) {
-    await waitForOAuthCallback({
-        action: `integrations.${args.provider}`,
-        io: args.io,
-        buildUrl(returnTo) {
-            const url = new URL('/integrations', args.cloudUrl);
-            url.searchParams.set('provider', args.provider);
-            url.searchParams.set('workspace', args.workspaceId);
-            url.searchParams.set('return_to', returnTo);
-            return url.toString();
+    await cloudCredentialDeps.connectProvider({
+        provider: modelProvider,
+        apiUrl: args.cloudUrl,
+        language: 'typescript',
+        io: {
+            log: (...parts) => args.io.info(parts.map(String).join(' ')),
+            error: (...parts) => args.io.error(parts.map(String).join(' '))
         }
     });
+    await pollUntil(() => isHarnessOauthConnected(args), `timed out waiting for ${args.persona.harness} OAuth credentials`);
+    args.io.info(`cloud: ${args.persona.harness} credentials connected`);
 }
 async function handleExistingPersona(args) {
     const existing = await findExistingAgent(args);
@@ -411,23 +369,67 @@ function parseAgentLike(value) {
     };
 }
 async function saveProviderCredential(args) {
-    await requestJsonWithRetry(`${args.cloudUrl}/api/v1/users/me/provider_credentials`, {
+    if (args.authType === 'relay_managed') {
+        const url = new URL(`${args.cloudUrl}/api/v1/workspaces/${encodeURIComponent(args.workspaceId)}/provider-credentials/managed`);
+        url.searchParams.set('provider', args.modelProvider);
+        const body = await requestJsonWithRetry(url.toString(), {
+            method: 'POST',
+            headers: jsonHeaders(args.token)
+        }, { action: 'cloud managed provider credentials' });
+        return readCredentialId(body);
+    }
+    const body = await requestJsonWithRetry(`${args.cloudUrl}/api/v1/workspaces/${encodeURIComponent(args.workspaceId)}/provider-credentials/byok`, {
         method: 'POST',
         headers: jsonHeaders(args.token),
         body: JSON.stringify({
+            // Keep both casings during the deploy-v1 rollout for the same mixed
+            // preview/production route compatibility as the deploy payload above.
+            modelProvider: args.modelProvider,
             model_provider: args.modelProvider,
-            auth_type: args.authType,
-            ...(args.apiKey ? { api_key: args.apiKey } : {})
+            key: args.apiKey,
+            api_key: args.apiKey
         })
-    }, { action: 'cloud provider credentials save' });
+    }, { action: 'cloud BYOK provider credentials' });
+    return readCredentialId(body);
 }
 function deriveModelProvider(persona) {
     const model = typeof persona.model === 'string' ? persona.model.trim() : '';
+    if (!model)
+        return persona.harness;
+    const lower = model.toLowerCase();
+    if (matchesProviderToken(lower, ['anthropic', 'claude']))
+        return 'anthropic';
+    if (matchesProviderToken(lower, ['openai', 'codex', 'gpt']))
+        return 'openai';
+    if (matchesProviderToken(lower, ['google', 'gemini']))
+        return 'google';
+    if (matchesProviderToken(lower, ['openrouter', 'opencode']))
+        return 'openrouter';
     const [provider] = model.split(/[/:]/, 1);
     if (provider?.trim())
-        return provider.trim();
+        return provider.trim().toLowerCase();
     return persona.harness;
 }
+function matchesProviderToken(model, tokens) {
+    return tokens.some((token) => new RegExp(`^${escapeRegExp(token)}($|[/:._-])`).test(model));
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+function readCredentialId(body) {
+    const direct = readFirstString(body, ['providerCredentialId', 'provider_credential_id', 'credentialId', 'id']);
+    if (direct)
+        return direct;
+    for (const field of ['credential', 'providerCredential']) {
+        const nested = body[field];
+        if (nested && typeof nested === 'object' && !Array.isArray(nested)) {
+            const nestedId = readFirstString(nested, ['id', 'providerCredentialId', 'provider_credential_id']);
+            if (nestedId)
+                return nestedId;
+        }
+    }
+    throw new Error('cloud provider credentials response missing credential id');
+}
 function providerCredentialsReady(body) {
     const candidates = [
         body.credential,
@@ -447,87 +449,6 @@ function providerCredentialsReady(body) {
             || typeof record.id === 'string';
     });
 }
-function integrationReady(body, provider) {
-    const candidates = [
-        ...(Array.isArray(body.integrations) ? body.integrations : []),
-        body
-    ];
-    return candidates.some((candidate) => {
-        if (!candidate || typeof candidate !== 'object' || Array.isArray(candidate))
-            return false;
-        const record = candidate;
-        const recordProvider = typeof record.provider === 'string' ? record.provider : provider;
-        if (recordProvider !== provider)
-            return false;
-        return record.ready === true
-            || record.state === 'ready'
-            || record.state === 'connected'
-            || typeof record.connectionId === 'string'
-            || typeof record.currentConnectionId === 'string';
-    });
-}
-async function waitForOAuthCallback(args) {
-    const state = randomUUID();
-    await new Promise((resolve, reject) => {
-        let settled = false;
-        const timeout = setTimeout(() => {
-            settleError(new Error(`timed out waiting for ${args.action} OAuth callback`));
-        }, pollTimeoutMs()).unref();
-        const server = createServer((request, response) => {
-            const requestUrl = new URL(request.url ?? '/', 'http://127.0.0.1');
-            if (requestUrl.pathname !== '/callback') {
-                response.statusCode = 404;
-                response.end('not found');
-                return;
-            }
-            if (requestUrl.searchParams.get('state') !== state) {
-                response.statusCode = 400;
-                response.end('invalid state');
-                settleError(new Error(`${args.action} OAuth callback returned an invalid state`));
-                return;
-            }
-            const error = requestUrl.searchParams.get('error');
-            if (error) {
-                response.statusCode = 400;
-                response.end('OAuth failed');
-                settleError(new Error(error));
-                return;
-            }
-            response.statusCode = 200;
-            response.end('workforce OAuth complete; you can close this tab');
-            settleOk();
-        });
-        function settleOk() {
-            if (settled)
-                return;
-            settled = true;
-            clearTimeout(timeout);
-            server.close();
-            resolve();
-        }
-        function settleError(error) {
-            if (settled)
-                return;
-            settled = true;
-            clearTimeout(timeout);
-            server.close();
-            reject(error);
-        }
-        server.on('error', settleError);
-        server.listen(0, '127.0.0.1', () => {
-            const address = server.address();
-            if (!address || typeof address === 'string') {
-                settleError(new Error(`failed to start ${args.action} OAuth callback server`));
-                return;
-            }
-            const callback = new URL('/callback', `http://127.0.0.1:${address.port}`);
-            callback.searchParams.set('state', state);
-            const connectUrl = args.buildUrl(callback.toString());
-            args.io.info(`cloud: open ${connectUrl} to finish ${args.action} OAuth`);
-            tryOpenBrowser(connectUrl);
-        });
-    });
-}
 function expectHarnessSource(value) {
     const normalized = value.trim().toLowerCase();
     if (normalized === 'plan' || normalized === 'byok' || normalized === 'oauth') {
@@ -574,9 +495,33 @@ function readPersonaCloudDeployUrl(persona) {
 function normalizeCloudUrl(url) {
     const trimmed = url.trim();
     if (!trimmed)
-        return DEFAULT_CLOUD_URL;
+        return normalizeCloudUrl(defaultApiUrl());
     return trimmed.replace(/\/+$/, '');
 }
+async function readUsableCloudAuth(apiUrl) {
+    let auth = await cloudCredentialDeps.readStoredAuth().catch(() => null);
+    if (!auth)
+        return null;
+    if (isAuthExpired(auth.accessTokenExpiresAt)) {
+        auth = await cloudCredentialDeps.refreshStoredAuth(auth).catch((err) => {
+            console.warn(`cloud: stored auth refresh failed: ${formatErrorMessage(err)}`);
+            return null;
+        });
+    }
+    if (!auth)
+        return null;
+    return {
+        ...auth,
+        apiUrl
+    };
+}
+function formatErrorMessage(err) {
+    return err instanceof Error ? err.message : String(err);
+}
+function isAuthExpired(expiresAt) {
+    const millis = Date.parse(expiresAt);
+    return Number.isNaN(millis) || millis <= Date.now() + 60_000;
+}
 function readInputsOverride() {
     const raw = process.env.WORKFORCE_DEPLOY_INPUTS_JSON?.trim();
     if (!raw)
@@ -678,19 +623,6 @@ function emitLog(args, line) {
     args.onLog?.(line);
     args.io.info(line);
 }
-function tryOpenBrowser(url) {
-    const command = platform() === 'darwin'
-        ? 'open'
-        : platform() === 'win32'
-            ? 'cmd'
-            : 'xdg-open';
-    const args = platform() === 'win32' ? ['/c', 'start', '', url] : [url];
-    const child = spawn(command, args, { stdio: 'ignore', detached: true });
-    child.on('error', () => {
-        // URL is printed; browser launch is best-effort.
-    });
-    child.unref();
-}
 function pollTimeoutMs() {
     return numberFromEnv('WORKFORCE_DEPLOY_POLL_TIMEOUT_MS') ?? POLL_TIMEOUT_MS;
 }