Fix race conditions in CLI auth credential fetching

Critical fixes for OAuth auth reliability:

1. /creds endpoint now checks for token existence, not just status
   - Status='success' can be set before credentials are extracted
   - Added hasToken field to error response for debugging

2. Added error passthrough in /creds endpoint
   - Returns errorHint and recoverable for auth failures
   - Allows frontend to show actionable error messages

3. Added retry loop for credential fetching in cloud API
   - 5 retries with 1s delay (5s total wait)
   - Handles race between OAuth completion and credential extraction
   - Returns immediately on auth error (no retry)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: khaliqgant

src/cloud/api/onboarding.ts

@@ -343,30 +343,67 @@ onboardingRouter.post('/cli/:provider/complete/:sessionId', async (req: Request,
         session.status = 'success';
       }
 
-      // Fetch credentials from workspace
+      // Fetch credentials from workspace with retry
+      // Credentials may not be immediately available after OAuth completes
       if (!accessToken) {
-        try {
-          const credsResponse = await fetch(
-            `${session.workspaceUrl}/auth/cli/${provider}/creds/${session.workspaceSessionId}`
-          );
-          if (credsResponse.ok) {
-            const creds = await credsResponse.json() as {
-              token?: string;
-              refreshToken?: string;
-              expiresAt?: string;
+        const MAX_CREDS_RETRIES = 5;
+        const CREDS_RETRY_DELAY = 1000; // 1 second between retries
+
+        for (let attempt = 1; attempt <= MAX_CREDS_RETRIES; attempt++) {
+          try {
+            console.log(`[onboarding] Fetching credentials from workspace (attempt ${attempt}/${MAX_CREDS_RETRIES})`);
+            const credsResponse = await fetch(
+              `${session.workspaceUrl}/auth/cli/${provider}/creds/${session.workspaceSessionId}`
+            );
+
+            if (credsResponse.ok) {
+              const creds = await credsResponse.json() as {
+                token?: string;
+                refreshToken?: string;
+                tokenExpiresAt?: string;
+              };
+              accessToken = creds.token;
+              refreshToken = creds.refreshToken;
+              if (creds.tokenExpiresAt) {
+                tokenExpiresAt = new Date(creds.tokenExpiresAt);
+              }
+              console.log('[onboarding] Fetched credentials from workspace:', {
+                hasToken: !!accessToken,
+                hasRefreshToken: !!refreshToken,
+                attempt,
+              });
+              break; // Success, exit retry loop
+            }
+
+            // Check if it's an error state (not just "not ready yet")
+            const errorBody = await credsResponse.json().catch(() => ({})) as {
+              status?: string;
+              error?: string;
+              errorHint?: string;
+              recoverable?: boolean;
             };
-            accessToken = creds.token;
-            refreshToken = creds.refreshToken;
-            if (creds.expiresAt) {
-              tokenExpiresAt = new Date(creds.expiresAt);
+
+            if (errorBody.status === 'error') {
+              // Auth failed, don't retry
+              console.error('[onboarding] Auth failed in workspace:', errorBody);
+              return res.status(400).json({
+                error: errorBody.error || 'Authentication failed',
+                errorHint: errorBody.errorHint,
+                recoverable: errorBody.recoverable,
+              });
+            }
+
+            // If not ready yet and we have more retries, wait and try again
+            if (attempt < MAX_CREDS_RETRIES) {
+              console.log(`[onboarding] Credentials not ready yet, retrying in ${CREDS_RETRY_DELAY}ms...`);
+              await new Promise(resolve => setTimeout(resolve, CREDS_RETRY_DELAY));
+            }
+          } catch (err) {
+            console.error(`[onboarding] Failed to get credentials from workspace (attempt ${attempt}):`, err);
+            if (attempt < MAX_CREDS_RETRIES) {
+              await new Promise(resolve => setTimeout(resolve, CREDS_RETRY_DELAY));
             }
-            console.log('[onboarding] Fetched credentials from workspace:', {
-              hasToken: !!accessToken,
-              hasRefreshToken: !!refreshToken,
-            });
           }
-        } catch (err) {
-          console.error('[onboarding] Failed to get credentials from workspace:', err);
         }
       }
     }

src/daemon/api.ts

@@ -371,13 +371,36 @@ export class DaemonApi extends EventEmitter {
       if (!session) {
         return { status: 404, body: { error: 'Session not found' } };
       }
-      if (session.status !== 'success') {
-        return { status: 400, body: { error: 'Auth not complete', status: session.status } };
+      // Check for error state first
+      if (session.status === 'error') {
+        return {
+          status: 400,
+          body: {
+            error: session.error || 'Authentication failed',
+            errorHint: session.errorHint,
+            recoverable: session.recoverable,
+            status: session.status,
+          },
+        };
+      }
+      // Check if auth is complete AND we have credentials
+      // Status can be 'success' before credentials are extracted (race condition)
+      if (session.status !== 'success' || !session.token) {
+        return {
+          status: 400,
+          body: {
+            error: 'Auth not complete or credentials not yet available',
+            status: session.status,
+            hasToken: !!session.token,
+          },
+        };
       }
       return {
         status: 200,
         body: {
           token: session.token,
+          refreshToken: session.refreshToken,
+          tokenExpiresAt: session.tokenExpiresAt,
           provider: session.provider,
         },
       };