feat(eve): recover remote TUI authentication

[ruiconti]

Description

Remote eve dev sessions need to recover when a verified Vercel deployment rejects missing, stale, or untrusted local OIDC credentials. This PR adds that recovery path on top of the credential boundary in #109 and the project-selection boundary in #110.

At startup, the TUI attempts a project-scoped token refresh when a refresh token is available, probes the deployment, and exposes /vc:auth only for recognized Vercel or Eve authentication failures.

Core invariant

The selected project is a candidate. The deployment resolved from the target URL is authoritative for:

• the owner and project allowed to receive the live token;
• the project whose Trusted Sources policy may change;
• the final post-auth connection probe.

A selection that does not match the target deployment fails before project, policy, or environment mutation.

What

• Show remote deployment and authentication state in the TUI status line.
• Attempt refreshed project-scoped OIDC credentials during startup.
• Add a cancellable /vc:auth flow with team and project selection.
• Let Escape go back inside /vc:auth while ordinary setup flows still cancel.
• Confirm Trusted Sources changes, reread current policy immediately before PATCH, then validate the exact returned project identity.
• Apply mutations in dependency order: project link, Trusted Sources, environment pull, final probe.
• Race async credential resolution against request cancellation.
• Keep blank space around the live Working status and retain the badge, notices, and command polish.
• Move Vercel setup commands under the /vc:* namespace.

Review map

• remote-connection.ts owns startup probing and replacement of active credentials.
• remote-auth.ts owns the interactive state machine and mutation ordering.
• vercel-trusted-sources-policy.ts owns the pure environment-policy decision.
• vercel-trusted-sources.ts owns the Vercel API boundary.
• setup-commands.ts and the TUI renderer/status files own the visible flow.

Diff shape

The incremental PR is 5,257 changed lines:

• 2,780 production lines;
• 2,437 test lines;
• 40 documentation and release-metadata lines.

The three large product seams above are paired with direct unit tests. This supersedes the closed monolithic #98.

Stack

1. fix(eve): verify remote Vercel credentials #109 — verified remote credentials
2. feat(eve): search team-scoped Vercel projects #110 — team-scoped project selection
3. feat(eve): recover remote TUI authentication #111 — remote TUI authentication recovery

Verification

Passed on the stack rebased onto current origin/main:

• workspace typecheck, format, lint, docs validation, invariant checks, and build;
• 3,747 eve unit tests;
• 323 integration tests;
• 253 scenario tests, with 15 skipped;
• 163 focused client, remote-connection, auth-flow, Trusted Sources, renderer, and status tests.

The non-server TUI smoke scripts passed, including auth states, log modes, model setup, slash commands, status line, and transport errors. Server-backed smoke scripts could not start because an unrelated process already owned the harness fixed port 3000.

PR Checklist

• I ran the relevant checks from CONTRIBUTING.md
• I added tests and documentation where relevant
• I added a changeset
• Every commit has a DCO sign-off

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
eve-docs	Ready	Preview, Comment, Open in v0	Jun 19, 2026 3:35pm