fn spawn_auth_cli(
    mgr: Arc<AuthSessionManager>,
    wstore: Arc<WaveStore>,
    broker: Arc<Broker>,
    session_id: String,
    provider_id: String,
    into_bundle_id: Option<String>,
    bundle_dir: Option<String>,
    cli_path: String,
    auth_login_args: Vec<String>,
    auth_check_args: Vec<String>,
    auth_env: HashMap<String, String>,
    requires_tty: bool,
)
Spawn the provider’s auth-login CLI and drive the session through
to a terminal state. Background-only — returns immediately. The
drain task feeds stdout+stderr lines into
AuthSessionManager::record_line; on a login-success pattern OR
child exit, runs the provider’s authCheckCommand to confirm and
transitions to Success or Failed.

On the success path (CLI exited cleanly + authCheckCommand passed),
when into_bundle_id AND bundle_dir are both set, the function
persists the OAuth binding into the bundle: a SecretRef::OAuthConfigDir
account is upserted (status valid) and bound via
bundle_identity_bind. This is the §4.5 OAuth-success invariant —
after this point, future launches of any agent against the bundle
resolve through inject_identity_env’s oauth-class dispatch (PR B)
and reuse the same CLI-managed tokens inside bundle_dir.

On failure or when into_bundle_id is empty (ambient launch), the
per-bundle binding step is skipped. The bundle row (if any was
auto-created by the New Identity modal) stays — the user’s next
attempt reuses it.
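
The decision logic described above, as an added std-only sketch that is not this crate's code: stdout and stderr are drained into one line stream, a matching line is treated only as a hint, and the outcome rests on a clean exit plus a passing check command. The names drive_login, drain, run_ok, Outcome and the pattern argument are hypothetical, the sh commands are constructed stand-ins for a provider CLI, and unlike spawn_auth_cli this version blocks until the child exits and ignores auth_env and requires_tty.

```rust
use std::io::{BufRead, BufReader, Read};
use std::process::{Command, Stdio};
use std::sync::mpsc::{channel, Sender};
use std::thread;

#[derive(Debug, PartialEq)]
enum State { Success, Failed }
#[derive(Debug, PartialEq)]
struct Outcome { state: State, saw_pattern: bool, bind: bool }

// Drain: forward every line of one pipe into the shared channel.
fn drain<R: Read + Send + 'static>(pipe: R, tx: Sender<String>) {
    thread::spawn(move || for line in BufReader::new(pipe).lines().map_while(Result::ok) {
        let _ = tx.send(line);
    });
}

// Run a command with no I/O attached; true only on exit status 0.
fn run_ok(argv: &[&str]) -> bool {
    Command::new(argv[0]).args(&argv[1..]).stdin(Stdio::null())
        .stdout(Stdio::null()).stderr(Stdio::null())
        .status().map(|s| s.success()).unwrap_or(false)
}

// Hypothetical simplified driver; blocks until the CLI exits.
fn drive_login(login: &[&str], check: &[&str], pattern: &str,
               into_bundle_id: Option<&str>, bundle_dir: Option<&str>) -> Outcome {
    let failed = |saw| Outcome { state: State::Failed, saw_pattern: saw, bind: false };
    let spawned = Command::new(login[0]).args(&login[1..]).stdin(Stdio::null())
        .stdout(Stdio::piped()).stderr(Stdio::piped()).spawn();
    let Ok(mut child) = spawned else { return failed(false) };
    let (tx, rx) = channel();
    drain(child.stdout.take().unwrap(), tx.clone());
    drain(child.stderr.take().unwrap(), tx);
    // Loop ends when both pipes close. A matching line is a hint, not proof.
    let mut saw_pattern = false;
    for line in rx { saw_pattern |= line.contains(pattern); }
    let exited_clean = child.wait().map(|s| s.success()).unwrap_or(false);
    // Success needs a clean exit AND a passing check command.
    if !(exited_clean && run_ok(check)) { return failed(saw_pattern); }
    // Bind only when both bundle fields are set; an empty id is an ambient launch.
    let bind = into_bundle_id.map_or(false, |s| !s.is_empty()) && bundle_dir.is_some();
    Outcome { state: State::Success, saw_pattern, bind }
}

fn main() {
    let login = ["sh", "-c", "echo 'Login successful'"]; // constructed stand-in CLI
    println!("{:?}", drive_login(&login, &["sh", "-c", "exit 1"], "Login successful", Some("b1"), Some("/tmp/b1")));
}
```

A CLI that prints the success text while the check command fails still ends in Failed with no binding, which is why the check, not the output pattern, gates persistence.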