Fix basecamp me 404 for BASECAMP_TOKEN users

[jeremy]

Summary

• Add AuthorizationEndpoint() to auth.Manager that resolves the correct authorization info URL based on the effective authentication context. BASECAMP_TOKEN takes precedence over stored credentials (matching AccessToken()), with the bc_at_ token prefix used to distinguish BC3-issued tokens from Launchpad tokens.
• Replace duplicated endpoint-selection switches in people.go and resolve/account.go, and convert all remaining nil-opts GetInfo() callers (wizard.go, doctor.go, workspace.go) to use the new method.
• Add endpoint parameter to MultiStore.DiscoverAccounts (1 production caller; tests use SetAccountsForTest).

Test plan

• bin/ci passes (unit tests, e2e, lint, vet, surface snapshot, skill drift, SDK provenance)
• 8 auth-level unit tests cover: stored bc3, stored launchpad, launchpad URL override, bc_at_ prefix token, non-prefix token, unknown stored type, and two mixed-state regressions (env token overriding conflicting stored creds in both directions)
• Command-level TestMeWithBC3Token (clean env-only path) and TestMeWithBC3TokenOverridingStaleLaunchpadCreds (the exact basecamp me returns 404 on v0.4.0 #268 scenario end-to-end)
• Resolve-level tests for bc_at_ and non-prefix BASECAMP_TOKEN routing

Fixes #268

---

Summary by cubic

Fixes a 404 when running basecamp me with BASECAMP_TOKEN by routing authorization requests to the right issuer (BC3 vs Launchpad) and passing the resolved endpoint to the SDK across commands and the TUI.

• Bug Fixes

  • BASECAMP_TOKEN now takes precedence over stored creds; bc_at_ tokens route to BC3, others to Launchpad (fixes basecamp me returns 404 on v0.4.0 #268).
  • Commands and TUI now pass the resolved endpoint to Authorization().GetInfo, preventing 404s in mixed states.
  • Normalizes BASECAMP_LAUNCHPAD_URL by trimming trailing slashes to avoid //authorization.json and related 404s.

• Refactors

  • Added auth.Manager.AuthorizationEndpoint() to unify authorization endpoint selection.
  • Removed duplicated logic in people and resolve/account; updated wizard, doctor, and workspace to use the new method.
  • Added endpoint param to workspace/data.MultiStore.DiscoverAccounts; combined identical launchpad/empty cases in AuthorizationEndpoint().

^{Written for commit d45aefc. Summary will update on new commits.}

[github-actions]

⚠️ Potential breaking changes detected:

• Removal of support for the BASECAMP_LAUNCHPAD_URL environment variable, which was previously used to override the Launchpad base URL.
• Change in behavior for determining the authorization endpoint, particularly affecting scenarios where BASECAMP_TOKEN is set and previously used 'launchpad' type stored credentials existed. The new implementation now prioritizes the AuthorizationEndpoint method, potentially altering existing workflows.

Review carefully before merging. Consider a major version bump.

[cubic-dev-ai]

1 issue found across 11 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="internal/auth/auth.go">

<violation number="1" location="internal/auth/auth.go:855">
P3: The `"launchpad"` and `""` cases are identical. Combine them into `case "launchpad", "":` to avoid the duplicated block.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[Copilot]

Pull request overview

This PR centralizes how the CLI/TUI selects the correct authorization.json endpoint (BC3 vs Launchpad), ensuring BASECAMP_TOKEN-based auth routes correctly even when stale stored credentials exist.

Changes:

• Add auth.Manager.AuthorizationEndpoint(ctx) and refactor commands/resolvers/TUI to use it when calling Authorization().GetInfo(...).
• Update TUI MultiStore.DiscoverAccounts to accept an explicit authorization endpoint.
• Add regression tests covering endpoint routing for env tokens and stale stored OAuth type.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
internal/tui/workspace/workspace.go	TUI account discovery/name lookup now resolves and passes the correct authorization endpoint.
internal/tui/workspace/data/multistore.go	DiscoverAccounts now accepts an endpoint to avoid relying on SDK defaults.
internal/tui/resolve/account.go	Resolver endpoint-selection logic replaced with AuthorizationEndpoint.
internal/tui/resolve/account_test.go	New tests verifying resolver routing for BC3 vs Launchpad tokens.
internal/commands/wizard.go	Wizard uses resolved endpoint when fetching auth info/account name.
internal/commands/people.go	basecamp me uses resolved endpoint instead of duplicating OAuth-type switching.
internal/commands/people_test.go	Added regression tests for BASECAMP_TOKEN routing and stale creds scenario.
internal/commands/doctor.go	Doctor connectivity check now uses resolved endpoint.
internal/auth/auth.go	Introduces AuthorizationEndpoint(ctx) and BC3 token prefix handling.
internal/auth/auth_test.go	Adds comprehensive tests for AuthorizationEndpoint precedence and overrides.
internal/appctx/context.go	Updates guidance comment to prefer AuthorizationEndpoint() over nil GetInfo options.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.