Add health checks, auto-reauth, and record-session flags to managed auth

[masnwilliams]

Summary

• Surfaces the managed-auth health-monitoring controls in `kernel auth connections create` and `update`.
• Bumps `kernel-go-sdk` to v0.55.0 to pull in the new SDK fields (`HealthChecks`, `AutoReauth`, `RecordSession` on `ManagedAuthCreateRequestParam` and `ManagedAuthUpdateRequestParam`, and on `ManagedAuth`).
• Updates the managed-auth summary table to display the three booleans.

Flags

Create (server-side defaults: `health_checks=true`, `auto_reauth=true`, `record_session=false`):

• `--no-health-checks` — opt out of periodic health checks
• `--no-auto-reauth` — opt out of automatic re-auth on session expiry
• `--record-session` — opt in to recording browser sessions

Update (toggle both directions):

• `--health-checks` / `--no-health-checks`
• `--auto-reauth` / `--no-auto-reauth`
• `--record-session` / `--no-record-session`

Conflicting flag pairs are marked mutually exclusive.

Test plan

• `make test` — full suite passes including new `TestAuthConnectionsCreate_HealthMonitoringFlags` and updated update-mapping assertions.
• Manual: `kernel auth connections create --domain ... --profile-name ... --no-health-checks --no-auto-reauth --record-session` produces a connection with the three fields set as expected.
• Manual: `kernel auth connections update --health-checks --auto-reauth --no-record-session` flips the fields back.

🤖 Generated with Claude Code

---

Note

Medium Risk
Changes how operators configure session health checks, automatic re-authentication, and default session recording for managed auth—auth-adjacent behavior with server-side impact, but limited to CLI/API field wiring and covered by unit tests.

Overview
Exposes managed auth health-monitoring settings on kernel auth connections create and update, wiring new SDK fields (HealthChecks, AutoReauth, RecordSession) through the CLI.

Create uses opt-out / opt-in flags aligned with server defaults: --no-health-checks, --no-auto-reauth, and --record-session only send explicit values when set. Update adds paired toggles (--health-checks / --no-health-checks, --auto-reauth / --no-auto-reauth, --record-session / --no-record-session) with the same BoolFlag + Changed() pattern as save-credentials, plus mutual exclusivity on each pair.

After create/update, the managed auth summary table now always shows the three booleans. Tests cover create flag mapping and extend the update param-mapping test.

^{Reviewed by Cursor Bugbot for commit 9a7b8bf. Bugbot is set up for automated code reviews on this repo. Configure here.}

[firetiger-agent]

Monitoring Plan: Auth Connection CLI — New Health/Session Flags

This PR adds three new flags to auth connections create and auth connections update: --no-health-checks / --health-checks, --no-auto-reauth / --auto-reauth, and --record-session / --no-record-session. It also bumps the kernel-go-sdk from v0.53.0 to v0.55.0 to expose the backing API fields (HealthChecks, AutoReauth, RecordSession). The change is purely CLI-side — it maps flag values onto existing API parameters — with no schema migrations and no new server-side logic.

Key risks to watch: (1) The new fields flowing through to the API could hit validation errors if the SDK v0.55 contract differs from what the server expects, surfacing as 4xx/5xx spikes on PostAuthConnections or PatchAuthConnectionsById. (2) Setting --no-health-checks disables the periodic health-check scheduler for a connection; if misused at scale, the skipped count in kernel_managed_auth_health_check_total should rise significantly. (3) Enabling --record-session by default on connections may increase recording-start traffic. Baselines: PostAuthConnections ~550–1,950/hr, PatchAuthConnectionsById ~57–240/hr, both currently 0 HTTP 5xx errors. Health-check non-skipped total runs ~8,500–673,000/hr (varies by time of day); error rate ~2–3% of non-skipped checks. Session success rate ~67% of total sessions/hr.

Status updates will be posted automatically on this PR as monitoring progresses.

View agent

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 8abaeaa. Configure here.}

[cursor]

Get view missing new health-monitoring boolean fields

Medium Severity

The Get function builds its own detailed table (not using printManagedAuthSummary) and already displays HealthCheckInterval, but was not updated to also display the three new boolean fields (HealthChecks, AutoReauth, RecordSession). These fields are shown after create and update via printManagedAuthSummary, but the get command — the primary way to inspect a connection — silently omits them. Users who set these flags won't be able to verify them through get.

Additional Locations (1)

• cmd/auth_connections.go#L238-L241

 

^{Reviewed by Cursor Bugbot for commit 8abaeaa. Configure here.}

[dcruzeneil2]

looks good to me, 2 nit (first one blocking, second one non-blocking):

Nit 1: the get command does not display HealthChecks, AutoReauth, or RecordSession. It builds its own table separately from printManagedAuthSummary. Users who set these flags on create/update will not be able to verify through get. Could you add the 3 lines there as well? (caught by Bugbot as well)

Nit 2: unlike the dashboard (which auto-disables auto-reauth when health checks are turned off), the CLI lets you pass --no-health-checks without --no-auto-reauth. The result is health_checks = false, and auto_reauth = true, which is harmless because of the way the temporal workflow works but could be potentially confusing. Worth either updating the API (also noted in the other PR), or making that change here in the CLI, or just adding a comment and explaining it's a no-op.