Add health checks, auto-reauth, and record-session flags to managed auth

[masnwilliams]

Summary

• Surfaces the managed-auth health-monitoring controls in `kernel auth connections create` and `update`.
• Bumps `kernel-go-sdk` to v0.55.0 to pull in the new SDK fields (`HealthChecks`, `AutoReauth`, `RecordSession` on `ManagedAuthCreateRequestParam` and `ManagedAuthUpdateRequestParam`, and on `ManagedAuth`).
• Updates the managed-auth summary table to display the three booleans.

Flags

Create (server-side defaults: `health_checks=true`, `auto_reauth=true`, `record_session=false`):

• `--no-health-checks` — opt out of periodic health checks
• `--no-auto-reauth` — opt out of automatic re-auth on session expiry
• `--record-session` — opt in to recording browser sessions

Update (toggle both directions):

• `--health-checks` / `--no-health-checks`
• `--auto-reauth` / `--no-auto-reauth`
• `--record-session` / `--no-record-session`

Conflicting flag pairs are marked mutually exclusive.

Test plan

• `make test` — full suite passes including new `TestAuthConnectionsCreate_HealthMonitoringFlags` and updated update-mapping assertions.
• Manual: `kernel auth connections create --domain ... --profile-name ... --no-health-checks --no-auto-reauth --record-session` produces a connection with the three fields set as expected.
• Manual: `kernel auth connections update --health-checks --auto-reauth --no-record-session` flips the fields back.

🤖 Generated with Claude Code

---

Note

Medium Risk
Changes how managed auth sessions are monitored, re-authenticated, and recorded; mistakes in flag mapping could leave connections in unintended states, but scope is CLI-only over existing API fields.

Overview
Exposes managed-auth health monitoring settings through kernel auth connections create and update, wiring new flags into the SDK create/update payloads and showing Health Checks, Auto Reauth, and Record Session on the post-create/update summary table.

Create uses opt-out/opt-in flags aligned with server defaults: --no-health-checks, --no-auto-reauth, and --record-session only send explicit values when set. Update adds paired toggles (--health-checks / --no-health-checks, --auto-reauth / --no-auto-reauth, --record-session / --no-record-session) with the same BoolFlag + Changed() pattern as save-credentials, and marks conflicting pairs mutually exclusive.

Tests add TestAuthConnectionsCreate_HealthMonitoringFlags and extend the update mapping test to assert the three new fields.

^{Reviewed by Cursor Bugbot for commit 79d7f48. Bugbot is set up for automated code reviews on this repo. Configure here.}

[firetiger-agent]

Monitoring Plan: Auth Connection CLI — New Health/Session Flags

This PR adds three new flags to auth connections create and auth connections update: --no-health-checks / --health-checks, --no-auto-reauth / --auto-reauth, and --record-session / --no-record-session. It also bumps the kernel-go-sdk from v0.53.0 to v0.55.0 to expose the backing API fields (HealthChecks, AutoReauth, RecordSession). The change is purely CLI-side — it maps flag values onto existing API parameters — with no schema migrations and no new server-side logic.

Key risks to watch: (1) The new fields flowing through to the API could hit validation errors if the SDK v0.55 contract differs from what the server expects, surfacing as 4xx/5xx spikes on PostAuthConnections or PatchAuthConnectionsById. (2) Setting --no-health-checks disables the periodic health-check scheduler for a connection; if misused at scale, the skipped count in kernel_managed_auth_health_check_total should rise significantly. (3) Enabling --record-session by default on connections may increase recording-start traffic. Baselines: PostAuthConnections ~550–1,950/hr, PatchAuthConnectionsById ~57–240/hr, both currently 0 HTTP 5xx errors. Health-check non-skipped total runs ~8,500–673,000/hr (varies by time of day); error rate ~2–3% of non-skipped checks. Session success rate ~67% of total sessions/hr.

Status updates will be posted automatically on this PR as monitoring progresses.

View agent

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 8abaeaa. Configure here.}

[dcruzeneil2]

looks good to me, 2 nit (first one blocking, second one non-blocking):

Nit 1: the get command does not display HealthChecks, AutoReauth, or RecordSession. It builds its own table separately from printManagedAuthSummary. Users who set these flags on create/update will not be able to verify through get. Could you add the 3 lines there as well? (caught by Bugbot as well)

Nit 2: unlike the dashboard (which auto-disables auto-reauth when health checks are turned off), the CLI lets you pass --no-health-checks without --no-auto-reauth. The result is health_checks = false, and auto_reauth = true, which is harmless because of the way the temporal workflow works but could be potentially confusing. Worth either updating the API (also noted in the other PR), or making that change here in the CLI, or just adding a comment and explaining it's a no-op.