CLI: Update SDK to cee2050 and add credential-providers commands (#82)

[dprevoznik]

This PR updates the Go SDK to cee2050be3f8136505d41c20c2903dfca2cbc479 and adds CLI commands for new SDK methods.

SDK Update

• Updated kernel-go-sdk to cee2050be3f8136505d41c20c2903dfca2cbc479

Coverage Analysis

This PR was generated by performing a full enumeration of SDK methods and CLI commands.

New Commands

• kernel credential-providers list - List configured external credential providers
• kernel credential-providers get <id> - Get a credential provider by ID
• kernel credential-providers create - Create a new credential provider (supports 1Password)
• kernel credential-providers update <id> - Update a credential provider's configuration
• kernel credential-providers delete <id> - Delete a credential provider
• kernel credential-providers test <id> - Test a credential provider connection

Breaking Changes Fixed

• Fixed browsers.Get() calls to pass new required BrowserGetParams parameter

Triggered by:
kernel/kernel-go-sdk@cee2050 Reviewer: @masnwilliams

---

Note

Introduces automated web auth and external credential provider management to the CLI, updates to latest Kernel SDK, and adapts browser commands to new SDK APIs.

• Agent Auth (new): Adds kernel agents auth commands including run (end‑to‑end auth flow with auto field submission, TOTP, MFA, live view), plus create/get/list/delete and invocation create/get/exchange/submit; documented in README with examples
• Credential Providers (new): Adds kernel credential-providers list/get/create/update/delete/test (supports onepassword), wired into root
• SDK upgrade: Bumps kernel-go-sdk to cee2050 (v0.27.1-pre); fixes breaking change by passing kernel.BrowserGetParams to all browsers.Get calls and tests
• Browser features: Adds browsers process resize (PTY resize) and filesystem watch (fs watch start/stop/events), updates service interfaces and command wiring
• Docs/Deps: README updated with Agent Auth; adds pquerna/otp and related indirect deps

^{Written by Cursor Bugbot for commit ca377b6. This will update automatically on new commits. Configure here.}

---

[cursor]

Cursor Bugbot has reviewed your changes and found 3 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Dead code due to impossible condition

Low Severity

The condition in.SaveCredentialAs != "" && credentialName == "" at line 689 can never evaluate to true. When in.SaveCredentialAs is non-empty, the code always sets credentialName to a non-empty value either from in.CredentialName (line 610) or from in.SaveCredentialAs itself (line 617). This makes lines 689-692 unreachable dead code that will never execute.

 

[cursor]

Test command returns success when connection test fails

Medium Severity

The Test function returns nil (exit code 0) even when result.Success is false and the connection test has failed. When the test fails, line 267 prints an error message via pterm.Error.Printf, but the function still returns nil at line 281. This causes the CLI command to exit with success status even on test failure, which breaks automation and scripting scenarios where users check exit codes.

 

[cursor]

Missing tracking for MFA TOTP submissions causes duplicates

Medium Severity

The MFA TOTP code submission path (lines 893-912) lacks tracking to prevent duplicate submissions. While field submissions are tracked via fieldsSubmitted map (line 704) with checks at lines 786-789, the MFA TOTP submission has no equivalent tracking. If the backend doesn't immediately clear resp.MfaOptions after accepting the TOTP code, the next poll iteration (2 seconds later) will generate and submit another TOTP code, potentially causing auth failures or rejected codes due to replay protection.

Additional Locations (1)

• cmd/agents.go#L702-L704