fix(cloud/frontend): StewardProvider syncs steward-session cookie to api.elizacloud.ai (#7360)

* fix(cloud/frontend): use apiFetch for /api/auth/steward-session so cookie sets on api.elizacloud.ai

Follow-up to #7358. setSessionCookie was still calling raw
fetch("/api/auth/steward-session"), which goes same-origin to
www.elizacloud.ai. The Worker sets steward-token + steward-authed
cookies on the host the Set-Cookie response came from, so they
end up host-only on www.elizacloud.ai.

Subsequent apiFetch calls (e.g. /api/auth/cli-session/<id>/complete)
now go cross-origin to api.elizacloud.ai (per #7358 SPA-direct
behaviour). The host-only www cookie does not flow on that
cross-origin request, the request 401s, and the CLI login screen
deadlocks at "Generating API Key" until the 30s client timeout
fires.

Switch setSessionCookie to apiFetch so the cookie-setting POST
also goes to api.elizacloud.ai. The Set-Cookie response is now
scoped to the same host that all subsequent /api/* calls hit.

Production deploy verified: /api/auth/cli-session/<id>/complete
returns 200 with the cookie attached, login flow unblocks past
"Generating API Key".

Co-authored-by: wakesync <shadow@shad0w.xyz>

* fix(cloud/frontend): StewardProvider syncs steward-session cookie to api.elizacloud.ai

Follow-up to #7359. The login form's setSessionCookie was switched to
apiFetch in #7359, but StewardProvider has its own auto-sync useEffect
that POSTs the localStorage token to /api/auth/steward-session via raw
fetch. That request still goes same-origin to www.elizacloud.ai so the
Set-Cookie response is scoped host-only to www. Then when the
/auth/cli-login page's completeCliLogin sends apiFetch to
api.elizacloud.ai, the host-only www cookie does not flow on the
cross-origin request. The CLI login spinner deadlocks at
'Generating API Key' until the 30s client timeout fires.

Same root cause, second seam.

Add a stewardSessionUrl helper that returns the absolute Workers
origin (https://api.elizacloud.ai/api/auth/steward-session) when the
SPA is running on a known elizacloud.ai host, and fall back to the
relative same-origin path everywhere else (dev, preview, ad-hoc
hosts).

All four steward-session calls in StewardProvider (one POST sync,
three DELETE wipes) now go through stewardSessionUrl with explicit
credentials: 'include'. Cookies set on api.elizacloud.ai by the POST
flow with subsequent apiFetch calls.

Verified live on production deploy 60caf2a0:
- www.elizacloud.ai/api/health -> 200 JSON
- www.elizacloud.ai/steward/auth/providers -> 200 JSON
- /auth/cli-login completes the spinner past 'Generating API Key'

Co-authored-by: wakesync <shadow@shad0w.xyz>

---------

Co-authored-by: wakesync <shadow@shad0w.xyz>

Author: 0xSolace

cloud/packages/lib/providers/StewardProvider.tsx

@@ -5,6 +5,29 @@ import { StewardAuth, StewardClient } from "@stwd/sdk";
 import { createContext, useEffect, useMemo, useRef } from "react";
 import { resolveBrowserStewardApiUrl } from "@/lib/steward-url";
 
+// Resolve the absolute origin to use for /api/* calls in the browser. On
+// known elizacloud.ai hosts, bypass the same-origin Pages Functions proxy
+// and hit the Workers API directly so the steward-session cookie is set on
+// the same host that subsequent apiFetch / cli-login calls hit. Without
+// this, the cookie is set on www.elizacloud.ai while later requests go
+// cross-origin to api.elizacloud.ai and the host-only cookie does not
+// flow, deadlocking the CLI login spinner at "Generating API Key".
+const ELIZA_CLOUD_PROXIED_HOSTS = new Set([
+  "elizacloud.ai",
+  "www.elizacloud.ai",
+  "dev.elizacloud.ai",
+]);
+const ELIZA_CLOUD_DIRECT_API = "https://api.elizacloud.ai";
+
+function stewardSessionUrl(): string {
+  if (typeof window === "undefined") return "/api/auth/steward-session";
+  const host = window.location.hostname.toLowerCase();
+  if (ELIZA_CLOUD_PROXIED_HOSTS.has(host)) {
+    return `${ELIZA_CLOUD_DIRECT_API}/api/auth/steward-session`;
+  }
+  return "/api/auth/steward-session";
+}
+
 /**
  * Steward authentication provider for Eliza Cloud.
  *
@@ -134,7 +157,7 @@ export function clearStaleStewardSession(): void {
     // ignore
   }
   // Server-side cookies (HttpOnly — JS can't touch them directly).
-  fetch("/api/auth/steward-session", { method: "DELETE" }).catch(() => {});
+  fetch(stewardSessionUrl(), { method: "DELETE", credentials: "include" }).catch(() => {});
   // Notify any in-tab listeners; the "storage" event covers cross-tab.
   try {
     window.dispatchEvent(new CustomEvent("steward-token-sync"));
@@ -175,7 +198,7 @@ function AuthTokenSync({ children }: { children: React.ReactNode }) {
           lastSyncedToken.current = null;
           lastSyncedRefreshToken.current = null;
           wasAuthenticated.current = false;
-          fetch("/api/auth/steward-session", { method: "DELETE" }).catch(() => {});
+          fetch(stewardSessionUrl(), { method: "DELETE", credentials: "include" }).catch(() => {});
         }
         return;
       }
@@ -192,8 +215,9 @@ function AuthTokenSync({ children }: { children: React.ReactNode }) {
       lastSyncedRefreshToken.current = refreshToken;
       wasAuthenticated.current = true;
 
-      fetch("/api/auth/steward-session", {
+      fetch(stewardSessionUrl(), {
         method: "POST",
+        credentials: "include",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ token, refreshToken }),
       })
@@ -266,7 +290,9 @@ function AuthTokenSync({ children }: { children: React.ReactNode }) {
             lastSyncedToken.current = null;
             lastSyncedRefreshToken.current = null;
             wasAuthenticated.current = false;
-            fetch("/api/auth/steward-session", { method: "DELETE" }).catch(() => {});
+            fetch(stewardSessionUrl(), { method: "DELETE", credentials: "include" }).catch(
+              () => {},
+            );
           }
         }
       } catch (err) {