Auth: 'kane-cli login' + whoami report success while backend rejects every API call

[hardikshah197]

Summary

After kane-cli login reports "Authenticated" and kane-cli whoami confirms the profile, every actual API call (balance, run, testmd) returns Controller auth failed: authentication failed / invalid or expired token. The only fix is to logout and login multiple times (took 4 retries in my case) until the credentials happen to land in a server-accepted state.

Repro

$ kane-cli logout
$ kane-cli login --username <user> --access-key <key>
Logged in as default [prod] via basic auth
✓
$ kane-cli whoami
✓ Authenticated
  Method: basic (<user>)
$ kane-cli balance
Error: Credit balance request failed: 401 {"error":"invalid or expired token"}
$ kane-cli run "..."
{"type":"error","message":"Controller auth failed: {\"error\":\"authentication failed\"}"}
{"type":"run_end","status":"failed","reason_code":"infra_error.controller_auth"}

Suggested fixes

• kane-cli login should make a server roundtrip to verify credentials work before declaring success. If the credentials don't authenticate against the controller, fail the login command with the actual error.
• kane-cli whoami should reflect the actual server-side auth state, not just the presence of a local credentials file. Hit a /me endpoint and surface the real status.
• When credentials are silently broken, surface the rotate-your-access-key hint in the error.

Environment

• kane-cli 0.2.9
• macOS 14