
PR-B: cloud token administration (runner + commands) #2

Merged: edgrosvenor merged 2 commits into main from feat/cli-cloud on Jun 15, 2026


@edgrosvenor

Contributor

PR-B — cloud token administration (CLI)

Adds the Cloud-CLI-driven token administration layer on top of the PR-A core.

What shipped (vs plan)

  • CloudCommandRunner — wraps the Laravel Cloud CLI via the Process facade. resolveEnvironment() (1 env → auto, many → prompt, 0 → throw; app id from config or .cloud/config.json); run() executes command:run <env> --cmd "php artisan ..." --json --fields=output,exitCode --no-interaction and parses the JSON.
  • Contracts\UsageReporter + NullUsageReporter (singleton-bound; consuming apps override).
  • Commands token:create|rotate|revoke|list|usage + fallback-token:generate, each with a driver (default) and hidden --execute mode.

Deserves attention

  • Security boundary (tested for both create & rotate): in driver mode the freshly generated plaintext is NEVER placed in the Cloud --cmd — only its sha256 --hash crosses the wire; plaintext prints locally exactly once, and only after a zero remote exit code.
  • Fail-closed parsing: run() throws on a missing/non-numeric exitCode; token:list/token:usage throw on malformed/non-list remote JSON rather than rendering an empty table. Prevents a corrupt Cloud response from looking like success.
  • Remote token names are escapeshellarg-quoted in the --cmd string; token:list/token:usage never expose token_hash.

Findings disposition

  • Independent review: Claude judge ACCEPT (9/9 ACs, security AC discriminating); Codex flagged fail-open exitCode parsing + a missing rotate driver security test (both fixed), plus advisories — list/usage fail-closed and an env id guard folded in.
  • Deferred (advisory, non-blocking): hide --execute from --help (only mutates the local DB; fragile to implement) and a faked multi-env prompt test.

Gate evidence

  • composer lint:test → passed · composer stan (level 6) → no errors · composer test → 38 passed (77 assertions)

Risk / next

Low risk; additive package code. After merge: tag v0.1.0 (Packagist stable), then PR-C wires the package into Matte.

Ed Grosvenor and others added 2 commits June 15, 2026 11:09
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@edgrosvenor edgrosvenor merged commit c42aec7 into main Jun 15, 2026
1 check passed
@edgrosvenor edgrosvenor deleted the feat/cli-cloud branch June 15, 2026 09:17
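
The security boundary and fail-closed parsing described in the PR, sketched in plain PHP 8 as an added example (not code from this package). `buildRemoteCommand()`, `parseRemoteResult()`, `createToken()`, the `--name` option and the injected `$runner` callable are hypothetical stand-ins, and the JSON responses are constructed.

```php
<?php declare(strict_types=1);

// Builds the string passed as --cmd. "--name" is an assumed option name;
// token:create, --execute and --hash are the names used in the PR description.
function buildRemoteCommand(string $name, string $hash): string
{
    if (preg_match('/\A[0-9a-f]{64}\z/', $hash) !== 1) {
        throw new InvalidArgumentException('hash must be 64 hex characters');
    }
    return 'php artisan token:create --execute --name=' . escapeshellarg($name)
        . ' --hash=' . $hash;
}

// Fail closed: a response without an integer exitCode is an error, not success.
function parseRemoteResult(string $json): array
{
    $data = json_decode($json, true);
    $code = is_array($data) ? ($data['exitCode'] ?? null) : null;
    if (!is_int($code) && !(is_string($code) && ctype_digit($code))) {
        throw new RuntimeException('remote response has no numeric exitCode');
    }
    $output = is_string($data['output'] ?? null) ? $data['output'] : '';
    return ['exitCode' => (int) $code, 'output' => $output];
}

// $runner stands in for the Cloud CLI call: takes the --cmd string, returns raw JSON.
function createToken(string $name, callable $runner): ?string
{
    $plaintext = bin2hex(random_bytes(32));
    $cmd = buildRemoteCommand($name, hash('sha256', $plaintext));
    $result = parseRemoteResult($runner($cmd));
    return $result['exitCode'] === 0 ? $plaintext : null; // reveal only on success
}

// Constructed responses, not captured from a real Cloud environment.
$sent = [];
$ok = function (string $cmd) use (&$sent): string {
    $sent[] = $cmd;
    return '{"output":"created","exitCode":0}';
};
$token = createToken("deploy bot's key", $ok);
if (str_contains($sent[0], $token) || !str_contains($sent[0], hash('sha256', $token))) {
    throw new LogicException('remote command must carry the hash and never the plaintext');
}
try {
    createToken('ci', fn (string $cmd): string => '{"output":"created"}');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL; // missing exitCode is not success
}
```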