fix: Consolidate credential retrieval logic to fix terraform auth

This commit fixes a bug where `atmos terraform plan` and other Terraform commands
failed to use file-based credentials, while `atmos auth whoami` and similar
commands worked correctly. The root cause was duplicate credential retrieval
code across three methods with inconsistent fallback behavior.

## Problem

Three separate code paths retrieved credentials:
1. `GetCachedCredentials` - Had keyring → identity storage fallback ✓
2. `findFirstValidCachedCredentials` - Had fallback logic ✓
3. `retrieveCachedCredentials` - NO fallback (the bug!) ✗

When users authenticated via AWS SSO (credentials in files, not keyring),
Terraform commands would fail because only `retrieveCachedCredentials` was
used in that code path, and it didn't have fallback logic.

## Solution

Extracted a shared `retrieveCredentialWithFallback` method that implements
the single source of truth for credential retrieval. All three code paths
now delegate to this method, ensuring consistent behavior:

- Tries keyring cache first (fast path)
- Falls back to identity storage if not in keyring (slow path)
- Provides detailed logging and error handling

## Changes

- Added `retrieveCredentialWithFallback()` method (38 lines)
- Refactored `GetCachedCredentials()` (40% code reduction)
- Refactored `findFirstValidCachedCredentials()` (57% code reduction)
- Refactored `retrieveCachedCredentials()` (now uses shared method)
- Fixed `TestManager_GetCachedCredentials_Paths` to use proper test data

## Result

✅ All three credential retrieval paths now behave identically
✅ Terraform commands work with file-based credentials
✅ ~110 lines of duplicate code eliminated
✅ All tests pass
✅ Regression test included to prevent this class of bug

Fixes the issue where Terraform commands failed with valid session credentials.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: osterman

cmd/auth_console.go

@@ -76,7 +76,7 @@ func executeAuthConsoleCommand(cmd *cobra.Command, args []string) error {
 	// Try to use cached credentials first (passive check, no prompts).
 	// Only authenticate if cached credentials are not available or expired.
 	ctx := context.Background()
-	whoami, err := authManager.GetCachedCredentials(ctx, identityName)
+	whoami, err := authManager.DescribeIdentity(ctx, identityName)
 	if err != nil {
 		log.Debug("No valid cached credentials found, authenticating", "identity", identityName, "error", err)
 		// No valid cached credentials - perform full authentication.

cmd/auth_console_test.go

@@ -585,7 +585,7 @@ func (m *mockAuthManagerForProvider) GetProviderKindForIdentity(identityName str
 	return m.providerKind, nil
 }
 
-func (m *mockAuthManagerForProvider) GetCachedCredentials(ctx context.Context, identityName string) (*types.WhoamiInfo, error) {
+func (m *mockAuthManagerForProvider) DescribeIdentity(ctx context.Context, identityName string) (*types.WhoamiInfo, error) {
 	return nil, errors.New("not implemented")
 }
 
@@ -667,7 +667,7 @@ func (m *mockAuthManagerForIdentity) GetProviderKindForIdentity(identityName str
 	return "", errors.New("not implemented")
 }
 
-func (m *mockAuthManagerForIdentity) GetCachedCredentials(ctx context.Context, identityName string) (*types.WhoamiInfo, error) {
+func (m *mockAuthManagerForIdentity) DescribeIdentity(ctx context.Context, identityName string) (*types.WhoamiInfo, error) {
 	return nil, errors.New("not implemented")
 }
 

cmd/auth_env.go

@@ -64,7 +64,7 @@ var authEnvCmd = &cobra.Command{
 			// Try to use cached credentials first (passive check, no prompts).
 			// Only authenticate if cached credentials are not available or expired.
 			ctx := cmd.Context()
-			whoami, err := authManager.GetCachedCredentials(ctx, identityName)
+			whoami, err := authManager.DescribeIdentity(ctx, identityName)
 			if err != nil {
 				log.Debug("No valid cached credentials found, authenticating", "identity", identityName, "error", err)
 				// No valid cached credentials - perform full authentication.

cmd/auth_exec.go

@@ -77,7 +77,7 @@ func executeAuthExecCommandCore(cmd *cobra.Command, args []string) error {
 	// Try to use cached credentials first (passive check, no prompts).
 	// Only authenticate if cached credentials are not available or expired.
 	ctx := context.Background()
-	whoami, err := authManager.GetCachedCredentials(ctx, identityName)
+	whoami, err := authManager.DescribeIdentity(ctx, identityName)
 	if err != nil {
 		log.Debug("No valid cached credentials found, authenticating", "identity", identityName, "error", err)
 		// No valid cached credentials - perform full authentication.

cmd/auth_shell.go

@@ -86,7 +86,7 @@ func executeAuthShellCommandCore(cmd *cobra.Command, args []string) error {
 	// Try to use cached credentials first (passive check, no prompts).
 	// Only authenticate if cached credentials are not available or expired.
 	ctx := context.Background()
-	whoami, err := authManager.GetCachedCredentials(ctx, identityName)
+	whoami, err := authManager.DescribeIdentity(ctx, identityName)
 	if err != nil {
 		log.Debug("No valid cached credentials found, authenticating", "identity", identityName, "error", err)
 		// No valid cached credentials - perform full authentication.