#19385: fix: pass authProfileId from cron session to runEmbeddedPiAgent

## Summary - Cron isolated-agent jobs were not passing `authProfileId` to `runEmbeddedPiAgent`, causing the runner to fall back to default auth profile ordering (OAuth > Token > API Key) - CLI auth (API key type) was deprioritized, so billing-eligible profiles were tried first, producing repeated "payment verification failed" messages on every cron run - This applies the same fix as #16303 — passes `authProfileId`/`authProfileIdSource` from the session entry and applies `applyModelOverrideToSessionEntry` when the resolved model differs from the default ## Changes (2 files) - **`src/cron/isolated-agent/run.ts`** — import `applyModelOverrideToSessionEntry`, apply it after `resolveCronSession` when model override is active, and pass `authProfileId`/`authProfileIdSource` to `runEmbeddedPiAgent` - **`src/cron/isolated-agent/session.test.ts`** — add test verifying `authProfileOverride` fields are preserved across session resets Fixes #14401 Ref: #16303, #14376 ## Test plan - [x] All 145 cron tests pass (`npx vitest run src/cron/`) - [x] New test verifies `authProfileOverride`/`authProfileOverrideSource` preservation - [ ] Manual: configure a cron job with Claude CLI auth, verify it uses CLI profile instead of billing-eligible profiles 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- greptile_comment --> <h3>Greptile Summary</h3> This PR fixes a bug where cron isolated-agent jobs were not passing `authProfileId` to `runEmbeddedPiAgent`, causing the runner to fall back to the default auth profile ordering (OAuth > Token > API Key) and repeatedly attempt billing-eligible profiles before CLI API key profiles, resulting in "payment verification failed" spam on every cron run. **Key changes:** - In `run.ts`: imports `applyModelOverrideToSessionEntry` and calls it after `resolveCronSession` when a model override is active, mirroring existing sub-agent behavior. Also computes `cronAuthProfileId` (only when `providerOverride === provider` to guard against cross-provider profile leakage during fallback) and passes `authProfileId`/`authProfileIdSource` to `runEmbeddedPiAgent`. - In `session.test.ts`: adds a regression test verifying `authProfileOverride`/`authProfileOverrideSource` are preserved across session loads. The implementation correctly mirrors the pattern in `src/commands/agent.ts` (the reference PR #16303) where `authProfileId` is set to `undefined` when the active provider differs from the primary, preventing an auth profile for one provider from being mistakenly applied to a fallback provider. The logic flows cleanly and doesn't introduce any correctness issues. <h3>Confidence Score: 5/5</h3> - This PR is safe to merge; the fix is a targeted, well-scoped bug fix that mirrors an existing pattern in the codebase. - The logic correctly mirrors the reference pattern from `commands/agent.ts`, the provider-guard check prevents cross-provider auth profile leakage during model fallback, `applyModelOverrideToSessionEntry` is called with the session entry's own override fields (so it either preserves them or correctly clears them when unset), and the code doesn't introduce any new execution paths. The one style note is about incomplete test coverage for the stale-session case, but the underlying implementation is correct (the `...entry` spread in `resolveCronSession` already preserves the fields unconditionally). - No files require special attention _{Last reviewed commit: e627be4} <!-- greptile_other_comments_section --> _{(3/5) Reply to the agent's comments like "Can you suggest a fix for this @greptileai?" or ask follow-up questions!} <!-- /greptile_comment -->