Address degraded-auth review feedback

- Drive.tsx + drive.ts: surface the cloud-unavailable stub on the default
  category and force `cloud` as the default while degraded, so the failure
  is visible right after sign-in instead of silently landing on Local.
- auth.ts: disable usersMeQuery retries so the degraded UI appears without
  the ~10 s router-guard stall; key the synthetic-user cache + userId on
  cognito email instead of the app-wide clientId; guard setUsername.
- Settings/data.tsx: keep the Account tab reachable in degraded mode
  (Cognito-only sections stay visible), hide cloud-dependent sections.
- auth.test.ts / degradedAuth.spec.ts: update tests for email-based
  identifier; drive the 401 path by hand so the form-disappears assertion
  doesn't fight the immediate unauthorized-recovery logout.

Author: farmaazon

app/gui/integration-test/dashboard/degradedAuth.spec.ts

@@ -1,7 +1,7 @@
 /** @file Verify the degraded-auth mode triggered when `users/me` fails for a non-auth reason. */
 import { expect, test } from 'integration-test/base'
 
-import { TEXT } from '../actions'
+import { TEXT, VALID_EMAIL, VALID_PASSWORD } from '../actions'
 
 const HTTP_INTERNAL_SERVER_ERROR = 500
 const HTTP_UNAUTHORIZED = 401
@@ -54,11 +54,20 @@ test('401 keeps the existing recovery + logout path, no degraded UI', async ({
   loginPage,
   cloudApi,
 }) => {
+  // Submit credentials by hand: `loginPage.login()` asserts the login form disappears,
+  // but the 401-driven unauthorized-recovery flow logs the user back out almost
+  // immediately, so the form may never stay hidden long enough.
   cloudApi.setUsersMeFailureStatus(HTTP_UNAUTHORIZED)
 
-  await loginPage.login().do(async (page) => {
-    // The unauthorized-recovery flow eventually logs the user out, which makes the
-    // login form visible again. The degraded `cloud-unavailable` stub must never show.
+  await loginPage.do(async (page) => {
+    await page.getByPlaceholder(TEXT.emailPlaceholder).fill(VALID_EMAIL)
+    await page.getByPlaceholder(TEXT.passwordPlaceholder).fill(VALID_PASSWORD)
+    await page
+      .getByRole('button', { name: TEXT.login, exact: true })
+      .getByText(TEXT.login)
+      .click()
+    // After unauthorized recovery exhausts, the user is logged out and the login
+    // screen is shown again. The cloud-unavailable stub must never appear.
     await expect(
       page.getByRole('button', { name: TEXT.login, exact: true }),
     ).toBeVisible({ timeout: 30_000 })

app/gui/src/dashboard/layouts/Drive.tsx

@@ -5,6 +5,7 @@ import { ErrorBoundary } from '#/components/ErrorBoundary'
 import * as result from '#/components/Result'
 import SvgMask from '#/components/SvgMask'
 import { useEventCallback } from '#/hooks/eventCallbackHooks'
+import { useLocalStorageState } from '#/hooks/localStoreState'
 import * as offlineHooks from '#/hooks/offlineHooks'
 import * as toastAndLogHooks from '#/hooks/toastAndLogHooks'
 import AssetsTable from '#/layouts/AssetsTable'
@@ -56,6 +57,13 @@ function DriveInner(props: DriveProperties) {
   const { getText } = useText()
   const [category, setCategory] = useDriveCurrentCategory()
   const { setDefaultCategory } = useDriveLocation()
+  // The cloud-unavailable status is decoupled from `isCloud`: while the user is on the
+  // default category (no explicit choice yet) the stub takes over so cloud failure is
+  // surfaced no matter which category the default logic picked. Once the user explicitly
+  // picks a category — sidebar click or the "Switch to Local" button — `driveDisplay`
+  // becomes non-null and we defer to their choice for the local categories.
+  const [storedDriveDisplay] = useLocalStorageState('driveDisplay')
+  const hasExplicitCategory = storedDriveDisplay != null
 
   const isCloud = isCloudCategory(category)
 
@@ -69,7 +77,7 @@ function DriveInner(props: DriveProperties) {
 
   const status =
     isCloud && isOffline ? 'offline'
-    : isCloud && session.isCloudDataUnavailable ? 'cloud-unavailable'
+    : session.isCloudDataUnavailable && (isCloud || !hasExplicitCategory) ? 'cloud-unavailable'
     : isCloud && !user.isEnabled ? 'not-enabled'
     : 'ok'
 

app/gui/src/dashboard/layouts/Settings/data.tsx

@@ -70,7 +70,9 @@ export const SETTINGS_TAB_DATA: Readonly<Record<SettingsTabType, SettingsTabData
     nameId: 'accountSettingsTab',
     settingsTab: SettingsTabType.account,
     icon: 'settings',
-    visible: ({ isCloudDataUnavailable }) => !isCloudDataUnavailable,
+    // The tab stays visible in degraded-auth mode so the Cognito-only sections
+    // (password change, 2FA setup) remain reachable; the cloud-dependent sections
+    // hide themselves via their own `getVisible`.
     sections: [
       {
         nameId: 'userAccountSettingsSection',
@@ -89,6 +91,7 @@ export const SETTINGS_TAB_DATA: Readonly<Record<SettingsTabType, SettingsTabData
                 IanaTimeZone(getLocalTimeZone()),
               ),
             }),
+            getVisible: ({ isCloudDataUnavailable }) => !isCloudDataUnavailable,
             onSubmit: async (context, { name, timeZone }) => {
               const newTimeZone = timeZone != null ? tryGetTimeZoneFromDescription(timeZone) : null
               if (newTimeZone != null) {
@@ -229,6 +232,7 @@ export const SETTINGS_TAB_DATA: Readonly<Record<SettingsTabType, SettingsTabData
           {
             type: 'custom',
             aliasesId: 'deleteUserAccountSettingsCustomEntryAliases',
+            getVisible: ({ isCloudDataUnavailable }) => !isCloudDataUnavailable,
             render: () => <DeleteUserAccountSettingsSection />,
           },
         ],
@@ -240,6 +244,7 @@ export const SETTINGS_TAB_DATA: Readonly<Record<SettingsTabType, SettingsTabData
           {
             type: 'custom',
             aliasesId: 'profilePictureSettingsCustomEntryAliases',
+            getVisible: ({ isCloudDataUnavailable }) => !isCloudDataUnavailable,
             render: (context) => <ProfilePictureInput backend={context.backend} />,
           },
         ],

app/gui/src/providers/__tests__/auth.test.ts

@@ -44,9 +44,9 @@ describe('makeSyntheticUser', () => {
   })
 
   it('derives identifiers in the expected newtype shape', () => {
-    const user = makeSyntheticUser(fakeCognitoSession({ clientId: 'abc' }))
+    const user = makeSyntheticUser(fakeCognitoSession({ email: 'someone@enso.org' }))
     expect(isUserId(user.userId)).toBe(true)
-    expect(user.userId).toContain('abc')
+    expect(user.userId).toContain('someone@enso.org')
     expect(isOrganizationId(user.organizationId)).toBe(true)
     expect(isDirectoryId(user.rootDirectoryId)).toBe(true)
   })
@@ -57,8 +57,14 @@ describe('makeSyntheticUser', () => {
     expect(user.name).toBe('someone@enso.org')
   })
 
-  it('handles a missing clientId without producing an empty identifier', () => {
-    const user = makeSyntheticUser(fakeCognitoSession({ clientId: '' }))
+  it('keys identifiers on email so two users on the same Cognito app are distinct', () => {
+    const a = makeSyntheticUser(fakeCognitoSession({ email: 'a@enso.org' }))
+    const b = makeSyntheticUser(fakeCognitoSession({ email: 'b@enso.org' }))
+    expect(a.userId).not.toBe(b.userId)
+  })
+
+  it('handles a missing email without producing an empty identifier', () => {
+    const user = makeSyntheticUser(fakeCognitoSession({ email: '' }))
     expect(user.userId).toBe('user-cloud-unavailable-unknown')
   })
 })

app/gui/src/providers/auth.ts

@@ -23,6 +23,10 @@ export interface UserSession extends cognitoModule.UserSession {
    * `true` when this session is a placeholder synthesized after `users/me` failed with
    * a non-auth error. The user is signed in to Cognito and can use local projects, but
    * the `user` field is a stub — cloud features must be disabled by callers.
+   *
+   * Only set on deployments that have a local backend; cloud-only builds fall back to
+   * the existing redirect-to-login path when `users/me` fails, so this flag is never
+   * `true` there.
    */
   readonly isCloudDataUnavailable?: boolean
 }
@@ -72,6 +76,12 @@ export function createUsersMeQuery(
   let refetchCount = 0
   return vueQuery.queryOptions({
     queryKey: createUsersMeQueryKey(session, remoteBackend),
+    // Disable the default 3-retry backoff: a failed `users/me` should surface immediately
+    // so the degraded-auth UI can render instead of stalling navigation for ~10 s while
+    // the query retries. Unauthorized errors have a dedicated recovery flow in
+    // {@link useUnauthorizedRecovery}; transient network errors are handled by the
+    // user clicking the "Retry" button.
+    retry: false,
     queryFn: async (): Promise<UserSession | null> => {
       const sessionVal = toValue(session)
       if (!sessionVal) {
@@ -102,11 +112,14 @@ export function createUsersMeQuery(
  * response is unavailable. All cloud features must be treated as disabled — the
  * placeholder mirrors a real user without a licence (`isEnabled: false`,
  * `plan: Plan.free`) so the existing "not-enabled" rendering paths apply.
+ *
+ * Identifier fields embed the Cognito email so the placeholder is distinct per signed-in
+ * user (the Cognito app `clientId` is a deployment-wide constant and would alias users).
  */
 export function makeSyntheticUser(cognitoSession: cognitoModule.UserSession): backendModule.User {
-  const clientIdSuffix = cognitoSession.clientId || 'unknown'
+  const identitySuffix = cognitoSession.email || 'unknown'
   return {
-    userId: backendModule.UserId(`user-cloud-unavailable-${clientIdSuffix}`),
+    userId: backendModule.UserId(`user-cloud-unavailable-${identitySuffix}`),
     organizationId: backendModule.OrganizationId(
       'organization-00000000000000000000000000',
     ),
@@ -162,7 +175,13 @@ function createAuthStore(
   })
 
   const setUsername = async (username: string) => {
-    if (userData.value != null) {
+    if (isCloudDataUnavailable.value) {
+      throw new Error('Cannot set username while Enso Cloud is unavailable.')
+    }
+    // Branch on the real `users/me` result, not the (possibly synthetic) `userData`:
+    // a synthetic placeholder would otherwise route us into the update path and hit
+    // the failing remote.
+    if (usersMeQuery.data.value != null) {
       await updateUserMutation.mutateAsync({ username })
     } else {
       const orgId = await organizationId()
@@ -190,10 +209,13 @@ function createAuthStore(
 
   const usersMeQuery = vueQuery.useQuery(usersMeQueryOptions)
 
-  let syntheticUserCache: { clientId: string; user: backendModule.User } | null = null
+  // Keyed on `email`, not `clientId`: `clientId` is the Cognito app integration ID and is
+  // identical across users on the same deployment, so caching on it would surface user A's
+  // placeholder for user B after a sign-out/sign-in.
+  let syntheticUserCache: { email: string; user: backendModule.User } | null = null
   const getSyntheticUser = (cognitoSession: cognitoModule.UserSession) => {
-    if (syntheticUserCache?.clientId !== cognitoSession.clientId) {
-      syntheticUserCache = { clientId: cognitoSession.clientId, user: makeSyntheticUser(cognitoSession) }
+    if (syntheticUserCache?.email !== cognitoSession.email) {
+      syntheticUserCache = { email: cognitoSession.email, user: makeSyntheticUser(cognitoSession) }
     }
     return syntheticUserCache.user
   }
@@ -202,7 +224,8 @@ function createAuthStore(
    * `true` when Cognito sign-in succeeded but the subsequent `users/me` fetch failed
    * with a non-auth error. Auth (401/403) failures are owned by `useUnauthorizedRecovery`
    * and excluded here. Requires a local backend so the synthesised session has somewhere
-   * to land — without one, callers fall back to the redirect-to-login path.
+   * to land — on cloud-only deployments without `localBackend`, this stays `false` and
+   * the user falls through to the existing redirect-to-login path.
    */
   const isCloudDataUnavailable = computed(() => {
     const cognitoSession = session.value

app/gui/src/providers/drive.ts

@@ -4,6 +4,7 @@ import { createContextStore } from '@/providers'
 import { isDirectoryId, type DirectoryId } from 'enso-common/src/services/Backend'
 import { computed, watch } from 'vue'
 import * as z from 'zod'
+import { useAuth } from './auth'
 import { useBackends } from './backends'
 import {
   CATEGORY_BACKEND,
@@ -39,12 +40,17 @@ export const [provideDriveLocation, useDriveLocation] = createContextStore(
   (startReactTransition: (action: () => void) => void) => {
     const backends = useBackends()
     const categories = useCategories()
+    const auth = useAuth()
     const localStorage = LocalStorage.getInstance()
     const storedDriveDisplay = computed(() => localStorage.get('driveDisplay'))
 
-    const defaultCategory = computed<Category>(() =>
-      backends.localBackend != null ? { type: 'local' } : { type: 'cloud' },
-    )
+    // In degraded-auth mode the user must land on cloud so the "Enso Cloud is unavailable"
+    // stub (rendered by the cloud-category view) is visible after sign-in. Otherwise the
+    // existing local-first default would silently hide the failure.
+    const defaultCategory = computed<Category>(() => {
+      if (auth.session?.isCloudDataUnavailable) return { type: 'cloud' }
+      return backends.localBackend != null ? { type: 'local' } : { type: 'cloud' }
+    })
 
     const currentCategory = computed({
       get: () =>