fix: propagate server error messages instead of swallowing them

[DevOpsDave]

Summary

• Bug: The catch block in getIamKey.ts (line 146-148) discards the actual server error from alks.getIAMKeys() and always throws a generic "Incorrect account or role" message. This prevents meaningful server-side errors from reaching the user.
• Fix: Propagate the server's error message when available, falling back to badAccountMessage only when no message is present.
• Tests: Updated existing test case and added a new test case verifying that server error messages (e.g., "Change request required for production access") are properly surfaced.

Context

Starting the week of April 20, 2026, ALKS Core will enforce ChangeMinder (change ticket requirements) for production access via an Optimizely feature flag. When CLI users try to get prod keys without providing --ciid or --chg-number, the server returns a meaningful rejection message — but the CLI currently swallows it and shows "Incorrect account or role", which will confuse users and flood #alks-support.

Changes

src/lib/getIamKey.ts

  } catch (e) {
-   throw new Error(badAccountMessage);
+   const serverMessage = (e as Error).message;
+   throw new Error(serverMessage || badAccountMessage);
  }

src/lib/getIamKey.test.ts

• Renamed existing "when alks.getIAMKeys fails" test to "when alks.getIAMKeys fails with no message" and added assertion that it falls back to badAccountMessage
• Added new test case "when alks.getIAMKeys fails with a server error message" that verifies the server message is propagated

Test plan

• npm test passes — all 44 tests in getIamKey.test.ts pass
• Manual test: run alks sessions open against a prod account without --ciid/--chg-number after ChangeMinder enforcement is enabled — should see the server's rejection message instead of "Incorrect account or role"

🤖 Generated with Claude Code

[samsolaimani]

This is a well-scoped, correct fix with good test coverage. Approved 👍

[americk0]

Simple enough. 👍