diff --git a/packages/cli/src/destroy-command.test.ts b/packages/cli/src/destroy-command.test.ts
index 9dcda18..baf45ef 100644
--- a/packages/cli/src/destroy-command.test.ts
+++ b/packages/cli/src/destroy-command.test.ts
@@ -73,6 +73,7 @@ function trapFetch(handler: (call: FetchCall) => Response | Promise<Response>):
 }
 
 function withTokenEnv(token: string, workspace: string): () => void {
+  const restoreIsolate = isolateAuthFiles();
   const prevToken = process.env.WORKFORCE_WORKSPACE_TOKEN;
   const prevWs = process.env.WORKFORCE_WORKSPACE_ID;
   const prevCloudA = process.env.WORKFORCE_DEPLOY_CLOUD_URL;
@@ -86,8 +87,35 @@ function withTokenEnv(token: string, workspace: string): () => void {
     else process.env.WORKFORCE_WORKSPACE_TOKEN = prevToken;
     if (prevWs === undefined) delete process.env.WORKFORCE_WORKSPACE_ID;
     else process.env.WORKFORCE_WORKSPACE_ID = prevWs;
-    if (prevCloudA !== undefined) process.env.WORKFORCE_DEPLOY_CLOUD_URL = prevCloudA;
-    if (prevCloudB !== undefined) process.env.WORKFORCE_CLOUD_URL = prevCloudB;
+    if (prevCloudA === undefined) delete process.env.WORKFORCE_DEPLOY_CLOUD_URL;
+    else process.env.WORKFORCE_DEPLOY_CLOUD_URL = prevCloudA;
+    if (prevCloudB === undefined) delete process.env.WORKFORCE_CLOUD_URL;
+    else process.env.WORKFORCE_CLOUD_URL = prevCloudB;
+    restoreIsolate();
+  };
+}
+
+/**
+ * Pin every filesystem-backed auth source to definitely-missing/disabled
+ * paths so the destroy CLI tests don't accidentally pick up the host
+ * developer's `~/.agentworkforce/active.json` or `~/.agent-relay/cloud-auth.json`.
+ * Tests that intentionally exercise the active.json fallback override
+ * `WORKFORCE_ACTIVE_WORKSPACE_FILE` after this runs.
+ */
+function isolateAuthFiles(): () => void {
+  const prevActive = process.env.WORKFORCE_ACTIVE_WORKSPACE_FILE;
+  const prevLogin = process.env.WORKFORCE_LOGIN_FILE;
+  const prevDisable = process.env.WORKFORCE_DISABLE_SHARED_AUTH;
+  process.env.WORKFORCE_ACTIVE_WORKSPACE_FILE = path.join(os.tmpdir(), 'wf-destroy-test-active-MISSING.json');
+  process.env.WORKFORCE_LOGIN_FILE = path.join(os.tmpdir(), 'wf-destroy-test-login-MISSING.json');
+  process.env.WORKFORCE_DISABLE_SHARED_AUTH = '1';
+  return () => {
+    if (prevActive === undefined) delete process.env.WORKFORCE_ACTIVE_WORKSPACE_FILE;
+    else process.env.WORKFORCE_ACTIVE_WORKSPACE_FILE = prevActive;
+    if (prevLogin === undefined) delete process.env.WORKFORCE_LOGIN_FILE;
+    else process.env.WORKFORCE_LOGIN_FILE = prevLogin;
+    if (prevDisable === undefined) delete process.env.WORKFORCE_DISABLE_SHARED_AUTH;
+    else process.env.WORKFORCE_DISABLE_SHARED_AUTH = prevDisable;
   };
 }
 
@@ -227,7 +255,13 @@ test('runDestroy: 401 maps to exit 1 with a login hint', async () => {
 });
 
 test('runDestroy: missing workspace exits 1', async () => {
-  // No WORKFORCE_WORKSPACE_ID, no --workspace.
+  // No WORKFORCE_WORKSPACE_ID, no --workspace, and no on-disk auth state
+  // — destroy should fail fast with an actionable error and never reach
+  // the network. We isolate the filesystem sources because the new code
+  // path also consults `~/.agentworkforce/active.json` and the shared
+  // cloud-auth file, which would otherwise leak from the host machine
+  // running the test.
+  const restoreIsolate = isolateAuthFiles();
   const prevToken = process.env.WORKFORCE_WORKSPACE_TOKEN;
   const prevWs = process.env.WORKFORCE_WORKSPACE_ID;
   process.env.WORKFORCE_WORKSPACE_TOKEN = 'tok-1';
@@ -237,9 +271,12 @@ test('runDestroy: missing workspace exits 1', async () => {
   });
   const trap = trapIO();
   try {
-    await assert.rejects(runDestroy([AGENT_UUID]), /__exit_trap__:1/);
+    await assert.rejects(runDestroy([AGENT_UUID, '--no-prompt']), /__exit_trap__:1/);
     assert.deepEqual(trap.exits, [1]);
-    assert.match(trap.stderr, /no workspace resolved/);
+    // Accept either the orchestrator-level message ("no workspace resolved")
+    // or the auth-resolver message ("no workspace credentials resolved")
+    // — both are valid pre-network failures.
+    assert.match(trap.stderr, /no workspace (credentials )?resolved/);
     assert.equal(fetchTrap.calls.length, 0);
   } finally {
     trap.restore();
@@ -247,6 +284,7 @@ test('runDestroy: missing workspace exits 1', async () => {
     if (prevToken === undefined) delete process.env.WORKFORCE_WORKSPACE_TOKEN;
     else process.env.WORKFORCE_WORKSPACE_TOKEN = prevToken;
     if (prevWs !== undefined) process.env.WORKFORCE_WORKSPACE_ID = prevWs;
+    restoreIsolate();
   }
 });
 
@@ -389,3 +427,117 @@ test('runDestroy: 5xx server error exits 1 and surfaces the status', async () =>
     restoreEnv();
   }
 });
+
+test('runDestroy: HTML 404 body is replaced with a hint, not dumped verbatim', async () => {
+  // Regression guard for the apex-without-/cloud bug: when the CLI hits
+  // `agentrelay.com/api/...` instead of `agentrelay.com/cloud/api/...`,
+  // cloud's marketing site returns a full Next.js 404 page. The error
+  // formatter must summarize that, not dump it into stderr.
+  const restoreEnv = withTokenEnv('tok-1', WORKSPACE);
+  const htmlPage = '<!DOCTYPE html><html lang="en"><head>'
+    + '<title>404</title>'
+    + '<script src="/_next/static/chunks/main.js"></script>'.repeat(20)
+    + '</head><body></body></html>';
+  const fetchTrap = trapFetch(
+    async () => new Response(htmlPage, {
+      status: 404,
+      headers: { 'content-type': 'text/html; charset=utf-8' }
+    })
+  );
+  const trap = trapIO();
+  try {
+    // 404 on a DELETE is the documented "not found / already destroyed"
+    // path (exit 2). That branch produces a clean message that doesn't
+    // surface the body — so this guard is really about the
+    // !res.ok fallthrough. We use 500 here to exercise the generic
+    // formatter instead.
+    fetchTrap.restore();
+    const fetchTrap2 = trapFetch(
+      async () => new Response(htmlPage, {
+        status: 500,
+        headers: { 'content-type': 'text/html; charset=utf-8' }
+      })
+    );
+    try {
+      await assert.rejects(
+        runDestroy([AGENT_UUID, '--cloud-url', CLOUD]),
+        /__exit_trap__:1/
+      );
+      assert.deepEqual(trap.exits, [1]);
+      assert.match(trap.stderr, /500/);
+      assert.match(trap.stderr, /HTML|wrong API root/);
+      // The raw <script> tags must not appear in stderr.
+      assert.equal(trap.stderr.includes('<script'), false);
+      assert.equal(trap.stderr.includes('<!DOCTYPE'), false);
+    } finally {
+      fetchTrap2.restore();
+    }
+  } finally {
+    trap.restore();
+    restoreEnv();
+  }
+});
+
+test('runDestroy: reads active.json cloudUrl when no flag and no env is set', async () => {
+  // The destroy command must consult `~/.agentworkforce/active.json` for
+  // the cloud URL just like the deploy orchestrator does. Without this,
+  // a user who ran `agentworkforce login` (which writes active.json with
+  // the canonical cloud URL) would still hit the legacy default.
+  const restoreIsolate = isolateAuthFiles();
+  const prevToken = process.env.WORKFORCE_WORKSPACE_TOKEN;
+  const prevWs = process.env.WORKFORCE_WORKSPACE_ID;
+  const prevCloudA = process.env.WORKFORCE_DEPLOY_CLOUD_URL;
+  const prevCloudB = process.env.WORKFORCE_CLOUD_URL;
+  process.env.WORKFORCE_WORKSPACE_TOKEN = 'tok-active';
+  process.env.WORKFORCE_WORKSPACE_ID = WORKSPACE;
+  delete process.env.WORKFORCE_DEPLOY_CLOUD_URL;
+  delete process.env.WORKFORCE_CLOUD_URL;
+
+  const tmp = await mkdtemp(path.join(os.tmpdir(), 'aw-destroy-active-'));
+  const activeFile = path.join(tmp, 'active.json');
+  await writeFile(
+    activeFile,
+    JSON.stringify({
+      workspace: WORKSPACE,
+      workspaceId: WORKSPACE,
+      cloudUrl: 'https://active.example.test/cloud',
+      setAt: new Date().toISOString()
+    }),
+    'utf8'
+  );
+  process.env.WORKFORCE_ACTIVE_WORKSPACE_FILE = activeFile;
+
+  const fetchTrap = trapFetch(
+    async () =>
+      new Response(
+        JSON.stringify({
+          agentId: AGENT_UUID,
+          status: 'destroyed',
+          destroyedAt: '2026-05-13T00:00:00.000Z',
+          cancelledScheduleIds: []
+        }),
+        { status: 200, headers: { 'content-type': 'application/json' } }
+      )
+  );
+  const trap = trapIO();
+  try {
+    // No `--cloud-url` flag. The command must derive the URL from active.json.
+    await assert.rejects(runDestroy([AGENT_UUID]), /__exit_trap__:0/);
+    assert.equal(fetchTrap.calls.length, 1);
+    assert.equal(
+      fetchTrap.calls[0].url,
+      `https://active.example.test/cloud/api/v1/workspaces/${WORKSPACE}/deployments/${AGENT_UUID}`
+    );
+  } finally {
+    trap.restore();
+    fetchTrap.restore();
+    if (prevToken === undefined) delete process.env.WORKFORCE_WORKSPACE_TOKEN;
+    else process.env.WORKFORCE_WORKSPACE_TOKEN = prevToken;
+    if (prevWs === undefined) delete process.env.WORKFORCE_WORKSPACE_ID;
+    else process.env.WORKFORCE_WORKSPACE_ID = prevWs;
+    if (prevCloudA !== undefined) process.env.WORKFORCE_DEPLOY_CLOUD_URL = prevCloudA;
+    if (prevCloudB !== undefined) process.env.WORKFORCE_CLOUD_URL = prevCloudB;
+    restoreIsolate();
+    await rm(tmp, { recursive: true, force: true });
+  }
+});
diff --git a/packages/cli/src/destroy-command.ts b/packages/cli/src/destroy-command.ts
index 0221dd4..6668dea 100644
--- a/packages/cli/src/destroy-command.ts
+++ b/packages/cli/src/destroy-command.ts
@@ -1,8 +1,13 @@
 import { readFile, stat } from 'node:fs/promises';
 import path from 'node:path';
-import { createTerminalIO, resolveWorkspaceToken } from '@agentworkforce/deploy';
+import {
+  createTerminalIO,
+  formatHttpErrorBody,
+  readActiveWorkspace,
+  resolveCloudUrl,
+  resolveWorkspaceToken
+} from '@agentworkforce/deploy';
 
-const DEFAULT_CLOUD_URL = 'https://agentrelay.com';
 const USER_AGENT = 'agentworkforce-cli/destroy';
 // UUID v1-v5, what the cloud agents.id column emits.
 const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
@@ -12,7 +17,7 @@ export interface DestroyOptions {
   target: string;
   /** Workforce workspace id. Falls back to WORKFORCE_WORKSPACE_ID. */
   workspace?: string;
-  /** Override cloud base URL. Falls back to env, then DEFAULT_CLOUD_URL. */
+  /** Override cloud base URL. Falls back to env, then active.json, then the canonical default. */
   cloudUrl?: string;
   /** Fail instead of opening the browser to log in. */
   noPrompt?: boolean;
@@ -77,28 +82,32 @@ export async function runDestroy(args: readonly string[]): Promise<void> {
 }
 
 async function executeDestroy(opts: DestroyOptions): Promise<void> {
-  const workspace = (opts.workspace ?? process.env.WORKFORCE_WORKSPACE_ID ?? '').trim();
-  if (!workspace) {
-    throw new DestroyExit(
-      1,
-      '\nagentworkforce destroy failed: no workspace resolved: pass --workspace or set WORKFORCE_WORKSPACE_ID\n'
-    );
-  }
-
-  const cloudUrl = normalizeCloudUrl(
-    opts.cloudUrl ??
-      process.env.WORKFORCE_DEPLOY_CLOUD_URL ??
-      process.env.WORKFORCE_CLOUD_URL ??
-      DEFAULT_CLOUD_URL
-  );
+  const active = await readActiveWorkspace().catch(() => null);
+  const cloudUrl = resolveCloudUrl({
+    ...(opts.cloudUrl ? { flag: opts.cloudUrl } : {}),
+    active
+  });
 
   const io = createTerminalIO();
-  const { token } = await resolveWorkspaceToken({
-    workspace,
+  const auth = await resolveWorkspaceToken({
+    ...(opts.workspace ? { workspace: opts.workspace } : {}),
     cloudUrl,
     io,
     ...(opts.noPrompt ? { noPrompt: true } : {})
   });
+  const workspace = (
+    auth.workspace
+    ?? opts.workspace
+    ?? process.env.WORKFORCE_WORKSPACE_ID
+    ?? ''
+  ).trim();
+  if (!workspace) {
+    throw new DestroyExit(
+      1,
+      '\nagentworkforce destroy failed: no workspace resolved: pass --workspace, set WORKFORCE_WORKSPACE_ID, or run `agentworkforce login`\n'
+    );
+  }
+  const token = auth.token;
 
   const agentId = await resolveAgentId({
     target: opts.target,
@@ -260,18 +269,13 @@ async function pathExists(target: string): Promise<boolean> {
 
 async function responseExcerpt(res: Response): Promise<string> {
   try {
-    const text = (await res.text()).trim();
-    return text.length > 200 ? `${text.slice(0, 200)}…` : text;
+    const text = await res.text();
+    return formatHttpErrorBody(text, { url: res.url, maxLength: 200 });
   } catch {
     return '';
   }
 }
 
-function normalizeCloudUrl(url: string): string {
-  const trimmed = url.trim();
-  return trimmed ? trimmed.replace(/\/+$/, '') : DEFAULT_CLOUD_URL;
-}
-
 export const DESTROY_USAGE = `usage: agentworkforce destroy <persona-or-agent-id> [flags]
 
 Tear down a deployed agent: cancel all relaycron schedules and mark the
diff --git a/packages/cli/src/list-command.ts b/packages/cli/src/list-command.ts
index 6a83848..1a64da0 100644
--- a/packages/cli/src/list-command.ts
+++ b/packages/cli/src/list-command.ts
@@ -1,10 +1,11 @@
 import {
   createTerminalIO,
+  formatHttpErrorBody,
+  readActiveWorkspace,
+  resolveCloudUrl,
   resolveWorkspaceToken
 } from '@agentworkforce/deploy';
 
-const DEFAULT_CLOUD_URL = 'https://agentrelay.com';
-
 type DeploymentListOptions = {
   workspace?: string;
   status?: string;
@@ -38,17 +39,16 @@ export async function runDeploymentList(args: readonly string[]): Promise<void>
   try {
     const opts = parseDeploymentListArgs(args);
     const io = createTerminalIO();
-    const cloudUrl = normalizeCloudUrl(
-      opts.cloudUrl
-        ?? process.env.WORKFORCE_DEPLOY_CLOUD_URL
-        ?? process.env.WORKFORCE_CLOUD_URL
-        ?? DEFAULT_CLOUD_URL
-    );
+    const active = await readActiveWorkspace().catch(() => null);
+    const cloudUrl = resolveCloudUrl({
+      ...(opts.cloudUrl ? { flag: opts.cloudUrl } : {}),
+      active
+    });
     const auth = await resolveWorkspaceToken({
-      workspace: opts.workspace,
+      ...(opts.workspace ? { workspace: opts.workspace } : {}),
       cloudUrl,
       io,
-      noPrompt: opts.noPrompt
+      ...(opts.noPrompt ? { noPrompt: true } : {})
     });
     const workspace = auth.workspace?.trim() || opts.workspace?.trim();
     if (!workspace) {
@@ -70,7 +70,9 @@ export async function runDeploymentList(args: readonly string[]): Promise<void>
       throw new Error('unauthorized. Run `agentworkforce login` and retry.');
     }
     if (!res.ok) {
-      throw new Error(`list failed: ${res.status} ${await res.text().catch(() => '')}`.trim());
+      const body = await res.text().catch(() => '');
+      const hint = formatHttpErrorBody(body, { url: url.toString() });
+      throw new Error(`list failed: ${res.status}${hint ? ` ${hint}` : ''}`);
     }
     const agents = parseAgents((await res.json()) as ListResponse);
     if (opts.json) {
@@ -224,11 +226,6 @@ function readNullableString(record: Record<string, unknown>, key: string): strin
   return typeof value === 'string' && value.trim() ? value.trim() : null;
 }
 
-function normalizeCloudUrl(url: string): string {
-  const trimmed = url.trim();
-  return trimmed ? trimmed.replace(/\/+$/, '') : DEFAULT_CLOUD_URL;
-}
-
 function expectValue(flag: string, value: string | undefined): string {
   if (typeof value !== 'string' || !value.trim() || value.startsWith('-')) {
     throw new Error(`${flag}: missing value`);
diff --git a/packages/deploy/src/cloud-url.test.ts b/packages/deploy/src/cloud-url.test.ts
index b5ba152..7f2f6cc 100644
--- a/packages/deploy/src/cloud-url.test.ts
+++ b/packages/deploy/src/cloud-url.test.ts
@@ -1,6 +1,6 @@
 import test from 'node:test';
 import assert from 'node:assert/strict';
-import { canonicalizeCloudUrl } from './cloud-url.js';
+import { canonicalizeCloudUrl, resolveCloudUrl } from './cloud-url.js';
 
 test('canonicalizeCloudUrl: origin.agentrelay.cloud bare host → public canonical', () => {
   assert.equal(
@@ -65,3 +65,111 @@ test('canonicalizeCloudUrl: empty input returns empty string', () => {
 test('canonicalizeCloudUrl: unparseable input is returned untouched (trimmed)', () => {
   assert.equal(canonicalizeCloudUrl('  not-a-url  '), 'not-a-url');
 });
+
+test('canonicalizeCloudUrl: apex agentrelay.com (no /cloud) → public canonical', () => {
+  // Previously the CLI's DEFAULT_CLOUD_URL was `https://agentrelay.com`,
+  // which sent every API call to the Next.js marketing site and 404'd.
+  // canonicalizeCloudUrl normalizes that mistake before it ever leaves
+  // the CLI.
+  assert.equal(
+    canonicalizeCloudUrl('https://agentrelay.com'),
+    'https://agentrelay.com/cloud'
+  );
+  assert.equal(
+    canonicalizeCloudUrl('https://agentrelay.com/'),
+    'https://agentrelay.com/cloud'
+  );
+});
+
+test('canonicalizeCloudUrl: apex with a non-root path is left untouched', () => {
+  // Only the bare apex is remapped — paths like /docs are valid surface area.
+  assert.equal(
+    canonicalizeCloudUrl('https://agentrelay.com/docs/runtimes'),
+    'https://agentrelay.com/docs/runtimes'
+  );
+});
+
+test('resolveCloudUrl: flag wins over env wins over active.json wins over default', () => {
+  // Flag wins.
+  assert.equal(
+    resolveCloudUrl({
+      flag: 'https://flag.example.test',
+      env: {
+        WORKFORCE_DEPLOY_CLOUD_URL: 'https://env.example.test',
+        WORKFORCE_CLOUD_URL: 'https://legacy-env.example.test'
+      },
+      active: { cloudUrl: 'https://active.example.test' }
+    }),
+    'https://flag.example.test'
+  );
+
+  // No flag → preferred env wins.
+  assert.equal(
+    resolveCloudUrl({
+      env: { WORKFORCE_DEPLOY_CLOUD_URL: 'https://env.example.test' },
+      active: { cloudUrl: 'https://active.example.test' }
+    }),
+    'https://env.example.test'
+  );
+
+  // Preferred env empty → legacy env wins.
+  assert.equal(
+    resolveCloudUrl({
+      env: {
+        WORKFORCE_DEPLOY_CLOUD_URL: '',
+        WORKFORCE_CLOUD_URL: 'https://legacy-env.example.test'
+      },
+      active: { cloudUrl: 'https://active.example.test' }
+    }),
+    'https://legacy-env.example.test'
+  );
+
+  // No env → active.json wins.
+  assert.equal(
+    resolveCloudUrl({
+      env: {},
+      active: { cloudUrl: 'https://active.example.test' }
+    }),
+    'https://active.example.test'
+  );
+});
+
+test('resolveCloudUrl: nothing set → canonical default', () => {
+  assert.equal(
+    resolveCloudUrl({ env: {}, active: null }),
+    'https://agentrelay.com/cloud'
+  );
+});
+
+test('resolveCloudUrl: active.json with bypass hostname is canonicalized', () => {
+  // The active.json file may still carry an origin.* hostname written by
+  // an older login flow. resolveCloudUrl repairs that on read.
+  assert.equal(
+    resolveCloudUrl({
+      env: {},
+      active: { cloudUrl: 'https://origin.agentrelay.cloud/cloud' }
+    }),
+    'https://agentrelay.com/cloud'
+  );
+});
+
+test('resolveCloudUrl: active.json with bare apex is canonicalized', () => {
+  assert.equal(
+    resolveCloudUrl({
+      env: {},
+      active: { cloudUrl: 'https://agentrelay.com' }
+    }),
+    'https://agentrelay.com/cloud'
+  );
+});
+
+test('resolveCloudUrl: whitespace-only candidates are skipped', () => {
+  assert.equal(
+    resolveCloudUrl({
+      flag: '   ',
+      env: { WORKFORCE_DEPLOY_CLOUD_URL: '  ', WORKFORCE_CLOUD_URL: '' },
+      active: { cloudUrl: '\t\n' }
+    }),
+    'https://agentrelay.com/cloud'
+  );
+});
diff --git a/packages/deploy/src/cloud-url.ts b/packages/deploy/src/cloud-url.ts
index 868a0c6..c9c4d1c 100644
--- a/packages/deploy/src/cloud-url.ts
+++ b/packages/deploy/src/cloud-url.ts
@@ -1,3 +1,6 @@
+import { defaultApiUrl } from '@agent-relay/cloud';
+import type { ActiveWorkspacePointer } from './login.js';
+
 /**
  * Canonicalize the workforce cloud URL to the public host the user logged
  * into, regardless of which edge / origin-bypass URL the auth response
@@ -16,6 +19,9 @@
  * Rules:
  *   - Map known-bypass hostnames (`origin.agentrelay.cloud`,
  *     `*.agentrelay.cloud`) → canonical `https://agentrelay.com/cloud`.
+ *   - Map the apex `agentrelay.com` (no `/cloud` basePath) → canonical
+ *     `https://agentrelay.com/cloud` so callers that hardcoded the apex
+ *     don't land on the Next.js marketing 404 page.
  *   - Leave other hostnames untouched (dev `localhost:*`, custom tenants,
  *     etc.) — only the cloud-bypass family is remapped.
  *   - Strip a trailing slash so equality comparisons in the rest of the
@@ -37,9 +43,64 @@ export function canonicalizeCloudUrl(input: string): string {
   if (host === 'agentrelay.cloud' || host.endsWith('.agentrelay.cloud')) {
     return 'https://agentrelay.com/cloud';
   }
+  if (
+    host === 'agentrelay.com'
+    && (url.pathname === '' || url.pathname === '/')
+  ) {
+    // Apex without the /cloud basePath would route to the marketing site
+    // and 404 every API call. Public docs/login flows always include the
+    // /cloud prefix — treat the bare apex as a user mistake and fix it
+    // before it produces a wall of HTML in error messages.
+    return 'https://agentrelay.com/cloud';
+  }
   return stripTrailingSlash(url.toString());
 }
 
+/**
+ * Single source of truth for "which cloud URL should this CLI invocation
+ * talk to?" Resolution order, top wins:
+ *
+ *   1. Explicit `--cloud-url` flag.
+ *   2. `WORKFORCE_DEPLOY_CLOUD_URL` (preferred env override).
+ *   3. `WORKFORCE_CLOUD_URL` (legacy env override).
+ *   4. `cloudUrl` recorded in `~/.agentworkforce/active.json` by
+ *      `agentworkforce login`.
+ *   5. `defaultApiUrl()` from `@agent-relay/cloud` (the public canonical
+ *      URL — currently `https://agentrelay.com/cloud`).
+ *
+ * The result is always run through {@link canonicalizeCloudUrl} so
+ * downstream consumers never see an origin-bypass hostname or the
+ * `/cloud`-less apex.
+ */
+export function resolveCloudUrl(context: CloudUrlContext = {}): string {
+  const env = context.env ?? process.env;
+  const raw = firstTruthy(
+    context.flag,
+    env.WORKFORCE_DEPLOY_CLOUD_URL,
+    env.WORKFORCE_CLOUD_URL,
+    context.active?.cloudUrl,
+    defaultApiUrl()
+  );
+  return canonicalizeCloudUrl(raw);
+}
+
+export interface CloudUrlContext {
+  /** Explicit `--cloud-url` flag value, if any. */
+  flag?: string | undefined;
+  /** Process env override; defaults to `process.env`. Pass `{}` to ignore env. */
+  env?: NodeJS.ProcessEnv;
+  /** Active workspace pointer read from `~/.agentworkforce/active.json`. */
+  active?: Pick<ActiveWorkspacePointer, 'cloudUrl'> | null | undefined;
+}
+
+function firstTruthy(...candidates: Array<string | undefined>): string {
+  for (const candidate of candidates) {
+    const trimmed = candidate?.trim();
+    if (trimmed) return trimmed;
+  }
+  return '';
+}
+
 function stripTrailingSlash(value: string): string {
   return value.replace(/\/+$/, '');
 }
diff --git a/packages/deploy/src/deploy.test.ts b/packages/deploy/src/deploy.test.ts
index a008698..0854800 100644
--- a/packages/deploy/src/deploy.test.ts
+++ b/packages/deploy/src/deploy.test.ts
@@ -708,3 +708,81 @@ test('--mode cloud uses the workspace token resolver before launching', async ()
     await cleanup();
   }
 });
+
+test('deploy: default auth resolver honors env credentials without a workspaceAuth resolver', async () => {
+  // Regression guard for the orchestrator wiring change in this PR. The
+  // previous default (`envWorkspaceAuth()`) only consulted env vars and a
+  // long-dead keychain; the new default delegates to `resolveWorkspaceToken`,
+  // which still honors WORKFORCE_WORKSPACE_TOKEN + WORKFORCE_WORKSPACE_ID
+  // as Tier 1 but additionally falls through to the shared cloud-auth +
+  // active.json pointer. This test exercises the Tier 1 path end-to-end
+  // through `deploy()` with no resolver injection — proving the wiring is
+  // intact for CI users while the filesystem-fallback paths stay covered
+  // by `login.test.ts`.
+  const { personaPath, cleanup } = await withTempPersona(
+    basePersonaJson({ integrations: {} })
+  );
+
+  await withWorkspaceEnv({ workspace: 'env-ws', token: 'env-tok' }, async () => {
+    let launched = false;
+    const result = await deploy(
+      { personaPath, mode: 'dev', noConnect: true, io: createBufferedIO() },
+      {
+        bundle: successfulBundleStager(),
+        modes: { dev: successfulDevLauncher(() => { launched = true; }) }
+      }
+    );
+    assert.equal(result.workspace, 'env-ws');
+    assert.equal(launched, true);
+  });
+
+  await cleanup();
+});
+
+test('deploy: clear error when nothing resolves and noPrompt is set', async () => {
+  // Without env or an explicit resolver, the orchestrator must surface
+  // an actionable error rather than wedging in a prompt loop. Setting
+  // `noPrompt` forces `resolveWorkspaceToken` to throw at Tier 3 instead
+  // of opening a browser, so we get a deterministic error path to assert.
+  const { personaPath, cleanup } = await withTempPersona(
+    basePersonaJson({ integrations: {} })
+  );
+
+  await withWorkspaceEnv({ workspace: undefined, token: undefined }, async () => {
+    // Point filesystem-backed auth at definitely-missing/disabled paths so the
+    // test doesn't accidentally pick up host credentials.
+    const previousActiveFile = process.env.WORKFORCE_ACTIVE_WORKSPACE_FILE;
+    const previousLoginFile = process.env.WORKFORCE_LOGIN_FILE;
+    const previousDisableShared = process.env.WORKFORCE_DISABLE_SHARED_AUTH;
+    process.env.WORKFORCE_ACTIVE_WORKSPACE_FILE = path.join(os.tmpdir(), 'wf-deploy-test-missing-active.json');
+    process.env.WORKFORCE_LOGIN_FILE = path.join(os.tmpdir(), 'wf-deploy-test-missing-login.json');
+    process.env.WORKFORCE_DISABLE_SHARED_AUTH = '1';
+    try {
+      await assert.rejects(
+        deploy(
+          { personaPath, mode: 'dev', noConnect: true, noPrompt: true, io: createBufferedIO() },
+          { bundle: successfulBundleStager(), modes: { dev: successfulDevLauncher() } }
+        ),
+        /no workspace credentials resolved|workspace is required for deploy/
+      );
+    } finally {
+      if (previousActiveFile === undefined) {
+        delete process.env.WORKFORCE_ACTIVE_WORKSPACE_FILE;
+      } else {
+        process.env.WORKFORCE_ACTIVE_WORKSPACE_FILE = previousActiveFile;
+      }
+      if (previousLoginFile === undefined) {
+        delete process.env.WORKFORCE_LOGIN_FILE;
+      } else {
+        process.env.WORKFORCE_LOGIN_FILE = previousLoginFile;
+      }
+      if (previousDisableShared === undefined) {
+        delete process.env.WORKFORCE_DISABLE_SHARED_AUTH;
+      } else {
+        process.env.WORKFORCE_DISABLE_SHARED_AUTH = previousDisableShared;
+      }
+    }
+  });
+
+  await cleanup();
+});
diff --git a/packages/deploy/src/deploy.ts b/packages/deploy/src/deploy.ts
index 52ec36b..9c82084 100644
--- a/packages/deploy/src/deploy.ts
+++ b/packages/deploy/src/deploy.ts
@@ -2,6 +2,7 @@ import path from 'node:path';
 import { mkdir } from 'node:fs/promises';
 import { defaultApiUrl } from '@agent-relay/cloud';
 import { bundleStager } from './bundle.js';
+import { resolveCloudUrl } from './cloud-url.js';
 import {
   connectIntegrations,
   envIntegrationResolver,
@@ -12,7 +13,11 @@ import {
   type ProviderSubscriptionResolver
 } from './connect.js';
 import { createTerminalIO } from './io.js';
-import { envWorkspaceAuth, type WorkspaceAuth } from './login.js';
+import {
+  readActiveWorkspace,
+  resolveWorkspaceToken,
+  type WorkspaceAuth
+} from './login.js';
 import { devLauncher } from './modes/dev.js';
 import { sandboxLauncher } from './modes/sandbox.js';
 import { cloudLauncher } from './modes/cloud.js';
@@ -145,18 +150,37 @@ export async function deploy(opts: DeployOptions, resolvers: DeployResolvers = {
   }
 
   const mode: DeployMode = opts.mode ?? pickMode(opts);
-  const { workspace, token } = await (resolvers.workspaceAuth ?? envWorkspaceAuth()).resolveWorkspace({
-    override: opts.workspace,
-    io
+  const active = await readActiveWorkspace().catch(() => null);
+  const cloudUrl = resolveCloudUrl({
+    ...(opts.cloudUrl ? { flag: opts.cloudUrl } : {}),
+    active
   });
+
+  // Auth resolution: an explicit `resolvers.workspaceAuth` (used by tests
+  // and bespoke harnesses) wins. Otherwise consult the shared resolver
+  // that walks env → cloud-auth.json → active.json → legacy keychain,
+  // which is the same path `list`/`destroy` and the cloud launcher use.
+  // The orchestrator historically called `envWorkspaceAuth()` directly,
+  // which only honoured WORKFORCE_WORKSPACE_TOKEN + a long-dead keychain —
+  // a user who freshly ran `agentworkforce login` would hit "no workspace
+  // resolved" because that flow only writes the shared accessToken and
+  // active.json pointer.
+  const resolvedAuth = resolvers.workspaceAuth
+    ? await resolvers.workspaceAuth.resolveWorkspace({ override: opts.workspace, io })
+    : await resolveWorkspaceToken({
+        ...(opts.workspace ? { workspace: opts.workspace } : {}),
+        cloudUrl,
+        io,
+        ...(opts.noPrompt ? { noPrompt: true } : {})
+      });
+  const workspace = (resolvedAuth.workspace ?? opts.workspace ?? '').trim();
+  if (!workspace) {
+    throw new Error(
+      'workspace is required for deploy: pass --workspace, set WORKFORCE_WORKSPACE_ID, or run `agentworkforce login`'
+    );
+  }
   io.info(`workspace: ${workspace}`);
-  let activeToken = token;
-  const cloudUrl = normalizeCloudUrl(
-    opts.cloudUrl
-      ?? process.env.WORKFORCE_DEPLOY_CLOUD_URL
-      ?? process.env.WORKFORCE_CLOUD_URL
-      ?? defaultApiUrl()
-  );
+  let activeToken = resolvedAuth.token;
 
   const connectedIntegrations = await connectAndCollectIntegrations({
     persona: preflight.persona,
@@ -207,7 +231,7 @@ export async function deploy(opts: DeployOptions, resolvers: DeployResolvers = {
     ...(activeToken ? { workspaceToken: activeToken } : {}),
     ...(opts.detach ? { detach: true } : {}),
     ...(opts.byoSandbox ? { byoSandbox: true } : {}),
-    ...(opts.cloudUrl ? { cloudUrl: opts.cloudUrl } : {}),
+    ...(cloudUrl ? { cloudUrl } : {}),
     ...(opts.noPrompt ? { noPrompt: true } : {}),
     ...(opts.harnessSource ? { harnessSource: opts.harnessSource } : {}),
     ...(opts.byokKey ? { byokKey: opts.byokKey } : {}),
diff --git a/packages/deploy/src/error-format.test.ts b/packages/deploy/src/error-format.test.ts
new file mode 100644
index 0000000..9fe11e6
--- /dev/null
+++ b/packages/deploy/src/error-format.test.ts
@@ -0,0 +1,57 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import { formatHttpErrorBody } from './error-format.js';
+
+test('formatHttpErrorBody: empty body returns empty string', () => {
+  assert.equal(formatHttpErrorBody(''), '');
+  assert.equal(formatHttpErrorBody(null), '');
+  assert.equal(formatHttpErrorBody(undefined), '');
+  assert.equal(formatHttpErrorBody('   \n   '), '');
+});
+
+test('formatHttpErrorBody: short JSON body is returned untouched', () => {
+  const body = '{"error":"workspace not found"}';
+  assert.equal(formatHttpErrorBody(body), body);
+});
+
+test('formatHttpErrorBody: long body is truncated with a suffix', () => {
+  const body = 'a'.repeat(1000);
+  const formatted = formatHttpErrorBody(body, { maxLength: 100 });
+  assert.equal(formatted.startsWith('a'.repeat(100)), true);
+  assert.match(formatted, /more bytes truncated/);
+});
+
+test('formatHttpErrorBody: HTML body is replaced with a hint, body bytes suppressed', () => {
+  const html = '<!DOCTYPE html><html><head><title>404</title></head><body>'
+    + '<script src="/_next/static/chunks/main.js"></script>'.repeat(50)
+    + '</body></html>';
+  const formatted = formatHttpErrorBody(html);
+  // Must not include the raw HTML.
+  assert.equal(formatted.includes('<script'), false);
+  assert.equal(formatted.includes('<!DOCTYPE'), false);
+  // Must mention HTML and the size hint.
+  assert.match(formatted, /HTML/);
+  assert.match(formatted, /\d+ bytes/);
+});
+
+test('formatHttpErrorBody: HTML detection covers <html and Next.js 404 doctype variants', () => {
+  assert.match(formatHttpErrorBody('<!doctype html><html>...'), /HTML/);
+  assert.match(formatHttpErrorBody('<html lang="en">...'), /HTML/);
+  assert.match(formatHttpErrorBody('<HTML><head><title>x</title>'), /HTML/);
+});
+
+test('formatHttpErrorBody: includes the offending URL when provided', () => {
+  const html = '<!doctype html><html><head><title>404</title></head></html>';
+  const formatted = formatHttpErrorBody(html, {
+    url: 'https://agentrelay.com/api/v1/workspaces/abc/deployments'
+  });
+  assert.match(formatted, /https:\/\/agentrelay\.com\/api\/v1\/workspaces\/abc\/deployments/);
+});
+
+test('formatHttpErrorBody: a stray <h1> in plain text is NOT treated as HTML', () => {
+  // Bare angle brackets in JSON error messages shouldn't trigger the
+  // suppress path. The detector looks for the opening doctype / <html /
+  // <head>+<title> trio.
+  const body = '{"error":"got <h1> tag in input"}';
+  assert.equal(formatHttpErrorBody(body), body);
+});
diff --git a/packages/deploy/src/error-format.ts b/packages/deploy/src/error-format.ts
new file mode 100644
index 0000000..6deed3c
--- /dev/null
+++ b/packages/deploy/src/error-format.ts
@@ -0,0 +1,34 @@
+/**
+ * Format an HTTP response body for inclusion in a CLI error message.
+ *
+ * Common failure mode this guards against: the CLI hits the wrong URL
+ * (missing `/cloud` basePath, marketing-site fallthrough, etc.) and the
+ * server returns a full Next.js 404 page. Dumping the HTML verbatim
+ * produces an unreadable wall of `<script>` tags. This helper detects
+ * HTML and replaces it with a one-line hint that points at the cause.
+ *
+ * Non-HTML bodies are truncated to a reasonable length so a stray
+ * stack trace doesn't drown the actual error message.
+ */
+export function formatHttpErrorBody(
+  body: string | undefined | null,
+  opts: { maxLength?: number; url?: string } = {}
+): string {
+  const trimmed = (body ?? '').trim();
+  if (!trimmed) return '';
+  if (looksLikeHtml(trimmed)) {
+    const where = opts.url ? ` from ${opts.url}` : '';
+    return `server returned HTML${where} — likely wrong API root (basePath missing, or fell through to a marketing/landing page). Body suppressed (${trimmed.length} bytes).`;
+  }
+  const max = opts.maxLength ?? 300;
+  if (trimmed.length <= max) return trimmed;
+  return `${trimmed.slice(0, max)}... (${trimmed.length - max} more bytes truncated)`;
+}
+
+function looksLikeHtml(body: string): boolean {
+  const head = body.slice(0, 256).toLowerCase();
+  if (head.startsWith('<!doctype html')) return true;
+  if (head.startsWith('<html')) return true;
+  if (/<head[\s>]/.test(head) && /<title[\s>]/.test(head)) return true;
+  return false;
+}
diff --git a/packages/deploy/src/index.ts b/packages/deploy/src/index.ts
index d6236ab..5f68d48 100644
--- a/packages/deploy/src/index.ts
+++ b/packages/deploy/src/index.ts
@@ -44,7 +44,8 @@ export {
   type WorkspaceAuth,
   type WorkspaceAuthToken
 } from './login.js';
-export { canonicalizeCloudUrl } from './cloud-url.js';
+export { canonicalizeCloudUrl, resolveCloudUrl, type CloudUrlContext } from './cloud-url.js';
+export { formatHttpErrorBody } from './error-format.js';
 export { createTerminalIO, createBufferedIO, type BufferedIO } from './io.js';
 export { bundleStager } from './bundle.js';
 export { devLauncher } from './modes/dev.js';
diff --git a/packages/deploy/src/login.ts b/packages/deploy/src/login.ts
index 3a3a934..dd7f7e8 100644
--- a/packages/deploy/src/login.ts
+++ b/packages/deploy/src/login.ts
@@ -261,8 +261,16 @@ export async function resolveWorkspaceToken(args: {
  * Read the shared @agent-relay/cloud auth, refreshing if the accessToken
  * is expired and a refreshToken is available. Returns `null` on any
  * failure — callers fall through to the next resolution tier.
+ *
+ * Set `WORKFORCE_DISABLE_SHARED_AUTH=1` (or any truthy value) to skip
+ * the shared-auth read entirely. Primary use cases:
+ *   - Hermetic tests that must not pick up the host machine's
+ *     `~/.agent-relay/cloud-auth.json`.
+ *   - Users who want the CLI to behave as if they had never run
+ *     `agent-relay cloud login` (e.g. to force env-only operation in CI).
  */
 async function readSharedAuthForBearer(): Promise<StoredAuth | null> {
+  if (isTruthyEnv(process.env.WORKFORCE_DISABLE_SHARED_AUTH)) return null;
   const auth = await readStoredAuth().catch(() => null);
   if (!auth || !auth.accessToken) return null;
   if (!isExpired(auth.accessTokenExpiresAt)) return auth;
@@ -274,6 +282,12 @@ async function readSharedAuthForBearer(): Promise<StoredAuth | null> {
   }
 }
 
+function isTruthyEnv(value: string | undefined): boolean {
+  if (!value) return false;
+  const v = value.trim().toLowerCase();
+  return v === '1' || v === 'true' || v === 'yes' || v === 'on';
+}
+
 export async function loadWorkspaceToken(
   workspace?: string,
   cloudUrl?: string
@@ -346,6 +360,7 @@ async function readWorkspaceTokenFromCloudAuth(
   cloudUrl?: string
 ): Promise<StoredWorkspaceLogin | null> {
   if (usesWorkspaceLoginFileOverride()) return null;
+  if (isTruthyEnv(process.env.WORKFORCE_DISABLE_SHARED_AUTH)) return null;
   let auth = await readStoredAuth().catch(() => null);
   if (!auth) return null;