fix: route interactive + implicit-context consumers through ephemeral context (PLA-1590)

Codex's round-5 review showed B+ (commit b5667e2) only covered half the
surface: my new helpers (CurrentProjectID etc.) plus a few skip-write
guards in project create / deploy. Two whole entry classes still walked
straight past them.

Path 1 — interactive ParamFiller bypass:

  $ zeabur workspace switch team-A
  $ zeabur context set project --id <team-A-project>
  $ zeabur --workspace team-B service restart    # interactive (default)

`runRestartInteractive` passed the raw `f.Config.GetContext()` to
ParamFiller.ServiceByNameWithEnvironment. The filler read team-A's
pinned project ID as `projectCtx.GetProject().GetID()`, used it as the
project scope for SelectService, and quietly restarted team-A's
service while the user thought they were operating on team-B. Worse,
when the persisted context was empty the filler called
`projectCtx.SetProject(picked)` and *wrote* the team-B project under
the persisted team-A workspace — cross-team contamination that
survived the command. Same shape across
service/{restart,delete,suspend,exec,network,port-forward,redeploy,
instruction,metric,get,update/tag},
variable/{create,delete,env,list,update},
deployment/{get,log,list},
domain/{create,delete,list}.

Path 2 — `project get/delete` PreRunE auto-fill:

  $ zeabur --workspace team-B project delete --yes -i=false   # no --id

`util.DefaultIDNameByContext(f.Config.GetContext().GetProject(), ...)`
was bound at Cobra command-construction time and unconditionally
copied team-A's persisted project ID into opts.id. The runE then
deleted team-A's project, even though every flag on the line said
team-B.

Fix: ephemeral context + EffectiveContext audit.

1. New `zcontext.NewEphemeralContext(workspace)` — an in-memory Context
   implementation that starts empty, writes to memory only, and reports
   the supplied workspace via GetWorkspace() (so consumers that ask
   "what workspace is this context for?" get the override answer
   rather than personal — a second-order trap Codex flagged).
2. New `Factory.EffectiveContext() zcontext.Context`:
   - Without override: returns the persisted config context, byte-
     equivalent to today.
   - Under override: lazy-initialises a per-Factory ephemeral context
     and returns it for every subsequent call (so ParamFiller's
     `Set → later Get` cycle still works in-process; nothing leaks to
     disk).
3. 24 interactive callers swap `f.Config.GetContext()` for
   `f.EffectiveContext()`: every service/, variable/, deployment/,
   domain/ command that ran ParamFiller.
4. project get/delete PreRunE swap to a lazy closure so
   EffectiveContext is resolved at PreRunE time (after PersistentPreRunE
   parses `--workspace`), not at command construction. The signature of
   util.DefaultIDNameByContext changes from `BasicInfo` to
   `func() BasicInfo` to make that lazy evaluation explicit.
5. `context get` reads EffectiveContext and, under override, prints an
   extra "Note: --workspace is one-shot; persisted ... is not used"
   line for human-readable output. JSON output stays structurally
   identical so scripts keep parsing.
6. `context clear` rejects under override — clearing belongs to the
   persisted state, not a one-shot override.
7. Deleted internal/util.NeedProjectContextWhenNonInteractive and
   DefaultIDByContext — both had zero callers and would re-introduce
   the same pattern if revived from copy/paste later.

What stays on `f.Config.GetContext()` (intentional):
workspace/{switch,clear}, auth/logout, root.go's lazy workspace
verify, context/{set,clear} command bodies (set already rejects
override; clear now does too), project create / deploy interactive
flows (already wrapped in `if !HasWorkspaceOverride` from b5667e2 with
a user-visible hint).

Tests:

zcontext/ephemeral_test.go (new):
  TestEphemeralContext_WorkspaceFromConstructor
  TestEphemeralContext_NilWorkspaceIsPersonal
  TestEphemeralContext_ReadEmptyByDefault
  TestEphemeralContext_SetReadCycleWorksInMemory
  TestEphemeralContext_ClearAll

cmdutil/factory_test.go (added):
  TestFactory_EffectiveContext_NoOverride
  TestFactory_EffectiveContext_OverrideReturnsEphemeral_WithWorkspace
  TestFactory_EffectiveContext_OverrideCachedWithinCommand
  TestFactory_EffectiveContext_OverridePersistedUnpolluted

Dev-2 E2E (this round):
  C1: --workspace team-B service delete --name redis (interactive,
      persisted=team-A + pinned project) → opens Select project from
      team-B; for-clone-test redis NOT deleted (verified via list).
  C3: --workspace team-B project delete --yes -i=false (no --id) →
      "please specify project by --name or --id"; for-clone-test
      project NOT deleted.
  C4: --workspace team-B context get → all inner context shows
      "<not set>" + the Note line; --json stays structurally clean.
  C5: --workspace team-B context clear → rejected with actionable
      hint pointing at workspace switch.
  C6: no override → context get reads persisted normally
      (back-compat red line).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: BruceDu521

internal/cmd/context/clear/clear.go

@@ -1,6 +1,8 @@
 package clear
 
 import (
+	"fmt"
+
 	"github.com/spf13/cobra"
 
 	"github.com/zeabur/cli/internal/cmdutil"
@@ -24,6 +26,18 @@ func NewCmdClear(f *cmdutil.Factory) *cobra.Command {
 }
 
 func runClear(f *cmdutil.Factory, opts *Options) error {
+	// `context clear` modifies the persisted inner context. Under a
+	// `--workspace` override the persisted state belongs to a (potentially)
+	// different workspace than the user thinks they're in, so silently
+	// clearing it would surprise them. Reject up front and tell them to
+	// switch first if they really mean to wipe the persisted context
+	// (PLA-1590 B+).
+	if f.HasWorkspaceOverride() {
+		return fmt.Errorf(
+			"`context clear` cannot be combined with `--workspace`; the override does not modify persisted context",
+		)
+	}
+
 	confirm := true
 
 	if f.Interactive {

internal/cmd/context/get/get.go

@@ -23,9 +23,14 @@ func NewCmdGet(f *cmdutil.Factory) *cobra.Command {
 }
 
 func runGet(f *cmdutil.Factory, opts *Options) error {
-	project := f.Config.GetContext().GetProject()
-	environment := f.Config.GetContext().GetEnvironment()
-	service := f.Config.GetContext().GetService()
+	// Use the effective context so `--workspace` override truthfully shows
+	// "(not set)" for inner context — displaying the persisted team-A
+	// project under an override to team-B would mislead the user into
+	// thinking it's available there (PLA-1590 B+).
+	ctx := f.EffectiveContext()
+	project := ctx.GetProject()
+	environment := ctx.GetEnvironment()
+	service := ctx.GetService()
 
 	header := []string{"Context", "Name", "ID"}
 	data := [][]string{
@@ -56,5 +61,13 @@ func runGet(f *cmdutil.Factory, opts *Options) error {
 
 	f.Printer.Table(header, data)
 
+	// Human-readable mode also tells the user *why* everything is unset when
+	// they're running under a `--workspace` override, so they don't
+	// misread it as a config bug. JSON mode stays structurally clean
+	// (no prose mixed into the payload) so scripts keep parsing it.
+	if f.HasWorkspaceOverride() {
+		f.Log.Info("Note: --workspace is one-shot; persisted project/service/environment context is not used.")
+	}
+
 	return nil
 }

internal/cmd/deployment/get/get.go

@@ -49,7 +49,7 @@ func runGet(f *cmdutil.Factory, opts *Options) error {
 
 func runGetInteractive(f *cmdutil.Factory, opts *Options) error {
 	if opts.deploymentID == "" {
-		zctx := f.Config.GetContext()
+		zctx := f.EffectiveContext()
 		_, err := f.ParamFiller.ServiceByNameWithEnvironment(fill.ServiceByNameWithEnvironmentOptions{
 			ProjectCtx:    zctx,
 			ServiceID:     &opts.serviceID,

internal/cmd/deployment/list/list.go

@@ -45,7 +45,7 @@ func runList(f *cmdutil.Factory, opts *Options) error {
 }
 
 func runListInteractive(f *cmdutil.Factory, opts *Options) error {
-	zctx := f.Config.GetContext()
+	zctx := f.EffectiveContext()
 	_, err := f.ParamFiller.ServiceByNameWithEnvironment(fill.ServiceByNameWithEnvironmentOptions{
 		ProjectCtx:    zctx,
 		ServiceID:     &opts.serviceID,

internal/cmd/deployment/log/log.go

@@ -61,7 +61,7 @@ func runLog(f *cmdutil.Factory, opts *Options) error {
 
 func runLogInteractive(f *cmdutil.Factory, opts *Options) error {
 	if opts.deploymentID == "" {
-		zctx := f.Config.GetContext()
+		zctx := f.EffectiveContext()
 		_, err := f.ParamFiller.ServiceByNameWithEnvironment(fill.ServiceByNameWithEnvironmentOptions{
 			ProjectCtx:    zctx,
 			ServiceID:     &opts.serviceID,

internal/cmd/domain/create/create.go

@@ -52,7 +52,7 @@ func runCreateDomain(f *cmdutil.Factory, opts *Options) error {
 }
 
 func runCreateDomainInteractive(f *cmdutil.Factory, opts *Options) error {
-	zctx := f.Config.GetContext()
+	zctx := f.EffectiveContext()
 
 	if _, err := f.ParamFiller.ServiceByNameWithEnvironment(fill.ServiceByNameWithEnvironmentOptions{
 		ProjectCtx:    zctx,

internal/cmd/domain/delete/delete.go

@@ -50,7 +50,7 @@ func runDeleteDomain(f *cmdutil.Factory, opts *Options) error {
 }
 
 func runDeleteDomainInteractive(f *cmdutil.Factory, opts *Options) error {
-	zctx := f.Config.GetContext()
+	zctx := f.EffectiveContext()
 
 	if _, err := f.ParamFiller.ServiceByNameWithEnvironment(fill.ServiceByNameWithEnvironmentOptions{
 		ProjectCtx:    zctx,

internal/cmd/domain/list/list.go

@@ -47,7 +47,7 @@ func runListDomains(f *cmdutil.Factory, opts *Options) error {
 }
 
 func runListDomainsInteractive(f *cmdutil.Factory, opts *Options) error {
-	zctx := f.Config.GetContext()
+	zctx := f.EffectiveContext()
 
 	if _, err := f.ParamFiller.ServiceByNameWithEnvironment(fill.ServiceByNameWithEnvironmentOptions{
 		ProjectCtx:    zctx,

internal/cmd/project/delete/delete.go

@@ -8,6 +8,7 @@ import (
 	"github.com/zeabur/cli/internal/cmdutil"
 	"github.com/zeabur/cli/internal/util"
 	"github.com/zeabur/cli/pkg/model"
+	"github.com/zeabur/cli/pkg/zcontext"
 )
 
 type Options struct {
@@ -23,7 +24,14 @@ func NewCmdDelete(f *cmdutil.Factory) *cobra.Command {
 		Use:     "delete",
 		Short:   "Delete project",
 		Aliases: []string{"del"},
-		PreRunE: util.DefaultIDNameByContext(f.Config.GetContext().GetProject(), &opts.id, &opts.name),
+		// Closure (not direct call) so EffectiveContext is resolved at
+		// PreRunE time — after PersistentPreRunE has parsed `--workspace`
+		// — instead of at Cobra construction time when the override flag
+		// has not yet been seen (PLA-1590 B+).
+		PreRunE: util.DefaultIDNameByContext(
+			func() zcontext.BasicInfo { return f.EffectiveContext().GetProject() },
+			&opts.id, &opts.name,
+		),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runDelete(f, opts)
 		},

internal/cmd/project/get/get.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/zeabur/cli/internal/cmdutil"
 	"github.com/zeabur/cli/pkg/model"
+	"github.com/zeabur/cli/pkg/zcontext"
 )
 
 type Options struct {
@@ -23,7 +24,14 @@ func NewCmdGet(f *cmdutil.Factory) *cobra.Command {
 		Use:     "get",
 		Short:   "Get project",
 		Long:    "Get project, use --id or --name to specify the project",
-		PreRunE: util.DefaultIDNameByContext(f.Config.GetContext().GetProject(), &opts.id, &opts.name),
+		// Closure (not direct call) so EffectiveContext is resolved at
+		// PreRunE time — after PersistentPreRunE has parsed `--workspace`
+		// — instead of at Cobra construction time when the override flag
+		// has not yet been seen (PLA-1590 B+).
+		PreRunE: util.DefaultIDNameByContext(
+			func() zcontext.BasicInfo { return f.EffectiveContext().GetProject() },
+			&opts.id, &opts.name,
+		),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runGet(f, opts)
 		},