Inconsistency in client_key loading cli/knife

I'm still on a traditional layout working successfully with knife:

Layout

$WORKSPACE/.chef/knife.rb
$WORKSPACE/.chef/username.pem
$WORKSPACE/roles/
$WORKSPACE/cookbooks/
$WORKSPACE/nodes/
…

Relevant contents of $WORKSPACE/.chef/knife.rb

repo = '/path/to/workspace'

node_name 'rmoriz'
client_key  "#{repo}/.chef/rmoriz.pem"

No configs in ~/.chef!

Problems start with chef-cli when we evaluate Policyfiles.

what's working fine:

within $WORKSPACE

$ chef-cli show-policy
(result omitted)

but within $WORKSPACE/policyfiles OR
but within $WORKSPACE/cookbooks/cookbook_with_policyfile

$ chef-cli show-policy
[2024-12-07T01:22:43+01:00] WARN: Failed to read the private key rmoriz.pem: #<Errno::ENOENT: No such file or directory @ rb_sysopen - rmoriz.pem>
Error: Failed to list policyfile data from the server
Reason: (Chef::Exceptions::PrivateKeyMissing) I cannot read rmoriz.pem, which you told me to use to sign requests!

Looks like the logic to find the config file is not successfully traversing and/or losing the configuration setting for the key (maybe node_name + .pem overwrites my config setting?)

It breaks the whole Policyfile workflow.

From within the policy files directory, can you successfully run knife status? I'm guessing chef-cli isn't navigating the directories and is only looking or starting in $HOME/.chef. If knife works then that would be more evident that my theory is true; if not, then it may be another issue.

Yes, I can. Knife works.
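
A diagnostic for the lookup discussed in this thread, added here as an example; it is not code from chef-cli or knife. It assumes the config is located by walking up from the current directory to the first `.chef/config.rb` or `.chef/knife.rb`, and the helper names `find_chef_config`, `key_status` and `demo` are hypothetical. It shows which config a given working directory would pick up and whether a bare key name such as `rmoriz.pem` resolves to a readable signing key from there.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# File names searched for inside a .chef directory (assumption, see lead-in).
CONFIG_NAMES = %w[config.rb knife.rb].freeze

# Walk from start_dir up to the filesystem root and return the first
# .chef/config.rb or .chef/knife.rb found, or nil if there is none.
def find_chef_config(start_dir)
  Pathname.new(start_dir).expand_path.ascend do |dir|
    CONFIG_NAMES.each do |name|
      candidate = dir.join(".chef", name)
      return candidate.to_s if candidate.file?
    end
  end
  nil
end

# Report how a client_key value resolves when a command runs from cwd.
# A relative value depends on cwd; an absolute one does not.
def key_status(client_key, cwd)
  resolved = File.expand_path(client_key, cwd)
  { absolute: Pathname.new(client_key).absolute?,
    resolved: resolved,
    readable: File.readable?(resolved) }
end

# Constructed sample workspace mirroring the layout in the first post.
def demo
  Dir.mktmpdir do |ws|
    sub = File.join(ws, "cookbooks", "cookbook_with_policyfile")
    FileUtils.mkdir_p(File.join(ws, ".chef"))
    FileUtils.mkdir_p(sub)
    File.write(File.join(ws, ".chef", "knife.rb"), "node_name 'rmoriz'\n")
    # Placeholder file contents, not a real private key.
    File.write(File.join(ws, ".chef", "rmoriz.pem"), "constructed placeholder\n")
    { config: find_chef_config(sub),
      bare: key_status("rmoriz.pem", sub),
      full: key_status(File.join(ws, ".chef", "rmoriz.pem"), sub) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Calling `find_chef_config(Dir.pwd)` and `key_status` with the configured `client_key` from each failing directory separates "config not found" from "config found but key path resolved against the wrong directory".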