feat: better authentication UX — proactive key check & key discovery #2796
ibetitsmike wants to merge 10 commits into main from
Implements both parts of #1:
1. Proactive auth check on workspace select: Shows an inline warning banner in the chat input when the active model's provider is not configured or is disabled, before the user tries to send a message. Gateway-aware — suppressed when the model is routed through Mux Gateway.
2. Key discovery from other AI tools: New backend service scans known config locations (Claude Code, Codex CLI, aider, Continue.dev, shell RC files) for API keys and offers to import them during onboarding. Full keys never cross the IPC boundary — only masked previews. Import requires explicit user consent.
Closes #1
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6fab410599
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
- Shell RC scanner now uses global regex to find the *last* matching export line, matching real shell behavior where later assignments override earlier ones (key rotation).
- Onboarding wizard pre-selects only the first discovered key per provider; duplicates require explicit user choice.
- Run prettier on all changed files.
@codex review
💡 Codex Review
Reviewed commit: 77deb3d694
- Claude .env scanner: strip '# comment' and trailing ';' from values
- Shell RC regex: exclude ';' from captured token character class
- Added tests for both edge cases
@codex review
💡 Codex Review
Reviewed commit: b327cf8b9b
- Banner uses 'not configured' instead of 'API key required' for keyless providers (bedrock, ollama).
- Aider YAML parser strips inline # comments from values.
- Added tests for both.
@codex review
💡 Codex Review
Reviewed commit: 3939ec05c9
@codex review
💡 Codex Review
Reviewed commit: 5eec6be9f7
@codex review
💡 Codex Review
Reviewed commit: b566ce8ceb
@codex review
💡 Codex Review
Reviewed commit: 029647089a
@codex review
💡 Codex Review
Reviewed commit: dc1a6b8c96
- importDiscoveredKey accepts optional isProviderAllowed policy guard
- Router passes context.policyService check before import
- handleImportKeys skips already-successful entries
- Only the first selected source per provider is imported
@codex review
💡 Codex Review
Reviewed commit: 5aef9d1dbf
| { envVar: "GOOGLE_API_KEY", provider: "google" }, | ||
| { envVar: "GOOGLE_GENERATIVE_AI_API_KEY", provider: "google" }, |
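Review bot: Both entries map to provider "google", and the GOOGLE_API_KEY entry sits above GOOGLE_GENERATIVE_AI_API_KEY, so if the scanner takes the first match per provider, the order of this list silently decides which key is imported. State in a comment that list order is precedence, and add a test with an RC file that exports both variables so the chosen key is pinned down.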
Prefer generative Google env var when discovering shell keys
The shell scanner prioritizes GOOGLE_API_KEY before GOOGLE_GENERATIVE_AI_API_KEY, and because the loop short-circuits per provider (seen), a file that defines both will always import the former even when the latter is the intended active credential. That conflicts with runtime credential precedence (providerRequirements.ts prefers GOOGLE_GENERATIVE_AI_API_KEY first), so onboarding can import a stale Google key into providers.jsonc and then force auth failures because config keys override env fallbacks.
| discover: t | ||
| .input(schemas.keyDiscovery.discover.input) | ||
| .output(schemas.keyDiscovery.discover.output) | ||
| .handler(() => discoverApiKeys()), |
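Review bot: The discover handler takes no arguments and returns the result of discoverApiKeys() unchanged, so what reaches the renderer depends entirely on what that function returns. Since the PR states that only masked previews cross the IPC boundary, have discoverApiKeys() return preview-only objects rather than relying on the output schema to drop a full-key field, and add a test asserting that no full key appears in the discover response.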
Filter discovered keys with policy before exposing them
The discover endpoint returns all discovered keys without checking policy, while import immediately rejects blocked providers via isProviderAllowed; in enforced-policy environments this surfaces disallowed provider key previews in onboarding and offers imports that are guaranteed to fail. Filtering at discovery time (or before rendering) would keep policy behavior consistent and avoid exposing blocked-provider credential metadata.
Summary
Implements both parts of #1:
Part 1: Ask for key before message
Shows an inline warning banner in the chat input area when the active workspace's model requires an unconfigured or disabled provider — before the user tries to send a message and gets an error.
New files:
- ProviderNotConfiguredBanner.tsx — banner component
- ProviderNotConfiguredBanner.test.tsx — 15 tests
Part 2: Authentication stealing (key discovery)
New backend service scans known AI tool config locations for API keys and offers to import them during onboarding with explicit user consent.
Sources scanned:
- (~/.claude.json, ~/.config/claude/settings.json, ~/.claude/.env)
- (~/.codex/config.json, ~/.codex/auth.json)
- (~/.aider.conf.yml)
- (~/.continue/config.json)
- (.bashrc, .zshrc, .profile, .bash_profile)
Security:
- Config.saveProvidersConfig() with mode: 0o600
New files:
- keyDiscoveryService.ts — backend scanner + import logic
- keyDiscoveryService.test.ts — 27 tests
Modified files:
- schemas/api.ts — DiscoveredKeySchema, keyDiscovery.discover/import schemas
- schemas.ts — barrel re-export
- router.ts — oRPC handler implementations
- OnboardingWizardSplash.tsx — conditional wizard step with checkboxes + consent
- ChatInput/index.tsx — renders ProviderNotConfiguredBanner
Validation
- tsc --noEmit — 0 errors
- eslint — 0 errors
Closes #1
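The shell RC handling this PR describes (last export wins, ';' excluded from the captured token, masked previews only), combined with the policy filtering at discovery time that the review asks for, as an added example that is not the PR's code. The function names, the provider list, the mask format and the sample RC text are assumptions.

```typescript
// Added example, not the PR's code. Every name below is hypothetical.
type Provider = "anthropic" | "openai" | "google";
interface KeyPreview { provider: Provider; envVar: string; preview: string }

// List order is precedence: the generative-AI variable is tried first for Google.
const ENV_VARS: ReadonlyArray<{ envVar: string; provider: Provider }> = [
  { envVar: "ANTHROPIC_API_KEY", provider: "anthropic" },
  { envVar: "OPENAI_API_KEY", provider: "openai" },
  { envVar: "GOOGLE_GENERATIVE_AI_API_KEY", provider: "google" },
  { envVar: "GOOGLE_API_KEY", provider: "google" },
];

// Assumed mask format: at most the last 4 characters are shown.
function maskKey(key: string): string {
  return key.length <= 8 ? "****" : "****" + key.slice(-4);
}

// Returns the value of the LAST `export VAR=...` line, as the shell would see it.
// The token class stops at whitespace, quotes and ';', so a trailing separator
// or inline comment is never captured. envVar comes from ENV_VARS (no escaping).
function lastExport(rc: string, envVar: string): string | undefined {
  const re = new RegExp("^\\s*export\\s+" + envVar + "=[\"']?([^\\s\"';]+)", "gm");
  let value: string | undefined;
  let m: RegExpExecArray | null;
  while ((m = re.exec(rc)) !== null) value = m[1];
  return value;
}

// Policy is applied at discovery time, so a blocked provider yields no preview.
// Only the masked preview is returned; the full key stays inside this function.
function discoverFromShellRc(rc: string, isProviderAllowed: (p: Provider) => boolean): KeyPreview[] {
  const found: KeyPreview[] = [];
  for (const { envVar, provider } of ENV_VARS) {
    if (!isProviderAllowed(provider)) continue;
    if (found.some((f) => f.provider === provider)) continue;
    const key = lastExport(rc, envVar);
    if (key !== undefined) found.push({ provider, envVar, preview: maskKey(key) });
  }
  return found;
}

// Constructed sample input; the values are placeholders, not real keys.
const SAMPLE_RC = [
  'export ANTHROPIC_API_KEY="sk-ant-OLD-constructed-0001"',
  "# export OPENAI_API_KEY=sk-commented-out-0000",
  "export GOOGLE_API_KEY=g-legacy-constructed-1111; echo loaded",
  "export GOOGLE_GENERATIVE_AI_API_KEY=g-genai-constructed-2222  # active",
  "export ANTHROPIC_API_KEY=sk-ant-NEW-constructed-9999;",
].join("\n");
```

With the sample input, the rotated Anthropic key and the generative-AI Google key are the ones previewed, and a policy that blocks "google" removes that entry from the discovery result altogether.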