feat: better authentication UX — proactive key check & key discovery #2796
ibetitsmike wants to merge 1 commit into main
Implements both parts of #1:
1. Proactive auth check on workspace select: Shows an inline warning banner in the chat input when the active model's provider is not configured or is disabled, before the user tries to send a message. Gateway-aware — suppressed when the model is routed through Mux Gateway.
2. Key discovery from other AI tools: New backend service scans known config locations (Claude Code, Codex CLI, aider, Continue.dev, shell RC files) for API keys and offers to import them during onboarding. Full keys never cross the IPC boundary — only masked previews. Import requires explicit user consent.
Closes #1
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6fab410599
| const pattern = new RegExp( | ||
| `^\\s*export\\s+${mapping.envVar}\\s*=\\s*["']?([^"'\\s#]+)["']?`, | ||
| "m" | ||
| ); | ||
| const match = pattern.exec(content); |
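Review bot: the capture class `[^"'\\s#]+` in this pattern also accepts `$` and backticks, so an RC line of the form `export NAME=$OTHER` or `export NAME=$(command)` is captured as if the unexpanded text were the key. Reject captures that begin with `$` or a backtick before treating them as a discovered credential. `mapping.envVar` is also interpolated into the RegExp source unescaped, which is only safe while those values are fixed identifier-style names; a comment or an assertion saying so would document the assumption.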
Parse the effective shell export value
The shell RC scanner calls pattern.exec(content) once per env var, so it always captures the first matching export line. In shell startup files, later assignments override earlier ones; when users rotate keys by appending a new export, discovery will import the stale value and the provider will still fail authentication after onboarding.
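The override rule described in this review comment, as an added TypeScript example that is not code from the PR: scan line by line, let the last `export` win, treat a shell expansion as unresolvable, and expose only a masked preview. The names `effectiveExport` and `maskKey`, the mask format and the sample RC text are assumptions constructed for illustration.

```typescript
// Added example (not from the PR). effectiveExport/maskKey are hypothetical names.

interface ExportHit {
  value: string; // full key: stays in the backend, never sent to the UI
  line: number;  // 1-based line of the winning assignment
}

// Value a shell would hold after sourcing `content`: the LAST matching
// `export NAME=...` line wins. If that line is an expansion ($VAR, $(cmd),
// or a backtick command) the value cannot be known statically: result is null.
function effectiveExport(content: string, envVar: string): ExportHit | null {
  // The name is interpolated into a RegExp, so accept identifiers only.
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(envVar)) {
    throw new Error(`invalid variable name: ${envVar}`);
  }
  // Same shape as the pattern under review, applied to one line at a time.
  const pattern = new RegExp(
    `^\\s*export\\s+${envVar}\\s*=\\s*["']?([^"'\\s#]+)["']?`
  );
  const lines = content.split(/\r?\n/);
  let hit: ExportHit | null = null;
  for (let i = 0; i < lines.length; i++) {
    const value = pattern.exec(lines[i] ?? "")?.[1];
    if (value === undefined) continue; // not an export of this variable
    const isExpansion = value.startsWith("$") || value.startsWith("`");
    hit = isExpansion ? null : { value, line: i + 1 }; // later lines override
  }
  return hit;
}

// Masked preview for display. Format is an assumption: last 4 characters only.
function maskKey(value: string): string {
  return value.length <= 8 ? "*".repeat(value.length) : "****" + value.slice(-4);
}

// Constructed sample RC file; the values are placeholders, not real keys.
const SAMPLE_RC = [
  "# constructed sample",
  'export OPENAI_API_KEY="sk-EXAMPLE-old-0001"',
  "alias ll='ls -l'",
  "# export OPENAI_API_KEY=sk-EXAMPLE-commented",
  'export OPENAI_API_KEY="sk-EXAMPLE-new-0002"',
  "export ANTHROPIC_API_KEY=$(pass show anthropic)",
].join("\n");

const found = effectiveExport(SAMPLE_RC, "OPENAI_API_KEY");
console.log(found ? `line ${found.line}: ${maskKey(found.value)}` : "no literal key");
```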
| // Pre-select all discovered keys | ||
| setSelectedKeys(new Set(keys.map((k) => `${k.provider}:${k.source}`))); |
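Review bot: the initial `setSelectedKeys(new Set(keys.map(...)))` call opts the user in to importing every discovered key, so clicking through the step copies all of them without any being chosen. For a step that imports credentials found in other tools' files, start from an empty `Set` and let the user tick the entries they want, so the consent is an action rather than a default.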
Require explicit choice for duplicate provider keys
This pre-selects every discovered key, including multiple entries for the same provider, and handleImportKeys then imports all selected entries in order. If two sources contain different keys for one provider, the later import silently overwrites the earlier one, so users can end up with an unintended/stale credential unless they manually detect and uncheck duplicates.
Summary
Implements both parts of #1:
Part 1: Ask for key before message
Shows an inline warning banner in the chat input area when the active workspace's model requires an unconfigured or disabled provider — before the user tries to send a message and gets an error.
New files:
- ProviderNotConfiguredBanner.tsx — banner component
- ProviderNotConfiguredBanner.test.tsx — 15 tests
Part 2: Authentication stealing (key discovery)
New backend service scans known AI tool config locations for API keys and offers to import them during onboarding with explicit user consent.
Sources scanned:
- Claude Code (~/.claude.json, ~/.config/claude/settings.json, ~/.claude/.env)
- Codex CLI (~/.codex/config.json, ~/.codex/auth.json)
- aider (~/.aider.conf.yml)
- Continue.dev (~/.continue/config.json)
- Shell RC files (.bashrc, .zshrc, .profile, .bash_profile)
Security:
- Config.saveProvidersConfig() with mode: 0o600
New files:
- keyDiscoveryService.ts — backend scanner + import logic
- keyDiscoveryService.test.ts — 27 tests
Modified files:
- schemas/api.ts — DiscoveredKeySchema, keyDiscovery.discover/import schemas
- schemas.ts — barrel re-export
- router.ts — oRPC handler implementations
- OnboardingWizardSplash.tsx — conditional wizard step with checkboxes + consent
- ChatInput/index.tsx — renders ProviderNotConfiguredBanner
Validation
- tsc --noEmit — 0 errors
- eslint — 0 errors
Closes #1