fix(auth): Improve OAuth credential detection and startup warning #747

Open
Shironex wants to merge 2 commits into v0.14.0rc from feature/bug-startup-warning-ignores-claude-oauth-credenti-fuzx


@Shironex Shironex commented Feb 2, 2026

  • Enhanced getClaudeAuthIndicators() to return detailed check information including file paths checked and specific error details for debugging
  • Added debug logging to server startup credential detection for easier troubleshooting in Docker environments
  • Show paths that were checked in the warning message to help users debug mount issues
  • Added support for CLAUDE_CODE_OAUTH_TOKEN environment variable
  • Return authType in verify-claude-auth response to distinguish between OAuth and CLI authentication methods
  • Updated UI to show specific success messages for Claude Code subscription vs generic CLI auth
  • Added Docker troubleshooting tips to sandbox risk dialog
  • Added comprehensive unit tests for OAuth credential detection scenarios

Closes #721

Summary by CodeRabbit

  • New Features

    • Added OAuth token authentication support and explicit reporting of the auth method (API key, OAuth, or CLI).
  • Improvements

    • More detailed authentication detection and richer diagnostics, including reported path checks and clearer success messages per auth type.
    • Added troubleshooting guidance for Docker environments in the setup UI.
  • Tests

    • Added comprehensive unit tests covering credential detection and edge cases.

- Enhanced getClaudeAuthIndicators() to return detailed check information
  including file paths checked and specific error details for debugging
- Added debug logging to server startup credential detection for easier
  troubleshooting in Docker environments
- Show paths that were checked in the warning message to help users debug
  mount issues
- Added support for CLAUDE_CODE_OAUTH_TOKEN environment variable
- Return authType in verify-claude-auth response to distinguish between
  OAuth and CLI authentication methods
- Updated UI to show specific success messages for Claude Code subscription
  vs generic CLI auth
- Added Docker troubleshooting tips to sandbox risk dialog
- Added comprehensive unit tests for OAuth credential detection scenarios

Closes #721

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@Shironex Shironex self-assigned this Feb 2, 2026
@Shironex Shironex added the Bug and Testers-Requested labels Feb 2, 2026

coderabbitai bot commented Feb 2, 2026

Walkthrough

Startup and verification now detect Claude authentication method (API key, OAuth token, or CLI) across server, platform, and UI; filesystem checks are structured and reported; UI shows auth-specific messages and a sandbox dialog now includes Docker troubleshooting tips.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Server startup & verify: apps/server/src/index.ts, apps/server/src/routes/setup/routes/verify-claude-auth.ts | Detects CLAUDE_CODE_OAUTH_TOKEN env var, preserves CLI auth indicators, logs detailed path/auth checks, and exposes authType (api_key \| oauth \| cli) in verify response. |
| Platform checks & types: libs/platform/src/system-paths.ts, libs/platform/src/index.ts | Adds FileCheckResult and DirectoryCheckResult types; ClaudeAuthIndicators gains checks with per-path existence/readability/parse results; credential detection refactored to record per-file outcomes. |
| UI API surface: apps/ui/src/lib/electron.ts, apps/ui/src/lib/http-api-client.ts | verifyClaudeAuth response type extended to optionally include `authType?: 'oauth' |
| UI behavior & content: apps/ui/src/components/views/setup-view/steps/claude-setup-step.tsx, apps/ui/src/components/dialogs/sandbox-risk-dialog.tsx | Adds cliAuthType state and conditional success messaging for OAuth vs CLI; sandbox risk dialog gains Docker troubleshooting steps and snippets. |
| Tests: libs/platform/tests/oauth-credential-detection.test.ts | Large Vitest suite simulating home dirs and filesystem permutations to validate OAuth/API key/CLI credential detection, formats, precedence, and edge cases. |

Sequence Diagram(s)

sequenceDiagram
    participant UI
    participant Server
    participant Platform
    participant FS as Filesystem

    UI->>Server: GET /verify-claude-auth
    Server->>Platform: getClaudeAuthIndicators()
    Platform->>FS: read settings.json, stats-cache, projects dir, credential files
    FS-->>Platform: per-path FileCheckResult / DirectoryCheckResult
    Platform-->>Server: ClaudeAuthIndicators (checks + cli indicators)
    Server->>Server: determine authType (api_key | oauth | cli)
    Server-->>UI: { success, authenticated, authType }
    UI->>UI: update cliAuthType state & render conditional message

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

Tests

🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main changes: improving OAuth credential detection and enhancing the startup warning, which aligns with the primary objectives. |
| Linked Issues check | ✅ Passed | The PR fully addresses issue #721 by implementing comprehensive OAuth credential detection at startup, improving error logging, and updating UI messages to distinguish between authentication methods. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to improving OAuth credential detection and startup warnings as specified in issue #721. Docker troubleshooting tips and UI updates support the main objective. |


@gemini-code-assist

Summary of Changes

Hello @Shironex, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refines the authentication mechanism for Claude, focusing on improving the clarity, debuggability, and user experience around credential detection. It introduces more detailed logging and error reporting for authentication checks, provides better feedback to users through specific UI messages and warning details, and expands support for OAuth tokens via environment variables. Additionally, it includes new troubleshooting guidance for Docker users and a robust set of unit tests to validate the enhanced detection logic.

Highlights

  • Improved Claude Authentication Detection: The getClaudeAuthIndicators() function has been significantly enhanced to provide detailed information about the authentication files and directories checked, including their paths, existence, readability, and any errors encountered. This aids in debugging authentication issues.
  • Enhanced Debugging and User Feedback: Extensive debug logging has been added to the server's startup credential detection process, especially useful for Docker environments. Warning messages for unconfigured authentication now include the specific file paths that were checked, helping users diagnose mount or permission problems.
  • New OAuth Environment Variable Support: The system now supports CLAUDE_CODE_OAUTH_TOKEN as an environment variable for OAuth authentication, providing an additional flexible method for credential configuration.
  • Granular Authentication Type Reporting: The verify-claude-auth endpoint now returns a specific authType (e.g., 'oauth', 'api_key', 'cli') to distinguish between different authentication methods. The UI has been updated to display tailored success messages, differentiating between a Claude Code subscription (OAuth) and generic CLI authentication.
  • Docker Troubleshooting Tips: The sandbox risk dialog in the UI now includes practical troubleshooting tips specifically for users running the application in Docker, addressing common issues related to environment variables and logging.
  • Comprehensive Unit Testing: A new suite of unit tests has been added to cover various OAuth credential detection scenarios, including different credential formats, missing files, malformed JSON, and edge cases, ensuring robustness and reliability of the authentication logic.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request significantly improves the OAuth credential detection and startup warnings. The changes to getClaudeAuthIndicators to return detailed check information and handle errors gracefully are excellent for debugging. The addition of comprehensive unit tests for credential detection scenarios is a major step forward in ensuring the robustness of this critical feature. The UI improvements, such as showing specific auth success messages and adding Docker troubleshooting tips, will greatly enhance the user experience. I've identified one high-severity logic bug in how multiple credential files are prioritized, which could lead to incorrect auth detection. With that addressed, this will be a very strong set of improvements.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@libs/platform/src/system-paths.ts`:
- Around line 1069-1076: The code sets settingsFileCheck.readable to true based
solely on systemPathAccess(settingsPath) which currently checks F_OK (existence)
and can be misleading; change the check to explicitly verify read permission
(use R_OK via systemPathAccess or an fs.access call with fs.constants.R_OK) when
determining settingsFileCheck.readable, keep result.hasSettingsFile true only if
existence check passes, and ensure the catch still assigns
settingsFileCheck.error; update references in this block (systemPathAccess,
settingsPath, settingsFileCheck.readable, result.hasSettingsFile) accordingly.
🧹 Nitpick comments (1)
libs/platform/tests/oauth-credential-detection.test.ts (1)

68-69: Use @automaker/platform entrypoint instead of relative module paths.

The getClaudeAuthIndicators function and related exports are available directly from the @automaker/platform public entrypoint. Relative imports from ../src/system-paths bypass the shared package interface. Switch to the platform barrel export to align with package architecture:

const { getClaudeAuthIndicators } = await import('@automaker/platform');

This applies to all similar dynamic imports in this test file.

- Updated getClaudeAuthIndicators() to ensure that empty or token-less credential files do not prevent the detection of valid credentials in subsequent paths.
- Improved error handling for settings file readability checks, providing clearer feedback on file access issues.
- Added unit tests to validate the new behavior, ensuring that the system continues to check all credential paths even when some files are empty or invalid.

This change improves the robustness of the credential detection process and enhances user experience by allowing for more flexible credential management.
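
The two fixes discussed in this thread (an explicit R_OK read-permission check rather than existence alone, and continuing past empty or token-less credential files), sketched as an added TypeScript example. It is not the project's code: the FileCheck shape, the oauthToken field and the fixture file names are assumptions made for illustration.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Per-file outcome; the field names are assumptions for this example.
interface FileCheck { path: string; exists: boolean; readable: boolean; hasToken: boolean; error?: string }

function checkCredentialFile(file: string): FileCheck {
  const check: FileCheck = { path: file, exists: false, readable: false, hasToken: false };
  try {
    fs.accessSync(file, fs.constants.F_OK); // existence only
    check.exists = true;
    fs.accessSync(file, fs.constants.R_OK); // read permission is a separate question
    check.readable = true;
    const raw = fs.readFileSync(file, "utf8").trim();
    if (raw === "") return check; // empty file: recorded, but not a credential
    // Hypothetical credential shape: { "oauthToken": "<non-empty string>" }
    const token = (JSON.parse(raw) as { oauthToken?: unknown } | null)?.oauthToken;
    check.hasToken = typeof token === "string" && token.length > 0;
  } catch (err) {
    check.error = err instanceof Error ? err.message : String(err);
  }
  return check;
}

// Evaluate every candidate path: an empty, malformed or token-less file
// never short-circuits the search for a usable credential later in the list.
function detectCredentials(paths: string[]): { found: boolean; checks: FileCheck[] } {
  const checks = paths.map(checkCredentialFile);
  return { found: checks.some((c) => c.hasToken), checks };
}

// Constructed fixtures in a throwaway directory (file names are made up).
function demo(): { found: boolean; checks: FileCheck[] } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "cred-check-"));
  const fixtures: [string, string][] = [
    ["empty.json", ""],
    ["malformed.json", "{not json"],
    ["tokenless.json", '{"other":"value"}'],
    ["valid.json", '{"oauthToken":"constructed-sample-token"}'],
  ];
  const paths = fixtures.map(([name, body]) => {
    const p = path.join(dir, name);
    fs.writeFileSync(p, body);
    return p;
  });
  return detectCredentials([...paths, path.join(dir, "missing.json")]);
}
```

Returning the full checks array alongside the verdict is what lets a startup warning list each path that was tried and why it was rejected.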