fix: Codex API key auth status detection

[wushap]

Summary

• refresh the old codex/fix-codex-auth-status branch onto the latest main
• fix Codex auth status reporting so API-key-based setups return a valid authenticated state
• detect API keys from the active Codex provider config via model_provider -> model_providers.<provider>.env_key
• preserve existing auth.json and OPENAI_API_KEY fallback behavior

Root Cause

The previous status check only looked at ~/.codex/auth.json and did not account for Codex configurations that use a custom model_provider with an env_key. Those setups can run successfully in Codex, but this UI incorrectly showed them as disconnected.

Validation

• npm run typecheck
• direct status verification against the current machine config

Summary by CodeRabbit

• Refactor
  • Improved authentication detection and handling for the Codex provider: the app now checks multiple credential sources (local config files and environment variable) and reports consistent status messages. This increases reliability when signing in or using API keys and yields a clearer "not configured" message when no credentials are found.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Credential detection was moved from instance methods to module-level helpers. The new exported checkStatus() inspects, in order: ~/.codex/auth.json (OAuth tokens or OPENAI_API_KEY), ~/.codex/config.toml (provider env_key → process.env), then process.env.OPENAI_API_KEY. Returns a consistent CodexCredentialsStatus with error: string | null.

Changes

Codex Auth Refactoring

Layer / File(s)	Summary
Data Shape server/modules/providers/list/codex/codex-auth.provider.ts	CodexCredentialsStatus.error is now `string
Credential Helpers server/modules/providers/list/codex/codex-auth.provider.ts	Added readEmailFromIdToken(), readAuthJsonStatus() to parse JWT/email and read ~/.codex/auth.json for OAuth tokens or embedded OPENAI_API_KEY.
Config Parsing server/modules/providers/list/codex/codex-auth.provider.ts	Added readConfigTomlStatus() to parse ~/.codex/config.toml, select model_providers[model_provider], extract env_key, and check process.env[env_key].
Orchestration server/modules/providers/list/codex/codex-auth.provider.ts	Added exported checkStatus() that queries auth.json → config.toml → process.env.OPENAI_API_KEY, handles ENOENT, and returns CodexCredentialsStatus with error:null on success or 'Codex not configured' on final failure.
Class Integration server/modules/providers/list/codex/codex-auth.provider.ts	CodexProviderAuth now delegates to the module-level checkStatus(); previous in-class credential logic removed.
Manifest package.json	Touched (listed in diff summary).

Suggested reviewers

• blackmammoth
• viper151

Poem

🐰 Hopping through files with cheer,

Tokens and keys now neatly appear,
auth.json, toml, then env in line,
checkStatus finds the code's sign,
A rabbit's nibble—credentials align.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: refactoring credential status detection for Codex API key authentication.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/providers/codex/status.js`:
- Around line 43-94: The current readTomlStringValue/getConfiguredProviderApiKey
logic uses regex and misses valid TOML forms; replace this ad-hoc parsing with
the existing `@iarna/toml` parser: in loadCodexConfig keep reading the file but in
getConfiguredProviderApiKey parse the file content with
require('@iarna/toml').parse(content), read parsed.model_provider and then look
up parsed.model_providers[providerId].env_key (with null checks), then read
process.env[envKey] and return { envKey, apiKey } or null; remove/stop using
readTomlStringValue and ensure parsing errors are caught and cause
getConfiguredProviderApiKey to return null.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3749f2c4-99ba-4fbd-933c-ed9fd23a9462

📥 Commits

Reviewing files that changed from the base of the PR and between 25b00b5 and cd55631.

📒 Files selected for processing (1)

• server/providers/codex/status.js

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/providers/codex/status.js`:
- Around line 66-104: The authentication check in checkCredentials wrongly
prefers generic env vars before the active provider; change checkCredentials to
call loadCodexConfig() and getConfiguredProviderApiKey(config) first and return
authenticated if that returns a valid envKey/apiKey, and only if no configured
provider API key is found fall back to checking process.env.CODEX_API_KEY and
process.env.OPENAI_API_KEY; keep the same return shape ({ authenticated: true,
email: 'API Key Auth', method: 'api_key' }) and ensure you still trim and
validate values as currently done in getConfiguredProviderApiKey and the generic
env checks.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 59cecfdd-3a32-4c89-935e-fce1b0ad3228

📥 Commits

Reviewing files that changed from the base of the PR and between cd55631 and a1bc64e.

📒 Files selected for processing (1)

• server/providers/codex/status.js

[blackmammoth]

Hey @wushap, thanks for the PR. We want to merge this. However, there has been some big refactor recently and a lot of code has moved around. Can you take a look at the current setup and resubmit the PR?

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/modules/providers/list/codex/codex-auth.provider.ts`:
- Around line 108-129: The current logic after readConfigTomlStatus falls
through to a "Codex not configured" error even when an OPENAI_API_KEY is present
in the process environment; restore the env-only fallback by checking
process.env.OPENAI_API_KEY (in codex-auth.provider.ts, around the
readConfigTomlStatus/codexHome block) and if set return the same authenticated
response used for API-key-based auth (authenticated: true, appropriate
email/method or method:'apiKey', error:null) instead of the "Codex not
configured" object so providers using only OPENAI_API_KEY appear connected.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: bdab540c-e00b-4337-a40b-b004c406bd3e

📥 Commits

Reviewing files that changed from the base of the PR and between 626aba3 and f9f02bf.

📒 Files selected for processing (1)

• server/modules/providers/list/codex/codex-auth.provider.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/modules/providers/list/codex/codex-auth.provider.ts`:
- Around line 97-121: The current catch blocks in the Codex auth probe (around
the read of auth.json and config.toml where readAuthJsonStatus and
readConfigTomlStatus are called) return immediately on non-ENOENT errors,
short-circuiting other credential sources (like process.env.OPENAI_API_KEY).
Change the logic to record or stash the non-ENOENT error (e.g., save a local
variable lastReadError or authReadError) and continue to the next probe (do not
return); after all credential sources (auth.json, config.toml, and environment)
have been checked, if none authenticated then return an unauthenticated result
that uses the most relevant stored error.message (or a combined message) as the
error field. Ensure you still treat ENOENT as non-fatal and proceed normally,
and reference codexHome and process.env where those probes run.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 4f484e0c-2adb-4d8c-a369-b5c8820c1397

📥 Commits

Reviewing files that changed from the base of the PR and between f9f02bf and 731db39.

📒 Files selected for processing (1)

• server/modules/providers/list/codex/codex-auth.provider.ts

[wushap]

Hey @wushap, thanks for the PR. We want to merge this. However, there has been some big refactor recently and a lot of code has moved around. Can you take a look at the current setup and resubmit the PR?

Done! I've updated the PR to match the new project structure. Tested locally and it's all good to go.