feat(den): add provider contract and managed sync #1939

Closed
pascalandr wants to merge 26 commits into different-ai:dev from Pagecran:pr/credential-contract-managed-sync

@pascalandr pascalandr commented May 24, 2026

Contributor

Dependency map

Pagecran/dev
`-- stack/provider-credential-contract-base          (A)
    |-- pr/den-managed-provider-sync                 (B)
    `-- stack/den-api-oauth-credential-handling      (C)
        |-- stack/oauth-device-flow-and-ui           (D)
        `-- stack/desktop-import-oauth-providers     (E)

Scope

  • Includes map parts: A + B.
  • Adds the LLM provider credential contract base for OAuth-backed OpenCode credentials.
  • Adds Den to worker managed-provider sync through a host-token-only runtime endpoint.
  • Includes Den API and server managed-provider sync behavior.

Tests

  • pnpm --filter @openwork-ee/den-db build - PASS.
  • From ee/apps/den-api: pnpm exec tsc -p tsconfig.json --noEmit - PASS.
  • From ee/apps/den-api: pnpm exec bun test test/managed-provider-sync.test.ts - PASS, 6 tests.
  • From apps/server: pnpm exec bun test src/managed-provider-sync.e2e.test.ts - PASS, 3 tests.

Linked issues

Add the LLM provider credential kind/opencode auth storage contract, migration, and passive credential redaction/flags needed by follow-up provider credential and worker sync PRs.
Include organization context variables in worker route typing so managed provider sync typechecks without changing runtime behavior.

vercel Bot commented May 24, 2026

Contributor

@pascalandr is attempting to deploy a commit to the Different AI Team on Vercel.

A member of the Team first needs to authorize it.

vercel Bot commented May 24, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| openwork-landing | Ready | Preview, Comment, Open in v0 | Jun 10, 2026 4:54pm |

Translate Den catalog model metadata through an explicit OpenCode-compatible allowlist before writing managed provider runtime config. Preserve boolean experimental values while dropping incompatible catalog metadata covered by focused regression tests.
Filter Den-managed provider-list responses to configured model IDs so OAuth providers keep native auth IDs without exposing the full OpenCode catalog. Adds focused regression coverage for OpenAI OAuth and NVIDIA API-key managed providers.
Apply only product code from the mixed integration commit for the managed provider sync PR branch, excluding workflow and evidence artifacts.

@cubic-dev-ai cubic-dev-ai Bot left a comment

3 issues found across 10 files

Comment thread ee/apps/den-api/src/routes/workers/managed-providers.ts
Comment thread ee/apps/den-api/src/routes/org/llm-providers.ts Outdated
Comment thread apps/server/src/server.ts Outdated
Merge upstream/dev into pr/credential-contract-managed-sync and resolve managed-provider sync route plus Den DB migration numbering conflicts.
Ensure Den-managed providers remain visible to the desktop model picker when OpenCode returns an empty connected provider list, and cover the static Den regression.
Use OpenCode's PUT /auth/{providerID} contract with the auth object as the request body so Den-managed API key and OAuth credentials are applied before runtime model invocation.
Add the managed-provider sync 502 OpenAPI response, correct OAuth credential presence reporting, and roll back opencode config writes when runtime auth application fails.
…ct-managed-sync

# Conflicts:
#	ee/packages/den-db/drizzle/meta/_journal.json
Import the JSONC path updater used by managed provider sync so runtime config writes succeed before auth is applied and rollback tests remain meaningful.
Remove stale managed providers and auth during authoritative Den sync, roll back auth writes on failed sync attempts, and filter revoked providers from runtime provider lists.

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 4 files (changes from recent commits).

Comment thread apps/server/src/server.ts Outdated
Update managed-provider sync proxy assertions to use the normal bearer token path so the tests remain valid after host tokens are limited to host-only routes.
Move stale managed-provider auth deletion after config commit so rollback never restores config that references already-deleted stale auth, with regression coverage for deletion failure.

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 2 files (changes from recent commits).

Comment thread apps/server/src/server.ts
Keep stale managed provider IDs in metadata until auth deletion succeeds so failed stale cleanup remains retryable without restoring config that references deleted auth.
Sync only to healthy current worker runtimes and restore prior provider auth on failed runtime credential updates.

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 4 files (changes from recent commits).

Comment thread apps/server/src/server.ts
Validate managed provider runtime id uniqueness before mutating config or auth state so rollback snapshots cannot be overwritten by duplicate payload entries. Adds a regression proving duplicate ids fail without touching existing auth.
Add an explicit array guard around provider-list model filtering and cover array-shaped provider model lists so managed allowlists do not collapse them through numeric Object.entries keys.
Filter array-shaped provider-list models by Den managed-provider allowlists while preserving array shape. Adds regression coverage so allowed model ids remain visible and disallowed ids are removed.
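
The duplicate-id check and the array guard described in the three commit messages above, as an added example that is not code from this pull request. Function names, data shapes and model ids are constructed for illustration, and passing unmanaged providers through unchanged is an assumption of this sketch.

```javascript
// Added example: names, shapes and sample data are constructed, not the PR's code.

// Reject a sync payload that names the same runtime provider id twice,
// before any config or auth state is touched.
function assertUniqueProviderIds(providers) {
  const seen = new Set();
  for (const { id } of providers) {
    if (seen.has(id)) throw new Error(`duplicate managed provider id: ${id}`);
    seen.add(id);
  }
}

// Naive filter: treats every model list as an id-keyed object. For an array,
// Object.entries yields the keys "0", "1", ... which never match an allowlist,
// so the whole list collapses to {}.
function filterModelsNaive(models, allowed) {
  return Object.fromEntries(
    Object.entries(models).filter(([id]) => allowed.has(id)));
}

// Guarded filter: arrays are filtered by each entry's own id and stay arrays;
// id-keyed objects are filtered by key and stay objects.
function filterModels(models, allowed) {
  if (Array.isArray(models)) {
    return models.filter((m) => m && typeof m.id === "string" && allowed.has(m.id));
  }
  if (models === null || typeof models !== "object") return {};
  return Object.fromEntries(
    Object.entries(models).filter(([id]) => allowed.has(id)));
}

// Apply per-provider allowlists to a provider-list response. Providers with
// no allowlist entry pass through unchanged (assumption for this sketch).
function filterProviderList(providers, allowlists) {
  return providers.map((p) => {
    const allowed = allowlists.get(p.id);
    return allowed ? { ...p, models: filterModels(p.models, allowed) } : p;
  });
}

// Constructed sample data: one array-shaped and one object-shaped model list.
const sampleAllowlists = new Map([
  ["openai", new Set(["gpt-a"])],
  ["nvidia", new Set(["nemo-x"])],
]);
const sampleProviders = [
  { id: "openai", models: [{ id: "gpt-a" }, { id: "gpt-b" }] },
  { id: "nvidia", models: { "nemo-x": {}, "nemo-y": {} } },
];
```
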
cubic-dev-ai Bot commented Jun 10, 2026


You're iterating quickly on this pull request. To help protect your rate limits, cubic has paused automatic reviews on new pushes for now—when you're ready for another review, comment @cubic-dev-ai review.

@pascalandr

Contributor Author

@cubic-dev-ai review

cubic-dev-ai Bot commented Jun 10, 2026


@cubic-dev-ai review

@pascalandr I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 2 files (changes from recent commits).

@pascalandr

Contributor Author

Superseded by the clean consolidated managed providers PR #2175.

@pascalandr pascalandr closed this Jun 11, 2026