Skip to content

fix(grok): fail fast when Grok CLI is not authenticated#3784

Open
RioPlay wants to merge 1 commit into
pingdotgg:mainfrom
RioPlay:fix/grok-acp-auth-preflight
Open

fix(grok): fail fast when Grok CLI is not authenticated#3784
RioPlay wants to merge 1 commit into
pingdotgg:mainfrom
RioPlay:fix/grok-acp-auth-preflight

Conversation

@RioPlay

@RioPlay RioPlay commented Jul 7, 2026

Copy link
Copy Markdown

Problem

When Grok is enabled in T3 Code but the user has not signed in, provider status checks and thread startup hang for 15 seconds and then report:

Grok CLI is installed but ACP startup timed out after 15000ms.

This is confusing because the real issue is missing authentication, not a slow or broken ACP handshake.

Root cause

Grok ACP startup follows this sequence:

  1. grok agent stdio
  2. initialize
  3. authenticate with cached_token (unless XAI_API_KEY is set)
  4. session/new

If the user has no XAI_API_KEY and no cached credentials in ~/.grok/auth.json, the authenticate RPC waits indefinitely for interactive OAuth. T3 Code does not implement Grok's URL elicitation / terminal auth flow, so the call never completes. After the existing 15s discovery timeout, we surface a generic timeout error.

Workaround today: run grok login in a terminal, or set XAI_API_KEY in provider environment variables.

Solution

Add a lightweight preflight credential probe before ACP model discovery and thread startup:

  • Treat XAI_API_KEY in the provider environment as authenticated.
  • Otherwise, read ~/.grok/auth.json and look for issuer-keyed entries containing refresh_token or key (Grok's actual auth.json shape).
  • If neither is present, return immediately with auth: { status: "unauthenticated" } and an actionable message instead of starting ACP.

User-facing message

Grok CLI is not authenticated. Run `grok login` in a terminal or set XAI_API_KEY in provider environment variables.

Where the check runs

Location When
GrokProvider.checkGrokProviderStatus Provider enable / status refresh
GrokAdapter.startSession Starting a Grok thread

The timeout message for genuine ACP slowness was also updated to mention grok login as a possible cause.

Out of scope (future work)

This PR does not wire in-app browser OAuth via ACP URL elicitation (grok.com login from within T3 Code). That would be a larger follow-up. This change matches the Codex pattern of guiding users to codex login when credentials are missing.

Testing

  • Added unit tests for credential helpers (hasGrokApiKeyInEnvironment, grokAuthJsonHasCredentials, probeGrokCliCredentials).
  • Added provider status test: unauthenticated preflight returns auth: unauthenticated without hitting ACP.
  • Existing ACP discovery test now passes XAI_API_KEY to bypass the auth gate.
vp test GrokAcpSupport GrokProvider

17 tests pass.


Note: PR #3783 was closed — it was accidentally opened against a branch that included unrelated Android parity work from fork main. This PR is rebased on upstream main and contains only the 6 Grok auth files above.


Note

Low Risk
Localized Grok provider behavior with read-only credential probing; no changes to core auth or other providers.

Overview
Adds a preflight credential check for Grok so missing auth no longer surfaces as a 15s ACP timeout.

Before ACP model discovery (checkGrokProviderStatus) and before starting a thread (GrokAdapter.startSession), the server treats XAI_API_KEY in provider env as authenticated, or reads ~/.grok/auth.json for issuer entries with refresh_token or key. If neither is present, it returns immediately with auth: unauthenticated and a shared message pointing users to grok login or XAI_API_KEY.

GrokDriver wires FileSystem and Path into status checks. The genuine ACP timeout message now also mentions grok login as a possible cause. Unit tests cover the credential helpers and the unauthenticated provider-status path.

Reviewed by Cursor Bugbot for commit c595058. Bugbot is set up for automated code reviews on this repo. Configure here.

Note

Fail fast with unauthenticated error in Grok provider when CLI credentials are missing

  • checkGrokProviderStatus in GrokProvider.ts now probes for Grok CLI credentials after detecting the CLI version; if missing, it returns an unauthenticated auth status with a clear message instead of attempting ACP model discovery.
  • startSession in GrokAdapter.ts also fails fast with a ProviderAdapterProcessError when credentials are absent, before creating the ACP runtime.
  • New helpers (probeGrokCliCredentials, grokAuthJsonHasCredentials, resolveGrokAuthJsonPath) in GrokAcpSupport.ts check for credentials via XAI_API_KEY env var or ~/.grok/auth.json.
  • The ACP startup timeout error message now includes guidance to run grok login.

Macroscope summarized c595058.

When Grok is enabled but neither XAI_API_KEY nor ~/.grok/auth.json
credentials are present, ACP startup hangs on the authenticate RPC
waiting for interactive OAuth that T3 Code does not implement. After
15s this surfaces as a generic ACP timeout.

Add a preflight credential probe before ACP model discovery and thread
startup so the provider reports auth: unauthenticated with actionable
guidance (`grok login` or XAI_API_KEY) instead of timing out.
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: be47cdc6-5aca-4bee-bed1-639a5d5e55c2

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added vouch:unvouched PR author is not yet trusted in the VOUCHED list. size:L 100-499 changed lines (additions + deletions). labels Jul 7, 2026

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 3 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit c595058. Configure here.

}
const content = yield* fileSystem.readFileString(authPath).pipe(Effect.orElseSucceed(() => ""));
return grokAuthJsonHasCredentials(content);
}).pipe(Effect.catch(() => Effect.succeed(false)));

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing deployment key auth check

Medium Severity

The new Grok credential preflight only treats non-empty XAI_API_KEY or ~/.grok/auth.json as authenticated. xAI’s Grok CLI installer documents GROK_DEPLOYMENT_KEY as a valid auth path that can replace grok login. Users who authenticate only via that variable in provider environment are rejected with the unauthenticated message even though the CLI would accept them.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit c595058. Configure here.

}
const content = yield* fileSystem.readFileString(authPath).pipe(Effect.orElseSucceed(() => ""));
return grokAuthJsonHasCredentials(content);
}).pipe(Effect.catch(() => Effect.succeed(false)));

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auth probe hides filesystem errors

Medium Severity

When auth.json exists but cannot be read or checked, the probe returns “no credentials” instead of surfacing the I/O failure. readFileString failures become an empty string, and the outer Effect.catch turns any other probe error into false, so provider status and thread startup show the login/XAI_API_KEY message even when credentials may be present but inaccessible.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit c595058. Configure here.

threadId: input.threadId,
detail: GROK_UNAUTHENTICATED_MESSAGE,
});
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adapter tests lack credential bypass

Medium Severity

startSession now runs probeGrokCliCredentialsWithServices against options?.environment ?? process.env before spawning the mock ACP agent. GrokAdapterLive tests construct the adapter without provider environment or XAI_API_KEY, so on CI (no ~/.grok/auth.json) startSession fails with the unauthenticated error instead of exercising the mock Grok flow.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit c595058. Configure here.

@macroscopeapp

macroscopeapp Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Approvability

Verdict: Needs human review

This PR introduces new fail-fast authentication checking that changes runtime behavior, and has 3 unresolved medium-severity review comments identifying potential bugs: missing GROK_DEPLOYMENT_KEY support, error swallowing in auth probes, and test coverage gaps.

You can customize Macroscope's approvability policy. Learn more.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:L 100-499 changed lines (additions + deletions). vouch:unvouched PR author is not yet trusted in the VOUCHED list.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant