fix(grok): fail fast when Grok CLI is not authenticated#3784
Conversation
When Grok is enabled but neither XAI_API_KEY nor ~/.grok/auth.json credentials are present, ACP startup hangs on the authenticate RPC waiting for interactive OAuth that T3 Code does not implement. After 15s this surfaces as a generic ACP timeout. Add a preflight credential probe before ACP model discovery and thread startup so the provider reports auth: unauthenticated with actionable guidance (`grok login` or XAI_API_KEY) instead of timing out.
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 3 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit c595058. Configure here.
| } | ||
| const content = yield* fileSystem.readFileString(authPath).pipe(Effect.orElseSucceed(() => "")); | ||
| return grokAuthJsonHasCredentials(content); | ||
| }).pipe(Effect.catch(() => Effect.succeed(false))); |
There was a problem hiding this comment.
Missing deployment key auth check
Medium Severity
The new Grok credential preflight only treats non-empty XAI_API_KEY or ~/.grok/auth.json as authenticated. xAI’s Grok CLI installer documents GROK_DEPLOYMENT_KEY as a valid auth path that can replace grok login. Users who authenticate only via that variable in provider environment are rejected with the unauthenticated message even though the CLI would accept them.
Reviewed by Cursor Bugbot for commit c595058. Configure here.
| } | ||
| const content = yield* fileSystem.readFileString(authPath).pipe(Effect.orElseSucceed(() => "")); | ||
| return grokAuthJsonHasCredentials(content); | ||
| }).pipe(Effect.catch(() => Effect.succeed(false))); |
There was a problem hiding this comment.
Auth probe hides filesystem errors
Medium Severity
When auth.json exists but cannot be read or checked, the probe returns “no credentials” instead of surfacing the I/O failure. readFileString failures become an empty string, and the outer Effect.catch turns any other probe error into false, so provider status and thread startup show the login/XAI_API_KEY message even when credentials may be present but inaccessible.
Reviewed by Cursor Bugbot for commit c595058. Configure here.
| threadId: input.threadId, | ||
| detail: GROK_UNAUTHENTICATED_MESSAGE, | ||
| }); | ||
| } |
There was a problem hiding this comment.
Adapter tests lack credential bypass
Medium Severity
startSession now runs probeGrokCliCredentialsWithServices against options?.environment ?? process.env before spawning the mock ACP agent. GrokAdapterLive tests construct the adapter without provider environment or XAI_API_KEY, so on CI (no ~/.grok/auth.json) startSession fails with the unauthenticated error instead of exercising the mock Grok flow.
Reviewed by Cursor Bugbot for commit c595058. Configure here.
ApprovabilityVerdict: Needs human review This PR introduces new fail-fast authentication checking that changes runtime behavior, and has 3 unresolved medium-severity review comments identifying potential bugs: missing GROK_DEPLOYMENT_KEY support, error swallowing in auth probes, and test coverage gaps. You can customize Macroscope's approvability policy. Learn more. |


Problem
When Grok is enabled in T3 Code but the user has not signed in, provider status checks and thread startup hang for 15 seconds and then report:
This is confusing because the real issue is missing authentication, not a slow or broken ACP handshake.
Root cause
Grok ACP startup follows this sequence:
grok agent stdioinitializeauthenticatewithcached_token(unlessXAI_API_KEYis set)session/newIf the user has no
XAI_API_KEYand no cached credentials in~/.grok/auth.json, theauthenticateRPC waits indefinitely for interactive OAuth. T3 Code does not implement Grok's URL elicitation / terminal auth flow, so the call never completes. After the existing 15s discovery timeout, we surface a generic timeout error.Workaround today: run
grok loginin a terminal, or setXAI_API_KEYin provider environment variables.Solution
Add a lightweight preflight credential probe before ACP model discovery and thread startup:
XAI_API_KEYin the provider environment as authenticated.~/.grok/auth.jsonand look for issuer-keyed entries containingrefresh_tokenorkey(Grok's actual auth.json shape).auth: { status: "unauthenticated" }and an actionable message instead of starting ACP.User-facing message
Where the check runs
GrokProvider.checkGrokProviderStatusGrokAdapter.startSessionThe timeout message for genuine ACP slowness was also updated to mention
grok loginas a possible cause.Out of scope (future work)
This PR does not wire in-app browser OAuth via ACP URL elicitation (
grok.comlogin from within T3 Code). That would be a larger follow-up. This change matches the Codex pattern of guiding users tocodex loginwhen credentials are missing.Testing
hasGrokApiKeyInEnvironment,grokAuthJsonHasCredentials,probeGrokCliCredentials).auth: unauthenticatedwithout hitting ACP.XAI_API_KEYto bypass the auth gate.17 tests pass.
Note: PR #3783 was closed — it was accidentally opened against a branch that included unrelated Android parity work from fork
main. This PR is rebased on upstreammainand contains only the 6 Grok auth files above.Note
Low Risk
Localized Grok provider behavior with read-only credential probing; no changes to core auth or other providers.
Overview
Adds a preflight credential check for Grok so missing auth no longer surfaces as a 15s ACP timeout.
Before ACP model discovery (
checkGrokProviderStatus) and before starting a thread (GrokAdapter.startSession), the server treatsXAI_API_KEYin provider env as authenticated, or reads~/.grok/auth.jsonfor issuer entries withrefresh_tokenorkey. If neither is present, it returns immediately withauth: unauthenticatedand a shared message pointing users togrok loginorXAI_API_KEY.GrokDriverwires FileSystem and Path into status checks. The genuine ACP timeout message now also mentionsgrok loginas a possible cause. Unit tests cover the credential helpers and the unauthenticated provider-status path.Reviewed by Cursor Bugbot for commit c595058. Bugbot is set up for automated code reviews on this repo. Configure here.
Note
Fail fast with unauthenticated error in Grok provider when CLI credentials are missing
checkGrokProviderStatusin GrokProvider.ts now probes for Grok CLI credentials after detecting the CLI version; if missing, it returns anunauthenticatedauth status with a clear message instead of attempting ACP model discovery.startSessionin GrokAdapter.ts also fails fast with aProviderAdapterProcessErrorwhen credentials are absent, before creating the ACP runtime.probeGrokCliCredentials,grokAuthJsonHasCredentials,resolveGrokAuthJsonPath) in GrokAcpSupport.ts check for credentials viaXAI_API_KEYenv var or~/.grok/auth.json.grok login.Macroscope summarized c595058.