
Secure credentials, eyrie catalog setup, and first-run /config flow #6

Merged: Patel230 merged 19 commits into main from feature/secure-credentials-sandbox on May 21, 2026


@Patel230 (Contributor) commented May 19, 2026

Summary

  • Integrate eyrie keychain credentials, catalog discovery, and /config deployment UI (no API keys in provider.json).
  • Add first-run setup guards (EvaluateSetup), auto-open /config, and block chat until API key + model are configured.
  • Default Docker container mode for bash with credential path blocks in the read tool; document solo security model.
  • Add milestone verification tests and scripts/verify-milestone.sh.
  • Sibling eyrie checkout via go.work + replace (submodule removed).

Depends on: GrayCodeAI/eyrie#4 (merge eyrie first or use the same branch locally).

Test plan

  • go test ./... -short (local)
  • ./scripts/verify-milestone.sh
  • CI green
  • Manual: /config → paste key → pick model → first chat message
  • Confirm ~/.hawk/provider.json has no API key fields after apply

Patel230 and others added 19 commits May 19, 2026 02:12
Remove external/eyrie submodule in favor of ../eyrie with a committed
go.mod replace and go.work. CI clones eyrie via checkout-eyrie action.

Co-authored-by: Cursor <cursoragent@cursor.com>
Route API keys through eyrie keychain and catalog env fallbacks, add /config
deployment UI with setup guards, and replace hawk-local provider lists with
eyrie catalog-driven model and routing configuration.

Co-authored-by: Cursor <cursoragent@cursor.com>
Mark hawk/eyrie feature branch SHAs, completed phases 4.1–4.2, and iteration log entries.

Co-authored-by: Cursor <cursoragent@cursor.com>
Automated checks for provider.json sanitization, setup flow, and optional
container isolation; update milestone plan, AGENTS.md, and verify-milestone.sh.

Co-authored-by: Cursor <cursoragent@cursor.com>
Removes plaintext env credential paths, adds hawk credentials CLI, improves catalog-empty UX, and updates milestone docs and verification.

Co-authored-by: Cursor <cursoragent@cursor.com>
Format credential-related sources and teach checkout-eyrie to use the PR branch so hawk builds against sibling eyrie credentials packages.

Co-authored-by: Cursor <cursoragent@cursor.com>
Handle writer errors explicitly, remove unused helpers, and restore openConfigPanel after cleanup.

Co-authored-by: Cursor <cursoragent@cursor.com>
Mark dependency-review as continue-on-error until GitHub Dependency graph is enabled.

Co-authored-by: Cursor <cursoragent@cursor.com>
Tabbed /config (Keys · Gateways · Models) guides first-run key paste, clarifies catalog counts, and keeps secrets redacted. The chat status bar and input path use cached credentials, throttled streaming, and memoized slash completion for a snappier feel.

Co-authored-by: Cursor <cursoragent@cursor.com>
Apply gofumpt to cmd changes and guard configGatewayRows when session is nil in tests and first-run setup.

Co-authored-by: Cursor <cursoragent@cursor.com>
Use pointer receiver for welcome cache rebuild and remove dead glimmer/catalog refresh helpers flagged by CI.

Co-authored-by: Cursor <cursoragent@cursor.com>
The action fails on repos without GitHub Dependency graph enabled; govulncheck in the security job already scans module vulnerabilities.

Co-authored-by: Cursor <cursoragent@cursor.com>
Tests that write model selection must use a temp HOME so shuffled runs do not leak state into EvaluateSetupCached checks.

Co-authored-by: Cursor <cursoragent@cursor.com>
- Block /run, /test, /lint commands that fail safety checks (IsDestructiveCommand/IsSuspicious)
- Add SSRF protection to WebFetch/Download tools (blocks private IP ranges)
- Fix constantTimeEqual timing leak in daemon and API server auth
- Fix type assertion panic in chat.go (ok check on finalModel)
- Add context cancellation to /loop goroutine (cancels on /clear)
- Clean up temp seatbelt profile files in sandbox
- Protect modelCache with sync.RWMutex across all access points

- Add live-only provider fallback in DefaultModelForProvider: when the
  compiled catalog and static tiers return nothing (openrouter, z-ai,
  canopywave, ollama), fetch models from the live API. Only triggers
  when credentials are configured to avoid hitting public APIs unauthenticated.
- Show "0k" for missing context sizes instead of hiding the field, so
  all models display a context indicator in the status bar.
- Fix TestChatConnectionStatus_NoCredentials to properly isolate
  credentials from the environment (matching sibling test pattern).

Use QuadBlock spinner with a dark-bg-friendly 20-color palette, rotate verbs on a timer, and align footer/welcome hints with actual shortcuts and commands.

Co-authored-by: Cursor <cursoragent@cursor.com>
Patel230 merged commit 52d2bb7 into main May 21, 2026
13 checks passed
Patel230 deleted the feature/secure-credentials-sandbox branch May 21, 2026 18:12
Patel230 added a commit that referenced this pull request May 21, 2026
* Use Eyrie deployment catalog for model routing

* chore: drop eyrie submodule; use sibling replace

Remove external/eyrie submodule in favor of ../eyrie with a committed
go.mod replace and go.work. CI clones eyrie via checkout-eyrie action.

* Integrate eyrie credentials, catalog discovery, and first-run setup.

Route API keys through eyrie keychain and catalog env fallbacks, add /config
deployment UI with setup guards, and replace hawk-local provider lists with
eyrie catalog-driven model and routing configuration.

* docs: update milestone plan with branch commits and phase status.

Mark hawk/eyrie feature branch SHAs, completed phases 4.1–4.2, and iteration log entries.

* test: add milestone verification and clarify sandbox vs Docker help.

Automated checks for provider.json sanitization, setup flow, and optional
container isolation; update milestone plan, AGENTS.md, and verify-milestone.sh.

* Use keychain-only credentials with /config key remove and preflight.

Removes plaintext env credential paths, adds hawk credentials CLI, improves catalog-empty UX, and updates milestone docs and verification.

* Fix CI: gofumpt and checkout matching eyrie branch in workflows.

Format credential-related sources and teach checkout-eyrie to use the PR branch so hawk builds against sibling eyrie credentials packages.

* Fix golangci-lint issues for credential and catalog startup code.

Handle writer errors explicitly, remove unused helpers, and restore openConfigPanel after cleanup.

* Do not fail CI when dependency graph is unavailable.

Mark dependency-review as continue-on-error until GitHub Dependency graph is enabled.

* Polish Connect Center UX, TUI performance, and credential resilience.

Tabbed /config (Keys · Gateways · Models) guides first-run key paste, clarifies catalog counts, and keeps secrets redacted. The chat status bar and input path use cached credentials, throttled streaming, and memoized slash completion for a snappier feel.

* Fix CI formatting and nil-safe gateway row rendering.

Apply gofumpt to cmd changes and guard configGatewayRows when session is nil in tests and first-run setup.

* Fix golangci-lint failures for unused code and welcome cache.

Use pointer receiver for welcome cache rebuild and remove dead glimmer/catalog refresh helpers flagged by CI.

* Remove dependency-review job when Dependency graph is disabled.

The action fails on repos without GitHub Dependency graph enabled; govulncheck in the security job already scans module vulnerabilities.

* Isolate provider.json in setup cache tests for CI shuffle.

Tests that write model selection must use a temp HOME so shuffled runs do not leak state into EvaluateSetupCached checks.

* Fix 7 security and correctness issues from code audit

- Block /run, /test, /lint commands that fail safety checks (IsDestructiveCommand/IsSuspicious)
- Add SSRF protection to WebFetch/Download tools (blocks private IP ranges)
- Fix constantTimeEqual timing leak in daemon and API server auth
- Fix type assertion panic in chat.go (ok check on finalModel)
- Add context cancellation to /loop goroutine (cancels on /clear)
- Clean up temp seatbelt profile files in sandbox
- Protect modelCache with sync.RWMutex across all access points

* Fix OpenRouter model resolution and context size display

- Add live-only provider fallback in DefaultModelForProvider: when the
  compiled catalog and static tiers return nothing (openrouter, z-ai,
  canopywave, ollama), fetch models from the live API. Only triggers
  when credentials are configured to avoid hitting public APIs unauthenticated.
- Show "0k" for missing context sizes instead of hiding the field, so
  all models display a context indicator in the status bar.
- Fix TestChatConnectionStatus_NoCredentials to properly isolate
  credentials from the environment (matching sibling test pattern).

* Polish hawk TUI spinner, welcome banner, and status bar UX.

Use QuadBlock spinner with a dark-bg-friendly 20-color palette, rotate verbs on a timer, and align footer/welcome hints with actual shortcuts and commands.

* Fix gofumpt formatting in chat model status helper.

* Remove unused TUI color styles flagged by golangci-lint.
