fix: [ENG-2548] activate byterover provider on connect + raise auth:getState timeout

[RyanNg1403]

Summary

This PR fixes two related bugs that surface when ByteRover is the active provider. Both were exposed by the regression report on ENG-2548:

1. Activation regression: brv providers connect byterover reports success but never sets activeProvider. Downstream commands like brv curate fail with "No provider connected".
2. Latent auth-timeout bouncer: TUI startup intermittently bounced logged-in byterover-active users to the provider picker. This bug pre-dated PR fix: [ENG-2484] validate openai-compatible URL and defer provider activation #549 but was only reachable through the TUI's provider-flow.tsx (which guards itself with an explicit setActive call). Once Feat/init #1 is fixed and the CLI can leave a user in byterover-active state, opening the TUI exposes Feat/refactor structure #2.

Why both in one PR: same Linear ticket (ENG-2548), same user-visible failure mode ("byterover doesn't work"), same code domain (auth + provider activation). Bundling avoids landing #1 and immediately needing a follow-up PR to make the user experience actually work end-to-end.

Type of change

• Bug fix
• New feature
• Refactor (no behavior change)
• Documentation
• Test
• Chore (build, dependencies, CI)

Scope (select all touched areas)

• TUI / REPL
• Agent / Tools
• LLM Providers
• Server / Daemon
• Shared (constants, types, transport events)
• CLI Commands (oclif)
• Hub / Connectors
• Cloud Sync
• CI/CD / Infra

Linked issues

• Closes ENG-2548
• Related ENG-2484 (PR fix: [ENG-2484] validate openai-compatible URL and defer provider activation #549 — the activation regression source)

Root cause (bug fixes only)

Bug 1 — activation regression

PR #549 (5ce16556) added setAsActive: willHaveActiveModel to the provider:connect handler. willHaveActiveModel evaluates to Boolean(provider?.defaultModel) || Boolean(getActiveModel(providerId)). For byterover both halves are false on a fresh connect — the registry has no defaultModel for byterover, and a fresh user has no stored activeModel. So the connect handler skips withActiveProvider('byterover') and activeProvider stays empty.

Why this was not caught earlier: PR #549's tests covered openai-compatible (the intended target) and openrouter (representative of providers WITH defaultModel), but not byterover specifically. byterover is the only provider in the registry without a defaultModel, sitting in the gap between the two test cases. The TUI's provider-flow.tsx:198-199 explicitly calls setActive after connect, so the TUI was self-healing — only the CLI path surfaced the regression, and it surfaced as a downstream brv curate error rather than at the connect command itself.

Bug 2 — auth:getState timeout

The TUI's AuthInitializer calls auth:getState on every startup with a hardcoded 500ms transport timeout (get-auth-state.ts:14). The daemon's setupGetState does an HTTPS round-trip to /user/me which measured 400-3100ms across three networks (p99 = 3085ms in the slowest sample). On any normal-or-slow connection, every retry exceeded 500ms, the request stayed data: undefined, and the auth store fell back to its default isAuthorized: false.

The bouncer was always firing — but useAppViewMode:49 only routes to 'config-provider' on byterover-active + !isAuthorized. For Anthropic/OpenAI/etc., view-mode routes to 'ready' regardless of isAuthorized, so users never noticed. Bug 1's fix made byterover-active reachable from CLI, surfacing this latent timing issue.

Why this was not caught earlier: silent failure — no error message, no log entry. The 500ms value was originally chosen for "fail fast if handler not ready," but the handler does a network call inside, so 500ms was unrealistically tight. Reproduces probabilistically in ~5% of TUI starts on a fast network, ~100% on a slow one — easy to miss in any single test session.

Test plan

• Coverage added:

  • Unit test (Bug 1)
  • Integration test
  • Manual verification only (Bug 2 — config change, no logic to unit-test)

• Test files

  • test/unit/infra/transport/handlers/provider-handler.test.ts — should activate byterover on connect without persisting an activeModel pins both setAsActive: true and activeModel: undefined on the connect call args.
  • test/unit/core/domain/entities/provider-registry.test.ts — should not have a defaultModel for byterover pins the intentional absence (runtime resolution via DEFAULT_LLM_MODEL).
  • Bug 2: no test infrastructure exists for tui/features/auth/api/get-auth-state.ts (TUI api files are bare config). Verified empirically with a node script that emits auth:getState at the new 4000ms timeout and confirms full payload returns within budget.

• Key scenarios covered

  1. byterover connect → setAsActive: true AND activeModel: undefined (new test)
  2. openai-compatible connect with no existing model → setAsActive: false (existing test, kept green)
  3. openai-compatible connect with existing active model → setAsActive: true (existing test, kept green)
  4. openrouter (representative of providers with defaultModel) → setAsActive: true (existing test, kept green)
  5. byterover registry has no defaultModel (new test) — protects the runtime-fallback / migration property

User-visible changes

• brv providers connect byterover now actually activates byterover. brv providers shows ByteRover as active. brv curate works end-to-end after a fresh connect (was previously failing with "No provider connected").
• providers.json shape: byterover's entry has no activeModel field. The runtime resolves the model via DEFAULT_LLM_MODEL from constants.ts on every invocation, so changing that constant rolls out a new default to all existing users without per-user migration code.
• TUI startup with byterover active no longer bounces to the provider picker on slow networks. The auth check has 4000ms to complete its /user/me round-trip; happy-path startup is unaffected (single attempt typically completes in 400-1100ms).

Evidence

Unit tests: 7240 passing, 0 failing. Targeted suite (provider-handler + provider-registry): 86 passing.

Network latency measurements for /user/me, three networks:

	Network 1	Network 2	Network 3
min	363	502	415
p50	423	728	964
p99	1183	1705	3085
% over old 500ms timeout	30%	100%	73%
% over new 4000ms timeout	0%	0%	0%

Bug 1 interactive verification (8 scenarios, all pass):

#	Scenario	Result
1	brv providers connect byterover (no follow-up)	Provider: ByteRover (byterover) set, activeModel absent
2	TUI-equivalent: CONNECT followed by SET_ACTIVE	Same as 1, idempotent
3	Switch away to anthropic, switch back	Both transitions clean
4	brv model list --provider byterover	"No models available." (unchanged)
5	brv model switch X --provider byterover	Hard-block message (unchanged)
6	brv curate "..." --format json with byterover active	success: true, status: completed (originally failing)
7	Disconnect → reconnect cycle	byterover absent then re-active
8	Curate after reconnect	success: true, status: completed

Bug 2 interactive verification: confirmed auth:getState completes in 1141ms with full payload at the new 4000ms client timeout (was timing out at 500ms). Confirmed by reverting to 43575800 (pre-timeout-fix) and reproducing the bouncer at the expected probabilistic rate.

Checklist

• Tests added or updated and passing (npm test) — 7240 passing
• Lint passes (changed files clean; full npm run lint fails on a pre-existing byterover-packages submodule issue unrelated to this PR)
• Type check passes (npm run typecheck)
• Build succeeds (npm run build)
• Commits follow Conventional Commits format
• Documentation updated (if applicable) — N/A, no doc-visible behavior change
• No breaking changes
• Branch is up to date with main

Risks and mitigations

• Risk: A future internal-auth provider (other than byterover) inherits the same "no model fetcher, no model switch" shape. The providerId === 'byterover' bypass would not cover it.
  • Mitigation: Inline rationale documents the bypass and points to the future refactor (parameterize by an authType field on ProviderDefinition). Out of scope for this fix.
• Risk: A future change to DEFAULT_LLM_MODEL immediately affects every existing byterover user on next agent invocation, with no opt-in.
  • Mitigation: Intentional and matches pre-PR-fix: [ENG-2484] validate openai-compatible URL and defer provider activation #549 behavior. If managed rollout is needed later, the persistence-based pattern other providers use can be added at that time.
• Risk: 4000ms timeout still fails on networks where /user/me consistently exceeds 4s.
  • Mitigation: Worst observed sample across measurement was 3085ms; 4000ms covers it with 1.3x headroom. If the backend baseline ever regresses past 4s, the right fix is on the backend side, not bumping the timeout further.
• Risk: Auth flow other than the startup check was changed.
  • Mitigation: Only the client-side timeout and retry config changed. setupGetState daemon logic is unchanged — backend revocation is still caught at startup, login/logout/refresh handlers are untouched.

[github-actions]

Claude finished @RyanNg1403's task in 2m 30s —— View job

---

PR Review: fix/ENG-2548

Tasks

• Gather context and read changed files
• Review provider-handler.ts fix
• Review test additions
• Check for edge cases, security, and quality issues
• Post inline comments and final summary

---

Summary

Score: 4 / 5 — Correct, minimal, well-tested fix for a real regression. Two minor style issues noted inline; no correctness or security concerns.

---

What the fix does

willHaveActiveModel at provider-handler.ts:309 previously evaluated to false for byterover on a fresh connect (no defaultModel in the registry, no stored activeModel on first use). The deferred-activation gate therefore skipped setAsActive, leaving activeProvider empty. Adding providerId === 'byterover' as a short-circuit ensures byterover is always activated on connect, while still passing activeModel: undefined — which is intentional since the model is resolved at runtime via DEFAULT_LLM_MODEL.

---

Correctness

• The guard at line 259–261 (auth check) still fires before the gate, so unauthenticated users can't bypass it.
• Because providerId === 'byterover' short-circuits the || chain, the getActiveModel async call is skipped entirely for byterover — a nice side effect.
• activeModel: provider?.defaultModel (line 313) correctly stays undefined for byterover, matching the runtime-fallback design.
• brv model switch --provider byterover is hard-blocked, so the implicit "overwrite any stored activeModel on reconnect" behaviour of passing activeModel: undefined is a non-issue in practice.

---

Tests

• provider-handler.test.ts (new test, line 371–385): Correctly verifies setAsActive: true AND activeModel: undefined for {providerId: 'byterover'}. Uses the default authenticated mock (isAuthenticated: true) so the auth guard passes — the test isolates exactly the deferred-activation logic. ✓
• provider-registry.test.ts (new test, line 110–117): Pins the intentional absence of defaultModel in the byterover registry entry. Acts as a guard against someone accidentally adding defaultModel: ... to the byterover entry and breaking the runtime-fallback story. ✓
• The four existing regression scenarios (openai-compatible with/without model, openrouter, byterover) now form a complete matrix. ✓

---

Inline comments

Three inline comments posted:

1. provider-handler.ts:309 — suggestion (non-blocking): 'byterover' is now the fourth hard-coded string literal in this file. Consider extracting a constant or a ProviderDefinition flag for the follow-up refactor flagged in Risks.

2. provider-handler.test.ts:376 — style: 4-line block comment duplicates the PR description; the test name is already self-documenting (CLAUDE.md: one short line max).

3. provider-registry.test.ts:114 — style: Same multi-line comment concern.

---

Risk assessment

The PR description's risk section is honest and complete. The providerId === 'byterover' bypass is acceptable for a targeted bug fix. The recommended follow-up (parameterise by authType field) is the right long-term shape.

[github-actions]

suggestion (non-blocking): 'byterover' now appears four times in this file (lines 259, 309, 344, 397). The pattern pre-dates this PR, but the PR description already flags that a second "no-model-fetcher" provider would need an authType field — at that point you'll be doing a search-replace across all four sites. Worth extracting a local constant, or a ProviderDefinition flag (noModelFetcher: true) to avoid the drift. The fix is correct and consistent with existing style; this is just a note for the follow-up refactor.

[github-actions]

Claude finished @RyanNg1403's task in 1m 7s —— View job

---

PR Review: fix/ENG-2548 (re-review after latest commit)

Tasks

• Gather context and read changed files
• Review provider-handler.ts fix
• Review test additions (including refactored comments from latest commit)
• Check for edge cases, security, and quality issues
• Post final summary

---

Summary

Score: 5 / 5 — Previous review feedback was fully addressed. The fix is correct, minimal, and well-tested. No remaining concerns.

---

What changed in the latest commit (4357580)

The previous review flagged multi-line block comments in both test files as duplicating the PR description. The latest commit trimmed both to single lines:

• provider-handler.test.ts:372 — now one line: // byterover bypasses the gate (no model fetcher, no model-switch recovery path); runtime resolves via DEFAULT_LLM_MODEL. ✓
• provider-registry.test.ts:111 — now one line: // intentional: model is runtime-resolved so default changes auto-roll without per-user migration. ✓

Both comments now meet the CLAUDE.md standard (one short line explaining a non-obvious constraint).

---

Implementation review (provider-handler.ts:309)

const willHaveActiveModel = providerId === 'byterover'
  || Boolean(provider?.defaultModel)
  || Boolean(await this.providerConfigStore.getActiveModel(providerId))

• Short-circuit is correct: for byterover the getActiveModel async call is skipped entirely — a minor perf win.
• activeModel: provider?.defaultModel (line 313) still evaluates to undefined for byterover, matching the intentional runtime-fallback design.
• Auth guard at line 259–261 (isByteRoverAuthSatisfied()) fires before this gate — unauthenticated users cannot reach the bypass.
• The 5-line comment block above the gate (lines 304–308) is appropriate here: it explains a non-obvious invariant (why byterover is special), which is exactly the CLAUDE.md exception for when a comment is warranted.

---

Test review

provider-handler.test.ts:371–381 — Calls handler!({providerId: 'byterover'}, 'client-1') with the default authenticated mock (auth guard passes). Asserts both setAsActive: true AND activeModel: undefined. Pins the full contract end-to-end through the gate. ✓

provider-registry.test.ts:110–114 — Pins the intentional absence of defaultModel in the byterover registry entry. Guards against accidental addition that would break the runtime-fallback story. Correctly mirrors the existing openai-compatible sibling test at line 100–103. ✓

The full matrix now covers:

1. byterover → setAsActive: true, activeModel: undefined (new)
2. byterover registry has no defaultModel (new)
3. openai-compatible, no existing model → setAsActive: false (existing)
4. openai-compatible, existing active model → setAsActive: true (existing)
5. openrouter (registry defaultModel present) → setAsActive: true (existing)

---

Remaining non-blocking note (not a blocker for merge)

The previous review's suggestion to extract a constant or ProviderDefinition flag for 'byterover' (which appears 4 times in provider-handler.ts) is still unaddressed — but it was explicitly flagged as non-blocking and out of scope for a targeted bug fix. The PR description documents this as a follow-up refactor (parameterise by authType field). No action needed here.

---

Verdict: Ready to merge. ✓

[github-actions]

Claude finished @RyanNg1403's task in 1m 42s —— View job

---

PR Review: fix/ENG-2548 (re-review after latest commit b576b7a)

Tasks

• Gather context from PR description and previous reviews
• Read changed files
• Analyze implementation and tests
• Post final review summary

---

Summary

Score: 5 / 5 — All three commits form a coherent, well-scoped fix. The core activation bug is correct. The latest commit (b576b7a) adds a related startup reliability improvement. One trivial comment inaccuracy noted inline — no correctness or security concerns.

---

What changed in the latest commit (b576b7a)

The prior two commits fixed the activation gate and trimmed test comments. The latest commit adds two startup-UX improvements triggered by the same ticket:

get-auth-state.ts — timeout 500ms → 4000ms

The old 500ms was too aggressive for the /user/me round-trip. The comment's p99 rationale (1.2–3.1s measured, 4s = ~1.3× headroom) is a principled choice. Note that src/webui/features/auth/api/get-auth-state.ts independently uses 5000ms — a small inconsistency, but acceptable since TUI and webUI run in different network contexts.

auth-initializer.tsx — retry 5 → 1, delay capped at 500ms

The old schedule was min(500 * 2^n, 2000) over 5 retries, which could block startup for ~10s when offline. The new schedule — 1 retry with 500ms fixed delay — keeps total worst-case startup time comparable (~8.5s: 2 × 4s timeout + 500ms delay) while failing fast and preventing the "17s frozen startup" scenario. Reasonable trade.

---

Core fix (provider-handler.ts:309) — unchanged from previous review

const willHaveActiveModel = providerId === 'byterover'
  || Boolean(provider?.defaultModel)
  || Boolean(await this.providerConfigStore.getActiveModel(providerId))

Still correct. Auth guard at line 259 fires before this gate. Short-circuit skips the async getActiveModel call for byterover. activeModel: provider?.defaultModel stays undefined intentionally. ✓

---

Inline comment

src/tui/features/auth/components/auth-initializer.tsx:34 — minor inaccuracy:

// One retry covers transient blips; the per-attempt timeout is now generous
// (3s) so we don't need 5+ retries...

The actual timeout is 4000ms (get-auth-state.ts:17), not 3s. Fix this →

---

Test coverage

All five matrix scenarios are covered:

1. byterover → setAsActive: true, activeModel: undefined ✓ (new)
2. byterover registry has no defaultModel ✓ (new)
3. openai-compatible, no existing model → setAsActive: false ✓ (existing)
4. openai-compatible, existing active model → setAsActive: true ✓ (existing)
5. openrouter (registry defaultModel present) → setAsActive: true ✓ (existing)

The byterover test correctly uses the default isAuthenticated: true mock so the auth guard passes — the test isolates exactly the gate logic it's targeting. ✓

---

Verdict: Ready to merge. The comment inaccuracy (3s → 4s) is trivial and non-blocking.

[github-actions]

Claude finished @RyanNg1403's task in 2m 8s —— View job

---

PR Review: fix/ENG-2548 (re-review after merge 7cb230f)

Tasks

• Gather context from PR description and previous reviews
• Read changed files and identify latest commit
• Review implementation and tests
• Post final review summary

---

Summary

Score: 5 / 5 — The merge from main resolved cleanly and brought in complementary improvements from PR #595 (ENG-2544). No conflicts, no regressions. One trivial comment inaccuracy (3s → 4s) flagged in the previous two reviews is still present — one inline comment posted, fix attempted locally but push was denied (permissions).

---

What changed in the merge commit (7cb230f)

The merge pulled in PR #595's improvements to the byterover auth-gate error message. These changes are directly adjacent to this PR's domain and interact correctly with the activation fix:

provider-handler.ts — BYTEROVER_AUTH_REQUIRED_MESSAGE extracted as a module-level constant:

const BYTEROVER_AUTH_REQUIRED_MESSAGE = [
  'ByteRover Provider requires a ByteRover account.',
  '',
  '  • Interactive shell: brv login',
  '  • Headless / SSH / CI: create an account at https://app.byterover.dev,',
  ...
].join('\n')

Used in both the CONNECT and SET_ACTIVE auth-gate checks. The constant is not exported, which is correct — external tests use the fixture pattern instead.

test/helpers/provider-fixtures.ts — New STUB_BYTEROVER_AUTH_ERROR fixture:

export const STUB_BYTEROVER_AUTH_ERROR = [
  'ByteRover Provider requires a ByteRover account.',
  '  • Interactive shell: brv login',
  '  • Headless: brv login --api-key <key>',
].join('\n')

Intentionally simplified (documented in the file header). CLI tests mock the daemon's response, so they don't need the full real message — they only need representative keyword anchors. The file header documents the contract: the real BYTEROVER_AUTH_REQUIRED_MESSAGE must always contain 'ByteRover account' and 'brv login --api-key'. ✓

connect.test.ts / switch.test.ts — Tests now use STUB_BYTEROVER_AUTH_ERROR and assert against specific meaningful keywords ('ByteRover account', 'brv login --api-key') rather than the generic 'authentication' / 'login'. More precise and resilient to unrelated wording changes. The json.data.error check (toEqual(STUB_BYTEROVER_AUTH_ERROR)) is now a strict equality rather than a property-presence check — better signal. ✓

provider-handler.test.ts — The unit tests were updated in parallel: 'authentication' → 'ByteRover account' + 'brv login --api-key' as dual assertions. The two-assertion pattern is appropriate here since it confirms both the user-facing noun (ByteRover account) and the actionable instruction (brv login --api-key). ✓

---

Core fix review (unchanged from previous reviews)

const willHaveActiveModel = providerId === 'byterover'
  || Boolean(provider?.defaultModel)
  || Boolean(await this.providerConfigStore.getActiveModel(providerId))

• Auth guard (isByteRoverAuthSatisfied()) at line 268 still fires before this gate — the bypass is not a security hole. ✓
• Short-circuit skips the getActiveModel async call for byterover. ✓
• activeModel: provider?.defaultModel (line 324) stays undefined for byterover — runtime-fallback design preserved. ✓

---

Inline comment

src/tui/features/auth/components/auth-initializer.tsx:34 — (3s) should be (4s). Flagged in the prior two reviews; suggested fix posted inline.

---

Test matrix (complete)

#	Scenario	Status
1	byterover → setAsActive: true, activeModel: undefined	✓ new
2	byterover registry has no defaultModel	✓ new
3	openai-compatible, no existing model → setAsActive: false	✓ existing
4	openai-compatible, existing active model → setAsActive: true	✓ existing
5	openrouter (registry defaultModel present) → setAsActive: true	✓ existing
6	byterover auth gate (connect) → 'ByteRover account' + 'brv login --api-key'	✓ updated
7	byterover auth gate (set-active) → same keywords	✓ updated

---

Verdict: Ready to merge. Apply the (3s) → (4s) comment fix before or after merge — it's one character and non-blocking.

[github-actions]

issue (non-blocking): Comment says (3s) but the actual timeout in get-auth-state.ts:17 is 4000ms = 4s. Flagged in the previous two reviews; still present after the merge.

Suggested change

	// (3s) so we don't need 5+ retries that would block startup for ~17s when offline.
	// One retry covers transient blips; the per-attempt timeout is now generous
	// (4s) so we don't need 5+ retries that would block startup for ~17s when offline.

[bao-byterover]

LGTM