[codex] Clarify CodeRabbit auth recovery flow#2

Open
juanpflores wants to merge 3 commits into main from codex/coderabbit-auth-login-on-unauth
Conversation

@juanpflores juanpflores commented Apr 14, 2026

Summary

Clarifies the CodeRabbit review skill's authentication recovery instructions.

What Changed

Updates the coderabbit-review skill so the agent is explicitly told to:

  • treat an unauthenticated `coderabbit auth status --agent` result as a step to handle
  • run `coderabbit auth login --agent`
  • re-run `coderabbit auth status --agent`
  • continue to review commands only after authentication succeeds

Why

The prior wording only said to run the login command if auth was missing. This left too much room for the agent to stop at the auth error instead of actively recovering and retrying.

Impact

Agents using the CodeRabbit review skill should handle missing authentication more reliably and continue the workflow without unnecessary user interruption.

Validation

Verified the repo diff and committed only the plugins/coderabbit/skills/coderabbit-review/SKILL.md change.

Summary by CodeRabbit

  • Bug Fixes

    • Improved error handling with clear guidance for authentication and troubleshooting issues
  • Changes

    • Authentication now occurs when plugin features are used rather than at installation
    • Simplified default prompts for streamlined user experience
    • Updated terminology in results reporting
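The recovery flow the PR describes (status check, login, re-check, proceed only on success), as an added shell example that is not code from the PR or the plugin. It assumes that `coderabbit auth status --agent` exits non-zero when unauthenticated and that `coderabbit auth login --agent` exits 0 when the login flow completes; both commands are overridable so the logic can be exercised with stubs, and the number of login attempts is bounded so an agent cannot loop forever on a persistent auth failure.

```shell
#!/usr/bin/env bash
# Added example: gate CodeRabbit review commands behind an explicit, bounded
# auth recovery step. Not part of the PR or the coderabbit plugin.
#
# Assumptions (not confirmed by the page):
#   - `coderabbit auth status --agent` exits 0 when authenticated, non-zero otherwise
#   - `coderabbit auth login --agent` exits 0 when the login flow completes
# The commands are variables so they can be replaced with stubs for testing.

: "${CR_AUTH_STATUS:=coderabbit auth status --agent}"
: "${CR_AUTH_LOGIN:=coderabbit auth login --agent}"
: "${CR_REVIEW:=coderabbit review --agent}"
: "${CR_MAX_LOGIN_ATTEMPTS:=1}"   # bounded: the agent must not retry indefinitely

# ensure_coderabbit_auth
#   returns 0 -> authenticated, review commands may run
#   returns 1 -> still unauthenticated after the allowed login attempts
ensure_coderabbit_auth() {
  local attempt=0
  # Step 1: check auth status first; nothing to recover if it already passes.
  if $CR_AUTH_STATUS >/dev/null 2>&1; then
    return 0
  fi
  # Step 2: treat the unauthenticated result as a step to handle, not a stop.
  while [ "$attempt" -lt "$CR_MAX_LOGIN_ATTEMPTS" ]; do
    attempt=$((attempt + 1))
    echo "coderabbit: not authenticated; running login (attempt $attempt)" >&2
    $CR_AUTH_LOGIN >/dev/null 2>&1 || true
    # Step 3: re-run the status check; only a passing check unblocks review.
    if $CR_AUTH_STATUS >/dev/null 2>&1; then
      return 0
    fi
  done
  # Bounded failure: report it instead of silently falling back to a manual review.
  echo "coderabbit: authentication still failing after $attempt login attempt(s);" \
       "report this to the user rather than falling back to a manual review" >&2
  return 1
}

# run_review_if_authenticated
#   Step 4: continue to the review command only after authentication succeeds.
run_review_if_authenticated() {
  ensure_coderabbit_auth || return 1
  $CR_REVIEW
}

# Run the real flow only when explicitly requested (keeps sourcing side-effect free).
if [ "${CR_RUN_EXAMPLE:-0}" = "1" ]; then
  run_review_if_authenticated
fi
```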

coderabbitai bot commented Apr 14, 2026

Walkthrough

Updates the CodeRabbit plugin configuration and documentation: shifts authentication from install-time to use-time, bumps the plugin version to 1.1.1, reduces default prompt options from three to one, and enhances authentication and error-handling instructions in the skill documentation.

Changes

  • Plugin Marketplace Configuration (.agents/plugins/marketplace.json): changed the authentication policy for the CodeRabbit plugin from "ON_INSTALL" to "ON_USE", deferring the authentication requirement to when the plugin is actively used.
  • Plugin Manifest (plugins/coderabbit/.codex-plugin/plugin.json): incremented the plugin version to 1.1.1 and simplified interface.defaultPrompt from three options to a single "Review my current changes and provide feedback" prompt.
  • Skill Documentation (plugins/coderabbit/skills/coderabbit-review/SKILL.md): enhanced authentication handling instructions, hardened failure behavior to prevent fallback to manual review on CLI errors, and updated terminology from "findings" to "issues".

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • Add CodeRabbit Codex plugin #1 — Directly modifies the same CodeRabbit plugin configuration files and fields, establishing a direct code-level dependency.

Poem

🐰 A clever shift in timing's grace,
Auth moves to its proper place—
From install to use, the change unfolds,
While prompts grow wise and errors bold!
One prompt now, with focus keen,

🚥 Pre-merge checks: 3 passed
  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title accurately describes the primary change: clarifying the CodeRabbit authentication recovery flow in the skill documentation, which is the core objective of this pull request.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.


juanpflores and others added 2 commits April 13, 2026 23:37
- Require explicit failure reporting on any CLI error (auth, missing CLI,
  network, timeout) instead of falling back to a manual review
- Use "issues" in the user-facing summary for clearer phrasing
- Trim defaultPrompt to the single primary prompt and bump to 1.1.1

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@nehal-a2z nehal-a2z marked this pull request as ready for review April 17, 2026 09:04
@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (3)
plugins/coderabbit/skills/coderabbit-review/SKILL.md (2)

59-59: Consider clarifying "retry once network is available".

Reads as if the agent should autonomously keep retrying. Since the surrounding guidance is to report failure to the user rather than silently recover (except for auth), suggest rephrasing to make it clear this is user-facing resolution guidance, not an instruction for the agent to loop.

✏️ Suggested wording tweak
-- If an `error` event is returned, or the CLI fails for any other reason (auth failure, missing CLI, network error, timeout), do not fall back to a manual review. Report the exact failure and tell the user how to resolve it (e.g. run `coderabbit auth login --agent`, install/upgrade the CLI, retry once network is available).
+- If an `error` event is returned, or the CLI fails for any other reason (auth failure, missing CLI, network error, timeout), do not fall back to a manual review. Report the exact failure to the user along with the concrete resolution step (e.g. run `coderabbit auth login --agent`, install/upgrade the CLI, or retry after the network is restored).

Also note the auth-failure case here partially overlaps with the Prerequisites recovery flow (which tells the agent to auto-run coderabbit auth login --agent). Worth reconciling so it's unambiguous whether a mid-review auth failure should be auto-recovered or surfaced to the user.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/coderabbit/skills/coderabbit-review/SKILL.md` at line 59, Update the
sentence in SKILL.md that currently reads "If an `error` event is returned, or
the CLI fails for any other reason (auth failure, missing CLI, network error,
timeout), do not fall back to a manual review. Report the exact failure and tell
the user how to resolve it (e.g. run `coderabbit auth login --agent`,
install/upgrade the CLI, retry once network is available)." to clarify that
"retry once network is available" is user-facing guidance (e.g., "retry when
network connectivity is restored") and not an instruction for the agent to loop;
also reconcile the auth-failure clause with the Prerequisites recovery flow by
explicitly stating whether the agent should attempt `coderabbit auth login
--agent` automatically on mid-review auth failures or instead surface the auth
error to the user (make the behavior unambiguous and consistent with the
Prerequisites section).

67-71: Terminology switch to "issues" is consistent here, but two upstream strings still say "findings".

The Result Format section is internally consistent, but for end-to-end consistency with the PR's rename:

  • Line 8: "summarize the findings" — user-facing skill intro.
  • Line 23 in plugin.json: longDescription mentions "actionable findings".

Line 57 ("Collect finding events") should stay as-is since finding is the NDJSON event type emitted by the CLI, not user-facing copy.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/coderabbit/skills/coderabbit-review/SKILL.md` around lines 67 - 71,
Update the remaining user-facing occurrences of "findings" to "issues": change
the phrase "summarize the findings" in SKILL.md to "summarize the issues" and
update the plugin.json longDescription value that currently mentions "actionable
findings" to use "actionable issues" (leave the NDJSON event reference "finding"
on the "Collect `finding` events" line unchanged). Ensure wording and
punctuation match existing style and that only user-facing copy is altered.
plugins/coderabbit/.codex-plugin/plugin.json (1)

3-3: Version bump and defaultPrompt trim look good.

1.1.1 appropriately reflects a docs/config-only change, and narrowing defaultPrompt to the primary prompt matches the PR intent.

Nit: interface.longDescription on line 23 still says "actionable findings". Since the PR renames user-facing "findings" → "issues" in SKILL.md, consider updating this string for consistency.

Also applies to: 36-38

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/coderabbit/.codex-plugin/plugin.json` at line 3, Update the
user-facing wording in the JSON interface strings: replace occurrences of
"actionable findings" with "actionable issues" in the interface.longDescription
property and the other similar description strings (the other entries around the
same block, e.g., the secondary description lines). Locate the JSON keys named
interface.longDescription (and the adjacent description fields in the same
object) and edit their text to use "issues" instead of "findings" so the plugin
wording matches the SKILL.md rename.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: coderabbitai/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f1436d6c-e4f8-406e-ad90-dc121fdd5104

📥 Commits

Reviewing files that changed from the base of the PR and between f335f9e and 97aed30.

📒 Files selected for processing (3)
  • .agents/plugins/marketplace.json
  • plugins/coderabbit/.codex-plugin/plugin.json
  • plugins/coderabbit/skills/coderabbit-review/SKILL.md

esthor commented Apr 17, 2026

@coderabbitai based on everything you know about codex plugins (and coding agent plugins/skills), what are all the wording tweaks you'd suggest for this PR?

coderabbitai bot commented Apr 17, 2026

🧩 Analysis chain

Let me read the actual file contents to give you precise, line-level suggestions.


🏁 Script executed:

#!/bin/bash
cat plugins/coderabbit/skills/coderabbit-review/SKILL.md
echo "---FILE SEPARATOR---"
cat plugins/coderabbit/.codex-plugin/plugin.json
echo "---FILE SEPARATOR---"
cat .agents/plugins/marketplace.json

Repository: coderabbitai/codex-plugin
Length of output: 11932


@esthor: Here's a full pass across all three changed files, from most impactful to most minor:


plugins/coderabbit/skills/coderabbit-review/SKILL.md

1. Opening sentence — "findings" survives the rename

"Use this skill to run CodeRabbit from the terminal, summarize the findings, and help implement follow-up fixes."

The PR renames "findings" → "issues" throughout, but this sentence still says "findings." Suggest:

"Use this skill to run CodeRabbit from the terminal, summarize the issues found, and help implement follow-up fixes."


2. Frontmatter description — awkward phrasing

"…or wants autonomous fix-review cycles."

Agents parse this description to decide when to invoke the skill; "wants autonomous" reads oddly. Suggest:

"…or requests fix-review cycles."


3. Silence rule — "scope selection" is ambiguous

"Do not send progress commentary about waiting, polling, remote processing, or scope selection once coderabbit review has started."

"Scope selection" could be read as the user selecting a scope, not the CLI doing it. Suggest:

"…waiting, polling, remote processing, or diff scoping once…"


4. Silence rule — "other prerequisite action is required"

"Only message the user if authentication or other prerequisite action is required…"

"Action is required" is passive and vague. Suggest:

"Only message the user if an authentication step or other prerequisite is needed…"


5. Prerequisites step 1 — "git worktree" has a specific git meaning

"Confirm the repo is a git worktree."

git worktree is a specific git feature (linked working trees). For an agent reading this literally, it could trigger a git worktree list check. Most repos are just a regular checkout. Suggest:

"Confirm the working directory is inside a git repository."


6. Prerequisites step 3 — "Check auth" is weak

"Check auth in agent mode:"

Suggest a more assertive verb matching the imperative style of the rest of the doc:

"Verify authentication in agent mode:"


7. Auth recovery — "yourself" is unusual in agent instructions

"Run the login flow yourself:"

"Yourself" is a bit anthropomorphic and could confuse smaller models. Suggest:

"Initiate the login flow:"


8. Review Commands — "pass the files that exist" is redundant

"If AGENTS.md, .coderabbit.yaml, or CLAUDE.md exist in the repo root, pass the files that exist with -c…"

The conditional "if...exist" already filters; "the files that exist" repeats it. Suggest:

"If any of AGENTS.md, .coderabbit.yaml, or CLAUDE.md exist in the repo root, pass them with -c to improve review quality."


9. Output Handling — "intermediary" → "intermediate"

"Do not emit intermediary waiting or polling messages…"

"Intermediary" means a go-between (a person or entity); the correct word here is "intermediate." Suggest:

"Do not emit intermediate waiting or polling messages…"


10. Output Handling — "even if output is quiet" is colloquial

"Treat a running CodeRabbit review as healthy for up to 10 minutes even if output is quiet."

Suggest:

"Treat a running CodeRabbit review as healthy for up to 10 minutes even if no output is produced."


11. Output Handling — "wait budget is exhausted" is jargon-y

"Only report timeout or failure after the full 10-minute wait budget is exhausted."

Suggest:

"Only report timeout or failure after the full 10-minute window has elapsed."


12. Result Format — "severity/category label"

"Format the severity/category label with a space between the emoji and the text…"

These are purely severity levels, not categories. Suggest:

"Format each severity label with a space between the emoji and the text…"


13. Result Format — "concrete fix direction" is awkward

"Include file path, impact, and the concrete fix direction."

Suggest:

"Include the file path, impact, and a concrete suggested fix."


plugins/coderabbit/.codex-plugin/plugin.json

14. shortDescription — leading space

" Run AI-powered code review for your current changes"

There is a stray leading space before "Run". Suggest:

"Run AI-powered code review for your current changes"


15. longDescription — still uses "findings"

"…surface actionable findings, and turn review output into follow-up fixes."

Inconsistent with the "issues" rename. Suggest:

"…surface actionable issues, and turn review output into follow-up fixes."


Summary table

| # | File | Location | Current | Suggested |
|---|------|----------|---------|-----------|
| 1 | SKILL.md | Opening sentence | "summarize the findings" | "summarize the issues found" |
| 2 | SKILL.md | Frontmatter description | "wants autonomous fix-review cycles" | "requests fix-review cycles" |
| 3 | SKILL.md | Silence rule | "scope selection" | "diff scoping" |
| 4 | SKILL.md | Silence rule | "prerequisite action is required" | "prerequisite is needed" |
| 5 | SKILL.md | Prerequisites #1 | "git worktree" | "git repository" |
| 6 | SKILL.md | Prerequisites #3 | "Check auth" | "Verify authentication" |
| 7 | SKILL.md | Auth recovery | "Run the login flow yourself" | "Initiate the login flow" |
| 8 | SKILL.md | Review Commands | "pass the files that exist with -c" | "pass them with -c" |
| 9 | SKILL.md | Output Handling | "intermediary" | "intermediate" |
| 10 | SKILL.md | Output Handling | "even if output is quiet" | "even if no output is produced" |
| 11 | SKILL.md | Output Handling | "wait budget is exhausted" | "10-minute window has elapsed" |
| 12 | SKILL.md | Result Format | "severity/category label" | "severity label" |
| 13 | SKILL.md | Result Format | "concrete fix direction" | "concrete suggested fix" |
| 14 | plugin.json | shortDescription | leading space before "Run" | remove leading space |
| 15 | plugin.json | longDescription | "actionable findings" | "actionable issues" |

esthor commented Apr 17, 2026

@coderabbitai great finds. Go through the whole coderabbit plugin with a holistic view of all one could use the current coderabbit cli for (ALL possible intents in ALL contexts) and suggest additions here.

coderabbitai bot commented Apr 17, 2026

🧩 Analysis chain

Let me read all plugin files and check the latest CodeRabbit CLI documentation simultaneously.


🏁 Script executed:

#!/bin/bash
echo "=== PLUGIN DIRECTORY TREE ==="
tree plugins/coderabbit/ 2>/dev/null || find plugins/coderabbit/ -type f | sort

echo ""
echo "=== ALL SKILL FILES ==="
find plugins/coderabbit/ -type f | sort | while read f; do
  echo ""
  echo "====== FILE: $f ======"
  cat "$f"
done

echo ""
echo "=== MARKETPLACE JSON ==="
cat .agents/plugins/marketplace.json

Repository: coderabbitai/codex-plugin
Length of output: 3320


🌐 Web query:

CodeRabbit CLI all commands documentation 2025

💡 Result:

Official “all commands” documentation for the CodeRabbit CLI is the CLI Command Reference page. It lists the full command set, review modes, and flags. [1]

Commands (as documented)

  • cr (alias of coderabbit) — run a review (default output is plain text) [1]
  • Output / UI modes:
    • cr --plain
    • cr --interactive
    • cr --agent (JSON, one object per line) [1]
  • Auth:
    • cr auth
    • cr auth login (OAuth, --self-hosted, or --api-key "<key>")
    • cr auth logout
    • cr auth status
    • cr auth org [1]
  • Reviews:
    • cr review (supports the same output modes) [1]
  • Updates:
    • cr update (note: changelog says the CLI started auto-updating in the background in v0.3.4 (Oct 10, 2025), so manual update may no longer be needed depending on your version/install method) [1][2]

If you meant “all PR commands” (the @coderabbitai ... comment commands), those are documented separately under Code review commands. [3]

Sources: CLI Command Reference [1], CodeRabbit changelog (CLI v0.3.4 auto-update) [2], PR review commands reference [3].


@esthor: Here's a full gap analysis. The CLI surface area is significantly wider than what the single coderabbit-review skill currently covers. I've organized the suggestions into new skills and additions to the existing skill.


🆕 Missing skills (new files to create)

1. coderabbit-fix — Resolve GitHub PR review comments

The official coderabbitai/skills repository ships a second skill covering an "auto-fix workflow for unresolved CodeRabbit GitHub PR review comments, with interactive per-issue review or batch fixing" — covering review-thread extraction, issue prioritization, guided fixes, and consolidated commit and PR summary. This plugin has no equivalent. A coderabbit-fix skill would cover the full loop: fetch open CodeRabbit comments from a PR via gh api, triage them by severity, implement fixes, and re-run coderabbit review --agent to confirm resolution.


2. coderabbit-configure — Generate or edit .coderabbit.yaml

Running CodeRabbit with default settings works for getting started, but the real value comes from tailoring the AI reviewer to the specific codebase via a .coderabbit.yaml file. Without configuration, CodeRabbit reviews every file with the same level of scrutiny; with a well-tuned configuration it focuses on what matters most. There's no skill in this plugin that handles the "set up or tune my CodeRabbit config" intent. The schema is at https://coderabbit.ai/integrations/schema.v2.json and supports review profiles, path filters, path-based instructions, custom pre-merge checks, and linter toggles.


➕ Additions to coderabbit-review SKILL.md

3. --prompt-only flag — missing output mode

The CLI offers three primary review modes: plain (cr --plain), agent (cr --agent — structured JSON for Skills and agent integrations), and interactive (cr --interactive — terminal UI for manual review). But there's actually a fourth: --prompt-only. cr --prompt-only produces minimal output for AI coding agents and works well in background review/fix loops. It is token-efficient, and because it runs locally, it preserves code privacy and lets developers continue other work while reviews run.

The skill should document when to choose --prompt-only vs --agent: --agent gives structured NDJSON (parseable, good for formatted output), while --prompt-only gives lighter plain-text prompts (good for token-constrained agents or simple pass-through loops).


4. --dir <path> flag — missing

The --dir flag changes the review directory, but that directory must also contain a Git repository. This is entirely absent from the skill. Useful when the agent's working directory differs from the repo root being reviewed.


5. API key auth path in the recovery flow

The CLI supports both browser-based login (cr auth login) and API key login (coderabbit auth login --api-key "cr-************"). The current skill only documents coderabbit auth login --agent (browser-based). In headless or CI environments, the --api-key path is the only viable option. The auth recovery section should offer it as a fallback.


6. coderabbit auth logout and coderabbit auth org — missing

coderabbit auth logout (switching accounts) and coderabbit auth org (switching organizations) are both valid user intents — e.g., "log me out of CodeRabbit" or "switch to my work org" — that the current skill's frontmatter description would trigger on, but the skill has no instructions for them.


7. coderabbit update — missing

The official skills repo documents coderabbit auth login and CLI installation as prerequisites before running skills. The coderabbit update command is a real CLI surface and a natural user intent ("update my CodeRabbit CLI"). While auto-update was added in v0.3.4, older installs or restricted environments still need manual coderabbit update. The prerequisites section should check for staleness and surface this.


8. Rate limit awareness — entirely absent

The CLI enforces a 1-review-per-hour rate limit and is best reserved for high-risk changes: security-sensitive code, concurrency/async issues, memory management, complex business logic, database migrations, and public API contract changes — not trivial edits like formatting, simple refactors, or docs. This is critical agent guidance — without it, an agent in a fix-review loop will silently exhaust the quota. The skill should include rate-limit handling: detect a rate-limit error event, surface it clearly, and tell the agent not to retry until the window clears.


9. Frontmatter description trigger expansion

The current description reads: "Reviews code changes using CodeRabbit AI. Use when user asks for code review, PR feedback, code quality checks, security issues, or wants autonomous fix-review cycles."

The official CodeRabbit skills repo lists broader trigger phrases: "Review my code", "Check for security issues", "What's wrong with my changes?", "Run a code review", "Review my PR". Adding common phrasings increases the chance the agent picks this skill in ambiguous cases.


10. --interactive mode — guidance on when to skip it

In interactive mode, the user navigates to a finding with arrow keys and presses enter to see the detailed explanation and suggested fix inline in the CLI. For simple issues like missing imports, syntax errors, or formatting problems, they can choose "Apply suggested change" to fix immediately. The skill should document that --interactive is explicitly a human-in-the-loop mode and should never be invoked by the agent autonomously — only surfaced as a suggestion when the user wants to manually walk through results themselves.


Summary table

| # | Type | Gap | Addition |
|---|------|-----|----------|
| 1 | New skill | PR comment auto-fix loop | coderabbit-fix skill |
| 2 | New skill | Config generation/editing | coderabbit-configure skill |
| 3 | Review commands | --prompt-only mode undocumented | Add with when-to-use guidance vs --agent |
| 4 | Review commands | --dir <path> flag missing | Add to Review Commands section |
| 5 | Auth recovery | API key path missing | Add --api-key fallback in Prerequisites |
| 6 | Auth | logout + org intents not handled | Add to Prerequisites or new auth section |
| 7 | CLI maintenance | coderabbit update not covered | Add to Prerequisites |
| 8 | Output Handling | Rate limit errors not handled | Add rate-limit event handling + retry guidance |
| 9 | Frontmatter | Narrow trigger phrases | Expand description with common phrasings |
| 10 | Output Handling | --interactive mode never clarified | Add "do not invoke autonomously" guardrail |
