feat: Auto-detect API Keys from Common Locations (Issue #255)

[mikejmorgan-ai]

Summary

Implements Issue #255: Auto-detect API keys from common locations

This PR adds automatic API key detection to improve the onboarding experience. New users often have API keys already configured in their shell or .env files - Cortex can now find and use them automatically.

Features

• Multi-source detection: Environment variables, shell configs, .env files
• Provider support: Both Anthropic (Claude) and OpenAI keys
• Safe display: Key masking for logs and UI (shows sk-ant-a...mnop)
• Validation: Format and length validation for detected keys
• Priority system: Anthropic keys preferred (Cortex is optimized for Claude)
• Deduplication: Same key from multiple sources only returned once

Search Locations

Location	Type
$ANTHROPIC_API_KEY / $OPENAI_API_KEY	Environment
~/.bashrc, ~/.bash_profile	Bash config
~/.zshrc, ~/.zprofile	Zsh config
~/.profile	Generic shell
~/.env, ./.env, ./.env.local	Env files
~/.config/cortex/, ~/.cortex/	Cortex config

Usage

from cortex.api_key_detector import auto_configure_api_key, get_detection_summary

# Auto-detect and configure
key = auto_configure_api_key()
if key:
    print(f"Found {key.provider.value} key from {key.source}")

# Get summary for display
summary = get_detection_summary()
print(f"Found {summary['count']} API key(s)")

Test Plan

• 31 unit tests covering all functionality
• Tests for regex patterns matching various formats
• Tests for environment variable detection
• Tests for file-based detection
• Integration tests with realistic config files

Files Changed

• cortex/api_key_detector.py - New detection module (290 lines)
• tests/test_api_key_detector.py - Comprehensive test suite (430 lines)

Closes #255

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Automatic detection of API keys for Anthropic and OpenAI from environment variables and configuration files.
  • Masked display for safe key handling.
  • Support for preferred provider selection.
  • Configurable custom search locations.

• Tests

  • Added comprehensive test coverage for API key detection functionality.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This pull request introduces an API key auto-detection module that scans environment variables and common configuration file locations (e.g., ~/.cortex/.env, ~/.config/anthropic) to identify Anthropic and OpenAI API keys, along with comprehensive test coverage validating detection, deduplication, preference selection, and validation logic.

Changes

Cohort / File(s)	Summary
API Key Detection Module cortex/api_key_detector.py	Introduces Provider enum (ANTHROPIC, OPENAI), DetectedKey dataclass with masked_key property, APIKeyDetector class with methods for environment and file scanning, key extraction via regex patterns, deduplication and preference logic, and utility functions for auto-configuration, validation, and summary reporting.
Test Suite tests/test_api_key_detector.py	Comprehensive test coverage for DetectedKey masking, KEY_PATTERNS regex validation, APIKeyDetector environment and file detection, deduplication, preference selection, auto-configuration workflow, and validation helpers.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Areas requiring attention:
  • Regex patterns in KEY_PATTERNS for accurate key extraction across export statements, assignments, and .env formats
  • Error handling and robustness of file I/O operations (PermissionError, missing files)
  • Deduplication logic in detect_all() to ensure environment keys are prioritized correctly
  • get_best_key() preference selection logic and fallback behavior
  • Key validation logic for Anthropic and OpenAI format compliance
  • Search locations order alignment with issue requirements (#255)

Poem

🐰 A hunter of keys, swift and keen,
Scours the files where secrets convene,
From ~/.cortex to ~/.config deep,
Auto-detecting treasures to keep,
No need to ask—the keys appear,
Zero-config magic is finally here! 🔑

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main feature being added - automatic API key detection from common locations, directly addressing Issue #255.
Description check	✅ Passed	The PR description is comprehensive, covering summary, features, search locations, usage examples, test plan, and files changed. It follows the template structure with clear sections and closes the linked issue.
Linked Issues check	✅ Passed	The implementation successfully addresses all primary coding objectives: multi-source detection (environment, files), provider support (Anthropic/OpenAI), key validation, priority system, and deduplication. The module provides the core detection functionality required by Issue #255.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the API key detection feature. The two files added (api_key_detector.py and test_api_key_detector.py) are focused solely on auto-detection functionality without unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/auto-detect-api-keys

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

cortex/api_key_detector.py (1)

154-158: Consider catching more specific exceptions.

Per static analysis hint, catching bare Exception is overly broad. While robust error handling is important here, narrowing the scope to expected file I/O exceptions improves clarity.

         except PermissionError:
             logger.debug(f"Permission denied reading {filepath}")
-        except Exception as e:
+        except (OSError, IOError) as e:
             logger.debug(f"Error reading {filepath}: {e}")

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f18bc09 and 2d10a3e.

📒 Files selected for processing (2)

• cortex/api_key_detector.py (1 hunks)
• tests/test_api_key_detector.py (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (2)

tests/test_api_key_detector.py (1)

cortex/api_key_detector.py (11)

• Provider (20-23)
• DetectedKey (27-46)
• APIKeyDetector (93-255)
• auto_configure_api_key (258-295)
• get_detection_summary (298-322)
• validate_detected_key (325-346)
• masked_key (42-46)
• detect_from_environment (161-187)
• _search_file (126-159)
• detect_all (203-227)
• get_best_key (229-255)

cortex/api_key_detector.py (1)

cortex/logging_system.py (3)

• debug (207-209)
• warning (215-217)
• info (211-213)

🪛 Gitleaks (8.30.0)

tests/test_api_key_detector.py

[high] 80-80: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

[high] 404-404: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

[high] 416-416: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 Ruff (0.14.8)

cortex/api_key_detector.py

156-156: Do not catch blind exception: Exception

(BLE001)

🔇 Additional comments (15)

cortex/api_key_detector.py (9)

1-24: LGTM!

Module docstring, imports, and Provider enum are well-structured and appropriate for the functionality.

---

26-47: LGTM!

The DetectedKey dataclass with masked_key property provides good security practice for displaying keys in logs and UI without exposing the full sensitive value.

---

49-63: LGTM!

The regex patterns correctly identify keys based on both variable name and key prefix. The patterns properly handle export statements, quoted values, and simple assignments.

---

71-90: Missing search locations from Issue #255 requirements.

Per Issue #255, the detector should check ~/.config/anthropic and ~/.config/openai directories. These locations are not included in SEARCH_LOCATIONS. Consider adding them to align with the requirements.

 SEARCH_LOCATIONS = [
     # Shell configuration files
     "~/.bashrc",
     "~/.bash_profile",
     "~/.zshrc",
     "~/.zprofile",
     "~/.profile",
     # Environment files
     "~/.env",
     "./.env",
     "./.env.local",
     # Config directories
     "~/.config/cortex/.env",
     "~/.config/cortex/config",
+    "~/.config/anthropic/api_key",
+    "~/.config/anthropic/.env",
+    "~/.config/openai/api_key",
+    "~/.config/openai/.env",
     "~/.cortex/.env",
     "~/.cortex/config",
     # Project-specific
     "./cortex.env",
 ]

---

93-124: LGTM!

The __init__ correctly handles path expansion and additional paths. The _extract_key_from_content method properly iterates through patterns and returns the first match.

---

161-187: LGTM!

The environment detection correctly validates key prefixes before accepting them. The separate checks for each provider ensure proper validation.

---

189-256: LGTM!

The detection and selection logic is well-structured. Environment variables correctly take priority, deduplication works by key value, and the provider preference system with Anthropic as default is clearly documented.

---

258-295: LGTM!

The auto_configure_api_key function provides a clean entry point with appropriate error handling for unknown providers and optional environment variable configuration.

---

325-346: LGTM!

The validation function provides appropriate format checks for both providers with clear error messages.

tests/test_api_key_detector.py (6)

1-50: LGTM!

Imports are appropriate and TestDetectedKey correctly validates the masking behavior for both long and short keys.

---

52-98: LGTM!

Pattern tests comprehensively cover export statements, simple assignments, and .env file formats. The Gitleaks warning on line 80 is a false positive—these are clearly test fixtures, not real API keys.

---

100-281: LGTM!

Comprehensive test coverage for APIKeyDetector including environment detection, file-based detection, deduplication, and key preference logic. Proper use of temporary files with cleanup.

---

283-346: LGTM!

Tests correctly verify auto_configure_api_key behavior including environment variable setting, the set_env=False case, and preferred provider handling.

---

348-447: LGTM!

Good coverage of get_detection_summary and validate_detected_key functions. The Gitleaks warnings on lines 404 and 416 are false positives—these are test fixtures with intentionally invalid prefixes to verify validation logic.

---

449-510: LGTM!

Integration tests with realistic .bashrc and .env file content provide excellent coverage for real-world scenarios. Proper cleanup with try/finally ensures no leftover temp files.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix type hint: use Any instead of any.

The type hint uses lowercase any which is not the typing construct. Use Any from the typing module for proper type annotation.

-def get_detection_summary() -> Dict[str, any]:
+def get_detection_summary() -> Dict[str, Any]:

Also add Any to the imports on line 13:

-from typing import Optional, Dict, List, Tuple
+from typing import Optional, Dict, List, Tuple, Any

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In cortex/api_key_detector.py around line 298, the return type annotation uses
the lowercase built-in name `any` instead of the typing construct `Any`; change
the signature to use `Any` (e.g., Dict[str, Any]) and add `Any` to the imports
on line 13 (from typing import Any, ...). Ensure the import list includes Any
and update the function annotation accordingly.