fix: keep setup mode usable when provider credentials are unavailable

[jamiepine]

Summary

Ensures Spacebot remains functional during initial setup or when provider credentials are temporarily unavailable. This PR addresses three core issues:

Setup Mode Stability: Auto-unlocks encrypted secrets stores from both hosted tmpfs key paths (/run/spacebot/master_key and /run/secrets/master_key) with hex decoding support, allowing users to manage secrets before providers are initialized.

Agent Visibility: Keeps configured agents visible in the UI even when LLM providers are unavailable by seeding agent metadata from config and returning placeholder summaries when runtime pools aren't initialized.

Credential Resolution: Refines provider availability checks to properly resolve secret: and env: references against actual stored values, preventing placeholder config entries from being counted as configured credentials.

UI Guidance: Adds a clear setup warning banner in the Overview when agents are configured but no provider credentials are available, with a direct link to Secrets settings.

Deployment Detection: Sets platform_managed correctly in secrets status for hosted deployments via the SPACEBOT_DEPLOYMENT environment variable.

Note

This PR ensures the Spacebot UI remains functional during initial setup or when provider credentials are temporarily unavailable. It allows users to unlock encrypted secrets, see configured agents even without active providers, and provides clear guidance to complete provider setup. The implementation properly resolves secret references against actual stored values and adds comprehensive hex-key decoding for hosted deployments.

_{Written by Tembo for commit f24f009. This will update automatically on new commits.}

[coderabbitai]

Walkthrough

Adds dynamic provider credential resolution (secrets/env/literal), improves secrets bootstrap with tmpfs master-key handling and platform detection, ensures agents without runtime pools appear in overviews, and surfaces a UI warning in Overview when providers exist but no credentials are available.

Changes

Cohort / File(s)	Summary
UI Notification interface/src/routes/Overview.tsx	Adds a conditional amber notification banner linking to Secrets settings when providers are configured but no provider credentials are resolved and agents exist.
Agent Visibility src/api/agents.rs	When an agent lacks a runtime pool, returns a default AgentSummary with zeroed metrics so every configured agent appears in instance_overview instead of being skipped.
Provider Credential Resolution src/api/providers.rs	Adds centralized resolution for provider credentials via resolve_value (supports secret:KEY, env:VAR, or literal), integrates secrets_store and env_set helpers, and applies this across many provider key checks (OPENROUTER, KILO, ZHIPU, GROQ, TOGETHER, FIREWORKS, DEEPSEEK, XAI, MISTRAL, GEMINI, OPENCODE_, NVIDIA, MINIMAX, MOONSHOT, ZAI_CODING_PLAN, GITHUB_COPILOT, ANTHROPIC/OPENAI handling).
Secrets Store Detection src/api/secrets.rs	Replaces hard-coded flag with runtime platform_managed detection (via SPACEBOT_DEPLOYMENT) when calling store.status, changing how hosted vs local store status is determined.
Bootstrap & Runtime Configuration src/main.rs	Enhances secrets bootstrap to read multiple tmpfs key paths, decode optional hex 64-char keys, persist keys to OS keystore on successful unlock, and only remove tmpfs files after success. Adds configured_agent_infos(config) -> Vec<spacebot::api::AgentInfo>, updates run signature to accept otel_provider and bootstrapped_store, wires bootstrapped store into API state during setup, and rebuilds LLM manager / agent configs on provider reloads.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~55 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: keep setup mode usable when provider credentials are unavailable' directly and clearly describes the main objective of the changeset, which is to ensure Spacebot remains functional when provider credentials are unavailable during setup.
Description check	✅ Passed	The description comprehensively explains the PR's objectives and changes across all modified files, detailing how setup mode is stabilized, agents remain visible, and credentials are properly resolved.
Docstring Coverage	✅ Passed	Docstring coverage is 87.50% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/setup-mode-agent-visibility

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tembo]

resolve_value currently allocates (and materializes secrets) just to answer a boolean. Might be safer/cheaper to keep this as a bool and avoid to_string().

Suggested change

	let resolve_value = |value: &str| -> Option<String> {
	if let Some(alias) = value.strip_prefix("secret:") {
	let store = secrets_store.as_ref().as_ref()?;
	return store
	.get(alias)
	.ok()
	.map(|secret| secret.expose().to_string());
	}
	if let Some(var_name) = value.strip_prefix("env:") {
	return std::env::var(var_name)
	.ok()
	.filter(|resolved| !resolved.trim().is_empty());
	}
	if value.trim().is_empty() {
	None
	} else {
	Some(value.to_string())
	}
	};
	let has_value = |key: &str, env_var: &str| -> bool {
	if let Some(llm) = doc.get("llm")
	&& let Some(val) = llm.get(key)
	&& let Some(s) = val.as_str()
	{
	if let Some(var_name) = s.strip_prefix("env:") {
	return std::env::var(var_name).is_ok();
	}
	return !s.is_empty();
	return resolve_value(s).is_some();
	}
	let resolve_has_value = |value: &str| -> bool {
	if let Some(alias) = value.strip_prefix("secret:") {
	let Some(store) = secrets_store.as_ref().as_ref() else {
	return false;
	};
	return store
	.get(alias)
	.ok()
	.is_some_and(|secret| !secret.expose().trim().is_empty());
	}
	if let Some(var_name) = value.strip_prefix("env:") {
	return std::env::var(var_name)
	.ok()
	.is_some_and(|resolved| !resolved.trim().is_empty());
	}
	!value.trim().is_empty()
	};
	let has_value = |key: &str, env_var: &str| -> bool {
	if let Some(llm) = doc.get("llm")
	&& let Some(val) = llm.get(key)
	&& let Some(s) = val.as_str()
	{
	return resolve_has_value(s);
	}

[tembo]

If reading the tmpfs key fails (for both paths), the injected key file(s) will be left on disk. Consider a best-effort remove on the error path too.

Suggested change

	Err(error) => {
	tracing::warn!(%error, path = %path.display(), "failed to read tmpfs master key");
	return None;
	}
	Err(error) => {
	tracing::warn!(%error, path = %path.display(), "failed to read tmpfs master key");
	if let Err(remove_error) = std::fs::remove_file(path) {
	tracing::warn!(
	%remove_error,
	path = %path.display(),
	"failed to remove tmpfs master key — key may remain accessible"
	);
	}
	return None;
	}

[tembo]

Minor: probably worth trimming here to avoid treating SPACEBOT_DEPLOYMENT="hosted\n" (or similar) as false.

Suggested change

	let platform_managed = std::env::var("SPACEBOT_DEPLOYMENT")
	.is_ok_and(|deployment| deployment.eq_ignore_ascii_case("hosted"));
	let platform_managed = std::env::var("SPACEBOT_DEPLOYMENT")
	.is_ok_and(|deployment| deployment.trim().eq_ignore_ascii_case("hosted"));

[tembo]

Looks like the body of this if block lost indentation in the diff (comments + match are flush-left). Probably just needs a cargo fmt pass to keep this section easy to read.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/api/providers.rs`:
- Around line 391-396: The code currently collapses all secrets_store.get(alias)
errors into None via .ok(), hiding real store failures; change the logic around
value.strip_prefix("secret:") to explicitly match the Result from
secrets_store.as_ref().as_ref()?.get(alias): handle Ok(Some(secret)) by
returning Some(secret.expose().to_string()), handle Ok(None) by returning None
(missing secret), and handle Err(e) by logging the error (use the project's
logger/tracing) and then returning None (or propagate if preferred). Ensure you
reference the existing symbols (value.strip_prefix("secret:"), secrets_store,
store.get(alias), secret.expose().to_string()) so the change replaces the .ok()
call with explicit match/error handling.

In `@src/main.rs`:
- Around line 1353-1415: The current logic reads the first existing tmpfs file
and immediately removes all tmpfs_paths before attempting to unlock, which can
delete a valid key if an earlier file is stale; change the flow in
tmpfs_master_key handling so you attempt to unlock with each candidate key
before deleting files (or alternatively only delete the specific cleanup_path
that successfully unlocked). Concretely, iterate tmpfs_paths collecting
decoded/raw keys (or keep the existing find_map but delay the for cleanup_path
in tmpfs_paths { remove_file } loop), call store.unlock(&key) for each candidate
and on successful unlock set unlocked = true and then call
keystore.store_key(KEYSTORE_INSTANCE_ID, &key) and perform cleanup (either
remove only the used file or remove all tmpfs_paths after a successful unlock);
ensure tracing::warn remains on removal failures and that removal is not done
prior to trying unlock.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ad23c707-0352-4a3c-976c-65256b03f759

📥 Commits

Reviewing files that changed from the base of the PR and between ed3aebe and f24f009.

📒 Files selected for processing (5)

• interface/src/routes/Overview.tsx
• src/api/agents.rs
• src/api/providers.rs
• src/api/secrets.rs
• src/main.rs

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Try all tmpfs keys before deleting them.

The cleanup happens before the first store.unlock attempt. If /run/spacebot/master_key is stale/corrupt but /run/secrets/master_key is valid, the valid file is deleted and never tried, so hosted auto-unlock becomes path-order dependent. Move cleanup until after you've attempted all present tmpfs keys, or only delete the file that actually unlocked the store.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/main.rs` around lines 1353 - 1415, The current logic reads the first
existing tmpfs file and immediately removes all tmpfs_paths before attempting to
unlock, which can delete a valid key if an earlier file is stale; change the
flow in tmpfs_master_key handling so you attempt to unlock with each candidate
key before deleting files (or alternatively only delete the specific
cleanup_path that successfully unlocked). Concretely, iterate tmpfs_paths
collecting decoded/raw keys (or keep the existing find_map but delay the for
cleanup_path in tmpfs_paths { remove_file } loop), call store.unlock(&key) for
each candidate and on successful unlock set unlocked = true and then call
keystore.store_key(KEYSTORE_INSTANCE_ID, &key) and perform cleanup (either
remove only the used file or remove all tmpfs_paths after a successful unlock);
ensure tracing::warn remains on removal failures and that removal is not done
prior to trying unlock.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

src/main.rs (1)

1353-1414: ⚠️ Potential issue | 🟠 Major

Try every tmpfs key candidate before falling back.

This still attempts unlock with only the first readable tmpfs key (find_map). If the first file is stale and the second is valid, the store remains locked even though a valid key exists.

Proposed fix

-        let tmpfs_master_key = tmpfs_paths.iter().find_map(|path| {
-            if !path.exists() {
-                return None;
-            }
-            let raw_key = match std::fs::read(path) {
-                Ok(key) => key,
-                Err(error) => {
-                    tracing::warn!(%error, path = %path.display(), "failed to read tmpfs master key");
-                    return None;
-                }
-            };
-            if let Ok(text) = std::str::from_utf8(&raw_key) {
-                let trimmed = text.trim();
-                if trimmed.len() == 64 && trimmed.bytes().all(|byte| byte.is_ascii_hexdigit()) {
-                    return match hex::decode(trimmed) {
-                        Ok(decoded) => Some(decoded),
-                        Err(error) => {
-                            tracing::warn!(%error, path = %path.display(), "failed to decode hex tmpfs master key, falling back to raw bytes");
-                            Some(raw_key)
-                        }
-                    };
-                }
-            }
-            Some(raw_key)
-        });
-
         let mut unlocked = false;
-
-        if let Some(key) = tmpfs_master_key {
-            match store.unlock(&key) {
+        for path in tmpfs_paths {
+            if !path.exists() {
+                continue;
+            }
+            let raw_key = match std::fs::read(path) {
+                Ok(key) => key,
+                Err(error) => {
+                    tracing::warn!(%error, path = %path.display(), "failed to read tmpfs master key");
+                    continue;
+                }
+            };
+            let key = if let Ok(text) = std::str::from_utf8(&raw_key) {
+                let trimmed = text.trim();
+                if trimmed.len() == 64 && trimmed.bytes().all(|byte| byte.is_ascii_hexdigit()) {
+                    match hex::decode(trimmed) {
+                        Ok(decoded) => decoded,
+                        Err(error) => {
+                            tracing::warn!(%error, path = %path.display(), "failed to decode hex tmpfs master key, falling back to raw bytes");
+                            raw_key
+                        }
+                    }
+                } else {
+                    raw_key
+                }
+            } else {
+                raw_key
+            };
+            match store.unlock(&key) {
                 Ok(()) => {
                     unlocked = true;
                     if let Err(error) = keystore.store_key(KEYSTORE_INSTANCE_ID, &key) {
                         tracing::warn!(%error, "failed to persist master key to OS credential store");
                     }
-                    // Clean up tmpfs key files only after a successful unlock.
-                    for cleanup_path in tmpfs_paths {
+                    for cleanup_path in [
+                        std::path::Path::new("/run/spacebot/master_key"),
+                        std::path::Path::new("/run/secrets/master_key"),
+                    ] {
                         if cleanup_path.exists()
                             && let Err(error) = std::fs::remove_file(cleanup_path)
                         {
@@
                             );
                         }
                     }
+                    break;
                 }
                 Err(error) => {
-                    tracing::warn!(%error, "failed to unlock secret store with tmpfs key");
+                    tracing::warn!(%error, path = %path.display(), "failed to unlock secret store with tmpfs key");
                 }
             }
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/main.rs` around lines 1353 - 1414, The current code uses
tmpfs_paths.iter().find_map to pick the first readable tmpfs_master_key and then
attempts a single store.unlock, which fails if that first file is stale; instead
iterate over tmpfs_paths and for each existing readable file produce the raw_key
(and hex-decode when trimmed.len()==64 as the current logic does), then
immediately attempt store.unlock(&key) for that candidate; on the first Ok(())
persist via keystore.store_key(KEYSTORE_INSTANCE_ID, &key), perform the tmpfs
cleanup loop, set unlocked = true and break out of the loop, and on Err(error)
continue to the next candidate while emitting the same tracing::warn; keep using
the same symbols tmpfs_paths, tmpfs_master_key logic (but removed find_map),
store.unlock, keystore.store_key and the cleanup removal loop.

src/api/providers.rs (1)

393-395: ⚠️ Potential issue | 🟠 Major

Empty secrets are still treated as “configured.”

At Line 394, any fetched secret is converted into Some(String) without checking content. Then Line 420 uses .is_some(), so empty/whitespace secrets incorrectly mark providers as available.

Suggested fix

-                return match store.get(alias) {
-                    Ok(secret) => Some(secret.expose().to_string()),
+                return match store.get(alias) {
+                    Ok(secret) => {
+                        let resolved = secret.expose().trim();
+                        (!resolved.is_empty()).then(|| resolved.to_string())
+                    }
                     Err(error) => {
                         tracing::warn!(%error, alias, "failed to resolve secret reference");
                         None
                     }
                 };

Also applies to: 420-420

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/api/providers.rs` around lines 393 - 395, The code treats any fetched
secret as configured by returning Some(secret.expose().to_string()) without
validating its content; update the match on store.get(alias) so that after
obtaining secret via secret.expose() you trim and check for emptiness and return
None for empty/whitespace-only secrets and Some(...) only for non-empty values
(affecting the logic that later uses .is_some()); adjust the branch that
currently returns Some(secret.expose().to_string()) to perform this content
check before returning.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/api/providers.rs`:
- Around line 353-357: The env_set closure currently swallows errors from
std::env::var(...) via .ok(), so replace the .ok().is_some_and(...) pattern with
explicit Result handling: call std::env::var(name) and match/if let on the
Result, returning true only for Ok(value) when !value.trim().is_empty(), and on
Err(e) log or propagate the error (e.g., log::warn! or return Err) and return
false; apply the same change to the other std::env::var(...) usage around lines
403-405 so errors (like invalid UTF-8) are not silently discarded but are logged
or propagated consistently.

---

Duplicate comments:
In `@src/api/providers.rs`:
- Around line 393-395: The code treats any fetched secret as configured by
returning Some(secret.expose().to_string()) without validating its content;
update the match on store.get(alias) so that after obtaining secret via
secret.expose() you trim and check for emptiness and return None for
empty/whitespace-only secrets and Some(...) only for non-empty values (affecting
the logic that later uses .is_some()); adjust the branch that currently returns
Some(secret.expose().to_string()) to perform this content check before
returning.

In `@src/main.rs`:
- Around line 1353-1414: The current code uses tmpfs_paths.iter().find_map to
pick the first readable tmpfs_master_key and then attempts a single
store.unlock, which fails if that first file is stale; instead iterate over
tmpfs_paths and for each existing readable file produce the raw_key (and
hex-decode when trimmed.len()==64 as the current logic does), then immediately
attempt store.unlock(&key) for that candidate; on the first Ok(()) persist via
keystore.store_key(KEYSTORE_INSTANCE_ID, &key), perform the tmpfs cleanup loop,
set unlocked = true and break out of the loop, and on Err(error) continue to the
next candidate while emitting the same tracing::warn; keep using the same
symbols tmpfs_paths, tmpfs_master_key logic (but removed find_map),
store.unlock, keystore.store_key and the cleanup removal loop.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d3977a6f-9319-4afd-99fa-48636b129e8b

📥 Commits

Reviewing files that changed from the base of the PR and between f24f009 and 39ccbab.

📒 Files selected for processing (2)

• src/api/providers.rs
• src/main.rs

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify env var reads that silently discard Result errors in Rust files
rg -nP 'std::env::var\([^)]*\)\s*\.ok\(\)' --type rust

Repository: spacedriveapp/spacebot

Length of output: 5004

---

🏁 Script executed:

cat -n src/api/providers.rs | sed -n '350,410p'

Repository: spacedriveapp/spacebot

Length of output: 2396

---

Environment variables should handle missing/invalid values explicitly instead of silently discarding errors with .ok().

Lines 353-357 and 403-405 use .ok() on std::env::var(), which suppresses error context (e.g., invalid UTF-8). Per coding guidelines, errors must be handled, logged, or propagated—.ok() is only permitted on channel sends where the receiver may be dropped.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/api/providers.rs` around lines 353 - 357, The env_set closure currently
swallows errors from std::env::var(...) via .ok(), so replace the
.ok().is_some_and(...) pattern with explicit Result handling: call
std::env::var(name) and match/if let on the Result, returning true only for
Ok(value) when !value.trim().is_empty(), and on Err(e) log or propagate the
error (e.g., log::warn! or return Err) and return false; apply the same change
to the other std::env::var(...) usage around lines 403-405 so errors (like
invalid UTF-8) are not silently discarded but are logged or propagated
consistently.