fix(providers): detect Anthropic OAuth credentials in provider status

[marcmantei]

Summary

• The get_providers() endpoint only checks for ANTHROPIC_API_KEY env var or config file key to determine if Anthropic is available
• It does not check for anthropic_oauth.json, causing the Settings UI to report Anthropic as "not configured" for OAuth users (Claude Pro/Max subscription)
• This adds 3 lines to mirror the existing openai_oauth_configured pattern already in place for OpenAI

Minimal 3-line alternative to #430.

Changes

• src/api/providers.rs: Check anthropic_oauth.json existence alongside API key checks

Test plan

• Run spacebot auth login to authenticate via OAuth (no API key set)
• Verify Settings page shows Anthropic as configured
• Verify LLM calls work with OAuth token
• Verify no regression when using API key auth

🤖 Generated with Claude Code
via Happy

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0953d963-7826-43b8-97d4-64ea0763fd7b

📥 Commits

Reviewing files that changed from the base of the PR and between 8908008 and 499d1e8.

📒 Files selected for processing (1)

• src/api/providers.rs

🚧 Files skipped from review as they are similar to previous changes (1)

• src/api/providers.rs

---

Walkthrough

get_providers now treats Anthropic as configured if ANTHROPIC_API_KEY is set or Anthropic OAuth credentials exist on disk (checked via crate::auth::credentials_path). delete_provider removes the Anthropic OAuth credentials file when removing the Anthropic provider.

Changes

Anthropic OAuth Configuration

Layer / File(s)	Summary
Provider detection logic src/api/providers.rs	get_providers computes anthropic_oauth_configured from the instance credentials file and uses it in both the config.toml-present and env-only fallback branches; Anthropic is enabled when the API key is present or OAuth creds exist.
Provider deletion logic src/api/providers.rs	delete_provider handles provider == "anthropic" by removing the Anthropic OAuth credentials file (if present) before proceeding with the existing generic provider removal steps.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• spacedriveapp/spacebot#197: Both PRs modify auth-related logic in src/api/providers.rs; this PR adds OAuth-credentials-on-disk check for Anthropic availability and removal on delete.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: detecting Anthropic OAuth credentials in the provider status endpoint.
Description check	✅ Passed	The description clearly relates to the changeset, explaining the problem (Anthropic OAuth not detected), the solution (checking for anthropic_oauth.json), and including a test plan.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/api/providers.rs (1)

1575-1616: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

delete_provider("anthropic") doesn't remove the OAuth credentials file — provider stays "configured" after deletion.

Now that get_providers returns anthropic: true whenever anthropic_oauth.json exists (line 377), a user who authenticates via OAuth and then removes the Anthropic provider through the Settings UI will find the provider is still shown as configured. The generic TOML-key removal path (lines 1600–1604) only removes anthropic_key from config.toml; it never touches the OAuth credentials file on disk.

The fix mirrors the existing "openai-chatgpt" branch (lines 1498–1514): handle "anthropic" specially before the generic path, remove the credentials file, and clear in-memory credentials if the llm_manager exposes a corresponding method.

🐛 Proposed fix

     if provider == "openai-chatgpt" {
         // ... existing block ...
     }

+    if provider == "anthropic" {
+        let instance_dir = (**state.instance_dir.load()).clone();
+        let cred_path = crate::auth::credentials_path(&instance_dir);
+        if cred_path.exists() {
+            tokio::fs::remove_file(&cred_path).await.map_err(|error| {
+                tracing::error!(%error, path = %cred_path.display(), "failed to remove Anthropic OAuth credentials");
+                StatusCode::INTERNAL_SERVER_ERROR
+            })?;
+        }
+        // Fall through to also remove the TOML key if present.
+    }
+
     // GitHub Copilot ...

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/api/providers.rs` around lines 1575 - 1616, The provider removal path
only removes the TOML key via provider_toml_key but doesn't delete the Anthropic
OAuth file, so delete_provider("anthropic") leaves anthropic_oauth.json present
causing get_providers to still report anthropic:true; fix by handling the
"anthropic" provider specially before the generic TOML removal: detect provider
== "anthropic", remove the on-disk OAuth file (anthropic_oauth.json) if it
exists, and if the state.llm_manager exposes an in-memory clearing call (e.g., a
method analogous to the ChatGPT branch such as
clear_anthropic_oauth/clear_anthropic_credentials) invoke it to clear
credentials from memory, then return the same ProviderUpdateResponse success
flow instead of falling through to only removing the toml key.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/api/providers.rs`:
- Line 377: delete_provider currently only removes the TOML key for the
"anthropic" provider leaving its OAuth file (anthropic_oauth.json) on disk so
anthropic_oauth_configured remains true; add a dedicated branch in
delete_provider (mirror the "github-copilot" handling) that checks for provider
== "anthropic", calls crate::auth::credentials_path(&instance_dir).remove_file()
(or std::fs::remove_file) to delete the OAuth file, and clear any in-memory
Anthropic state so the provider is fully unconfigured; place this block before
the generic fallback removal to ensure the OAuth file is removed when deleting
"anthropic".

---

Outside diff comments:
In `@src/api/providers.rs`:
- Around line 1575-1616: The provider removal path only removes the TOML key via
provider_toml_key but doesn't delete the Anthropic OAuth file, so
delete_provider("anthropic") leaves anthropic_oauth.json present causing
get_providers to still report anthropic:true; fix by handling the "anthropic"
provider specially before the generic TOML removal: detect provider ==
"anthropic", remove the on-disk OAuth file (anthropic_oauth.json) if it exists,
and if the state.llm_manager exposes an in-memory clearing call (e.g., a method
analogous to the ChatGPT branch such as
clear_anthropic_oauth/clear_anthropic_credentials) invoke it to clear
credentials from memory, then return the same ProviderUpdateResponse success
flow instead of falling through to only removing the toml key.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4408824a-3626-490d-a558-ec7dcbc53f4e

📥 Commits

Reviewing files that changed from the base of the PR and between 21868af and 8908008.

📒 Files selected for processing (1)

• src/api/providers.rs