fix(server): skip auth check when Codex CLI uses a custom model provider #649

Merged
juliusmarminge merged 5 commits into pingdotgg:main from binbandit:fix/skip-auth-check-custom-model-providers
Mar 10, 2026
@binbandit binbandit commented Mar 9, 2026

Summary

Fixes #644

When the Codex CLI is configured with a custom model_provider in ~/.codex/config.toml (e.g. Portkey, Azure OpenAI proxy, Ollama), t3code's startup health check incorrectly blocks the user from using the app. The codex login status probe reports "not logged in" because there is no ~/.codex/auth.json, even though the CLI works perfectly — authentication is handled via provider-specific environment variables (e.g. PORTKEY_API_KEY, AZURE_API_KEY).

Problem

The provider health check in ProviderHealth.ts runs two sequential probes at server startup:

  1. codex --version — checks CLI is installed and above minimum version
  2. codex login status — checks OpenAI authentication status

For custom model providers, probe 2 always fails because:

  • Authentication is managed through env vars, not codex login
  • codex login status reports "not logged in" since there's no auth.json
  • t3code treats this as a hard error (status: "error", authStatus: "unauthenticated")

Solution

  • Added readCodexConfigModelProvider() — reads the model_provider key from the Codex CLI config file ($CODEX_HOME/config.toml or ~/.codex/config.toml) using a line-by-line scan of the top-level TOML section (no new dependency needed)
  • Added hasCustomModelProvider() — returns true when model_provider is set to anything other than "openai"
  • Modified checkCodexProviderStatus to skip the codex login status probe when a custom provider is detected, returning status: "ready" with authStatus: "unknown" and a descriptive message

The version check (probe 1) always runs regardless of provider configuration.

Why not change ProviderKind?

The issue mentions that provider: "codex" is hardcoded throughout. This is intentional — ProviderKind refers to the agent runtime (Codex CLI vs future Claude Code), not the model API endpoint. The model_provider in config.toml controls which API backend the Codex CLI connects to internally — it's an implementation detail of the Codex adapter. The two concepts are at different levels of abstraction.

Test coverage

  • 26 tests (up from 9), all passing
  • Existing checkCodexProviderStatus tests now properly isolate CODEX_HOME via temp directories to prevent env leakage
  • Integration tests verify the full checkCodexProviderStatus flow with custom providers (Portkey config), confirming the auth probe is skipped and the spawner never receives login status args
  • Integration test confirms auth probe still runs when model_provider = "openai"
  • Unit tests for readCodexConfigModelProvider cover: missing file, missing key, top-level providers, section-scoped keys (ignored), comments/whitespace, both single and double quoted TOML values
  • Unit tests for hasCustomModelProvider cover: no config, no key, openai, portkey, azure, ollama, and arbitrary custom proxy names

Verification

  • bun lint — passes (zero new warnings/errors)
  • bun typecheck — passes across all 7 packages
  • bun run test — all 26 ProviderHealth tests pass; no regressions in other test files

Note

Skip auth probe in checkCodexProviderStatus when Codex CLI uses a custom model provider

  • Adds readCodexConfigModelProvider to parse the top-level model_provider key from $CODEX_HOME/config.toml (falling back to ~/.codex/config.toml) using a regex scan that ignores comments and TOML sections.
  • Adds hasCustomModelProvider to return true when the provider is set and not in the new OPENAI_AUTH_PROVIDERS set (currently only 'openai').
  • When a non-OpenAI provider is detected, checkCodexProviderStatus skips the codex login status command and returns ready with authStatus: 'unknown' and a skip message instead.
  • Behavioral Change: checkCodexProviderStatus now requires FileSystem and Path in its Effect environment.

Macroscope summarized 70bcd06.
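
The top-level scan and the probe decision described in the summary above, as an added TypeScript example that is not the code merged in this PR. Function names other than OPENAI_AUTH_PROVIDERS are hypothetical, the config text is constructed, and treating an empty value as unset is this example's assumption.

```typescript
// Added illustration; not the project's implementation.
const OPENAI_AUTH_PROVIDERS = new Set(["openai"]);

// Return the top-level `model_provider` value from config.toml text, if any.
function scanTopLevelModelProvider(toml: string): string | undefined {
  for (const raw of toml.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    // The first table header ends the top-level section: a key under
    // [some.table] must not decide whether the auth probe is skipped.
    if (line.startsWith("[")) return undefined;
    const m = /^model_provider\s*=\s*(?:"([^"]*)"|'([^']*)')/.exec(line);
    if (m) {
      const value = m[1] ?? m[2];
      // Assumption: an empty value counts as unset, so the probe still runs.
      return value === "" ? undefined : value;
    }
  }
  return undefined;
}

// `toml` is undefined when no config file exists.
function isCustomProvider(toml: string | undefined): boolean {
  if (toml === undefined) return false;
  const provider = scanTopLevelModelProvider(toml);
  return provider !== undefined && !OPENAI_AUTH_PROVIDERS.has(provider);
}

type Probe = "version" | "login-status";

// The version probe always runs; only the login probe is conditional.
function probesToRun(toml: string | undefined): Probe[] {
  return isCustomProvider(toml) ? ["version"] : ["version", "login-status"];
}

// Constructed sample configs (not taken from the PR).
const SAMPLE_PORTKEY = `# constructed sample
model = "example-model"
model_provider = 'portkey'  # trailing comment

[model_providers.portkey]
base_url = "https://example.invalid/v1"
`;
const SAMPLE_SCOPED = `[profiles.work]
model_provider = "portkey"
`;
```

Every path where the key cannot be read from the top-level section falls back to running both probes, so the login check is skipped only on an explicit, non-OpenAI top-level value.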

When the Codex CLI is configured with a custom model_provider in
~/.codex/config.toml (e.g. Portkey, Azure OpenAI proxy), authentication
is handled via provider-specific environment variables rather than
`codex login`. The `codex login status` probe would report 'not logged
in' and t3code would treat this as a blocking error, even though the CLI
works perfectly fine.

This change reads the model_provider key from the Codex CLI config file
at startup. When a non-OpenAI provider is detected, the auth probe is
skipped and the provider health check returns ready with authStatus
'unknown' instead of erroring out.

Fixes pingdotgg#644

coderabbitai bot commented Mar 9, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@github-actions github-actions bot added the vouch:trusted PR author is trusted by repo permissions or the VOUCHED list. label Mar 9, 2026
@binbandit
Contributor Author

@juliusmarminge @t3dotgg

Apologies for tagging. This will be a massive unblocker for anyone using it in the workplace. It will allow us to collect more bug reports and potentially enter that market by unblocking them.

@binbandit binbandit force-pushed the fix/skip-auth-check-custom-model-providers branch from 9be9575 to 7325895 Compare March 10, 2026 08:55
- make `readCodexConfigModelProvider` and `hasCustomModelProvider` Effect-based
- skip `codex login status` via Effect flow when custom model providers are configured
- refactor ProviderHealth tests to use scoped Effect Node services and temp `CODEX_HOME`
- Replace Node assert import with `assert` from `@effect/vitest`
- Keep test assertions aligned with the Effect Vitest test stack
@juliusmarminge juliusmarminge merged commit 9becb3f into pingdotgg:main Mar 10, 2026
6 checks passed
Development

Successfully merging this pull request may close these issues.

Support custom Codex CLI model providers and auth (e.g. Portkey, Azure OpenAI)