Improve credential setup: provider-first flow and prefix learning

Stop multi-provider probe disambiguation from overriding explicit gateway
selection. Record learned key prefixes after successful saves and use them
to rank future resolve hints. Add Gemini AQ. prefix and document the
provider-first Hawk setup path.

Author: Patel230

catalog/live/fetchers.go

@@ -17,7 +17,7 @@ const (
 	DefaultZAIBaseURL        = "https://api.z.ai/api/paas/v4"
 	DefaultOpenAIBaseURL     = "https://api.openai.com/v1"
 	DefaultGrokBaseURL       = "https://api.x.ai/v1"
-	DefaultOpenCodeGoBaseURL = "https://api.opencodego.ai/v1"
+	DefaultOpenCodeGoBaseURL = "https://opencode.ai/zen/go/v1"
 	DefaultKimiBaseURL       = "https://api.moonshot.ai/v1"
 	DefaultXiaomiBaseURL     = "https://api.xiaomimimo.com/v1"
 )

catalog/registry/provider_spec_test.go

@@ -33,6 +33,9 @@ func TestOpenCodeGo_HasProbeBaseURL(t *testing.T) {
 	if spec.ProbeBaseURL == "" {
 		t.Fatal("opencodego must have a ProbeBaseURL")
 	}
+	if spec.ProbeBaseURL != "https://opencode.ai/zen/go/v1" {
+		t.Fatalf("opencodego probe base URL = %q", spec.ProbeBaseURL)
+	}
 	if spec.ProbeKind != registry.ProbeOpenAIModels {
 		t.Fatalf("opencodego probe kind = %q", spec.ProbeKind)
 	}

catalog/registry/providers.go

@@ -23,7 +23,7 @@ func providerSpecs() []ProviderSpec {
 		},
 		{
 			ProviderID: "openai", DisplayName: "OpenAI", DeploymentID: "openai-direct", SortOrder: 2,
-			RequiresKey: true, CredentialEnv: "OPENAI_API_KEY", KeyPrefixes: []string{"sk-proj-", "sk-svcacct-", "sk-"},
+			RequiresKey: true, CredentialEnv: "OPENAI_API_KEY", KeyPrefixes: []string{"sk-proj-", "sk-svcacct-"},
 			BaseURLEnv: []string{"OPENAI_BASE_URL", "OPENAI_API_BASE"},
 			ProbeKind:  ProbeOpenAIModels, ProbeBaseURL: "https://api.openai.com/v1",
 			ModelStrategy: StrategyRemoteThenLive, PreferLiveMerge: true,
@@ -32,7 +32,7 @@ func providerSpecs() []ProviderSpec {
 		},
 		{
 			ProviderID: "gemini", DisplayName: "Google Gemini", DeploymentID: "gemini-direct", SortOrder: 3,
-			RequiresKey: true, CredentialEnv: "GEMINI_API_KEY", KeyPrefixes: []string{"AIza"},
+			RequiresKey: true, CredentialEnv: "GEMINI_API_KEY", KeyPrefixes: []string{"AIza", "AQ."},
 			BaseURLEnv: []string{"GEMINI_BASE_URL", "OPENAI_BASE_URL", "OPENAI_API_BASE"},
 			ProbeKind:  ProbeGemini, ModelStrategy: StrategyRemoteThenLive, PreferLiveMerge: true,
 			LiveFetcherKey: "gemini", LiveCatalogKey: "gemini",
@@ -79,7 +79,7 @@ func providerSpecs() []ProviderSpec {
 			RequiresKey: true, CredentialEnv: "OPENCODEGO_API_KEY", KeyPrefixes: []string{"ocg_"},
 			BaseURLEnv:    []string{"OPENCODEGO_BASE_URL", "OPENAI_BASE_URL", "OPENAI_API_BASE"},
 			ProbeKind:     ProbeOpenAIModels,
-			ProbeBaseURL:  "https://api.opencodego.ai/v1",
+			ProbeBaseURL:  "https://opencode.ai/zen/go/v1",
 			ModelStrategy: StrategyRemoteThenLive, PreferLiveMerge: true,
 			LiveFetcherKey: "opencodego", LiveCatalogKey: "opencodego",
 			APIProtocolID: "openai-chat-completions", AdapterID: "opencodego",

config/credential/inference_test.go

@@ -45,6 +45,13 @@ func TestInferCredentialsFromAPIKey_OpenAI(t *testing.T) {
 	}
 }
 
+func TestInferCredentialsFromAPIKey_GenericOpenAICompatible(t *testing.T) {
+	got := InferCredentialsFromAPIKey(ContextWithoutProbeDisambiguation(context.Background()), "sk-test-key-that-could-belong-to-any-compatible-provider")
+	if len(got) != 0 {
+		t.Fatalf("generic sk- keys should not infer a provider, got %#v", got)
+	}
+}
+
 func TestInferCredentialsFromAPIKey_Gemini(t *testing.T) {
 	got := InferCredentialsFromAPIKey(context.Background(), "AIzaSyD-test-key-1234567890")
 	if len(got) == 0 {

config/credential/learned.go

@@ -0,0 +1,214 @@
+package credential
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+)
+
+const (
+	learnedPrefixesFile   = "learned_credential_prefixes.json"
+	learnedPrefixMinLen   = 4
+	learnedPrefixMaxLen   = 12
+	learnedMaxPerProvider = 24
+)
+
+type learnedPrefixFile struct {
+	Version   int                       `json:"version"`
+	Providers map[string]map[string]int `json:"providers"`
+}
+
+var (
+	learnedMu     sync.Mutex
+	learnedCached *learnedPrefixFile
+)
+
+// RecordLearnedCredential increments local prefix stats after a successful key save.
+// Only a short leading prefix is stored — never the full secret.
+func RecordLearnedCredential(providerID, secret string) {
+	providerID = strings.TrimSpace(providerID)
+	prefix := extractLearningPrefix(secret)
+	if providerID == "" || prefix == "" {
+		return
+	}
+	learnedMu.Lock()
+	defer learnedMu.Unlock()
+	data := loadLearnedLocked()
+	if data.Providers == nil {
+		data.Providers = map[string]map[string]int{}
+	}
+	counts := data.Providers[providerID]
+	if counts == nil {
+		counts = map[string]int{}
+		data.Providers[providerID] = counts
+	}
+	counts[prefix]++
+	pruneLearnedCounts(counts)
+	_ = saveLearnedLocked(data)
+	learnedCached = data
+}
+
+func learnedPrefixBoost(secret string) map[string]int {
+	secret = strings.TrimSpace(secret)
+	if secret == "" {
+		return nil
+	}
+	learnedMu.Lock()
+	data := loadLearnedLocked()
+	learnedMu.Unlock()
+	if data == nil || len(data.Providers) == 0 {
+		return nil
+	}
+	out := map[string]int{}
+	for providerID, counts := range data.Providers {
+		for learned, n := range counts {
+			if n <= 0 || learned == "" {
+				continue
+			}
+			if !strings.HasPrefix(secret, learned) {
+				continue
+			}
+			boost := n * 10
+			if boost > 120 {
+				boost = 120
+			}
+			if out[providerID] < boost {
+				out[providerID] = boost
+			}
+		}
+	}
+	return out
+}
+
+// extractLearningPrefix returns a short, non-secret fingerprint from the start of a key.
+func extractLearningPrefix(secret string) string {
+	secret = strings.TrimSpace(secret)
+	if len(secret) < learnedPrefixMinLen {
+		return ""
+	}
+	max := learnedPrefixMaxLen
+	if len(secret) < max {
+		max = len(secret)
+	}
+	var b strings.Builder
+	for i := 0; i < max; i++ {
+		r := rune(secret[i])
+		if r == '-' || r == '_' || r == '.' ||
+			(r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') {
+			b.WriteRune(r)
+			continue
+		}
+		break
+	}
+	out := b.String()
+	if len(out) < learnedPrefixMinLen {
+		return ""
+	}
+	return out
+}
+
+func pruneLearnedCounts(counts map[string]int) {
+	if len(counts) <= learnedMaxPerProvider {
+		return
+	}
+	type kv struct {
+		k string
+		v int
+	}
+	var all []kv
+	for k, v := range counts {
+		all = append(all, kv{k, v})
+	}
+	for i := 0; i < len(all); i++ {
+		for j := i + 1; j < len(all); j++ {
+			if all[j].v < all[i].v {
+				all[i], all[j] = all[j], all[i]
+			}
+		}
+	}
+	keep := map[string]struct{}{}
+	for i := 0; i < learnedMaxPerProvider && i < len(all); i++ {
+		keep[all[i].k] = struct{}{}
+	}
+	for k := range counts {
+		if _, ok := keep[k]; !ok {
+			delete(counts, k)
+		}
+	}
+}
+
+func learnedHawkConfigDir() string {
+	home, err := os.UserHomeDir()
+	if err != nil || home == "" {
+		return ".hawk"
+	}
+	return filepath.Join(home, ".hawk")
+}
+
+func learnedPrefixesPath() string {
+	return filepath.Join(learnedHawkConfigDir(), learnedPrefixesFile)
+}
+
+func loadLearnedLocked() *learnedPrefixFile {
+	if learnedCached != nil {
+		return learnedCached
+	}
+	path := learnedPrefixesPath()
+	data, err := os.ReadFile(path)
+	if err != nil {
+		learnedCached = &learnedPrefixFile{Version: 1, Providers: map[string]map[string]int{}}
+		return learnedCached
+	}
+	var f learnedPrefixFile
+	if json.Unmarshal(data, &f) != nil || f.Providers == nil {
+		learnedCached = &learnedPrefixFile{Version: 1, Providers: map[string]map[string]int{}}
+		return learnedCached
+	}
+	if f.Version == 0 {
+		f.Version = 1
+	}
+	learnedCached = &f
+	return learnedCached
+}
+
+func saveLearnedLocked(f *learnedPrefixFile) error {
+	if f == nil {
+		return nil
+	}
+	if f.Version == 0 {
+		f.Version = 1
+	}
+	dir := learnedHawkConfigDir()
+	if err := os.MkdirAll(dir, 0o700); err != nil {
+		return err
+	}
+	raw, err := json.MarshalIndent(f, "", "  ")
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(learnedPrefixesPath(), raw, 0o600)
+}
+
+// InvalidateLearnedPrefixCache clears the in-memory learned-prefix snapshot (tests).
+func InvalidateLearnedPrefixCache() {
+	learnedMu.Lock()
+	learnedCached = nil
+	learnedMu.Unlock()
+}
+
+// isGenericOpenAIShapedKey reports OpenAI-style keys without a known vendor prefix.
+func isGenericOpenAIShapedKey(secret string) bool {
+	secret = strings.TrimSpace(secret)
+	if !strings.HasPrefix(secret, "sk-") {
+		return false
+	}
+	if strings.HasPrefix(secret, "sk-ant-") ||
+		strings.HasPrefix(secret, "sk-or-") ||
+		strings.HasPrefix(secret, "sk-proj-") ||
+		strings.HasPrefix(secret, "sk-svcacct-") {
+		return false
+	}
+	return true
+}

config/credential/learned_test.go

@@ -0,0 +1,52 @@
+package credential
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestExtractLearningPrefix(t *testing.T) {
+	got := extractLearningPrefix("AQ.abc123-secret")
+	if len(got) < 4 || got[:3] != "AQ." {
+		t.Fatalf("prefix = %q", got)
+	}
+	if extractLearningPrefix("ab") != "" {
+		t.Fatal("expected empty for short secret")
+	}
+}
+
+func TestRecordLearnedCredential_BoostsInference(t *testing.T) {
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+	_ = os.MkdirAll(filepath.Join(home, ".hawk"), 0o700)
+	InvalidateLearnedPrefixCache()
+
+	RecordLearnedCredential("gemini", "AQ.test-key-1234567890")
+	InvalidateLearnedPrefixCache()
+
+	boost := learnedPrefixBoost("AQ.test-key-9999999999")
+	if boost["gemini"] == 0 {
+		t.Fatal("expected learned boost for gemini after record")
+	}
+
+	ctx := ContextWithoutProbeDisambiguation(t.Context())
+	res := ResolveCredential(ctx, "AQ.test-key-9999999999")
+	if !res.FormatOK {
+		t.Fatalf("resolve failed: %s", res.FormatError)
+	}
+	if res.Providers[0].ProviderID != "gemini" || !res.Providers[0].Inferred {
+		t.Fatalf("expected gemini inferred first, got %#v", res.Providers[0])
+	}
+}
+
+func TestResolveCredential_GeminiAQPrefix(t *testing.T) {
+	ctx := ContextWithoutProbeDisambiguation(t.Context())
+	res := ResolveCredential(ctx, "AQ.test-gemini-key-1234567890")
+	if !res.FormatOK {
+		t.Fatalf("format: %s", res.FormatError)
+	}
+	if res.Providers[0].ProviderID != "gemini" || !res.Providers[0].Inferred {
+		t.Fatalf("top = %#v, want inferred gemini", res.Providers[0])
+	}
+}