Restore Morph secret staging for versioned devboxes

gauss-math-inc · gauss-math-inc · commit 5f95640a3408 · 2026-04-05T03:46:13.000Z
diff --git a/.github/morph/opengauss-template.yaml b/.github/morph/opengauss-template.yaml
@@ -1,5 +1,5 @@
 name: Open Gauss Batteries Included Devbox
-description: Installer-driven Open Gauss template that uses the current checkout when run locally and otherwise clones math-inc/OpenGauss, runs the internal installer, exposes the local guide, and opens a ready Gauss session.
+description: Installer-driven Open Gauss template that uses the current checkout when run locally and otherwise clones math-inc/OpenGauss, runs the internal installer, stages optional provider keys, exposes the local guide, and opens a ready Gauss session.
 steps:
   - id: bootstrap-installer-runtime
     title: Prepare Open Gauss Installer Runtime
@@ -63,6 +63,90 @@ steps:
       ./scripts/install-internal.sh --with-workspace --noninteractive
       . "$HOME/.opengauss-template/runtime.env"
       "$HOME/.local/bin/gauss-launch-session" --print-summary || true
+  - id: optional-openrouter
+    title: Optionally Stage OPENROUTER_API_KEY
+    type: exportSecret
+    name: OPENROUTER_API_KEY
+    optional: true
+    run: |
+      set -euo pipefail
+      . "$HOME/.opengauss-template/runtime.env"
+      mkdir -p "$GAUSS_HOME"
+      touch "$GAUSS_HOME/.env"
+      python3 - <<'PY'
+      from pathlib import Path
+      import os
+
+      env_path = Path(os.environ["GAUSS_HOME"]) / ".env"
+      lines = []
+      if env_path.exists():
+          lines = [line for line in env_path.read_text().splitlines() if line and not line.startswith("OPENROUTER_API_KEY=")]
+      value = os.environ.get("OPENROUTER_API_KEY")
+      if not value:
+          raise SystemExit(0)
+      lines.append("OPENROUTER_API_KEY=" + value)
+      env_path.write_text("\n".join(lines) + "\n")
+      PY
+  - id: optional-openai
+    title: Optionally Stage OPENAI_API_KEY
+    type: exportSecret
+    name: OPENAI_API_KEY
+    optional: true
+    run: |
+      set -euo pipefail
+      . "$HOME/.opengauss-template/runtime.env"
+      mkdir -p "$GAUSS_HOME"
+      touch "$GAUSS_HOME/.env"
+      python3 - <<'PY'
+      from pathlib import Path
+      import os
+
+      env_path = Path(os.environ["GAUSS_HOME"]) / ".env"
+      lines = []
+      if env_path.exists():
+          lines = [line for line in env_path.read_text().splitlines() if line and not line.startswith("OPENAI_API_KEY=")]
+      value = os.environ.get("OPENAI_API_KEY")
+      if not value:
+          raise SystemExit(0)
+      lines.append("OPENAI_API_KEY=" + value)
+      env_path.write_text("\n".join(lines) + "\n")
+      PY
+  - id: optional-anthropic
+    title: Optionally Stage ANTHROPIC_API_KEY
+    type: exportSecret
+    name: ANTHROPIC_API_KEY
+    optional: true
+    run: |
+      set -euo pipefail
+      . "$HOME/.opengauss-template/runtime.env"
+      mkdir -p "$GAUSS_HOME"
+      touch "$GAUSS_HOME/.env"
+      python3 - <<'PY'
+      from pathlib import Path
+      import os
+
+      env_path = Path(os.environ["GAUSS_HOME"]) / ".env"
+      lines = []
+      if env_path.exists():
+          lines = [line for line in env_path.read_text().splitlines() if line and not line.startswith("ANTHROPIC_API_KEY=")]
+      value = os.environ.get("ANTHROPIC_API_KEY")
+      if not value:
+          raise SystemExit(0)
+      lines.append("ANTHROPIC_API_KEY=" + value)
+      env_path.write_text("\n".join(lines) + "\n")
+      PY
+  - id: finalize-provider-selection
+    title: Apply Main Provider Selection
+    type: command
+    run: |
+      set -euo pipefail
+      . "$HOME/.opengauss-template/runtime.env"
+      if [ -f "$GAUSS_HOME/.env" ]; then
+        set -a
+        . "$GAUSS_HOME/.env"
+        set +a
+      fi
+      "$HOME/.local/bin/gauss-configure-main-provider" auto || true
   - id: start-guide-server
     title: Start Guide Iframe Server
     type: command
diff --git a/cli.py b/cli.py
@@ -1730,7 +1730,25 @@ def _ensure_runtime_credentials(self) -> bool:
         resolved_provider = runtime.get("provider", "openrouter")
         resolved_api_mode = runtime.get("api_mode", self.api_mode)
         if not isinstance(api_key, str) or not api_key:
-            self.console.print("[bold red]Provider resolver returned an empty API key.[/]")
+            if resolved_provider in {"openrouter", "custom"}:
+                message = (
+                    "No main interactive provider is configured yet. "
+                    "Run `gauss setup`, or save `OPENROUTER_API_KEY`, `OPENAI_API_KEY`, "
+                    "or `ANTHROPIC_API_KEY` in `~/.gauss/.env`."
+                )
+            elif resolved_provider == "anthropic":
+                message = (
+                    "No Anthropic credentials are available for chat. "
+                    "Run `gauss setup`, `claude auth login`, or save `ANTHROPIC_API_KEY`."
+                )
+            elif resolved_provider == "openai-codex":
+                message = (
+                    "No Codex credentials are available for chat. "
+                    "Run `gauss setup`, `codex login`, or save `OPENAI_API_KEY`."
+                )
+            else:
+                message = "Provider resolver returned an empty API key."
+            self.console.print(f"[bold red]{message}[/]")
             return False
         if not isinstance(base_url, str) or not base_url:
             self.console.print("[bold red]Provider resolver returned an empty base URL.[/]")
diff --git a/tests/test_cli_provider_resolution.py b/tests/test_cli_provider_resolution.py
@@ -162,6 +162,29 @@ def _runtime_resolve(**kwargs):
     assert shell.api_mode == "codex_responses"
 
 
+def test_runtime_resolution_reports_missing_main_provider_clearly(monkeypatch, capsys):
+    cli = _import_cli()
+
+    def _runtime_resolve(**kwargs):
+        return {
+            "provider": "openrouter",
+            "api_mode": "chat_completions",
+            "base_url": "https://openrouter.ai/api/v1",
+            "api_key": "",
+            "source": "env/config",
+        }
+
+    monkeypatch.setattr("gauss_cli.runtime_provider.resolve_runtime_provider", _runtime_resolve)
+    monkeypatch.setattr("gauss_cli.runtime_provider.format_runtime_provider_error", lambda exc: str(exc))
+
+    shell = cli.GaussCLI(model="gpt-5", compact=True, max_turns=1)
+
+    assert shell._ensure_runtime_credentials() is False
+    output = capsys.readouterr().out
+    assert "No main interactive provider is configured yet." in output
+    assert "gauss setup" in output
+
+
 def test_cli_prefers_config_provider_over_stale_env_override(monkeypatch):
     cli = _import_cli()
 
@@ -374,4 +397,4 @@ def test_model_flow_custom_saves_verified_v1_base_url(monkeypatch, capsys):
     assert "Saving the working base URL instead" in output
     assert saved_env["OPENAI_BASE_URL"] == "http://localhost:8000/v1"
     assert saved_env["OPENAI_API_KEY"] == "local-key"
-    assert saved_env["MODEL"] == "llm"
+    assert saved_env["MODEL"] == "llm"
diff --git a/tests/test_morph_template.py b/tests/test_morph_template.py
@@ -0,0 +1,39 @@
+from pathlib import Path
+
+import yaml
+
+
+TEMPLATE_PATH = Path(__file__).resolve().parents[1] / ".github" / "morph" / "opengauss-template.yaml"
+
+
+def _load_template() -> dict:
+    return yaml.safe_load(TEMPLATE_PATH.read_text(encoding="utf-8"))
+
+
+def test_morph_template_restores_optional_provider_secret_staging():
+    template = _load_template()
+    steps = template["steps"]
+    step_ids = [step["id"] for step in steps]
+    by_id = {step["id"]: step for step in steps}
+
+    assert "stages optional provider keys" in template["description"]
+
+    expected_secret_steps = {
+        "optional-openrouter": "OPENROUTER_API_KEY",
+        "optional-openai": "OPENAI_API_KEY",
+        "optional-anthropic": "ANTHROPIC_API_KEY",
+    }
+    for step_id, secret_name in expected_secret_steps.items():
+        step = by_id[step_id]
+        assert step["type"] == "exportSecret"
+        assert step["name"] == secret_name
+        assert step["optional"] is True
+        assert f'{secret_name}=' in step["run"]
+
+    finalize = by_id["finalize-provider-selection"]
+    assert finalize["type"] == "command"
+    assert "gauss-configure-main-provider" in finalize["run"]
+    assert step_ids.index("optional-openrouter") < step_ids.index("finalize-provider-selection")
+    assert step_ids.index("optional-openai") < step_ids.index("finalize-provider-selection")
+    assert step_ids.index("optional-anthropic") < step_ids.index("finalize-provider-selection")
+    assert step_ids.index("finalize-provider-selection") < step_ids.index("start-guide-server")
