feat(provider): add xAI / SuperGrok OAuth (loopback + device-code)#3438
Open
christophacham wants to merge 10 commits into
Open
feat(provider): add xAI / SuperGrok OAuth (loopback + device-code)#3438christophacham wants to merge 10 commits into
christophacham wants to merge 10 commits into
Conversation
|
|
github-actions
Bot
added
type: feature
Author
|
Any thoughts on this? |
christophacham
force-pushed
the
feat/xai-supergrok-oauth
branch
from
6184839 to
087259f
Compare
Make the built-in `xai` provider OAuth-capable by adding `oauth_code` and `oauth_device` auth methods alongside `api_key` in the provider catalog, reusing forgecode's existing generic OAuth framework (no new transport code). - oauth_code: loopback authorization-code + PKCE (S256) on 127.0.0.1:56121/callback, plan=generic, referrer=forgecode. Routes to OAuthCodeStrategy<StandardHttpProvider> via the factory fall-through. - oauth_device: RFC 8628 device-code (headless/VPS). auth_url is the device-authorization endpoint and token_refresh_url is omitted, so the factory routes to the plain OAuthDeviceStrategy (not the Copilot hybrid). use_pkce=false to match the oauth2 exchange_device_code flow. - api_key retained as fallback (picker order: oauth_code, oauth_device, api_key). The bearer is injected by the existing OpenAI-protocol header builder and the loopback server already accepts a pinned 127.0.0.1 redirect, so no other code changes are required. Tests: factory dispatch (XAI OAuthCode->Standard, OAuthDevice->Device) and a provider.json round-trip asserting client_id/urls/scopes/redirect/extra params.
…GBUILD and VM setup - scripts/install.sh: from-source build + install/uninstall/reinstall mimicking the official installer, with full CachyOS RUSTFLAGS/APP_VERSION support and ZSH plugin handling (exact markers from source) - cachyos/PKGBUILD: proper package for custom CachyOS overlay repo (clean chroot friendly, uses CachyOS makepkg.conf for optimizations) - scripts/setup-cachyos-build-env.sh: self-documenting setup for Proxmox VM build host (chroots, storage, pacoloco, repo serving, pairs with the above) All work tracked and closed via beads (forgecode-cmn, forgecode-1jb, forgecode-add). Tested with cargo check, bash -n, mocks, --help etc. Follows AGENTS.md and beads usage. Co-Authored-By: ForgeCode <noreply@forgecode.dev>
Add a manual GitHub Actions pipeline that fast-forwards fork main from upstream, rebases feat/xai-supergrok-oauth, builds a CachyOS-optimized .pkg.tar.zst in an Arch container, and publishes it as a pre-release. Includes scripts/build-cachyos-pkg.sh and makepkg.conf.d tuning for x86-64-v3/v4 target-cpu builds. Co-Authored-By: ForgeCode <noreply@forgecode.dev>
Keep the workflow off main so upstream sync stays clean. Trigger on push to feat/xai-supergrok-oauth and skip re-runs caused by the bot force-push after rebase. Co-Authored-By: ForgeCode <noreply@forgecode.dev>
Job-level if conditions cannot reference workflow env; use push event or workflow_dispatch skip_sync input instead. Co-Authored-By: ForgeCode <noreply@forgecode.dev>
Use checkout -B main upstream/main instead of checkout main when both origin and upstream remotes are present in the Actions runner. Co-Authored-By: ForgeCode <noreply@forgecode.dev>
github-actions
Bot
force-pushed
the
feat/xai-supergrok-oauth
branch
from
bb57fcf to
66f1ac8
Compare
Co-Authored-By: ForgeCode <noreply@forgecode.dev>
Arch pkgrel only allows integer[.integer]. Use YYYYMMDD as pkgrel and encode the cachy build id + git sha in APP_VERSION instead. Co-Authored-By: ForgeCode <noreply@forgecode.dev>
makepkg runs in a fresh Arch container without a populated cargo cache. Always fetch locked deps in prepare() and use cargo build --locked. Co-Authored-By: ForgeCode <noreply@forgecode.dev>
The package build already succeeded in CI and locally via podman; only writing step outputs as the builder user failed. Parse ::package_*:: markers from the build log as root. Add scripts/test-cachyos-build-podman.sh for offline iteration and restore host ownership after container builds. Co-Authored-By: ForgeCode <noreply@forgecode.dev>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Makes the built-in
xaiprovider OAuth-capable, so you can sign in with an xAI / SuperGrok account instead of pasting an API key.Two OAuth methods are added to the
xaientry in the provider catalog, reusing forgecode's existing generic OAuth framework — no new transport code:oauth_code— loopback authorization-code + PKCE (S256) on127.0.0.1:56121/callback. Routes through the genericOAuthCodeStrategy<StandardHttpProvider>.oauth_device— RFC 8628 device-code flow for headless / SSH / CI. Routes to the plainOAuthDeviceStrategy.api_keykept as a fallback (picker order:oauth_code→oauth_device→api_key).The access token is injected as a plain
Bearerby the existing OpenAI-protocol header builder, and the loopback callback server already accepts the pinned127.0.0.1redirect — so the change is data-driven (catalog JSON) plus routing/round-trip tests, with zero per-provider Rust logic.Test it
Then pick OAuth Authorization Code (desktop) or OAuth Device Flow (headless).
Tests added
oauth_code→ Standard,oauth_device→ Device.provider.jsonround-trip asserting client_id / URLs / scopes / redirect / extra params.