Skip to content

Add ClinePass usage provider#2219

Merged
steipete merged 4 commits into
steipete:mainfrom
joeVenner:codex/clinepass-provider
Jul 17, 2026
Merged

Add ClinePass usage provider#2219
steipete merged 4 commits into
steipete:mainfrom
joeVenner:codex/clinepass-provider

Conversation

@joeVenner

@joeVenner joeVenner commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds the ClinePass provider as a standalone branch.
  • Covers API-key usage-limit fetching, provider registration, settings, docs, icons, and parser hash update.
  • Tolerates future/unknown usage-limit types without dropping known 5-hour, weekly, and monthly windows.
  • Regenerates the social card artifact after the provider-count update.

Verification

  • swift test --filter ClinePass
  • make check

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3cb9d0d995

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".


var request = URLRequest(url: self.usageURL)
request.httpMethod = "GET"
request.setValue("Bearer \(cleanedKey)", forHTTPHeaderField: "Authorization")

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Use dashboard auth for ClinePass usage

With the current settings flow, users paste the CLINE_API_KEY documented for Cline's Chat Completions API, but this is the dashboard usage-limits request; Cline's ClinePass docs direct usage checks to the signed-in dashboard, whose request is authenticated by the cline_session_id cookie rather than the Chat Completions Bearer key. In that documented setup the provider reports 401/403 even though the user is subscribed, so the new provider cannot display ClinePass usage unless this endpoint is authenticated with the web session/cookie or a documented usage API.

Useful? React with 👍 / 👎.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. labels Jul 16, 2026
@clawsweeper

clawsweeper Bot commented Jul 16, 2026

Copy link
Copy Markdown

Codex review: needs real behavior proof before merge. Reviewed July 16, 2026, 4:01 PM ET / 20:01 UTC.

Summary
Adds ClinePass as a configurable usage provider with API-key fetching, app and CLI registration, tests, icons, and provider documentation.

Reproducibility: not applicable. This PR adds a provider rather than fixing a reproducible current-main bug. The relevant validation is a real-account ClinePass fetch through the app or CLI.

Review metrics: 3 noteworthy metrics.

  • Provider surface: 28 files affected. The change spans core fetching, app and CLI registration, widgets, tests, icons, and generated documentation, so proof should exercise the integrated path rather than parsing alone.
  • Patch size: 818 added, 87 removed. Most additions are bounded provider code and focused coverage, but the breadth makes end-to-end credential validation important.
  • Credential inputs: 1 config field, 2 environment keys. All supported credential entry paths converge on the same unproven live endpoint.

Root-cause cluster
Relationship: canonical
Canonical: #2219
Summary: This standalone PR is the viable ClinePass extraction from the closed, unmerged provider-batch PR.

Members:

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P1] Add redacted real-account evidence showing a successful ClinePass fetch and the 5-hour, weekly, and monthly windows that the account returns.

Proof guidance:

  • [P1] Needs real behavior proof before merge: The PR supplies focused tests and clean CI but no after-fix real-account output; add redacted terminal output, runtime logs, or a fresh CodexBar capture showing a successful ClinePass fetch, then update the PR body to trigger review or ask a maintainer to comment @clawsweeper re-review.

Risk before merge

  • [P1] The exact ClinePass subscription-limit endpoint is not listed in the public endpoint table, and the PR lacks a redacted real-account run confirming that a configured API key can retrieve the account's 5-hour, weekly, and monthly limits.

Maintainer options:

  1. Require live credential proof (recommended)
    Keep merge blocked until a redacted real ClinePass account run shows the configured key successfully returns and renders the available limit windows.
  2. Accept the authentication inference
    Merge based on the documented Bearer-token contract and automated tests while accepting that the exact subscription endpoint has not been demonstrated with a contributor account.

Next step before merge

  • [P1] Keep merge blocked for contributor-supplied real-account proof; there is no concrete automated code repair until the credential path is exercised.

Security
Cleared: The diff adds a fixed-host HTTPS fetch and established config-based secret handling without new dependencies, workflow permissions, executable downloads, or cross-provider identity leakage.

Review details

Best possible solution:

Keep the API-key design if a redacted real-account run confirms the exact subscription endpoint and rendered windows; otherwise use a documented account-auth source without exposing credentials or changing provider identity semantics.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR adds a provider rather than fixing a reproducible current-main bug. The relevant validation is a real-account ClinePass fetch through the app or CLI.

Is this the best way to solve the issue?

Unclear: the API-key path matches current Bearer-auth guidance and CodexBar's established provider architecture, but it is not confirmed as the best solution until the exact subscription endpoint succeeds in a real setup.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 2f153f4f6b05.

Label changes

Label changes:

  • add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
  • remove rating: 🧂 unranked krab: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.

Label justifications:

  • P2: This is a normal-priority provider addition with bounded blast radius and no demonstrated regression to existing providers.
  • merge-risk: 🚨 auth-provider: Merging could expose a provider that appears configured but cannot fetch subscription limits if the exact endpoint rejects the supplied API-key credential.
  • rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR supplies focused tests and clean CI but no after-fix real-account output; add redacted terminal output, runtime logs, or a fresh CodexBar capture showing a successful ClinePass fetch, then update the PR body to trigger review or ask a maintainer to comment @clawsweeper re-review.
Evidence reviewed

What I checked:

  • Credential implementation: The provider resolves a configured API key or CLINE_API_KEY/CLINEPASS_API_KEY and uses it for the ClinePass usage fetch. (Sources/CodexBarCore/Providers/ClinePass/ClinePassSettingsReader.swift:4, a01488d5a43b)
  • Provider isolation: The resulting identity is explicitly scoped to ClinePass and labels the login method as API key, consistent with the repository requirement not to mix provider identity data. (Sources/CodexBarCore/Providers/ClinePass/ClinePassUsageFetcher.swift:48, a01488d5a43b)
  • Focused coverage: The branch adds macOS and Linux coverage for settings registration, credential resolution, response parsing, unknown limit types, HTTP errors, and the three supported usage windows. (TestsLinux/ClinePassProviderLinuxTests.swift:10, a01488d5a43b)
  • Automated validation: All reported GitHub checks completed successfully, including lint, Linux builds, the macOS test shards, and GitGuardian; these checks remain supplemental rather than real-account proof. (a01488d5a43b)
  • Proof remains absent: The PR body and follow-up comments report focused tests and make check, but provide no redacted live output, runtime logs, recording, or app capture showing a successful ClinePass account fetch. (a01488d5a43b)
  • Earlier review continuity: The parser robustness and stale social-card concerns were addressed at the current head; the remaining prior blocker is now the absence of real-account credential proof rather than a discrete source-level defect. (docs/social.png, a01488d5a43b)

Likely related people:

  • steipete: Introduced and repeatedly maintained the descriptor-driven provider architecture and has merged provider integrations across the same registry and documentation surfaces. (role: provider architecture owner; confidence: high; commits: 70a02eb, 5bcd5d1, 17cdc54; files: Sources/CodexBarCore/Providers/ProviderDescriptor.swift, docs/providers.md)
  • ratulsarna: Recent history shows repeated work integrating and hardening API-backed providers and updating the central provider documentation. (role: recent provider integrator; confidence: medium; commits: 8348c85, 043cebd, d2aad5a; files: Sources/CodexBarCore/Providers, docs/providers.md)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (6 earlier review cycles)
  • reviewed 2026-07-16T12:34:57.400Z sha ee60da1 :: needs real behavior proof before merge. :: [P1] Use a credential supported by the usage endpoint
  • reviewed 2026-07-16T13:28:29.271Z sha ee60da1 :: needs real behavior proof before merge. :: [P1] Authenticate usage limits with the dashboard session | [P3] Regenerate the social image after changing its count
  • reviewed 2026-07-16T16:18:58.791Z sha a01488d :: needs real behavior proof before merge. :: [P1] Prove or replace the usage endpoint credential
  • reviewed 2026-07-16T17:02:51.166Z sha a01488d :: needs real behavior proof before merge. :: [P1] Authenticate usage limits with a supported credential
  • reviewed 2026-07-16T18:29:58.289Z sha a01488d :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-16T19:14:56.751Z sha a01488d :: needs real behavior proof before merge. :: [P1] Authenticate usage limits with a supported credential

@joeVenner

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

Addressed the ClinePass parser robustness and stale social-card findings at a01488d: unknown limits[].type values are now skipped instead of failing the whole payload, focused regression coverage preserves 5-hour, weekly, and monthly windows, and docs/social.png was regenerated from the 61-provider social card source. Local verification passed: swift test --filter ClinePass; make check.

@clawsweeper

clawsweeper Bot commented Jul 16, 2026

Copy link
Copy Markdown

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

@joeVenner

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

The previous review placeholder for a01488d appears stale after its lease expired. Current head addresses parser robustness for unknown limits[].type values and regenerates the social-card artifact, with local verification: swift test --filter ClinePass; make check. Please re-review current head.

@clawsweeper

clawsweeper Bot commented Jul 16, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@joeVenner

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

The review placeholder for a01488d expired without a verdict. Current head fixes unknown limit parsing and regenerates the social card, with local verification in the PR body. Please re-review current head.

@joeVenner

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

The review placeholder for a01488d expired again without a verdict. Current head includes the ClinePass parser/social-card fixes and verification; one macOS shard is still finishing, but please re-review current head when available.

@joeVenner

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

The review placeholder for a01488d expired again without a verdict. CI is clean; current head includes the ClinePass parser/social-card fixes and PR verification. Please re-review current head.

1 similar comment
@joeVenner

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

The review placeholder for a01488d expired again without a verdict. CI is clean; current head includes the ClinePass parser/social-card fixes and PR verification. Please re-review current head.

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels Jul 16, 2026
# Conflicts:
#	Sources/CodexBarCore/Generated/CodexParserHash.generated.swift
@steipete
steipete merged commit ee84dca into steipete:main Jul 17, 2026
8 checks passed
@steipete

Copy link
Copy Markdown
Owner

Verified and merged at head 3abb077705494e759f5be8e0d45ab4eb9f8c74ed.

  • Read the complete final diff and provider path. The implementation sends one authenticated GET request to the official api.cline.bot usage-limits endpoint, maps the five-hour, weekly, and monthly windows, and does not log response bodies.
  • swift test --filter ClinePass: 9 tests passed across 3 suites.
  • make check: locales, docs links, generated parser hash, package tests, SwiftFormat, and strict SwiftLint all passed; 0 lint violations.
  • Final maintainer autoreview: no accepted or actionable findings.
  • Exact-head CI: all required checks green, including both macOS test shards, both Linux CLI builds, lint, aggregate gate, and GitGuardian.

Live account verification was unavailable for this provider. Merge commit: ee84dca1a734b3c9c97f7d274237f7a73d7c4f49.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. P2 Normal priority bug or improvement with limited blast radius. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants