feat(llm_cli): add xAI Grok Build CLI adapter as grok-cli provider

[AniketR10]

Fixes #2552

Describe the changes you have made in this PR -

Adds support for xAI's Grok Build CLI as a new local-CLI LLM provider (grok-cli), so users on Grok Build can use the same onboarding and runtime flow as the other CLI adapters (Codex, Claude Code, etc.). It includes the adapter itself (binary discovery, --version/auth detection, headless grok -p invocation, and clear failure messages), registry/config/wizard wiring so it's selectable and reported by opensre doctor, secure forwarding of XAI_API_KEY only to the Grok subprocess, unit tests mirroring the existing adapters, and docs covering setup and usage.

Demo/Screenshot for feature changes and bug fixes -

Screencast.From.2026-05-30.10-45-40.mp4

---

Code Understanding and AI Usage

Did you use AI assistance (ChatGPT, Claude, Copilot, etc.) to write any part of this code?

• No, I wrote all the code myself
• Yes, I used AI assistance (continue below)

If you used AI assistance:

• I have reviewed every single line of the AI-generated code
• I can explain the purpose and logic of each function/component I added
• I have tested edge cases and understand how the code handles them
• I have modified the AI output to follow this project's coding standards and conventions

Explain your implementation approach:

Followed the existing CLI adapter pattern: GrokCLIAdapter implements the shared contract and reuses common helpers for binary resolution, version probe, and timeouts. Auth is best-effort (no grok auth status), treating XAI_API_KEY or a login session file as authenticated. The key is forwarded only to the Grok subprocess (not the shared allowlist) to avoid leaks, and --always-approve is omitted so OpenSRE drives its own tools. Registry/config/wizard wiring is mechanical, with tests mirroring the other adapters.

---

Checklist before requesting a review

• I have added proper PR title and linked to the issue
• I have performed a self-review of my code
• I can explain the purpose of every function, class, and logic block I added
• I understand why my changes work and have tested them thoroughly
• I have considered potential edge cases and how my code handles them
• If it is a core feature, I have added thorough tests
• My code follows the project's style guidelines and conventions

---

Note: Please check Allow edits from maintainers if you would like us to assist in the PR.

[github-actions]

Greptile code review

This repo uses Greptile for automated review. Before merge, aim for Confidence Score: 5/5 with zero unresolved review threads — see CONTRIBUTING.md.

Run a review — add a PR comment with:

@greptile review

Give it ~5-10 minutes (sometimes longer) for results, then fix feedback and re-trigger until you reach Confidence Score: 5/5.

Optional: automate with the greploop skill.

[greptile-apps]

Greptile Summary

This PR adds grok-cli as a new local-CLI LLM provider, wiring xAI's Grok Build CLI (grok -p) into the existing adapter pattern alongside Codex, Claude Code, Copilot, and others.

• Core adapter (grok_cli.py): implements binary resolution, best-effort auth detection (env key → session file), headless grok -p --output-format plain --no-auto-update invocation, and XAI_API_KEY scoped exclusively to the Grok subprocess via XAI_CLI_ENV_KEYS — matching the security pattern used by the Copilot adapter.
• Config/registry wiring (app/config.py, registry.py, wizard/config.py): adds "grok-cli" to all required sites (LLMProvider, KEYLESS_LLM_PROVIDERS, validate_provider, CLI_PROVIDER_REGISTRY, SUPPORTED_PROVIDERS).
• Tests and docs: comprehensive unit tests mirroring peer adapters, plus provider-table row, setup section, and a groq/grok disambiguation note in llm-providers.mdx.

Confidence Score: 5/5

Safe to merge. The adapter follows existing patterns faithfully, credential scoping is correctly implemented, and all required config/registry wiring sites are updated.

The changes are well-contained — a new adapter file, its registry/config wiring, and a test suite. The XAI_API_KEY isolation via CLIInvocation.env is correct and matches the Copilot precedent. Auth detection logic has been carefully reviewed and the OSError-continue fix is in place. No defects were found on the runtime path.

No files require special attention.

Important Files Changed

Filename	Overview
app/integrations/llm_cli/grok_cli.py	New adapter implementing binary resolution, best-effort auth detection, headless grok -p invocation, and XAI_API_KEY scoping. Logic is clean and consistent with peer adapters.
app/integrations/llm_cli/env_overrides.py	Adds XAI_CLI_ENV_KEYS constant scoping XAI_API_KEY and XAI_BASE_URL exclusively to the Grok subprocess, matching the security pattern used for Copilot.
app/integrations/llm_cli/registry.py	Registers grok-cli in CLI_PROVIDER_REGISTRY with the correct factory and GROK_CLI_MODEL env key.
app/cli/wizard/config.py	Adds GROK_CLI_MODELS tuple and ProviderOption for grok-cli with correct credential_kind="cli" and empty api_key_env, consistent with other CLI providers.
app/config.py	Adds "grok-cli" to LLMProvider Literal, KEYLESS_LLM_PROVIDERS, and LLMSettings.validate_provider() — all three required sites.
tests/integrations/llm_cli/test_grok_cli_adapter.py	Comprehensive test suite covering auth classification, detect/build/parse/explain_failure, env forwarding, and registry wiring. One test asserts a hardcoded timeout without pinning the GROK_CLI_TIMEOUT_SECONDS env var.
app/integrations/llm_cli/AGENTS.md	Documents the new grok_cli.py adapter row with accurate invocation flags and auth-detection summary.
docs/llm-providers.mdx	Adds grok-cli row to the provider table and a dedicated setup section with env var docs, auth caveats, and a groq/grok disambiguation note.

Sequence Diagram

sequenceDiagram
    participant Runner as OpenSRE Runner
    participant Adapter as GrokCLIAdapter
    participant Resolver as BinaryResolver
    participant Env as os.environ
    participant Grok as grok CLI subprocess

    Runner->>Adapter: detect()
    Adapter->>Resolver: resolve_cli_binary(GROK_CLI_BIN, "grok", fallbacks)
    Resolver-->>Adapter: binary_path
    Adapter->>Grok: grok --version (probe, 5s timeout)
    Grok-->>Adapter: version string
    Adapter->>Env: XAI_API_KEY present?
    alt API key set
        Env-->>Adapter: "True - logged_in=True"
    else No API key
        Adapter->>Adapter: scan ~/.grok-build/, ~/.grok/ for session files
        Adapter-->>Adapter: "logged_in=True/False/None"
    end
    Adapter-->>Runner: CLIProbe(installed, version, logged_in, detail)

    Runner->>Adapter: build(prompt, model, workspace)
    Adapter->>Env: nonempty_env_values(XAI_CLI_ENV_KEYS)
    Env-->>Adapter: XAI_API_KEY, XAI_BASE_URL (if set)
    Adapter-->>Runner: "CLIInvocation(argv, env={NO_COLOR:1, ...xAI creds})"

    Runner->>Grok: "exec CLIInvocation (cwd=workspace, timeout=300s)"
    Grok-->>Runner: stdout, stderr, returncode

    alt "returncode == 0"
        Runner->>Adapter: parse(stdout, stderr, returncode)
        Adapter-->>Runner: stdout.strip()
    else "returncode != 0"
        Runner->>Adapter: explain_failure(stdout, stderr, returncode)
        Adapter-->>Runner: error message
    end

Loading

_{Reviews (3): Last reviewed commit: "fix(grok-cli): don't abandon credential ..." | Re-trigger Greptile}

[AniketR10]

@muddlebee i was in not in good health from past few days, so couldnt work on it, will get it done asap

[AniketR10]

@greptile review

[AniketR10]

@muddlebee please review

[Devesh36]

Add demo also update .env.example

[AniketR10]

@Devesh36 @muddlebee added the demo and .env.example