feat(vertex-ai): route Vertex AI through standard openshell provider pipeline

[jeffmaury]

Summary

• Add flags support to CreateProviderOptions and SecretValue interfaces, enabling bare positional arguments for openshell provider create
• When a _flag configuration property is detected, non-password config values are returned as workspace environment variables instead of provider config — this lets Vertex AI use ADC authentication through the standard ensureModelSecretFromConfig path
• Forward config and flags through OpenshellSecretAdapter.createSecret (fixes a pre-existing gap where config was defined on SecretValue but never forwarded)

Test plan

• Unit tests for OpenshellCli.createProvider with bare flag arguments
• Unit tests for empty credentials accepted when flags are present
• Unit tests for OpenshellSecretAdapter forwarding config and flags
• Unit tests for ensureModelSecretFromConfig returning environment variables when _flag is set
• All 220 existing tests pass
• TypeScript type check clean

Fixes #2245

🤖 Generated with Claude Code

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds an optional flags field to the CreateProviderOptions and SecretValue interfaces, threads it through OpenshellCli.createProvider and OpenshellSecretAdapter.createSecret, and reworks ensureModelSecretFromConfig in AgentWorkspaceManager to detect a ._flag config entry and return a computed environment-variable map instead of a boolean result.

Changes

Vertex AI flags support in provider/secret pipeline

Layer / File(s)	Summary
API contracts: flags on CreateProviderOptions and SecretValue packages/api/src/openshell-gateway-info.ts, packages/api/src/secret-info.ts	Adds flags?: string[] to both CreateProviderOptions and SecretValue interfaces.
OpenShell CLI: accept and pass flags to provider create packages/main/src/plugin/openshell-cli/openshell-cli.ts, packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts	Updates the credential-empty guard to allow invocation when flags are present, appends each options.flags entry to the CLI args array, and adds/updates tests for both behaviors.
Secret adapter: forward config and flags to createProvider packages/main/src/plugin/secret-manager/openshell-secret-adapter.ts, packages/main/src/plugin/secret-manager/openshell-secret-adapter.spec.ts	Passes options.value.config and options.value.flags through to createProvider; tests assert undefined passthrough and populated-fields forwarding.
Agent workspace: ensureModelSecretFromConfig returns env map packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts, packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts	Changes return type of ensureModelSecretFromConfig from boolean to { handled, environment }, adds ._flag detection to build a flat env map (e.g., GOOGLE_VERTEX_PROJECT) instead of value.config, updates ensureModelSecret to return that map, and adds the Vertex AI config-path test.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• openkaiden/kaiden#1762: Modifies the same ensureModelSecret/ensureModelSecretFromConfig logic in AgentWorkspaceManager around how provider credentials are transformed into SecretCreateOptions.
• openkaiden/kaiden#2101: Introduces OpenshellSecretAdapter.createSecret and the OpenShell secret-manager backend that this PR extends with config/flags forwarding.
• openkaiden/kaiden#2137: Modifies the same createProvider CLI wiring in openshell-cli.ts that this PR extends for flags support.

Suggested reviewers

• fbricon
• gastoner
• benoitf

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main objective: routing Vertex AI through the standard openshell provider pipeline, which is the primary focus of this PR.
Description check	✅ Passed	The description is well-related to the changeset, explaining the key modifications including flags support, environment variable handling, and forwarding logic.
Linked Issues check	✅ Passed	The PR successfully implements all requirements from issue #2245: adds flags support for Vertex AI, handles environment variables when _flag is detected, forwards config/flags properly, and allows empty credentials with flags.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to implementing Vertex AI support through the openshell provider pipeline. No out-of-scope modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts (1)

251-292: 🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Environment variables are computed but never applied to the workspace configuration.

The function now returns Promise<Record<string, string>>, but the caller at line 125 doesn't capture the return value:

await this.ensureModelSecret(options);

When the config-based path at lines 257-258 returns result.environment, those environment variables are lost. They should be applied to options.workspaceConfiguration.environment (similar to the pattern at lines 282-289) before returning.

Additionally, the try-finally block at lines 257-261 has an empty finally clause that serves no purpose and should be removed.

🔧 Proposed fix to apply environment variables

     try {
       const result = await this.ensureModelSecretFromConfig(options);
-      if (result.handled) return result.environment;
-    } finally {
-      /* empty */
-    }
+      if (result.handled) {
+        // Apply environment variables to workspace configuration
+        if (Object.keys(result.environment).length > 0) {
+          options.workspaceConfiguration ??= {};
+          options.workspaceConfiguration.environment ??= [];
+          for (const [name, value] of Object.entries(result.environment)) {
+            options.workspaceConfiguration.environment = options.workspaceConfiguration.environment.filter(
+              e => e.name !== name,
+            );
+            options.workspaceConfiguration.environment.push({ name, value });
+          }
+        }
+        return {};
+      }
+    } catch {
+      // Fall through to legacy path
+    }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts` around
lines 251 - 292, The ensureModelSecret method returns environment variables from
the config-based path at lines 257-258 but those variables are never applied to
the workspace configuration and are lost. When result.environment is returned
from ensureModelSecretFromConfig, apply those environment variables to
options.workspaceConfiguration.environment before returning, following the same
pattern used at lines 282-289 where result.environmentVariable is pushed to the
environment array. Additionally, remove the empty try-finally block at lines
257-261 as it serves no purpose.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts`:
- Around line 251-292: The ensureModelSecret method returns environment
variables from the config-based path at lines 257-258 but those variables are
never applied to the workspace configuration and are lost. When
result.environment is returned from ensureModelSecretFromConfig, apply those
environment variables to options.workspaceConfiguration.environment before
returning, following the same pattern used at lines 282-289 where
result.environmentVariable is pushed to the environment array. Additionally,
remove the empty try-finally block at lines 257-261 as it serves no purpose.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4e69dd9e-eeec-40a0-ba3c-e645a45042df

📥 Commits

Reviewing files that changed from the base of the PR and between 677e04b and 7a62306.

📒 Files selected for processing (8)

• packages/api/src/openshell-gateway-info.ts
• packages/api/src/secret-info.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.ts
• packages/main/src/plugin/secret-manager/openshell-secret-adapter.spec.ts
• packages/main/src/plugin/secret-manager/openshell-secret-adapter.ts

📜 Review details

⏰ Context from checks skipped due to timeout. (10)

• GitHub Check: smoke-e2e-tests (prod) / ubuntu-24.04 (ollama)
• GitHub Check: unit tests / windows-2022
• GitHub Check: smoke-e2e-tests (dev) / ubuntu-24.04 (ollama)
• GitHub Check: Windows
• GitHub Check: macOS
• GitHub Check: unit tests / ubuntu-24.04
• GitHub Check: unit tests / macos-15
• GitHub Check: linter, formatters
• GitHub Check: typecheck
• GitHub Check: Linux

🧰 Additional context used

📓 Path-based instructions (4)

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use /@/ path aliases instead of relative paths for imports outside the current directory's module group; use relative imports only for sibling modules within the same directory

Files:

• packages/api/src/secret-info.ts
• packages/main/src/plugin/secret-manager/openshell-secret-adapter.ts
• packages/main/src/plugin/secret-manager/openshell-secret-adapter.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/api/src/openshell-gateway-info.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

packages/main/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

packages/main/src/**/*.{ts,tsx}: Use ipcHandle() to expose handlers in the main process with naming convention <registry-name>:<action> (e.g., container-provider-registry:listContainers)
Use apiSender.send() to send events from main process to renderer for real-time updates
Long-running operations should use TaskManager.createTask() with title and action configuration

Files:

• packages/main/src/plugin/secret-manager/openshell-secret-adapter.ts
• packages/main/src/plugin/secret-manager/openshell-secret-adapter.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

packages/{main,renderer,preload}/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Container operations must include engineId parameter to identify the container engine

Files:

• packages/main/src/plugin/secret-manager/openshell-secret-adapter.ts
• packages/main/src/plugin/secret-manager/openshell-secret-adapter.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

**/*.spec.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.spec.{ts,tsx,js,jsx}: Use test() instead of it() for test cases in Vitest unit tests
Use vi.mock(import('...')) for auto-mocking modules in unit tests; avoid manual mock factories when possible
Use vi.resetAllMocks() in beforeEach hooks instead of vi.clearAllMocks() for resetting mocks between tests
When an auto-mocked function or class method needs a real implementation, use vi.mocked(...) with the prototype pattern for class methods: vi.mocked(MyClass.prototype.myMethod).mockImplementation(...)

Files:

• packages/main/src/plugin/secret-manager/openshell-secret-adapter.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

🧠 Learnings (2)

📚 Learning: 2026-05-12T17:14:02.153Z

Learnt from: MarsKubeX
Repo: openkaiden/kaiden PR: 1850
File: packages/renderer/src/lib/agent-workspaces/AgentWorkspaceList.svelte:66-70
Timestamp: 2026-05-12T17:14:02.153Z
Learning: When reviewing code that uses `AgentWorkspaceSummaryUI.runtime`, treat it as a required, non-null `string` per the `openkaiden/kdn-api` 0.12.0 schema. Therefore, code like `a.runtime.localeCompare(b.runtime)` is safe and should not trigger warnings about possible `undefined`/`null` values or suggestions to use nullish coalescing/optional chaining for `runtime` (unless the current local types still mark `runtime` as optional, indicating a schema/version mismatch).

Applied to files:

• packages/api/src/secret-info.ts
• packages/main/src/plugin/secret-manager/openshell-secret-adapter.ts
• packages/main/src/plugin/secret-manager/openshell-secret-adapter.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/api/src/openshell-gateway-info.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

📚 Learning: 2026-03-09T08:47:09.657Z

Learnt from: benoitf
Repo: kortex-hub/kortex PR: 1077
File: packages/main/src/plugin/skill/skill-manager.ts:80-109
Timestamp: 2026-03-09T08:47:09.657Z
Learning: In the kortex-hub/kortex repository, IPC handlers (via ipcHandle()) may be registered directly inside feature manager/service classes (e.g., SkillManager in packages/main/src/plugin/skill/skill-manager.ts) rather than exclusively in packages/main/src/plugin/index.ts. Treat this as an accepted design pattern for files under the plugin directory. Reviewers should not require centralization in index.ts; allow IPC registration proximity to the feature that owns the handler. When reviewing code, accept direct ipcHandle() registrations inside feature managers and ensure the pattern is consistently applied across similar feature-manager modules.

Applied to files:

• packages/main/src/plugin/secret-manager/openshell-secret-adapter.ts
• packages/main/src/plugin/secret-manager/openshell-secret-adapter.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

🔇 Additional comments (12)

packages/api/src/openshell-gateway-info.ts (1)

128-128: LGTM!

packages/api/src/secret-info.ts (1)

39-39: LGTM!

packages/main/src/plugin/openshell-cli/openshell-cli.ts (2)

283-283: LGTM!

---

292-296: LGTM!

packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts (1)

766-766: LGTM!

Also applies to: 778-827

packages/main/src/plugin/secret-manager/openshell-secret-adapter.ts (1)

56-57: LGTM!

packages/main/src/plugin/secret-manager/openshell-secret-adapter.spec.ts (1)

58-59: LGTM!

Also applies to: 69-93

packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts (4)

290-300: LGTM!

---

315-319: LGTM!

---

340-369: LGTM!

---

381-381: LGTM!

packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts (1)

1138-1214: LGTM!

[fbricon]

I'm confused as flags are defined as string[] yet only the 1st flag is being used

[codecov]

Codecov Report

❌ Patch coverage is 87.50000% with 5 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
.../plugin/agent-workspace/agent-workspace-manager.ts	86.11%	5 Missing ⚠️

📢 Thoughts on this report? Let us know!

[fbricon]

openshell doc mentions --from-gcloud-adc, why can't we use that instead of __from_gcloud_adc?