Problem
has_usable_secret() only filters obvious placeholders (empty, "changeme", "dummy"). It does not validate provider-specific key formats. A garbled or wrong-provider key (e.g. an OpenAI key pasted into ANTHROPIC_API_KEY) passes the filter and fails on the first API call with a cryptic 401.
Proposed Solution
Add lightweight prefix/format checks for known providers:
- OpenAI: starts with sk- (classic) or sk-proj- (project)
- Anthropic: starts with sk-ant-
- OpenRouter: starts with sk-or-
Emit a warning during provider resolution if the key does not match the expected format. Advisory only — do not block, since providers may change formats.
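One way to implement the advisory check proposed above, as an added example in Python that is not the project's own code; `guess_provider`, `check_key_format` and `resolve_provider` are hypothetical names, and the sample keys in the test are constructed. It matches on the longest prefix because Anthropic and OpenRouter keys also start with `sk-`, and the warning text never includes the key.

```python
import logging

log = logging.getLogger("provider_resolution")

# Prefixes exactly as listed in the proposal; providers may change them,
# which is why a mismatch only warns and never blocks.
KEY_PREFIXES = {
    "openai": ("sk-proj-", "sk-"),
    "anthropic": ("sk-ant-",),
    "openrouter": ("sk-or-",),
}


def guess_provider(key):
    """Return the provider whose longest known prefix matches, else None."""
    best, best_len = None, 0
    for provider, prefixes in KEY_PREFIXES.items():
        for prefix in prefixes:
            # "sk-ant-..." also starts with "sk-", so the longest match wins.
            if key.startswith(prefix) and len(prefix) > best_len:
                best, best_len = provider, len(prefix)
    return best


def check_key_format(provider, key):
    """Return an advisory message, or None if the key looks right.

    The message names providers and prefixes only, never the secret.
    """
    expected = KEY_PREFIXES.get(provider)
    if expected is None:
        return None  # unknown provider: nothing to check
    looks_like = guess_provider(key)
    if looks_like == provider:
        return None
    if looks_like is None:
        return (f"{provider}: key does not start with an expected prefix "
                f"({' or '.join(expected)})")
    return f"{provider}: key looks like a {looks_like} key (wrong variable?)"


def resolve_provider(provider, key):
    """Hypothetical resolution hook: warn on a mismatch, then carry on."""
    message = check_key_format(provider, key)
    if message:
        log.warning(message)
    return key  # advisory only, the key is still used
```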