fix(auth): improve missing API key guidance for model selection

[liuxiaopai-ai]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: when a selected model fails due to missing provider API key, the error is technically correct but not actionable enough (for example, users do not see the exact env var/config key to set).
• Why it matters: model switching in TUI/interactive flows feels broken/confusing and increases setup friction.
• What changed: missing-key errors now include provider-specific env var hints (for example $GEMINI_API_KEY) and the exact config path (models.providers.<provider>.apiKey) to set.
• What did NOT change (scope boundary): auth resolution logic/order is unchanged; this PR only improves missing-key guidance text.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: Warning Message When Selecting a Model with API KEY Not Configured is Not Helpful #31544
• Related fix(agents): recover reasoning-only vLLM OpenAI-compat replies #31746

User-visible / Behavior Changes

• Missing provider API key errors now tell users exactly what to set next (env var + config path), instead of only generic auth-store guidance.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS (local test run)
• Runtime/container: Node 22 + pnpm
• Model/provider: google, zai missing-key cases
• Integration/channel (if any): N/A
• Relevant config (redacted): default auth store + empty provider key env

Steps

1. Attempt auth resolution for a provider without configured key (for example google).
2. Observe thrown missing-key error.
3. Validate the message includes provider-specific env/config hints.

Expected

• Error includes actionable hints such as $GEMINI_API_KEY and models.providers.google.apiKey.

Actual

• Matches expected with updated tests.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • pnpm test src/agents/model-auth.profiles.test.ts
  • pnpm check
• Edge cases checked:
  • multi-env hint provider (zai) includes both $ZAI_API_KEY and $Z_AI_API_KEY
  • single-env hint provider (google) includes $GEMINI_API_KEY
• What you did not verify:
  • full interactive TUI flow end-to-end on a remote Linux host

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert commit fix(auth): add provider-specific missing-key guidance.
• Files/config to restore: src/agents/model-auth.ts.
• Known bad symptoms reviewers should watch for: unexpected wording regressions in missing-key error messages.

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: copy text changes could make tests brittle if message wording changes frequently.
  • Mitigation: tests assert key actionable substrings (env/config hints) instead of full exact message blocks.

[greptile-apps]

Greptile Summary

This PR enhances missing API key error messages with provider-specific guidance, making setup failures more actionable for users.

• Extracted env var mapping to PROVIDER_API_KEY_ENV_MAP constant for reusability across functions
• Added resolveProviderApiKeyEnvHints() to provide contextual environment variable names for each provider (handles multi-env cases like zai → $ZAI_API_KEY or $Z_AI_API_KEY)
• Enhanced error messages to include specific env var hints and exact config paths (e.g., models.providers.google.apiKey)
• Added test coverage for both single-env (google) and multi-env (zai) provider error messages
• Maintains consistency between resolveProviderApiKeyEnvHints() and resolveEnvApiKey() logic

The changes are purely additive to error messaging - no modifications to auth resolution logic or order.

Confidence Score: 5/5

• This PR is safe to merge - it only improves error message text without changing any authentication logic
• Score reflects that this is a low-risk change: (1) only modifies error message content, (2) well-tested with passing tests, (3) logic consistency verified between hint function and actual resolution, (4) backward compatible with no breaking changes, (5) clean refactoring that improves maintainability
• No files require special attention

_{Last reviewed commit: 8fccb0f}

[steipete]

Thanks for the PR! Multiple PRs address issue #31544 (missing API key guidance). Keeping #31554 as the earliest submission. Closing to reduce noise. This is an AI-assisted triage review. If we got this wrong, feel free to reopen — happy to revisit.