Summary
The entire src/commands/onboard-auth.* cluster (13 files, ~2,500 LoC) has zero production callers. It's a complete parallel credential-management layer that the live onboarding wizard never touches. Delete the cluster.
Evidence
Grep verification:
git grep -rn "from.*commands/onboard-auth['\"]" src/
→ returns only files inside the cluster itself + zai-endpoint-detect.ts (also test-only)
Live onboarding chain (none imports onboard-auth.*):
src/commands/onboard.ts → onboard-interactive.ts | onboard-non-interactive.tsonboard-non-interactive.ts → onboard-non-interactive/local.ts (live) | remote.tssrc/wizard/onboarding.ts is the actual credential persistence layer for the 4 fork runtimes (Claude/Gemini/Codex/OpenCode), calling src/agents/auth-profiles.ts::upsertAuthProfile directly at lines 117, 127, 155, 183, 222, 233, etc.src/commands/onboard-non-interactive/local/auth-choice.ts::applyNonInteractiveAuthChoice is an explicit no-op stub with the header comment // Gutted in RemoteClaw fork (Middleware Boundary Principle) — so even the non-interactive auth-choice path is dead.
Conclusion: Every symbol in the onboard-auth.* cluster is reachable only through its own test files or through the dead onboard-auth.ts barrel which has no production importer.
Files to Delete
The barrel
src/commands/onboard-auth.ts (119 LoC) — pure re-export barrel over the dead sub-files
Config builders (per-provider)
src/commands/onboard-auth.config-core.ts (576 LoC) — applies cfg.models.providers.* for Zai, OpenRouter, Moonshot, KimiCode, Synthetic, Xiaomi, Venice, Together, Huggingface, Xai, Mistral, Kilocode, Qianfan (all Pi-era third-party LLM providers)src/commands/onboard-auth.config-gateways.ts — Vercel AI Gateway + Cloudflare AI Gateway aliasessrc/commands/onboard-auth.config-litellm.ts — LiteLLM default model alias (25 LoC)src/commands/onboard-auth.config-minimax.ts (231 LoC) — MiniMax M2.5 hosted + local + Anthropic-compat variantssrc/commands/onboard-auth.config-opencode.ts (33 LoC) — NOTE: this is "OpenCode Zen" hosted gateway, NOT the OpenCode CLI runtime. The actual OpenCode CLI runtime at src/middleware/runtimes/opencode.ts manages its own .opencode/config.json independently and never imports from this file.src/commands/onboard-auth.config-shared.ts — helpers applyProviderConfigWithDefaultModel, applyProviderConfigWithDefaultModels, applyProviderConfigWithModelCatalog (already stubbed to return cfg), plus applyOnboardAuthAgentModelsAndProviders and applyAgentDefaultModelPrimary (real code, reachable only via dead barrel)
Credentials layer
src/commands/onboard-auth.credentials.ts (511 LoC) — credential setters (setAnthropicApiKey, setOpenaiApiKey, setGeminiApiKey, setZaiApiKey, setMinimaxApiKey, writeOAuthCredentials, etc.). Contains some real implementations (OAuth sibling sync, env-var secret-ref resolution) but every setter routes through upsertAuthProfile, which live code (src/wizard/onboarding.ts) calls directly without this intermediary.src/commands/onboard-auth.models.ts (227 LoC) — model constants, catalogs, and build*ModelDefinition helpers for MiniMax, Moonshot, Zai, Mistral, Xai, Kilocode, Qianfan, Xiaomi
Tests
src/commands/onboard-auth.test.ts (751 LoC) — tests for the barrel's entire API surfacesrc/commands/onboard-auth.config-shared.test.ts — tests for applyOnboardAuthAgentModelsAndProviderssrc/commands/onboard-auth.config-core.kilocode.test.ts (195 LoC) — tests for Kilocode helperssrc/commands/onboard-non-interactive.provider-auth.test.ts (741 LoC) — 741 lines of tests asserting config values like cfg.auth?.profiles?.["vercel-ai-gateway:default"]?.provider === "vercel-ai-gateway", but the handler that would write those (applyNonInteractiveAuthChoice) is an explicit no-op. These tests exercise dead handlers and pass trivially or fail silently. The only remaining use is importing MINIMAX_API_BASE_URL / MINIMAX_CN_API_BASE_URL constants from the barrel.
Cascades Unlocked by This Gut
These files become unreachable after the cluster deletes — they can be swept in the same PR or a follow-up:
src/agents/huggingface-models.ts — empty catalog stub; only consumed by onboard-auth.config-core.tssrc/agents/synthetic-models.ts — samesrc/agents/together-models.ts — samesrc/agents/venice-models.ts — samesrc/agents/models-config.providers.ts — samesrc/secrets/provider-env-vars.ts — empty PROVIDER_ENV_VARS = {} stub; only consumed by onboard-auth.credentials.tssrc/commands/zai-endpoint-detect.ts — only reachable via the onboard-auth.* cluster tests; verify.
Risk Assessment
Real-implementation sub-pieces to audit before deletion:
onboard-auth.credentials.ts::writeOAuthCredentials — OAuth sibling-sync logic. Search for any non-onboard-auth caller before deleting:
git grep -rn "writeOAuthCredentials" src/
onboard-auth.config-shared.ts::applyOnboardAuthAgentModelsAndProviders — mutates cfg.agents.defaults.models and cfg.models.providers. Not called outside the cluster.onboard-auth.models.ts::build*ModelDefinition helpers — model catalog builders. Not called outside the cluster.
If any of these turn out to have a legitimate non-cluster caller, extract the needed function before deletion.
Acceptance Criteria
Out of Scope
- The Pi-era third-party provider stubs (
huggingface-models, synthetic-models, together-models, venice-models, models-config.providers, secrets/provider-env-vars) that become unreachable — these are included in the sibling re-gut issue; either sweep them together here, or leave them for that issue (pick one).
commands/onboard-provider-auth-flags.ts — this file IS alive (registers 24 CLI flags on the onboard command), but most of those flags are dead. Tracked as a separate issue.
References
- Related:
src/wizard/onboarding.ts — the live credential persistence path for the 4 fork runtimes
- Related:
src/agents/auth-profiles.ts::upsertAuthProfile — canonical credential writer used by the wizard
- Related:
src/commands/onboard-non-interactive/local/auth-choice.ts::applyNonInteractiveAuthChoice — explicit no-op stub confirming non-interactive auth is gutted
- Audit source: targeted provider/model obsolescence audit, fork HEAD
44b4f92b12, 2026-04-13
Summary
The entire
src/commands/onboard-auth.*cluster (13 files, ~2,500 LoC) has zero production callers. It's a complete parallel credential-management layer that the live onboarding wizard never touches. Delete the cluster.Evidence
Grep verification:
Live onboarding chain (none imports
onboard-auth.*):src/commands/onboard.ts→onboard-interactive.ts|onboard-non-interactive.tsonboard-non-interactive.ts→onboard-non-interactive/local.ts(live) |remote.tssrc/wizard/onboarding.tsis the actual credential persistence layer for the 4 fork runtimes (Claude/Gemini/Codex/OpenCode), callingsrc/agents/auth-profiles.ts::upsertAuthProfiledirectly at lines 117, 127, 155, 183, 222, 233, etc.src/commands/onboard-non-interactive/local/auth-choice.ts::applyNonInteractiveAuthChoiceis an explicit no-op stub with the header comment// Gutted in RemoteClaw fork (Middleware Boundary Principle)— so even the non-interactive auth-choice path is dead.Conclusion: Every symbol in the
onboard-auth.*cluster is reachable only through its own test files or through the deadonboard-auth.tsbarrel which has no production importer.Files to Delete
The barrel
src/commands/onboard-auth.ts(119 LoC) — pure re-export barrel over the dead sub-filesConfig builders (per-provider)
src/commands/onboard-auth.config-core.ts(576 LoC) — appliescfg.models.providers.*for Zai, OpenRouter, Moonshot, KimiCode, Synthetic, Xiaomi, Venice, Together, Huggingface, Xai, Mistral, Kilocode, Qianfan (all Pi-era third-party LLM providers)src/commands/onboard-auth.config-gateways.ts— Vercel AI Gateway + Cloudflare AI Gateway aliasessrc/commands/onboard-auth.config-litellm.ts— LiteLLM default model alias (25 LoC)src/commands/onboard-auth.config-minimax.ts(231 LoC) — MiniMax M2.5 hosted + local + Anthropic-compat variantssrc/commands/onboard-auth.config-opencode.ts(33 LoC) — NOTE: this is "OpenCode Zen" hosted gateway, NOT the OpenCode CLI runtime. The actual OpenCode CLI runtime atsrc/middleware/runtimes/opencode.tsmanages its own.opencode/config.jsonindependently and never imports from this file.src/commands/onboard-auth.config-shared.ts— helpersapplyProviderConfigWithDefaultModel,applyProviderConfigWithDefaultModels,applyProviderConfigWithModelCatalog(already stubbed toreturn cfg), plusapplyOnboardAuthAgentModelsAndProvidersandapplyAgentDefaultModelPrimary(real code, reachable only via dead barrel)Credentials layer
src/commands/onboard-auth.credentials.ts(511 LoC) — credential setters (setAnthropicApiKey,setOpenaiApiKey,setGeminiApiKey,setZaiApiKey,setMinimaxApiKey,writeOAuthCredentials, etc.). Contains some real implementations (OAuth sibling sync, env-var secret-ref resolution) but every setter routes throughupsertAuthProfile, which live code (src/wizard/onboarding.ts) calls directly without this intermediary.src/commands/onboard-auth.models.ts(227 LoC) — model constants, catalogs, andbuild*ModelDefinitionhelpers for MiniMax, Moonshot, Zai, Mistral, Xai, Kilocode, Qianfan, XiaomiTests
src/commands/onboard-auth.test.ts(751 LoC) — tests for the barrel's entire API surfacesrc/commands/onboard-auth.config-shared.test.ts— tests forapplyOnboardAuthAgentModelsAndProviderssrc/commands/onboard-auth.config-core.kilocode.test.ts(195 LoC) — tests for Kilocode helperssrc/commands/onboard-non-interactive.provider-auth.test.ts(741 LoC) — 741 lines of tests asserting config values likecfg.auth?.profiles?.["vercel-ai-gateway:default"]?.provider === "vercel-ai-gateway", but the handler that would write those (applyNonInteractiveAuthChoice) is an explicit no-op. These tests exercise dead handlers and pass trivially or fail silently. The only remaining use is importingMINIMAX_API_BASE_URL/MINIMAX_CN_API_BASE_URLconstants from the barrel.Cascades Unlocked by This Gut
These files become unreachable after the cluster deletes — they can be swept in the same PR or a follow-up:
src/agents/huggingface-models.ts— empty catalog stub; only consumed byonboard-auth.config-core.tssrc/agents/synthetic-models.ts— samesrc/agents/together-models.ts— samesrc/agents/venice-models.ts— samesrc/agents/models-config.providers.ts— samesrc/secrets/provider-env-vars.ts— emptyPROVIDER_ENV_VARS = {}stub; only consumed byonboard-auth.credentials.tssrc/commands/zai-endpoint-detect.ts— only reachable via theonboard-auth.*cluster tests; verify.Risk Assessment
Real-implementation sub-pieces to audit before deletion:
onboard-auth.credentials.ts::writeOAuthCredentials— OAuth sibling-sync logic. Search for any non-onboard-authcaller before deleting:onboard-auth.config-shared.ts::applyOnboardAuthAgentModelsAndProviders— mutatescfg.agents.defaults.modelsandcfg.models.providers. Not called outside the cluster.onboard-auth.models.ts::build*ModelDefinitionhelpers — model catalog builders. Not called outside the cluster.If any of these turn out to have a legitimate non-cluster caller, extract the needed function before deletion.
Acceptance Criteria
pnpm checkpassespnpm testpasses (remove tests for deleted code; do not convert them to runtime mocks)git grep -rn "onboard-auth" src/returns zero hits (except historical changelog/docs entries)git grep -rn "from.*commands/onboard-auth" src/returns zero hitssrc/wizard/onboarding.tscredential persistence flow still works end-to-end (manual smoke test: runremoteclaw onboardand confirm Claude/Gemini/Codex/OpenCode profiles can be written)Out of Scope
huggingface-models,synthetic-models,together-models,venice-models,models-config.providers,secrets/provider-env-vars) that become unreachable — these are included in the sibling re-gut issue; either sweep them together here, or leave them for that issue (pick one).commands/onboard-provider-auth-flags.ts— this file IS alive (registers 24 CLI flags on theonboardcommand), but most of those flags are dead. Tracked as a separate issue.References
src/wizard/onboarding.ts— the live credential persistence path for the 4 fork runtimessrc/agents/auth-profiles.ts::upsertAuthProfile— canonical credential writer used by the wizardsrc/commands/onboard-non-interactive/local/auth-choice.ts::applyNonInteractiveAuthChoice— explicit no-op stub confirming non-interactive auth is gutted44b4f92b12, 2026-04-13