feat: add Custom API Settings for proxy services

[DK625]

Add UI for configuring proxy services (OpenRouter, LiteLLM, custom deployments) in the onboarding wizard, eliminating the need for manual .env file editing.

Features:

• Collapsible Custom API Settings section in onboarding wizard
• Base URL input for proxy endpoint configuration
• Secure Auth Token field with show/hide toggle
• Custom Model name mapping (e.g., gemini-claude-sonnet-4-5)
• Auto-updates .env with ANTHROPIC_BASE_URL, ANTHROPIC_AUTH_TOKEN, AUTO_BUILD_MODEL
• Intelligent fallback path detection for dev/production modes
• Input validation and user-friendly error messages

Benefits:

• Enables cost-effective proxy usage without technical knowledge
• Faster provider switching and testing
• Safer configuration through UI validation
• Better support for enterprise deployments

Changes:

• insights_runner.py: Read AUTO_BUILD_MODEL from environment
• settings-handlers.ts: IPC handler to update .env file
• settings-api.ts: Preload API for saveCustomApiSettings
• OAuthStep.tsx: Custom API Settings UI component
• ipc.ts: Type definitions for custom API settings

Co-Authored-By: Claude [email protected]

🤖 Generated with Claude Code

Base Branch

• This PR targets the develop branch (required for all feature/fix PRs)
• This PR targets main (hotfix only - maintainers)

Description

Related Issue

Closes #

Type of Change

• 🐛 Bug fix
• ✨ New feature
• 📚 Documentation
• ♻️ Refactor
• 🧪 Test

Area

• Frontend
• Backend
• Fullstack

Commit Message Format

Follow conventional commits: <type>: <subject>

Types: feat, fix, docs, style, refactor, test, chore

Example: feat: add user authentication system

Checklist

• I've synced with develop branch
• I've tested my changes locally
• I've followed the code principles (SOLID, DRY, KISS)
• My PR is small and focused (< 400 lines ideally)

CI/Testing Requirements

• All CI checks pass
• All existing tests pass
• New features include test coverage
• Bug fixes include regression tests

Screenshots

Before	After

Feature Toggle

• Behind localStorage flag: use_feature_name
• Behind settings toggle
• Behind environment variable/config
• N/A - Feature is complete and ready for all users

Breaking Changes

Breaking: Yes / No

Details:

Summary by CodeRabbit

• New Features

  • Custom API Settings in onboarding: users can enter Base URL, Auth Token (show/hide) and optional Model, then save to app configuration.
  • Frontend exposes a Save action and a new renderer/preload API to persist those settings.
  • Localization added for the Custom API UI (English & French).

• Chores

  • Default AI model selection now respects an environment-driven setting when no model is specified.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR makes the backend runner's default model environment-driven (model param now optional) and adds frontend support to save custom API settings (base URL, auth token, optional model) into the backend .env via a new IPC channel, preload API, and onboarding UI.

Changes

Cohort / File(s)	Summary
Backend model configuration apps/backend/runners/insights_runner.py	run_with_sdk model param changed to optional (None); added os import; when model is None it resolves from AUTO_BUILD_MODEL env var with fallback "claude-sonnet-4-5-20250929"; CLI --model default set to None; model set before prompt building/logging.
Frontend IPC & settings handler apps/frontend/src/main/ipc-handlers/settings-handlers.ts, apps/frontend/src/shared/constants/ipc.ts	Added SETTINGS_SAVE_CUSTOM_API ('settings:saveCustomApi') IPC channel and main-process handler that detects backend path, validates, reads/creates .env, updates/appends env keys (ANTHROPIC_BASE_URL, ANTHROPIC_AUTH_TOKEN, NO_PROXY when applicable, DISABLE_TELEMETRY, DISABLE_COST_WARNINGS, API_TIMEOUT_MS, and AUTO_BUILD_MODEL if provided), writes file, and returns structured IPCResult with error cases.
Frontend preload API & types apps/frontend/src/preload/api/settings-api.ts, apps/frontend/src/shared/types/ipc.ts	Added saveCustomApiSettings(settings: { baseUrl: string; authToken: string; model?: string; }) => Promise<IPCResult> to preload API and IPC types; implementation invokes IPC_CHANNELS.SETTINGS_SAVE_CUSTOM_API.
Frontend onboarding UI & i18n apps/frontend/src/renderer/components/onboarding/OAuthStep.tsx, apps/frontend/src/shared/i18n/locales/en/onboarding.json, apps/frontend/src/shared/i18n/locales/fr/onboarding.json	Added collapsible "Custom API Settings" UI with inputs for Base URL, Auth Token (show/hide), optional Model, and Save/Cancel actions; handleSaveCustomApi validates and calls preload API; i18n strings added for en/fr. Note: implementation appears duplicated in two insertion points.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant UI as OAuthStep (renderer)
    participant Preload as SettingsAPI (preload)
    participant IPC as Electron IPC
    participant Handler as settings-handler (main)
    participant FS as Backend .env / Filesystem

    User->>UI: Enter baseUrl, authToken, (optional) model
    User->>UI: Click "Save"
    UI->>UI: Validate inputs
    alt valid
        UI->>Preload: saveCustomApiSettings({baseUrl, authToken, model})
        Preload->>IPC: invoke 'settings:saveCustomApi' with settings
        IPC->>Handler: deliver settings
        rect rgb(235,245,255)
            Handler->>Handler: locate autoBuildPath (detect/backups)
            Handler->>FS: read existing .env (if present)
            Handler->>Handler: update or append env keys (ANTHROPIC_*, NO_PROXY, AUTO_BUILD_MODEL, etc.)
            Handler->>FS: write .env
        end
        alt success
            Handler->>IPC: return success IPCResult
            IPC->>Preload: resolve
            Preload->>UI: notify success
            UI->>User: show success
        else error
            Handler->>IPC: return error IPCResult
            IPC->>Preload: reject
            Preload->>UI: show error
            UI->>User: show error
        end
    else invalid
        UI->>User: show validation error
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• AndyMik90
• AlexMadera

Poem

🐰
I hopped through front and back with glee,
Tuned envs and UI for all to see.
A model from the air, a token kept neat,
.env updated — tidy and sweet.
Hooray — a rabbit's settings treat! 🎉

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: add Custom API Settings for proxy services' directly and clearly summarizes the main feature being added—a Custom API Settings capability for configuring proxy services, which aligns with the primary objective of the PR.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3ba207e and 0a26f5a.

📒 Files selected for processing (1)

• apps/frontend/src/main/ipc-handlers/settings-handlers.ts

🧰 Additional context used

📓 Path-based instructions (2)

apps/frontend/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

apps/frontend/src/**/*.{ts,tsx}: Always use translation keys with useTranslation() for all user-facing text in React/TypeScript frontend components - use format namespace:section.key (e.g., navigation:items.githubPRs)
Never use hardcoded strings in JSX/TSX files for user-facing text - always reference translation keys from apps/frontend/src/shared/i18n/locales/

Files:

• apps/frontend/src/main/ipc-handlers/settings-handlers.ts

apps/frontend/**/*.{ts,tsx}

⚙️ CodeRabbit configuration file

apps/frontend/**/*.{ts,tsx}: Review React patterns and TypeScript type safety.
Check for proper state management and component composition.

Files:

• apps/frontend/src/main/ipc-handlers/settings-handlers.ts

🧬 Code graph analysis (1)

apps/frontend/src/main/ipc-handlers/settings-handlers.ts (3)

apps/frontend/src/shared/constants/ipc.ts (1)

• IPC_CHANNELS (6-368)

apps/frontend/src/main/settings-utils.ts (1)

• readSettingsFile (29-43)

apps/frontend/src/shared/constants/config.ts (1)

• DEFAULT_APP_SETTINGS (19-52)

🪛 ast-grep (0.40.3)

apps/frontend/src/main/ipc-handlers/settings-handlers.ts

[warning] 507-507: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(^${escapedKey}=.*$, 'm')
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

🔇 Additional comments (7)

apps/frontend/src/main/ipc-handlers/settings-handlers.ts (7)

2-2: LGTM! Import consolidation addresses previous feedback.

The static import of readFileSync is now properly included with the other fs imports, eliminating the unnecessary dynamic import that was flagged in the previous review.

---

450-455: LGTM! Proper IPC handler registration.

The handler correctly uses IPC_CHANNELS.SETTINGS_SAVE_CUSTOM_API constant (addressing previous feedback) and has appropriate type signatures for the custom API settings.

---

457-487: Robust path resolution with comprehensive fallbacks.

The path detection logic is well-structured with multiple fallback strategies and proper validation. The error message helpfully lists the searched paths, making debugging easier for users.

---

489-498: LGTM! Proper .env file handling.

The code correctly handles both existing and new .env files, with helpful logging for debugging.

---

500-515: Excellent escaping implementation addresses previous feedback.

The helper functions properly handle special characters:

• escapeRegex correctly escapes all regex metacharacters
• updateEnvVar uses function replacement to prevent $ interpretation in values (addressing previous feedback)

Regarding the static analysis ReDoS warning: This is a false positive. The key parameter receives only hardcoded strings from the code (e.g., 'ANTHROPIC_BASE_URL'), not user input. While escapeRegex is good defensive programming, the actual risk is negligible since keys are controlled by the application.

---

517-534: Environment variables properly configured.

The code updates all necessary environment variables with appropriate error handling. The URL parsing for NO_PROXY is safely wrapped in a try-catch, preventing failures if the base URL is malformed.

Note: NO_PROXY is set to only the hostname. While this is sufficient for most proxy scenarios, some advanced configurations might require additional entries (e.g., IP ranges, ports). Users can manually edit the .env file if needed.

---

536-549: LGTM! Proper file write and error handling.

The code correctly writes the .env file with normalized formatting (trimmed with single trailing newline) and includes comprehensive error handling with helpful logging.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🎉 Thanks for your first PR!

A maintainer will review it soon. Please make sure:

• Your branch is synced with develop
• CI checks pass
• You've followed our contribution guide

Welcome to the Auto Claude community!

[coderabbitai]

Actionable comments posted: 6

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7751588 and 7e5c824.

📒 Files selected for processing (5)

• apps/backend/runners/insights_runner.py
• apps/frontend/src/main/ipc-handlers/settings-handlers.ts
• apps/frontend/src/preload/api/settings-api.ts
• apps/frontend/src/renderer/components/onboarding/OAuthStep.tsx
• apps/frontend/src/shared/types/ipc.ts

🧰 Additional context used

📓 Path-based instructions (3)

apps/frontend/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

apps/frontend/src/**/*.{ts,tsx}: Always use translation keys with useTranslation() for all user-facing text in React/TypeScript frontend components - use format namespace:section.key (e.g., navigation:items.githubPRs)
Never use hardcoded strings in JSX/TSX files for user-facing text - always reference translation keys from apps/frontend/src/shared/i18n/locales/

Files:

• apps/frontend/src/preload/api/settings-api.ts
• apps/frontend/src/shared/types/ipc.ts
• apps/frontend/src/main/ipc-handlers/settings-handlers.ts
• apps/frontend/src/renderer/components/onboarding/OAuthStep.tsx

apps/frontend/**/*.{ts,tsx}

⚙️ CodeRabbit configuration file

apps/frontend/**/*.{ts,tsx}: Review React patterns and TypeScript type safety.
Check for proper state management and component composition.

Files:

• apps/frontend/src/preload/api/settings-api.ts
• apps/frontend/src/shared/types/ipc.ts
• apps/frontend/src/main/ipc-handlers/settings-handlers.ts
• apps/frontend/src/renderer/components/onboarding/OAuthStep.tsx

apps/backend/**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

apps/backend/**/*.py: Always use the Claude Agent SDK (create_client() from core.client) for AI interactions - NEVER use anthropic.Anthropic() directly
Use create_client() from apps/backend/core/client.py with proper parameters: project_dir, spec_dir, model, agent_type, and optional max_thinking_tokens

Files:

• apps/backend/runners/insights_runner.py

---

⚙️ CodeRabbit configuration file

apps/backend/**/*.py: Focus on Python best practices, type hints, and async patterns.
Check for proper error handling and security considerations.
Verify compatibility with Python 3.12+.

Files:

• apps/backend/runners/insights_runner.py

🧠 Learnings (1)

📚 Learning: 2025-12-19T15:00:48.233Z

Learnt from: AndyMik90
Repo: AndyMik90/Auto-Claude PR: 41
File: auto-claude/qa/loop.py:126-136
Timestamp: 2025-12-19T15:00:48.233Z
Learning: In auto-claude/qa/loop.py, when creating clients for QA fixer sessions (including human feedback processing), use get_phase_model(spec_dir, "qa", model) instead of hardcoding "sonnet" as the fallback to support dynamic model selection based on profiles.

Applied to files:

• apps/backend/runners/insights_runner.py

🧬 Code graph analysis (2)

apps/frontend/src/preload/api/settings-api.ts (1)

apps/frontend/src/renderer/components/settings/utils/hookProxyFactory.ts (1)

• settings (15-15)

apps/frontend/src/renderer/components/onboarding/OAuthStep.tsx (4)

apps/frontend/src/renderer/components/settings/utils/hookProxyFactory.ts (1)

• setError (19-19)

.design-system/src/components/Button.tsx (1)

• Button (10-44)

.design-system/src/lib/icons.ts (2)

• ChevronRight (23-23)
• Check (21-21)

.design-system/src/components/Input.tsx (1)

• Input (4-24)

🪛 ast-grep (0.40.3)

apps/frontend/src/main/ipc-handlers/settings-handlers.ts

[warning] 497-497: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(^${key}=.*$, 'm')
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

🔇 Additional comments (9)

apps/frontend/src/shared/types/ipc.ts (1)

211-216: LGTM!

The type definition for saveCustomApiSettings is correctly added to the ElectronAPI interface. The signature matches the implementation in the IPC handler and preload API.

apps/frontend/src/main/ipc-handlers/settings-handlers.ts (1)

506-527: LGTM on the env variable updates.

The logic for updating environment variables is correct. The try/catch around URL parsing for NO_PROXY is good defensive coding. Writing the file with trim() + '\n' ensures clean formatting.

apps/backend/runners/insights_runner.py (4)

12-12: LGTM!

Adding import os to support environment variable reading is appropriate.

---

136-136: LGTM!

Changing the default to None allows for environment-based resolution, which is the correct approach for this feature.

---

156-158: LGTM!

The environment variable resolution with fallback is well implemented. Reading from AUTO_BUILD_MODEL with a sensible default ensures backward compatibility while enabling configuration flexibility.

---

343-345: LGTM!

The CLI argument change correctly reflects the new environment-based default behavior, and the help text clearly documents the precedence.

apps/frontend/src/renderer/components/onboarding/OAuthStep.tsx (2)

63-69: LGTM!

The new state variables follow the existing patterns in the component and are appropriately named for their purpose.

---

292-320: LGTM!

The handler has proper validation, loading state management, and error handling. The success message correctly informs users about the restart requirement.

apps/frontend/src/preload/api/settings-api.ts (1)

26-31: LGTM on the interface definition.

The saveCustomApiSettings method is correctly defined in the SettingsAPI interface with proper typing.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 08985f7 and 3ba207e.

📒 Files selected for processing (3)

• apps/frontend/src/main/ipc-handlers/settings-handlers.ts
• apps/frontend/src/preload/api/settings-api.ts
• apps/frontend/src/shared/types/ipc.ts

🧰 Additional context used

📓 Path-based instructions (2)

apps/frontend/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

apps/frontend/src/**/*.{ts,tsx}: Always use translation keys with useTranslation() for all user-facing text in React/TypeScript frontend components - use format namespace:section.key (e.g., navigation:items.githubPRs)
Never use hardcoded strings in JSX/TSX files for user-facing text - always reference translation keys from apps/frontend/src/shared/i18n/locales/

Files:

• apps/frontend/src/preload/api/settings-api.ts
• apps/frontend/src/shared/types/ipc.ts
• apps/frontend/src/main/ipc-handlers/settings-handlers.ts

apps/frontend/**/*.{ts,tsx}

⚙️ CodeRabbit configuration file

apps/frontend/**/*.{ts,tsx}: Review React patterns and TypeScript type safety.
Check for proper state management and component composition.

Files:

• apps/frontend/src/preload/api/settings-api.ts
• apps/frontend/src/shared/types/ipc.ts
• apps/frontend/src/main/ipc-handlers/settings-handlers.ts

🧬 Code graph analysis (3)

apps/frontend/src/preload/api/settings-api.ts (1)

apps/frontend/src/shared/constants/ipc.ts (1)

• IPC_CHANNELS (6-368)

apps/frontend/src/shared/types/ipc.ts (1)

apps/frontend/src/renderer/components/settings/utils/hookProxyFactory.ts (1)

• settings (15-15)

apps/frontend/src/main/ipc-handlers/settings-handlers.ts (2)

apps/frontend/src/main/settings-utils.ts (1)

• readSettingsFile (29-43)

apps/frontend/src/shared/constants/config.ts (1)

• DEFAULT_APP_SETTINGS (19-52)

🪛 ast-grep (0.40.3)

apps/frontend/src/main/ipc-handlers/settings-handlers.ts

[warning] 513-513: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(^${escapedKey}=.*$, 'm')
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

🔇 Additional comments (3)

apps/frontend/src/shared/types/ipc.ts (1)

211-216: LGTM!

The type definition is consistent with the IPC handler and preload API implementations. The optional model field and Promise<IPCResult> return type correctly reflect the backend behavior.

apps/frontend/src/main/ipc-handlers/settings-handlers.ts (1)

522-544: LGTM on the env var updates and file write logic.

The environment variable updates, URL hostname extraction for NO_PROXY, and file write handling are well-implemented. The static analysis warning about regex construction (line 513) is a false positive since all key values are controlled internal constants, not user input.

apps/frontend/src/preload/api/settings-api.ts (1)

27-32: LGTM!

The interface definition and implementation are correctly wired. The IPC_CHANNELS.SETTINGS_SAVE_CUSTOM_API constant is used consistently (addressing the past review), and the type signature matches the handler and ElectronAPI interface.

Also applies to: 61-67

[CLAassistant]

All committers have signed the CLA.