clawdie/clawdie-iso
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge xfce-operator-usb: key revocation verification docs

Browse source
This commit is contained in:
Sam & Claude 2026-05-24 23:27:24 +02:00 committed by 123kupola
parent 278e6e42c6
commit 4ef5461996
2 changed files with 81 additions and 40 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
doc/DEEPSEEK-V4-SMOKE.md
View file

@ -108,6 +108,73 @@ Or export in your shell profile:
export DEEPSEEK_API_KEY="<production-key>"
```
## Verifying Key Deletion / Revocation
### 1. Confirm the key is gone from pi
```sh
cat ~/.pi/agent/auth.json
```
If empty `{}`, no stored key. If it contains a `deepseek` entry, remove
it:
```sh
# Back up first
cp ~/.pi/agent/auth.json ~/.pi/agent/auth.json.bak
# Edit to remove the deepseek entry, or wipe entirely:
echo '{}' > ~/.pi/agent/auth.json
```
### 2. Confirm the env var is unset
```sh
echo "DEEPSEEK_API_KEY is set: ${DEEPSEEK_API_KEY:+yes}"
```
If blank, no env key. If still set:
```sh
unset DEEPSEEK_API_KEY
```
### 3. Confirm the revoked key is rejected by the API
```sh
DEEPSEEK_API_KEY="<revoked-key>" pi --provider deepseek --model deepseek-v4-flash -p "test" 2>&1
```
Expected error:
```
401 Authentication Fails, Your api key: ****XXXX is invalid
```
If you see `401`, the key is properly revoked at DeepSeek's side.
### 4. Confirm clean "no key" state
```sh
pi --provider deepseek --model deepseek-v4-flash -p "test" 2>&1
```
Expected error:
```
No API key found for deepseek.
```
If you see this, pi has no stored or env key for DeepSeek — fully clean.
### Error Reference
| Scenario | Error message |
| ---------------------------- | ------------------------------------------------------------- |
| No key at all | `No API key found for deepseek.` |
| Revoked / invalid key | `401 Authentication Fails, Your api key: ****XXXX is invalid` |
| Rate limited (too many reqs) | `429 Rate limit reached...` |
| Quota exhausted | `402 Insufficient balance` |
## Deletion Criteria
- Lane confirmed in agent capability table

54
doc/LLM-PROVIDER-HARNESS.md
View file

@ -88,48 +88,22 @@ When a key needs rotation:
3. Re-run the smoke to confirm.
4. Delete the old key at the provider dashboard.
---
## Verifying Key Cleanup
## Platform × Harness Matrix
After revoking a key, confirm it's fully removed:
Level 1 is the **platform** (FreeBSD main, Linux auxiliary).
Level 2 is the **harness** — which agent runtime lives where and which
LLM providers each can reach.
```sh
# 1. No stored key
cat ~/.pi/agent/auth.json # should be {}
### Level 1: Platform
# 2. No env var
echo "Key set: ${DEEPSEEK_API_KEY:+yes}" # should be blank
| Platform | Role | Primary harness | Herdr | Notes |
| --------------------- | ----------------------------- | --------------- | ----- | -------------------------- |
| **FreeBSD (main)** | ISO build, live USB, validate | pi + codex | no | Authoritative build host |
| **Linux (auxiliary)** | Review, deploy, Colibri, UX | pi + herdr | yes | Opencode + Claude sessions |
# 3. Revoked key is rejected
DEEPSEEK_API_KEY="<old-key>" pi --provider deepseek --model deepseek-v4-flash -p "test" 2>&1
# Expected: "401 Authentication Fails, Your api key: ****XXXX is invalid"
### Level 2: Harness × LLM Provider Combos
Each cell shows: agent / provider / model / smoke status.
| Harness / Agent | DeepSeek v4 | GLM-4.7 (z.ai) | Claude (Anthropic) | Gemini (Google) | Codex (OpenAI) |
| --------------- | --------------------------------- | -------------------------- | ------------------------- | ---------------------- | --------------- |
| **pi** | `deepseek/deepseek-v4-flash` PASS | `zai/<tbd>` TRANSPORT OK | `anthropic/claude-*` TODO | `google/gemini-*` TODO | n/a (codex pkg) |
| **codex** | n/a | n/a | n/a | n/a | built-in OpenAI |
| **claude-code** | DeepSeek via OpenAI compat TODO | n/a | native PASS | n/a | n/a |
| **opencode** | n/a (no DeepSeek config yet) | native PASS (this session) | n/a | n/a | n/a |
| **gemini-cli** | n/a | n/a | n/a | native TODO | n/a |
### What populates the matrix
- **FreeBSD live USB**: ships `pi` + `codex` only (per live CLI policy)
- **Linux with herdr**: runs `pi`, `claude-code`, `codex`, `gemini-cli`,
and `opencode` — all visible in herdr panes
- **Opencode** (this session): currently GLM-4.7 via z.ai; other
providers can be wired via opencode's config
- **pi**: supports all providers via `--provider` flag; key in env or
`auth.json`
### How to add a combo
1. Pick an empty cell above.
2. Configure the agent for that provider (key, model).
3. Run the smoke (see Quick Start).
4. Update the cell with the exact `provider/model` string and PASS/FAIL.
5. Create a smoke doc if one doesn't exist.
6. Commit and push.
# 4. Clean "no key" state confirmed
pi --provider deepseek --model deepseek-v4-flash -p "test" 2>&1
# Expected: "No API key found for deepseek."
```