✨ feat(ui): Settings → API Keys lists local LLM providers with Base URL Advanced section

clubanderson · clubanderson · commit ea91e5d71302 · 2026-04-15T20:39:41.000-04:00
Part 2 of #8254. The Settings → API Keys modal now renders the nine chat-only providers (Groq, OpenRouter, Open WebUI + Ollama, llama.cpp, LocalAI, vLLM, LM Studio, RHAIIS) with an Advanced expandable section that accepts a per-provider Base URL override. Backend changes --------------- - KeyStatus gains BaseURL, BaseURLEnvVar, BaseURLSource fields so the frontend can render the current resolved value and indicate whether it came from env or config file. - handleGetKeysStatus now returns the nine chat-only providers (was previously an empty list per the "API-key-driven agents are hidden" comment, which predated PR #8248 flipping them on). CLI-based tool-capable agents (claude-code, bob, codex, ...) remain omitted — they manage their own credentials. - SetKeyRequest.APIKey is now optional: setting just BaseURL is the common path for unauthenticated local LLM runners. handleSetKey accepts any combination of apiKey, baseURL, model — at least one is required. Base URL is syntactically validated (http(s)://, no whitespace) via validateBaseURL before being saved. On successful save, cached key validity is invalidated so the next validation hits the new endpoint. - Key validation is skipped for local LLM runners (validationRequired is false on their providerDef entries). There is no meaningful way to validate the sentinel "local-llm-no-auth" placeholder against a real endpoint, so we report Configured=true based on URL presence. Frontend changes ---------------- - KeyStatus TS interface gains baseURL, baseURLEnvVar, baseURLSource. - APIKeySettings.tsx adds an Advanced expandable to each row. It only renders when the backend reports baseURLEnvVar (meaning the provider actually supports an override). The form includes a text input, an inline "env var wins" hint when baseURLSource is "env", syntactic validation feedback, and a post-save "restart kc-agent to apply" message. The summary row shows the current resolved value next to the Advanced toggle so operators can see it at a glance. Closes #8254. - go build ./... passes. - go test ./pkg/agent/... passes (flaky auto-update test unrelated). - npm run build passes all post-build safety checks. Signed-off-by: Andrew Anderson <andy@clubanderson.com>
diff --git a/pkg/agent/server_ai.go b/pkg/agent/server_ai.go
@@ -1608,6 +1608,19 @@ type KeyStatus struct {
 	Source      string `json:"source,omitempty"` // "env" or "config"
 	Valid       *bool  `json:"valid,omitempty"`  // nil = not tested, true/false = test result
 	Error       string `json:"error,omitempty"`
+	// BaseURL is the currently-resolved base URL for this provider (env var,
+	// then ~/.kc/config.yaml, then compiled default). Empty when the provider
+	// does not support a base URL override (vendor HTTP APIs).
+	BaseURL string `json:"baseURL,omitempty"`
+	// BaseURLEnvVar is the environment variable this provider honors for
+	// base URL overrides (e.g. "OLLAMA_URL", "GROQ_BASE_URL"). Empty when
+	// the provider has no base URL override. Surfaced to the UI so the
+	// Advanced section can show the env var name as an operator hint.
+	BaseURLEnvVar string `json:"baseURLEnvVar,omitempty"`
+	// BaseURLSource is "env" when the current BaseURL value came from the
+	// env var, "config" when it came from ~/.kc/config.yaml, or empty when
+	// the resolved value is the compiled-in default.
+	BaseURLSource string `json:"baseURLSource,omitempty"`
 }
 
 // KeysStatusResponse is the response for GET /settings/keys
@@ -1616,11 +1629,15 @@ type KeysStatusResponse struct {
 	ConfigPath string      `json:"configPath"`
 }
 
-// SetKeyRequest is the request body for POST /settings/keys
+// SetKeyRequest is the request body for POST /settings/keys.
+// Setting APIKey requires a valid key; setting BaseURL is independent
+// (operators can configure a base URL without an API key, which is the
+// common path for unauthenticated local LLM runners).
 type SetKeyRequest struct {
 	Provider string `json:"provider"`
-	APIKey   string `json:"apiKey"`
+	APIKey   string `json:"apiKey,omitempty"`
 	Model    string `json:"model,omitempty"`
+	BaseURL  string `json:"baseURL,omitempty"`
 }
 
 // handleSettingsKeys handles GET and POST for /settings/keys
diff --git a/pkg/agent/server_operations.go b/pkg/agent/server_operations.go
@@ -271,23 +271,48 @@ func (s *Server) handleSettingsImport(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(map[string]interface{}{"success": true, "message": "Settings imported"})
 }
 
-// handleGetKeysStatus returns the status of all API keys (without exposing the actual keys)
+// handleGetKeysStatus returns the status of all API keys (without exposing the actual keys).
+//
+// The list covers the nine chat-only HTTP providers registered in
+// InitializeProviders (pkg/agent/registry.go): three OpenAI-compatible
+// gateway providers (Groq, OpenRouter, Open WebUI) and six local LLM
+// runners (Ollama, llama.cpp, LocalAI, vLLM, LM Studio, Red Hat AI
+// Inference Server). CLI-based tool-capable agents (claude-code, bob,
+// codex, gemini-cli, antigravity, goose, copilot-cli) are deliberately
+// omitted — they manage their own credentials and do not need an API
+// key in ~/.kc/config.yaml.
+//
+// Each entry includes the current BaseURL + BaseURLEnvVar so the
+// frontend Settings modal can offer a per-provider base URL override
+// field without needing to hardcode the mapping.
 func (s *Server) handleGetKeysStatus(w http.ResponseWriter, r *http.Request) {
 	cm := GetConfigManager()
 
-	// Build provider list dynamically from registry
-	// Include all providers that accept API keys (exclude pure CLI providers like bob, claude-code)
 	type providerDef struct {
 		name        string
 		displayName string
+		// validationRequired is true for providers that have a working
+		// validation endpoint (Groq, OpenRouter). Local LLM runners
+		// typically have no authentication, so attempting to validate
+		// their placeholder sentinel key against a real endpoint is
+		// pointless — we report Configured=true whenever a URL is set.
+		validationRequired bool
+	}
+
+	providers := []providerDef{
+		// OpenAI-compatible gateways with real API keys
+		{name: "groq", displayName: "Groq", validationRequired: true},
+		{name: "openrouter", displayName: "OpenRouter", validationRequired: true},
+		{name: "open-webui", displayName: "Open WebUI", validationRequired: false},
+		// Local LLM runners — URL-driven, no API key by default
+		{name: "ollama", displayName: "Ollama (Local)"},
+		{name: "llamacpp", displayName: "llama.cpp (Local)"},
+		{name: "localai", displayName: "LocalAI (Local)"},
+		{name: "vllm", displayName: "vLLM (Local)"},
+		{name: "lm-studio", displayName: "LM Studio (Local)"},
+		{name: "rhaiis", displayName: "Red Hat AI Inference Server"},
 	}
 
-	// Only show CLI-based agents — API-key-driven agents are hidden because
-	// they cannot execute commands to diagnose/repair clusters.
-	// This list is intentionally empty; the keys endpoint remains functional
-	// for any future API providers but currently returns no keys.
-	providers := []providerDef{}
-
 	keys := make([]KeyStatus, 0, len(providers))
 	for _, p := range providers {
 		status := KeyStatus{
@@ -296,21 +321,35 @@ func (s *Server) handleGetKeysStatus(w http.ResponseWriter, r *http.Request) {
 			Configured:  cm.HasAPIKey(p.name),
 		}
 
+		// Base URL metadata — surfaces the current resolved value and
+		// the env var name so the UI can render an Advanced expandable.
+		status.BaseURL = cm.GetBaseURL(p.name)
+		status.BaseURLEnvVar = getBaseURLEnvKeyForProvider(p.name)
+		if status.BaseURLEnvVar != "" && os.Getenv(status.BaseURLEnvVar) != "" {
+			status.BaseURLSource = "env"
+		} else if status.BaseURL != "" {
+			status.BaseURLSource = "config"
+		}
+
 		if status.Configured {
 			if cm.IsFromEnv(p.name) {
 				status.Source = "env"
 			} else {
 				status.Source = "config"
 			}
 
-			// Test if the key is valid
-			valid, err := s.validateAPIKey(p.name)
-			status.Valid = &valid
-			// Cache the validity for IsAvailable() checks
-			cm.SetKeyValidity(p.name, valid)
-			if err != nil {
-				slog.Error("API key validation error", "provider", p.name, "error", err)
-				status.Error = "validation failed"
+			if p.validationRequired {
+				// Test if the key is valid — validateAPIKey honors the
+				// base URL override via the per-provider resolver, so
+				// pointing a Groq config at a local Ollama validates
+				// against the local endpoint.
+				valid, err := s.validateAPIKey(p.name)
+				status.Valid = &valid
+				cm.SetKeyValidity(p.name, valid)
+				if err != nil {
+					slog.Error("API key validation error", "provider", p.name, "error", err)
+					status.Error = "validation failed"
+				}
 			}
 		}
 
@@ -323,7 +362,11 @@ func (s *Server) handleGetKeysStatus(w http.ResponseWriter, r *http.Request) {
 	})
 }
 
-// handleSetKey saves a new API key
+// handleSetKey saves an API key, a model preference, a base URL override,
+// or any combination of the three for a provider. Setting BaseURL alone
+// (no APIKey) is the common path for unauthenticated local LLM runners —
+// operators point Ollama at a LAN server by saving `OLLAMA_URL` via this
+// endpoint rather than editing a shell profile.
 func (s *Server) handleSetKey(w http.ResponseWriter, r *http.Request) {
 	var req SetKeyRequest
 	if err := json.NewDecoder(io.LimitReader(r.Body, maxRequestBodyBytes)).Decode(&req); err != nil {
@@ -338,35 +381,61 @@ func (s *Server) handleSetKey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if req.APIKey == "" {
+	// At least one of APIKey, BaseURL, or Model must be present — a request
+	// with none is a programming bug we should reject rather than silently
+	// store nothing.
+	if req.APIKey == "" && req.BaseURL == "" && req.Model == "" {
 		w.WriteHeader(http.StatusBadRequest)
-		json.NewEncoder(w).Encode(protocol.ErrorPayload{Code: "missing_key", Message: "API key required"})
+		json.NewEncoder(w).Encode(protocol.ErrorPayload{Code: "missing_field", Message: "At least one of apiKey, baseURL, or model is required"})
 		return
 	}
 
-	// Validate the key before saving
-	valid, validationErr := s.validateAPIKeyValue(req.Provider, req.APIKey)
-	if !valid {
-		w.WriteHeader(http.StatusBadRequest)
-		if validationErr != nil {
-			slog.Error("API key validation error", "error", validationErr)
+	cm := GetConfigManager()
+
+	// Base URL can be saved independently and does not need validation —
+	// operators point at local runners that the reachability/validation
+	// check cannot test meaningfully (the sentinel "local-llm-no-auth" key
+	// is not a real credential). Save first so that subsequent API-key
+	// validation below uses the updated endpoint.
+	if req.BaseURL != "" {
+		if err := validateBaseURL(req.BaseURL); err != nil {
+			w.WriteHeader(http.StatusBadRequest)
+			json.NewEncoder(w).Encode(protocol.ErrorPayload{Code: "invalid_base_url", Message: err.Error()})
+			return
 		}
-		json.NewEncoder(w).Encode(protocol.ErrorPayload{Code: "invalid_key", Message: "Invalid API key"})
-		return
+		if err := cm.SetBaseURL(req.Provider, req.BaseURL); err != nil {
+			slog.Error("save base URL error", "error", err)
+			w.WriteHeader(http.StatusInternalServerError)
+			json.NewEncoder(w).Encode(protocol.ErrorPayload{Code: "save_failed", Message: "failed to save base URL"})
+			return
+		}
+		// Invalidate cached validity for this provider — the endpoint
+		// changed, so any previously-cached "key valid" result is stale.
+		cm.InvalidateKeyValidity(req.Provider)
 	}
 
-	cm := GetConfigManager()
+	if req.APIKey != "" {
+		// Validate the key before saving. Validation uses the provider's
+		// now-current base URL, so pointing Groq at a local Ollama works.
+		valid, validationErr := s.validateAPIKeyValue(req.Provider, req.APIKey)
+		if !valid {
+			w.WriteHeader(http.StatusBadRequest)
+			if validationErr != nil {
+				slog.Error("API key validation error", "error", validationErr)
+			}
+			json.NewEncoder(w).Encode(protocol.ErrorPayload{Code: "invalid_key", Message: "Invalid API key"})
+			return
+		}
 
-	// Save the key
-	if err := cm.SetAPIKey(req.Provider, req.APIKey); err != nil {
-		slog.Error("save API key error", "error", err)
-		w.WriteHeader(http.StatusInternalServerError)
-		json.NewEncoder(w).Encode(protocol.ErrorPayload{Code: "save_failed", Message: "failed to save API key"})
-		return
-	}
+		if err := cm.SetAPIKey(req.Provider, req.APIKey); err != nil {
+			slog.Error("save API key error", "error", err)
+			w.WriteHeader(http.StatusInternalServerError)
+			json.NewEncoder(w).Encode(protocol.ErrorPayload{Code: "save_failed", Message: "failed to save API key"})
+			return
+		}
 
-	// Cache validity (we validated before saving)
-	cm.SetKeyValidity(req.Provider, true)
+		cm.SetKeyValidity(req.Provider, true)
+	}
 
 	// Save model if provided
 	if req.Model != "" {
@@ -378,14 +447,31 @@ func (s *Server) handleSetKey(w http.ResponseWriter, r *http.Request) {
 	// Refresh provider availability
 	s.refreshProviderAvailability()
 
-	slog.Info("API key configured", "provider", req.Provider)
+	slog.Info("provider configured", "provider", req.Provider, "hasKey", req.APIKey != "", "hasBaseURL", req.BaseURL != "", "hasModel", req.Model != "")
 	json.NewEncoder(w).Encode(map[string]any{
 		"success":  true,
 		"provider": req.Provider,
-		"valid":    true,
 	})
 }
 
+// validateBaseURL performs a syntactic check on a base URL before it is
+// saved. This is not a reachability test — local runners may not be
+// running at the time the operator configures them. The goal is only to
+// reject obvious typos (missing scheme, whitespace, non-http(s) scheme).
+func validateBaseURL(s string) error {
+	s = strings.TrimSpace(s)
+	if s == "" {
+		return fmt.Errorf("base URL is empty")
+	}
+	if strings.ContainsAny(s, " \t\n\r") {
+		return fmt.Errorf("base URL must not contain whitespace")
+	}
+	if !strings.HasPrefix(s, "http://") && !strings.HasPrefix(s, "https://") {
+		return fmt.Errorf("base URL must start with http:// or https://")
+	}
+	return nil
+}
+
 // validateAPIKey tests if the configured key for a provider works
 func (s *Server) validateAPIKey(provider string) (bool, error) {
 	cm := GetConfigManager()
diff --git a/web/src/components/agent/APIKeySettings.tsx b/web/src/components/agent/APIKeySettings.tsx
