feat: add synthetic gateway keys#27170
Conversation
This stack of pull requests is managed by Graphite. Learn more about stacking. |
|
@codex review |
Dogfood UAT passed for the full three-PR stack. PR1 coverage:
The same preserved database was then migrated through #27171 and #27172 successfully. A full OAuth2 authorization-code refresh was not run manually, but the equivalent active-generation key deletion was exercised deterministically. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dbede83294
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
dbede83 to
edea7df
Compare
|
@codex review |
|
Codex Review: Didn't find any major issues. Keep them coming! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
edea7df to
ab1009d
Compare
ab1009d to
500b588
Compare
|
@codex review |
|
Codex Review: Didn't find any major issues. Hooray! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Final-stack targeted dogfood passed after the FK-decoupling fix.
This supplements the earlier full UI/API/database UAT and validates the final rewritten stack heads. |

Summary
Add a per-user synthetic API key for chatd AI Gateway attribution. Chatd resolves the key from the chat owner, renews it before expiry, discards the generated bearer token, and preserves the previous key during renewal so in-flight requests remain valid.
Migration 000543 deliberately removes the foreign keys from the legacy message and queue
api_key_idcolumns while chatd continues stamping them for rolling compatibility. Stale IDs are tolerated because routing useschats.owner_id. Individual key deletion, delete-all, and password reset remove the key and mapping without changing chat history or queue versions, and the next lookup remints the key.This is the first PR in a three-PR rollout and must be fully deployed before #27171.
Refs https://linear.app/codercom/issue/CODAGT-561/maintain-synthetic-api-key-per-user-per-chat