Symptom
In the first-run Setup flow, the Runtime Scan table can show Claude Code and Codex as installed while leaving AI access stuck at Login check pending:
Runtime CLI AI access
Claude Code Installed Login check pending
Codex Installed Login check pending
opencode Installed Needs AI key
Pi Missing CLI not installed
This is confusing for users who already authenticated with claude login / codex login: Setup still says "Connect one runtime to AI access" and the primary CTA remains Add AI credential, implying that an API key is required.
Related Codex context: codex://threads/019f3d7b-63b5-75a1-aefa-69c8d405f16a
Current behavior
The Setup model currently combines two signals:
/api/workspaces/agents -> CLI binary installed on PATH
Alice vault credentials -> compatible API key exists
It does not probe or consume Claude/Codex local subscription login state. For installed Claude/Codex with no Alice vault key, the UI intentionally renders Login check pending.
Relevant code:
ui/src/components/first-run-guide-model.ts: Claude/Codex are marked as login runtimes, but chainReady is only installed && compatibleCredentialCount > 0.
ui/src/components/FirstRunGuide.spec.ts: explicitly asserts installed Claude/Codex are not usable until a runtime probe exists.
src/webui/routes/workspaces.ts: /api/workspaces/agents only reports PATH binary availability.
src/workspaces/agent-credential-readiness.ts: workspace launch readiness separately treats non-loginless agents as runtime-login ready.
Why this matters
There are currently two inconsistent meanings of "ready":
Setup readiness: requires Alice vault API key
Workspace launch path: treats Claude/Codex as runtime-login ready
That mismatch makes subscribed Claude/Codex users look blocked even when their runtime can actually launch.
Proposed fix
Pick one of these paths:
- Minimal UX fix: when Claude/Codex are installed and no compatible vault key exists, treat them as a usable runtime-login path in Setup and show something like
Ready via CLI login or Uses CLI login instead of Login check pending.
- Fuller fix: add a real runtime login probe for Claude/Codex, expose it through the agents/readiness API, then render explicit states:
Ready via CLI login
Run claude login / codex login
Login check failed
Recheck login
Either way, the first-run CTA should not funnel subscription-login users only toward Add AI credential.
Symptom
In the first-run Setup flow, the Runtime Scan table can show Claude Code and Codex as installed while leaving AI access stuck at
Login check pending:This is confusing for users who already authenticated with
claude login/codex login: Setup still says "Connect one runtime to AI access" and the primary CTA remainsAdd AI credential, implying that an API key is required.Related Codex context: codex://threads/019f3d7b-63b5-75a1-aefa-69c8d405f16a
Current behavior
The Setup model currently combines two signals:
It does not probe or consume Claude/Codex local subscription login state. For installed Claude/Codex with no Alice vault key, the UI intentionally renders
Login check pending.Relevant code:
ui/src/components/first-run-guide-model.ts: Claude/Codex are marked as login runtimes, butchainReadyis onlyinstalled && compatibleCredentialCount > 0.ui/src/components/FirstRunGuide.spec.ts: explicitly asserts installed Claude/Codex are not usable until a runtime probe exists.src/webui/routes/workspaces.ts:/api/workspaces/agentsonly reports PATH binary availability.src/workspaces/agent-credential-readiness.ts: workspace launch readiness separately treats non-loginless agents asruntime-loginready.Why this matters
There are currently two inconsistent meanings of "ready":
That mismatch makes subscribed Claude/Codex users look blocked even when their runtime can actually launch.
Proposed fix
Pick one of these paths:
Ready via CLI loginorUses CLI logininstead ofLogin check pending.Ready via CLI loginRun claude login / codex loginLogin check failedRecheck loginEither way, the first-run CTA should not funnel subscription-login users only toward
Add AI credential.