egutierrez
18b5ffdfd9
Launching from the App Hub (or any double-click) no longer needs AGENTS_API_KEY manually injected. Order of resolution: 1. AGENTS_API_KEY env var → apikey_source = "env" 2. `pass agentes/api-key` shell → apikey_source = "pass" 3. neither → apikey_source = "missing" On Windows the fallback shells via `wsl.exe -e sh -c "pass ... | head -n1"` so the secret stays in the WSL user's GnuPG keychain (never copied to a Windows file). On Linux it's a direct popen of `pass ...`. Failure mode: GPG agent locked → empty output → "missing" state in UI with a "Retry pass" button (user runs `pass agentes/api-key` once to unlock the agent, clicks Retry, app refetches without restart). Connection panel shows the active source: ✓ loaded from AGENTS_API_KEY env var ✓ loaded via `pass agentes/api-key` ⚠ apikey not found (env empty + pass failed) --connect-test uses the same two-tier resolution so e2e exercises the production code path. E2E: renamed test_connect_fails_without_apikey → test_connect_falls_back_to_pass_when_env_empty. Verifies that with empty env, the .exe still returns OK N. Skips if `pass` is locked. All 24 tests passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>