Add Rovo Dev provider with monthly credit tracking

[sameemcodes]

Summary

Adds Rovo Dev as a new CodexBar provider, tracking monthly credit usage for Atlassian's AI coding agent.

What's new

• UsageProvider.rovodev + IconStyle.rovodev enum cases
• RovoDevSettingsReader — reads ROVODEV_API_TOKEN, ROVODEV_EMAIL, ROVODEV_API_URL env vars + ~/.rovodev/config.yml billing site
• RovoDevUsageFetcher — Basic auth (email:apiToken) against https://api.atlassian.com/rovodev/v3/credits/check; parses monthlyUsed/monthlyTotal with daily fallback; surfaces status (OK, RATE_LIMITED, USER_BLOCKED)
• RovoDevProviderDescriptor — api-only fetch strategy; resolves credentials from env vars or token accounts
• RovoDevProviderImplementation — settings fields for Atlassian email + API token with link to id.atlassian.com
• RovoDevSettingsStore — rovoDevAPIToken (→ apiKey) + rovoDevEmail (→ workspaceID)
• ProviderConfigEnvironment — applyRovoDevOverrides injects both ROVODEV_API_TOKEN and ROVODEV_EMAIL into fetch env
• ProviderTokenResolver: rovoDevToken() + rovoDevResolution()
• LogCategories: rovoDevUsage log category
• UsageStore: debug log entry for rovodev
• 14 unit tests: settings reader, JSON parser, URL builder, snapshot conversion, error cases
• docs/rovodev.md: full setup guide, how it works, credential resolution order, troubleshooting
• docs/providers.md: summary table row + detailed entry

Auth approach

HTTP Basic auth: base64(email:apiToken) — the same Atlassian API token used with acli rovodev auth login. No OAuth flow needed.

Credential resolution order

1. ROVODEV_API_TOKEN + ROVODEV_EMAIL environment variables
2. Settings UI (email + API token in Preferences → Providers → Rovo Dev)
3. Token accounts (label = email, token = API token)

Plans supported

Plan	Credits
Rovo Dev Free	350 credits / user / month / site
Rovo Dev Standard	2,000 credits / user / month

Commands run

swift build  # 0 new errors
swiftformat --lint Sources/CodexBarCore/Providers/RovoDev/ Sources/CodexBar/Providers/RovoDev/ Tests/CodexBarTests/RovoDevUsageFetcherTests.swift  # 0/6 files require formatting

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 13, 2026, 6:26 AM ET / 10:26 UTC.

Summary
This PR adds an experimental, disabled-by-default Rovo Dev provider with Atlassian email/API-token credential handling, monthly credit fetching, menu/CLI rendering, docs, and focused tests.

Reproducibility: not applicable. as a bug reproduction; this PR adds a new provider. Source inspection confirms current main has no Rovo Dev provider, while the remaining validation gap is real-provider proof rather than reproducing an existing bug.

Review metrics: 2 noteworthy metrics.

• Diff surface: 30 files changed, +1320/-25. The provider addition spans core fetch/config code, app settings/rendering, widget and CLI surfaces, docs, and tests.
• Fetcher coverage: 30 RovoDevUsageFetcher tests reported in maintainer proof. Focused tests cover parser, URL, endpoint-override, and error behavior, but they do not prove live monthly-credit success.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🦪 silver shellfish
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Fix the remaining-balance precedence case for exhausted Rovo credit payloads.
• [P1] Add redacted latest-head CodexBar app or CLI proof showing credentials resolve and a successful monthly-credit response is fetched.
• [P1] Get explicit maintainer acceptance of the undocumented endpoint and Basic-auth contract before merge.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: The copied live JSON is a blocked/anonymous response, not latest-head CodexBar proof of a successful paid-account monthly-credit fetch; add redacted terminal output, logs, copied live output, recording, or diagnostic screenshot and update the PR body to trigger re-review, or ask a maintainer to comment @clawsweeper re-review.

Risk before merge

• [P1] The PR adds a new auth-provider path that sends Atlassian email plus API token to an undocumented Atlassian endpoint, and the available live proof still does not show a successful paid-account monthly-credit fetch through CodexBar.
• [P1] The latest head can under-report exhausted Rovo quota when the endpoint returns both an explicit zero used value and a zero remaining value.

Maintainer options:

1. Fix parser and require paid-account proof (recommended)
   Patch the remaining-balance precedence case, then require redacted latest-head CodexBar app or CLI output showing credentials resolve and monthly credits fetch successfully before maintainer sign-off.
2. Accept experimental endpoint risk
   Maintainers may intentionally merge the disabled-by-default provider as experimental while owning the risk that Atlassian changes or rejects the undocumented endpoint for normal paid accounts.
3. Pause until the contract is clearer
   If successful provider-path proof cannot be produced, keep the PR open or close it until a supported endpoint, credential contract, or narrower integration path exists.

Next step before merge

• [P1] Human review is needed for successful paid-account proof and endpoint/auth sign-off; the remaining parser repair is small, but proof and product acceptance cannot be supplied by an automated repair lane.

Security
Cleared: No concrete security or supply-chain defect was found; endpoint overrides are HTTPS-normalized before Basic auth, and the remaining concern is auth-contract proof rather than a line-level security bug.

Review findings

• [P1] Prefer remaining balance for exhausted Rovo credits — Sources/CodexBarCore/Providers/RovoDev/RovoDevUsageFetcher.swift:134-135

Review details

Best possible solution:

Fix the remaining used-versus-remaining parsing case, then merge only after redacted latest-head CodexBar app or CLI proof shows a successful paid-account monthly-credit fetch and a maintainer accepts the undocumented endpoint/auth contract.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction; this PR adds a new provider. Source inspection confirms current main has no Rovo Dev provider, while the remaining validation gap is real-provider proof rather than reproducing an existing bug.

Is this the best way to solve the issue?

No, not yet: the provider shape mostly follows existing patterns, but the parser should prefer remaining-derived usage when that is the reliable exhausted-quota signal, and the undocumented endpoint needs successful CodexBar proof or explicit maintainer acceptance.

Full review comments:

• [P1] Prefer remaining balance for exhausted Rovo credits — Sources/CodexBarCore/Providers/RovoDev/RovoDevUsageFetcher.swift:134-135
usedCredits returns monthlyUsed before considering monthlyTotal/monthlyRemaining. The PR discussion records exhausted Rovo payloads that can report monthlyUsed: 0 with monthlyRemaining: 0, so this renders 0 / 2000 credits instead of full usage; prefer the remaining-derived value when total and remaining are present, at least for exhausted or limit statuses.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against a2b56ea2b362.

Label changes

Label justifications:

• P2: This is a normal-priority provider addition with limited blast radius because the provider is disabled by default, but it still affects credentials and quota reporting.
• merge-risk: 🚨 auth-provider: The PR introduces new Atlassian email/API-token routing to an undocumented endpoint without successful latest-head paid-account provider proof.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🦪 silver shellfish.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The copied live JSON is a blocked/anonymous response, not latest-head CodexBar proof of a successful paid-account monthly-credit fetch; add redacted terminal output, logs, copied live output, recording, or diagnostic screenshot and update the PR body to trigger re-review, or ask a maintainer to comment @clawsweeper re-review.

Evidence reviewed

Acceptance criteria:

• [P1] make check.
• [P1] swift test --filter RovoDevUsageFetcherTests.
• [P1] swift test --filter CLISnapshotTests.

What I checked:

• Repository policy read: AGENTS.md was read in full; its provider-testing guidance, no-unprompted-live-provider-probe rule, and focused-test preference affected this review. (AGENTS.md:25, a2b56ea2b362)
• Current main does not already implement Rovo Dev: A current-main search over Sources, Tests, docs, and CHANGELOG found no Rovo Dev symbols, so the PR is not obsolete or implemented on main. (a2b56ea2b362)
• Provider is new, disabled by default, and API-only: The PR head registers Rovo Dev as a non-primary provider with defaultEnabled: false and .auto/.api source modes. (Sources/CodexBarCore/Providers/RovoDev/RovoDevProviderDescriptor.swift:21, 94f626bf7b8f)
• Remaining quota parsing defect: usedCredits returns an explicit used value before considering total/remaining, so an exhausted payload with monthlyUsed: 0, monthlyRemaining: 0, and monthlyTotal: 2000 would render as 0 used instead of full usage. (Sources/CodexBarCore/Providers/RovoDev/RovoDevUsageFetcher.swift:133, 94f626bf7b8f)
• Endpoint/auth risk documented in PR docs: The new docs state that Atlassian does not publish the credits endpoint or Basic-auth contract as a public API, so compatibility can change without notice. (docs/rovodev.md:20, 94f626bf7b8f)
• PR discussion proof status: The maintainer repair comment reports make check and focused tests, but explicitly says the available live proof only shows a blocked/anonymous response rather than a successful paid-account monthly-credit fetch through CodexBar. (94f626bf7b8f)

Likely related people:

• steipete: Current main blame routes the provider registry/config scaffolding through Peter Steinberger, and the PR history shows a maintainer repair series across Rovo integration, auth hardening, rendering, docs, and tests. (role: recent provider/config area contributor and exact-head repair author; confidence: high; commits: 7717813b9eed, 244deab06ae8, e129af2d184b; files: Sources/CodexBarCore/Providers/ProviderDescriptor.swift, Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift, Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift)
• kiranmagic7: Recent current-main work added another API provider path and touched ProviderConfigEnvironment, the same config override surface this PR extends for Rovo Dev credentials. (role: adjacent provider config contributor; confidence: medium; commits: 2c7283b6fe45; files: Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0a08870478

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fix unresolved tokenAccounts access

In the inspected ProviderFetchContext definition (Sources/CodexBarCore/Providers/ProviderFetchPlan.swift), there is no tokenAccounts property—only selectedTokenAccountID and environment/settings fields—so adding this fallback makes the new Rovo Dev provider fail to compile as soon as this strategy is built. The selected account is already projected through the environment in the app/CLI fetch context, so this needs to resolve through the existing token-account/environment path or add the missing context support.

Useful? React with 👍 / 👎.

[sameemcodes]

Fixed in commit 4ddda02.

ProviderFetchContext has no tokenAccounts property — you are correct. Credentials are resolved exclusively from context.env, which is populated by ProviderConfigEnvironment.applyRovoDevOverrides (injecting ROVODEV_API_TOKEN + ROVODEV_EMAIL from the settings-stored values). Simplified resolveCredentials to a single guard reading from context.env, and removed the isAvailable tokenAccounts fallback from the implementation as well. Zero new compile errors after the fix.

[sameemcodes]

Clawsweeper review fixes (commit 743a83e)

[P1] Fixed — ProviderImplementationRegistry missing case

Added case .rovodev: RovoDevProviderImplementation() to makeImplementation(for:). Without this the switch was non-exhaustive and the app target would fail to compile.

[P2] Fixed — supportsAPIKeyOverride now returns true for .rovodev

Added .rovodev to directAPIKeyEnvironmentKey returning RovoDevSettingsReader.apiTokenEnvironmentKey. The documented CLI path codexbar config set-api-key --provider rovodev --stdin now works correctly.

[P2] Fixed — removed unsupported token-account credential claim from docs

Token accounts cannot carry two separate credentials (email + API token), so they are not a valid auth path. Docs now state this explicitly and direct users to env vars or Settings.

---

Live API proof (redacted)

Hit https://api.atlassian.com/rovodev/v3/credits/check with Basic auth during development to validate the parser:

{
  "status": "USER_BLOCKED",
  "message": "Sorry, you are blocked from accessing the Rovo API...",
  "balance": {
    "dailyUsed": 0,
    "dailyTotal": null,
    "dailyRemaining": null,
    "monthlyUsed": null,
    "monthlyTotal": null,
    "monthlyRemaining": null
  },
  "modelUsages": {
    "Claude Haiku 4.5": 91295,
    "Claude Sonnet 4.6": 2394221
  },
  "retryAfterSeconds": null,
  "isInternal": true,
  "accountType": "ANONYMOUS"
}

Note: USER_BLOCKED / isInternal: true is expected for internal Atlassian accounts which use ASAP auth rather than API token Basic auth. A regular paid user account would return status: "OK" with monthly credit fields populated. The parser handles all status variants and null-safe monthly→daily fallback correctly.

Build: zero new compile errors after all fixes (swift build clean excluding pre-existing KeyboardShortcuts macro issue).
Tests: RovoDevUsageFetcherTests parser tests validate the response shape against the live JSON above.
Format: swiftformat passes on all changed files.

[sameemcodes]

Clawsweeper second-pass fixes (commit 5988160)

[P1] Fixed — descriptor registered in ProviderDescriptorRegistry

Added .rovodev: RovoDevProviderDescriptor.descriptor to the descriptors dict in ProviderDescriptor.swift. Without this, bootstrap iterates .rovodev from UsageProvider.allCases and hits preconditionFailure("Missing ProviderDescriptor for rovodev") before the app can start.

[P2] Fixed — .rovodev added to CodexBarConfigValidator.workspaceIDProviders

Added .rovodev to the workspaceIDProviders array in CodexBarConfigValidation.swift. Email is stored in workspaceID for this two-credential provider (email + API token). Without this fix, a valid Rovo Dev config reports a spurious workspace_unused validation warning.

All 6 commits now pass swift build with zero new errors.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26815148422
• Updated: 2026-06-02T11:00:10.050Z

[sameemcodes]

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26815392177
• Updated: 2026-06-02T11:06:31.612Z

[steipete]

Maintainer repair pushed on exact head dcb264a1.

Changes:

• rebased onto current main
• completed provider registration/config/settings integration
• fail-closed HTTPS endpoint overrides before attaching Basic auth
• reject generic HTTP 200/403 error envelopes instead of accepting empty usage
• derive used credits from total/remaining and keep monthly/daily windows paired
• avoid reporting 100% remaining when blocked responses contain no balance
• render credit details correctly in menu, card, and CLI output
• corrected the documented credential setup path

Proof:

• make check
• swift test --filter RovoDevUsageFetcherTests: 30 passed
• swift test --filter CLISnapshotTests: 25 passed
• exact-head Codex autoreview: clean after addressing five actionable findings

Fresh GitHub CI is now running. I am not merging this autonomously: the endpoint and Basic-auth contract are undocumented, and the available live proof only shows a blocked/anonymous response rather than a successful paid-account monthly-credit fetch through CodexBar.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dcb264a193

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Prefer remaining balance for exhausted Rovo credits

When Rovo Dev reports an exhausted Standard trial, the current credits/check payload can include monthlyRemaining: 0 and monthlyTotal: 2000 while also setting monthlyUsed: 0; this branch returns that explicit zero before deriving total - remaining, so exhausted accounts render as 0 / 2000 credits and 0% used. Prefer the derived remaining-based value when total and remaining are present (or at least for limit-exceeded statuses) so the menu reflects the actual cap.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 94f626bf7b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Apply the selected Rovo billing site to credit checks

For Rovo Dev users whose credits are tied to a selected Atlassian site (common with Free or multi-site accounts), this request ignores the atlassianBillingSite/cloudId that ACLI stores in ~/.rovodev/config.yml; Atlassian documents that setting as the site whose credit allocation Rovo Dev CLI should use (https://support.atlassian.com/rovo/docs/manage-rovo-dev-cli-settings/). Because the fetcher only calls the global credits/check URL with email/token, those accounts can get 403 or the wrong allocation even though acli rovodev is configured and works, so the provider should read/apply the billing site or otherwise mirror the CLI auth context before checking credits.

Useful? React with 👍 / 👎.

[steipete]

Exact head 94f626bf7b8fb29da3b9a67eecf5b7c754f3845e is fully green.

Holding merge for provider-contract acceptance. The implementation still depends on an undocumented endpoint/Basic-auth shape and lacks paid-account proof; CI cannot validate that external contract.