Add Rovo Dev provider with monthly credit tracking

[sameemcodes]

Summary

• add experimental Rovo Dev monthly credit tracking
• authenticate with Atlassian email plus a scoped API token
• expose credit usage in app, CLI, menu, diagnostics, and provider settings
• add provider icon, documentation, config routing, and focused parser/rendering coverage

API status

Atlassian documents Rovo Dev credit allowances, dashboard usage, API-token login, and the read:rovodev:limits scope. Current ACLI debug output uses GET /rovodev/v3/credits/check; an Atlassian staff answer publicly confirms that endpoint's authorization semantics, and a separate public ACLI trace shows the balance schema implemented here. Atlassian still does not publish it as a supported public API, so the provider and docs label this integration experimental.

• Official scoped-token instructions
• Atlassian staff confirmation of the v3 credits endpoint
• Public ACLI v3 response trace

Hardening

• require both email and API token for fetch and diagnose paths
• recommend a scoped token containing only read:rovodev:limits
• reject insecure or credential-bearing endpoint overrides before attaching Basic auth
• disable automatic URLSession cookie handling
• reject negative, inconsistent, or out-of-window quota values
• prefer authoritative total/remaining values over stale explicit usage
• reject generic HTTP 200/403 payloads rather than reporting false quota
• use current explicit provider registries instead of removed macro registration

Verification

Exact head: 85804bce8295878462e096c8150a3d881bac8a59

• 92 focused Rovo/config/widget/menu tests passed
• 46 focused Rovo/diagnose tests passed after the final review fix
• make check passed; generated parser hash current; SwiftFormat and SwiftLint clean
• focused autoreviews clean (0.86)
• final current-main whole-branch autoreview clean (0.78), no accepted/actionable findings
• configuration provider-ID regression passed after adding rovodev
• website/provider docs now cover all 54 provider IDs; all 21 site locales pass
• local Safari visual proof shows the Rovo Dev card and SVG icon fit beside Zed and the authoring card
• regenerated 1200×630 social image inspected; documentation follow-up autoreview clean (0.92)
• contributor reported a live response from the endpoint on the original implementation

Live boundary

Maintainer live setup reached Atlassian's scoped-token form and confirmed read:rovodev:limits is the dedicated usage/limits scope. No token was created because persistent API-key creation requires action-time confirmation and immediate 1Password storage, and this account's Rovo entitlement is not yet proven. No exact-head maintainer account-success claim is made.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 19, 2026, 10:39 AM ET / 14:39 UTC.

Summary
The PR adds an experimental Atlassian Rovo Dev provider with Atlassian email plus scoped API-token auth, monthly credit fetching, app/CLI/settings/docs integration, assets, and focused tests.

Reproducibility: not applicable. This PR adds a new provider rather than fixing broken existing behavior. The validation gap is successful latest-head paid-account Rovo proof, not a current-main reproduction path.

Review metrics: 2 noteworthy metrics.

• Diff surface: 39 files changed, +1560/-107. The provider addition spans core fetch/config code, app settings/rendering, CLI diagnostics, widget exclusions, docs, assets, and tests.
• Credential inputs: 3 inputs added: email, API token, API URL override. The new provider path handles sensitive auth material and endpoint override behavior, so proof and sign-off matter beyond unit coverage.

Root-cause cluster
Relationship: fixed_by_candidate
Canonical: #237
Summary: This PR is the current implementation candidate for the accepted Rovo Dev provider request; the older Rovo Dev PR is closed unmerged and not a safe canonical landing path.

Members:

• canonical: Suggestion: Atlassian Rovo Dev CLI provider #237 - The related open issue requests Atlassian Rovo Dev provider support and is cross-referenced by this PR.
• superseded: Add Atlassian Rovo Dev provider #676 - The earlier Rovo Dev provider PR is closed unmerged after collaborator concerns and is not the current viable landing path.

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted latest-head CodexBar CLI or app proof from a paid Rovo Dev account.
• Get explicit maintainer acceptance of the undocumented endpoint, Basic-auth contract, and site-scoped behavior.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: The PR has blocked/anonymous endpoint output and maintainer setup confirmation, but not a successful latest-head CodexBar paid-account monthly-credit fetch. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• [P1] The PR depends on an undocumented Atlassian credits/check endpoint and Basic-auth shape, so CI and parser tests cannot prove the external provider contract will keep working.
• [P1] The available real evidence is a blocked/anonymous endpoint response plus setup confirmation, not a successful latest-head CodexBar paid-account monthly-credit fetch.
• [P1] Site-scoped behavior remains unresolved for Free or multi-site accounts: the branch docs mention per-site Free credits, while the fetcher calls the global credits/check endpoint with only email/token.

Maintainer options:

1. Require proof and contract sign-off (recommended)
   Before merge, require redacted latest-head CodexBar app or CLI output showing a successful paid-account monthly-credit fetch plus explicit maintainer acceptance of the endpoint/auth/site behavior.
2. Accept disabled experimental risk
   Maintainers may intentionally merge the disabled-by-default provider while owning the risk that Atlassian rejects or changes the undocumented contract for normal accounts.
3. Pause for a CLI or site-aware path
   If successful proof cannot be produced, keep this PR open or close it later in favor of an implementation that mirrors the Rovo CLI billing-site context.

Next step before merge

• [P1] Human review is needed for provider-contract acceptance and successful paid-account proof; automation cannot supply external account validation.

Security
Cleared: No concrete security or supply-chain defect was found in the inspected diff; the remaining concern is provider auth-contract proof rather than a line-level security issue.

Review details

Best possible solution:

Merge only after a maintainer accepts the undocumented endpoint/auth/site contract and redacted latest-head CodexBar app or CLI output proves a successful paid-account monthly-credit fetch.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this PR adds a new provider rather than fixing broken existing behavior. The validation gap is successful latest-head paid-account Rovo proof, not a current-main reproduction path.

Is this the best way to solve the issue?

Unclear, not yet: the implementation follows CodexBar's provider descriptor/settings/test patterns, but the endpoint/auth/site contract needs maintainer acceptance and successful real-account proof before it is the best solution.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 2fd5bccf040e.

Label changes

Label justifications:

• P2: This is a bounded disabled-by-default provider enhancement with limited blast radius but real auth-provider integration work.
• merge-risk: 🚨 auth-provider: The PR introduces Atlassian email/API-token routing to an undocumented credits endpoint without successful latest-head paid-account proof.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR has blocked/anonymous endpoint output and maintainer setup confirmation, but not a successful latest-head CodexBar paid-account monthly-credit fetch. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

What I checked:

• Repository policy read: AGENTS.md was read fully; its provider/auth guidance affects this review by favoring existing provider patterns, focused parser/provider tests, and avoiding live provider probes or Keychain-triggering validation without explicit request. (AGENTS.md:1, 2fd5bccf040e)
• Vision sign-off boundary: VISION.md supports new provider coverage that follows existing patterns, but flags new features and provider additions with unclear auth/privacy behavior as needing sign-off. (VISION.md:1, 2fd5bccf040e)
• Current main lacks Rovo Dev: Current main has no Rovo/RovoDev matches across source, tests, docs, README, or changelog, and UsageProvider still ends at chutes. (Sources/CodexBarCore/Providers/Providers.swift:58, 2fd5bccf040e)
• Latest release lacks Rovo Dev: The v0.36.1 tag lists 53 provider IDs and has no Rovo Dev provider entry, so the feature has not shipped in the latest release. (docs/providers.md:11, 06fea2c897cc)
• PR scope: The current head changes 39 files with 1560 additions and 107 deletions across provider code, settings/rendering, CLI diagnostics, widget exclusions, docs, assets, and tests. (85804bce8295)
• Provider auth path: The fetcher validates endpoint overrides, disables automatic cookies, and attaches Basic auth built from the configured Atlassian email and API token before calling the Rovo credits endpoint. (Sources/CodexBarCore/Providers/RovoDev/RovoDevUsageFetcher.swift:193, 85804bce8295)

Likely related people:

• steipete: Owner comments and branch commits show steipete rebased and hardened the provider, then explicitly held merge for endpoint/auth contract acceptance and paid-account proof. (role: recent PR repair owner and product decision owner; confidence: high; commits: 4a0ef00dbcf4, 71a57722451e, b039a58e0d11; files: Sources/CodexBarCore/Providers/RovoDev/RovoDevUsageFetcher.swift, Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift, Sources/CodexBar/Providers/RovoDev/RovoDevProviderImplementation.swift)
• Yuxin-Qiao: Current-main blame routes the shared provider enum/descriptor/config scaffolding through Yuxin Qiao, and the related issue discussion shows them asking for real Rovo CLI usage fixtures before a safer implementation. (role: recent provider registry contributor and adjacent provider reviewer; confidence: medium; commits: 421bf576abc0; files: Sources/CodexBarCore/Providers/Providers.swift, Sources/CodexBarCore/Providers/ProviderDescriptor.swift, Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift)
• ratulsarna: ratulsarna closed the earlier Rovo Dev provider PR with correctness concerns around cookie-source selection and profile parsing, which is useful history for reviewing this replacement path. (role: prior Rovo reviewer; confidence: medium; files: Sources/CodexBarCore/Providers/RovoDev/RovoDevUsageFetcher.swift, Sources/CodexBar/Providers/RovoDev/RovoDevProviderImplementation.swift)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0a08870478

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[sameemcodes]

Clawsweeper review fixes (commit 743a83e)

[P1] Fixed — ProviderImplementationRegistry missing case

Added case .rovodev: RovoDevProviderImplementation() to makeImplementation(for:). Without this the switch was non-exhaustive and the app target would fail to compile.

[P2] Fixed — supportsAPIKeyOverride now returns true for .rovodev

Added .rovodev to directAPIKeyEnvironmentKey returning RovoDevSettingsReader.apiTokenEnvironmentKey. The documented CLI path codexbar config set-api-key --provider rovodev --stdin now works correctly.

[P2] Fixed — removed unsupported token-account credential claim from docs

Token accounts cannot carry two separate credentials (email + API token), so they are not a valid auth path. Docs now state this explicitly and direct users to env vars or Settings.

---

Live API proof (redacted)

Hit https://api.atlassian.com/rovodev/v3/credits/check with Basic auth during development to validate the parser:

{
  "status": "USER_BLOCKED",
  "message": "Sorry, you are blocked from accessing the Rovo API...",
  "balance": {
    "dailyUsed": 0,
    "dailyTotal": null,
    "dailyRemaining": null,
    "monthlyUsed": null,
    "monthlyTotal": null,
    "monthlyRemaining": null
  },
  "modelUsages": {
    "Claude Haiku 4.5": 91295,
    "Claude Sonnet 4.6": 2394221
  },
  "retryAfterSeconds": null,
  "isInternal": true,
  "accountType": "ANONYMOUS"
}

Note: USER_BLOCKED / isInternal: true is expected for internal Atlassian accounts which use ASAP auth rather than API token Basic auth. A regular paid user account would return status: "OK" with monthly credit fields populated. The parser handles all status variants and null-safe monthly→daily fallback correctly.

Build: zero new compile errors after all fixes (swift build clean excluding pre-existing KeyboardShortcuts macro issue).
Tests: RovoDevUsageFetcherTests parser tests validate the response shape against the live JSON above.
Format: swiftformat passes on all changed files.

[sameemcodes]

Clawsweeper second-pass fixes (commit 5988160)

[P1] Fixed — descriptor registered in ProviderDescriptorRegistry

Added .rovodev: RovoDevProviderDescriptor.descriptor to the descriptors dict in ProviderDescriptor.swift. Without this, bootstrap iterates .rovodev from UsageProvider.allCases and hits preconditionFailure("Missing ProviderDescriptor for rovodev") before the app can start.

[P2] Fixed — .rovodev added to CodexBarConfigValidator.workspaceIDProviders

Added .rovodev to the workspaceIDProviders array in CodexBarConfigValidation.swift. Email is stored in workspaceID for this two-credential provider (email + API token). Without this fix, a valid Rovo Dev config reports a spurious workspace_unused validation warning.

All 6 commits now pass swift build with zero new errors.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26815148422
• Updated: 2026-06-02T11:00:10.050Z

[sameemcodes]

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26815392177
• Updated: 2026-06-02T11:06:31.612Z

[steipete]

Maintainer repair pushed on exact head dcb264a1.

Changes:

• rebased onto current main
• completed provider registration/config/settings integration
• fail-closed HTTPS endpoint overrides before attaching Basic auth
• reject generic HTTP 200/403 error envelopes instead of accepting empty usage
• derive used credits from total/remaining and keep monthly/daily windows paired
• avoid reporting 100% remaining when blocked responses contain no balance
• render credit details correctly in menu, card, and CLI output
• corrected the documented credential setup path

Proof:

• make check
• swift test --filter RovoDevUsageFetcherTests: 30 passed
• swift test --filter CLISnapshotTests: 25 passed
• exact-head Codex autoreview: clean after addressing five actionable findings

Fresh GitHub CI is now running. I am not merging this autonomously: the endpoint and Basic-auth contract are undocumented, and the available live proof only shows a blocked/anonymous response rather than a successful paid-account monthly-credit fetch through CodexBar.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dcb264a193

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 94f626bf7b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Apply the selected Rovo billing site to credit checks

For Rovo Dev users whose credits are tied to a selected Atlassian site (common with Free or multi-site accounts), this request ignores the atlassianBillingSite/cloudId that ACLI stores in ~/.rovodev/config.yml; Atlassian documents that setting as the site whose credit allocation Rovo Dev CLI should use (https://support.atlassian.com/rovo/docs/manage-rovo-dev-cli-settings/). Because the fetcher only calls the global credits/check URL with email/token, those accounts can get 403 or the wrong allocation even though acli rovodev is configured and works, so the provider should read/apply the billing site or otherwise mirror the CLI auth context before checking credits.

Useful? React with 👍 / 👎.

[steipete]

Exact head 94f626bf7b8fb29da3b9a67eecf5b7c754f3845e is fully green.

Holding merge for provider-contract acceptance. The implementation still depends on an undocumented endpoint/Basic-auth shape and lacks paid-account proof; CI cannot validate that external contract.

[sameemcodes]

Resolve merge conflicts