
#7813: feat(onboard): validate Venice API keys during setup

by jonisjongithub open 2026-02-03 07:01
commands stale
## Summary

Adds Venice API key validation during onboarding to prevent users from entering invalid keys (e.g., placeholder keys like `VENICE-INFERENCE-KEY-...`).

## Changes

### New file: `venice-api-key-validation.ts`

- `checkSuspiciousKeyFormat(key)` - Fast format check for known bad patterns:
  - `INFERENCE-KEY` placeholder pattern
  - `VENICE-` prefix (real keys don't have this)
  - OpenAI/Stripe key formats (wrong provider)
  - Generic placeholders like `YOUR_API_KEY`
  - Very short keys (<20 chars)
- `validateVeniceApiKey(key)` - Full validation including API call:
  - Format check first (fast, no network)
  - Test request to `POST /chat/completions` with minimal payload
  - Returns `{ valid, error?, warning? }`
  - Gracefully handles network errors (doesn't block onboarding)
- `createVeniceKeyValidator()` - Factory for prompter-compatible validator

### Updated: `auth-choice.apply.api-providers.ts` (interactive flow)

- Validates CLI-provided tokens before accepting
- Validates environment variable keys when user confirms usage
- Retry loop for manual entry (up to 3 attempts)
- Clear error messages with link to get valid key

### Updated: `onboard-non-interactive/local/auth-choice.ts`

- Validates key before storing in non-interactive mode
- Fails with helpful error message if key is invalid

## Test Coverage

New test file with 15 tests covering:

- Suspicious format detection
- Placeholder pattern matching
- Valid key acceptance (in test mode)
- Empty/short key rejection
- Validator factory function

## User Experience

**Before:** User enters invalid key → stored → fails later with confusing API errors

**After:** User enters invalid key → immediate feedback:

```
❌ This API key is invalid or has been revoked.
Please get a valid API key from https://venice.ai/settings/api
```

## Testing

```bash
# TypeScript compiles
npx tsc --noEmit

# New tests pass
npx vitest run src/commands/venice-api-key-validation.test.ts

# Existing auth tests pass
npx vitest run src/commands/auth-choice.test.ts
```

<!-- greptile_comment -->

<h2>Greptile Overview</h2>

<h3>Greptile Summary</h3>

This PR adds Venice API key validation during onboarding by introducing a new `venice-api-key-validation` module (fast suspicious-format checks + optional live `/chat/completions` probe) and wiring it into both interactive and non-interactive auth flows. In the interactive flow, CLI/env/manual-entered Venice keys are validated before being stored, with retry/cancel behavior and user-facing guidance; in the non-interactive flow, Venice keys are validated before persisting.

Overall the changes fit cleanly into the existing onboarding/auth-choice structure (provider-specific branches in `applyAuthChoiceApiProviders` and `applyNonInteractiveAuthChoice`) and centralize validation logic in a dedicated helper module that’s re-exported via `onboard-auth.ts` for reuse.

<h3>Confidence Score: 4/5</h3>

- This PR is generally safe to merge and improves onboarding correctness, with a small logic gap around validating already-stored profile keys.
- Core logic is isolated in a new validation module with test coverage, and interactive/non-interactive flows are updated in straightforward ways. The main concern is that non-interactive onboarding skips validation when the key comes from an existing profile, which can allow invalid/revoked keys to pass through the very flow this PR aims to harden.
- src/commands/onboard-non-interactive/local/auth-choice.ts

<!-- greptile_other_comments_section -->

**Context used:**

- Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))
- Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13))

<!-- /greptile_comment -->
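
An added sketch (not code from this PR or the project) of the two-stage check the description outlines: a no-network format screen, then one live probe whose transport failure produces a warning rather than a rejection. The function names, the regexes, the `Probe` hook and the status-to-result mapping are assumptions; the probe is injected and the sample keys are constructed so the block runs offline.

```typescript
// Added illustration; not the PR's venice-api-key-validation.ts.
type ValidationResult = { valid: boolean; error?: string; warning?: string };
// Hypothetical transport hook: resolves to the HTTP status of the test request.
type Probe = (key: string) => Promise<number>;

// Categories come from the PR description; the regexes themselves are assumptions.
const SUSPICIOUS: Array<[RegExp, string]> = [
  [/INFERENCE-KEY/i, "placeholder (INFERENCE-KEY)"],
  [/^VENICE-/i, "VENICE- prefix"],
  [/^sk-/, "OpenAI-style key (wrong provider)"],
  [/^[spr]k_(live|test)_/, "Stripe-style key (wrong provider)"],
  [/YOUR[_-]?API[_-]?KEY/i, "generic placeholder"],
];

// Fast check, no network. Returns a reason, or undefined if nothing looks wrong.
function suspiciousFormatReason(key: string): string | undefined {
  const k = key.trim();
  for (const [re, reason] of SUSPICIOUS) {
    if (re.test(k)) return reason;
  }
  return k.length < 20 ? "too short (<20 chars)" : undefined;
}

// Format check first, then one probe. A transport failure yields a warning
// instead of a rejection so onboarding is not blocked (assumed mapping).
async function validateKey(key: string, probe: Probe): Promise<ValidationResult> {
  const reason = suspiciousFormatReason(key);
  if (reason) return { valid: false, error: `Suspicious key format: ${reason}` };
  try {
    const status = await probe(key.trim());
    if (status === 401 || status === 403) {
      return { valid: false, error: "This API key is invalid or has been revoked." };
    }
    if (status >= 200 && status < 300) return { valid: true };
    return { valid: true, warning: `Key not verified (HTTP ${status})` };
  } catch {
    return { valid: true, warning: "Key not verified (network error)" };
  }
}

// Constructed stand-in for the real request, so the example runs offline.
const REVOKED = "constructed-revoked-key-000000";
const fakeProbe: Probe = async (key) => {
  if (key === REVOKED) return 401;
  if (key.startsWith("offline-")) throw new Error("ECONNREFUSED");
  return 200;
};
```

Passing every key source (CLI flag, environment variable, stored profile) through the same function avoids the stored-profile skip that the review comment points out for non-interactive mode.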
