auth

Well-known providers mapped to the env var that holds their API key.

Used by has_provider_credentials to verify credentials before model creation, so the UI can show a warning icon and a specific error message (e.g., "ANTHROPIC_API_KEY not set") instead of letting the provider fail at call time.

Providers not listed here fall through to the config-file check or the langchain registry fallback.

Get the glyph set for the current charset mode.

Check whether the terminal is in ASCII charset mode.

Convenience wrapper so widgets can branch on charset without importing both _detect_charset_mode and CharsetMode.

Reset module-level caches so the next call recomputes from scratch.

Intended for tests and for the /reload command.

Get available models dynamically from installed LangChain provider packages.

Imports model profiles from each provider package and extracts model names.

Results are cached after the first call; use clear_caches() to reset.

Return the env var name that holds credentials for a provider.

Checks the config file first (user override), then falls back to the hardcoded PROVIDER_API_KEY_ENV map.

Return credential readiness details for a provider.

Combines config, well-known provider metadata, optional provider auth, and implicit-auth provider metadata before attempting model creation:

1. Config-file providers (config.toml [models.providers.<name>]):
   • If the section declares api_key_env, that env var is checked via resolve_env_var() (which honors DEEPAGENTS_CLI_ prefixes).
   • If the section has class_path but no api_key_env, the provider is assumed to manage its own auth (e.g., custom headers, JWT, mTLS).
   • If neither api_key_env nor class_path is set, falls through to provider-specific defaults.
2. Hardcoded registry (PROVIDER_API_KEY_ENV): a module-level dict mapping well-known provider names to their canonical env var (e.g., "anthropic" → "ANTHROPIC_API_KEY"). The env var is checked via resolve_env_var().
3. Implicit auth providers (e.g., Vertex AI ADC): a missing env var is not treated as missing credentials.
4. Optional auth env vars (OPTIONAL_AUTH_ENV): when present, mark the provider as configured for hosted/cloud use.
5. No-auth-required providers (NO_AUTH_REQUIRED_PROVIDERS): default local endpoints report NOT_REQUIRED; non-local endpoints fall back to UNKNOWN so the SDK can decide.
6. Unknown providers not present in any source defer auth failures to the provider SDK.

Use has_provider_credentials() when compatibility with the historic True/False/None contract is required.

Return whichever env var name actually carries the resolved value.

Mirrors resolve_env_var's precedence: when the prefixed variant is present in os.environ (even empty), it wins; otherwise the canonical name is returned. Useful for UI labels that need to reflect what the CLI is actually reading rather than the canonical name.

Open the URL from a Rich link style on click, if present.

Rich Style(link=...) embeds OSC 8 terminal hyperlinks, but Textual's mouse capture intercepts normal clicks before the terminal can act on them. By handling the Textual click event directly we open the URL with a single click, matching the behavior of links in the Markdown widget.

URLs that fail the safety check (e.g. containing hidden Unicode or homograph domains) are blocked and not opened; the event bubbles and a warning is logged and displayed as a Textual notification.

On success the event is stopped so it does not bubble further. On failure (e.g. no browser available in a headless environment) the error is logged at debug level and the event bubbles normally.

Parsed model configuration from config.toml.

Instances are immutable once constructed. The providers mapping is wrapped in MappingProxyType to prevent accidental mutation of the globally cached singleton returned by load().

Origin of a CONFIGURED credential, used to discriminate display.

Outcome of an AuthPromptScreen interaction.

The three outcomes need to stay distinguishable because callers in the recovery path retry the original failing operation only on SAVED — retrying after DELETED would loop into the same missing-credentials error indefinitely.

Confirmation overlay shown before clearing a stored credential.

Patterned on DeleteThreadConfirmScreen so the destructive prompt feels consistent across the CLI. Always dismisses with True on confirm or False on cancel; the caller does the actual delete.

Modal that captures and persists an API key for one provider.

Dismissal values are members of AuthResult so callers in the recovery path can distinguish "user just saved a key — retry the failed operation" from "user just cleared their key — don't retry, that would loop into the same error" from "user cancelled — leave state alone".

Modal that lists configured providers and lets the user manage keys.

Reachable via the /auth slash command. Always dismisses with None; state changes are persisted by AuthPromptScreen and reflected by re-rendering the option list when this screen is reopened or after a save/delete completes.

User-level credential storage for model providers.

Persists API keys (and, in the future, OAuth tokens) under ~/.deepagents/.state/auth.json (file mode 0600, parent 0700) so users can enter credentials directly in the TUI rather than exporting environment variables before launch.

Security notes:

• The stored value (ApiKeyCredential.key) must never be logged, formatted via %r/!r, or interpolated into exception messages — every helper here reports only structural facts ("set credential for provider X").
• The file is written via O_EXCL | 0o600 to a temp path, then atomically replaced. A second chmod 0600 runs on the final path so filesystems that ignore the create-mode argument still end up with private perms. Permission failures are reported back to the caller in WriteOutcome.warnings so the UI can surface them to the user — logger.warning alone is invisible inside a Textual TUI session.
• On Windows, POSIX mode bits don't apply; the chmod calls are best-effort and skipped silently.

LangChain brand colors and semantic constants for the CLI.

Single source of truth for color values used in Python code (Rich markup, Content.styled, Content.from_markup). CSS-side styling should reference Textual CSS variables: built-in variables ($primary, $background, $text-muted, $error-muted, etc.) are set via register_theme() in DeepAgentsApp.__init__, while the few app-specific variables ($mode-bash, $mode-command, $skill, $skill-hover, $tool, $tool-hover) are backed by these constants via App.get_theme_variable_defaults().

Code that needs custom CSS variable values should call get_css_variable_defaults(dark=...). For the full semantic color palette, look up the ThemeColors instance via get_registry().

Users can define custom themes in ~/.deepagents/config.toml under [themes.<name>] sections. Each new theme section must include label (str); dark (bool) defaults to False if omitted (set to True for dark themes). Color fields are optional and fall back to the built-in dark/light palette based on the dark flag. Sections whose name matches a built-in theme override its colors without replacing it. See _load_user_themes() for details.