fix(engine): validate auth before creating git snapshot

Fixes bounty issue #1652

Previously, the session would create a git snapshot before calling
run_agent_loop(), but authentication was only validated when making
the actual API request inside run_agent_loop(). This caused git
snapshots to be created even when authentication would fail.

This fix adds a validate_auth() method to the ModelClient trait that
performs a lightweight auth check before creating any side effects.
The session now calls validate_auth() before creating the git snapshot,
ensuring early failure on invalid credentials.

Author: factorydroid

cortex-engine/src/client/backend.rs

@@ -241,6 +241,17 @@ impl ModelClient for BackendClient {
         &self.capabilities
     }
 
+    async fn validate_auth(&self) -> Result<()> {
+        // Use existing health_check to validate connectivity and auth
+        match self.health_check().await {
+            Ok(true) => Ok(()),
+            Ok(false) => Err(CortexError::BackendUnavailable(
+                "Backend health check failed".to_string(),
+            )),
+            Err(e) => Err(e),
+        }
+    }
+
     async fn complete(&self, request: CompletionRequest) -> Result<ResponseStream> {
         let url = format!("{}/api/v1/completions/stream", self.base_url);
 

cortex-engine/src/client/cortex.rs

@@ -301,6 +301,17 @@ impl ModelClient for CortexClient {
         &self.capabilities
     }
 
+    async fn validate_auth(&self) -> Result<()> {
+        // Use existing health_check to validate connectivity and auth
+        match self.health_check().await {
+            Ok(true) => Ok(()),
+            Ok(false) => Err(CortexError::BackendUnavailable(
+                "Cortex backend health check failed".to_string(),
+            )),
+            Err(e) => Err(e),
+        }
+    }
+
     async fn complete(&self, request: CompletionRequest) -> Result<ResponseStream> {
         let url = format!("{}/v1/responses", self.base_url);
         let body = self.build_request(&request);

cortex-engine/src/client/mod.rs

@@ -48,6 +48,11 @@ pub trait ModelClient: Send + Sync {
     /// Get model capabilities.
     fn capabilities(&self) -> &ModelCapabilities;
 
+    /// Validate authentication credentials before making requests.
+    /// This allows checking auth early to avoid side effects on auth failure.
+    /// Returns Ok(()) if auth is valid, or an error if authentication fails.
+    async fn validate_auth(&self) -> Result<()>;
+
     /// Send a completion request and get a stream of responses.
     async fn complete(&self, request: CompletionRequest) -> Result<ResponseStream>;
 

cortex-engine/src/client/openai.rs

@@ -108,6 +108,31 @@ impl ModelClient for OpenAiClient {
         &self.capabilities
     }
 
+    async fn validate_auth(&self) -> Result<()> {
+        // Make a lightweight models list request to validate the API key
+        let response = self
+            .client
+            .get(format!("{}/models", self.base_url))
+            .header("Authorization", format!("Bearer {}", self.api_key))
+            .timeout(std::time::Duration::from_secs(10))
+            .send()
+            .await?;
+
+        if response.status().is_success() {
+            Ok(())
+        } else if response.status() == reqwest::StatusCode::UNAUTHORIZED {
+            Err(CortexError::AuthenticationError {
+                message: "Invalid API key".to_string(),
+            })
+        } else {
+            let status = response.status();
+            let body = response.text().await.unwrap_or_default();
+            Err(CortexError::model(format!(
+                "Auth validation failed {status}: {body}"
+            )))
+        }
+    }
+
     async fn complete(&self, request: CompletionRequest) -> Result<ResponseStream> {
         let mut req = self.build_request(&request);
         req.stream = Some(true);

cortex-engine/src/client/openai_compatible.rs

@@ -386,6 +386,37 @@ impl<T: OpenAICompatibleClient> ModelClient for T {
         OpenAICompatibleClient::capabilities(self)
     }
 
+    async fn validate_auth(&self) -> Result<()> {
+        // Make a lightweight models list request to validate the API key
+        let mut http_request = self
+            .http_client()
+            .get(format!("{}/models", self.base_url()))
+            .header("Authorization", format!("Bearer {}", self.api_key()))
+            .timeout(std::time::Duration::from_secs(10));
+
+        // Add any provider-specific headers
+        for (key, value) in self.additional_headers() {
+            http_request = http_request.header(&key, &value);
+        }
+
+        let response = http_request.send().await?;
+
+        if response.status().is_success() {
+            Ok(())
+        } else if response.status() == reqwest::StatusCode::UNAUTHORIZED {
+            Err(CortexError::AuthenticationError {
+                message: format!("{} API key is invalid", self.provider_name()),
+            })
+        } else {
+            let status = response.status();
+            let body = response.text().await.unwrap_or_default();
+            Err(CortexError::model(format!(
+                "{} auth validation failed {status}: {body}",
+                self.provider_name()
+            )))
+        }
+    }
+
     async fn complete(&self, request: CompletionRequest) -> Result<ResponseStream> {
         let mut req = build_openai_request(&request);
         req.stream = Some(true);

cortex-engine/src/session.rs

@@ -30,7 +30,7 @@ use crate::error::{CortexError, Result};
 use crate::rollout::reader::{RolloutItem, get_events, get_session_meta};
 use crate::rollout::recorder::SessionMeta;
 use crate::rollout::{RolloutRecorder, SESSIONS_SUBDIR, get_rollout_path, read_rollout};
-use crate::skills::{SkillsManager, render_skills_section, try_get_skills_manager};
+use crate::skills::{render_skills_section, try_get_skills_manager};
 use crate::summarization::SummarizationStrategy;
 use crate::tools::context::ToolOutputChunk;
 use crate::tools::{ToolContext, ToolRouter};
@@ -503,6 +503,22 @@ impl Session {
         }))
         .await;
 
+        // Validate authentication before creating any side effects (like git snapshots)
+        // This ensures we fail early if credentials are invalid
+        if let Err(e) = self.client.validate_auth().await {
+            tracing::error!("Authentication validation failed: {}", e);
+            self.emit(EventMsg::Error(ErrorEvent {
+                message: format!("Authentication failed: {}", e),
+                cortex_error_info: None,
+            }))
+            .await;
+            self.emit(EventMsg::TaskComplete(TaskCompleteEvent {
+                last_agent_message: None,
+            }))
+            .await;
+            return Err(e);
+        }
+
         // Fast git-based snapshot (uses git write-tree, instant)
         // Only track if the cwd is a git repository (has .git directory)
         let is_git_repo = self.config.cwd.join(".git").exists()
@@ -1797,12 +1813,12 @@ fn build_system_prompt_with_skills(config: &Config, skills_section: Option<&str>
     }
 
     // Add skills section if provided
-    if let Some(skills) = skills_section {
-        if !skills.is_empty() {
-            additional.push_str("\n## Available Skills\n");
-            additional.push_str(skills);
-            additional.push('\n');
-        }
+    if let Some(skills) = skills_section
+        && !skills.is_empty()
+    {
+        additional.push_str("\n## Available Skills\n");
+        additional.push_str(skills);
+        additional.push('\n');
     }
 
     prompt = prompt.replace("{{ADDITIONAL_CONTEXT}}", &additional);