fix: support Devin auth from the Devin - Next app

[validatedev]

Description

Devin showed "Run devin auth login or sign in to Devin and try again." for users on the Devin - Next pre-release channel. The windsurf → devin migration dropped the retired Windsurf plugin's windsurf-next variant, so the Devin plugin only read the stable ~/Library/Application Support/Devin/... auth DB. A user with only Devin - Next installed (no stable Devin app, no devin auth login CLI credentials) had no readable auth source.

This branch:

1. Reads auth from both installs: probes the stable Devin and the Devin - Next app state DBs, restoring parity with the old windsurf / windsurf-next variants.
2. Tries every install's token: probe now attempts each token the cloud hasn't already rejected, deduped by (apiKey, server), so a stale token in one install can't mask a valid one in another.

Verified live: confirmed working on a real Devin - Next account via bun tauri dev: the call to server.codeium.com (ideName: devin) succeeded for the migrated account. No new request/response fields are exposed (the apiKey was already sent), so no host-API redaction changes were needed.

Related Issue

Fixes #553.

Type of Change

• Bug fix
• New feature
• New provider plugin
• Documentation
• Performance improvement
• Other (describe below)

Testing

• I ran bun run build and it succeeded
• I ran bun run test and all tests pass
• I tested the change locally with bun tauri dev

Screenshots

No UI/layout changes, behavior fix only.

• Before: Devin panel showed "Run devin auth login or sign in to Devin and try again."
• After: Devin panel renders Weekly/Daily quota for Devin - Next users.

Checklist

• I read CONTRIBUTING.md
• My PR targets the main branch
• I did not introduce new dependencies without justification

Summary by CodeRabbit

• New Features
  • Expanded plugin to support authentication across multiple Devin installation variants with automatic fallback to alternative sources when primary authentication is unavailable
  • Enhanced authentication efficiency by preventing duplicate retry attempts when identical credentials are detected across different installation sources

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 33ba48e5-a780-4fbe-9d89-b57fed8b4e42

📥 Commits

Reviewing files that changed from the base of the PR and between 2a6b580 and 6387109.

📒 Files selected for processing (1)

• plugins/devin/plugin.js

---

📝 Walkthrough

Walkthrough

This PR introduces multi-source app authentication for the Devin plugin, allowing it to attempt auth from multiple Devin install variants and deduplicate retry attempts by API key and server combination. The probe flow now accumulates attempted auth fingerprints to prevent stale tokens in one install from shadowing valid credentials in another.

Changes

Multi-source Devin app authentication

Layer / File(s)	Summary
App auth sources and loading plugins/devin/plugin.js	APP_AUTH_SOURCES enumerates multiple Devin install variants with their SQLite state DB paths. readAppAuth(ctx, variant) queries variant.stateDb and tags returned auth with source: variant.source.
Auth deduplication and probe flow plugins/devin/plugin.js	probe(ctx) now maintains an attempts array, fingerprints credentials (API key + effective API server URL), attempts credentials.toml first, iterates APP_AUTH_SOURCES, skips already-attempted auths, and uses authFingerprint(auth) and alreadyAttempted(attempts, auth) for deduplication.
Multi-source auth test coverage plugins/devin/plugin.test.js	Adds NEXT_STATE_DB constant. mockAppAuth returns auth only for the stable STATE_DB and empty for others. New tests verify reading auth from the "Devin - Next" variant when stable is absent and fallback behavior when a stable token is rejected (401).

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: support Devin auth from the Devin - Next app' clearly and concisely describes the main change—extending auth support to the Devin - Next app variant.
Linked Issues check	✅ Passed	The PR fully addresses issue #553 by implementing multi-install auth probing, deduplication logic, and fallback behavior to support both Devin stable and Devin - Next variants.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the linked issue: auth probing from multiple install variants, deduplication by fingerprint, and test coverage for fallback behavior.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/devin-next-state-db

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[validatedev]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. You're on a roll.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

🧹 Nitpick comments (1)

plugins/devin/plugin.js (1)

140-146: ⚡ Quick win

Load app auth sources lazily in probe().

loadAppAuths() queries every configured SQLite DB before the first app token is tried. That makes the success path do extra I/O and can surface noise from optional installs even when the earlier source would have succeeded. Iterating APP_AUTH_SOURCES directly in probe() keeps the fallback behavior but short-circuits sooner.

♻️ Suggested shape

-  function loadAppAuths(ctx) {
-    var auths = []
-    for (var i = 0; i < APP_AUTH_SOURCES.length; i++) {
-      var auth = readAppAuth(ctx, APP_AUTH_SOURCES[i])
-      if (auth) auths.push(auth)
-    }
-    return auths
-  }
...
-    var appAuths = loadAppAuths(ctx)
-    for (var i = 0; i < appAuths.length; i++) {
-      var appAuth = appAuths[i]
+    for (var i = 0; i < APP_AUTH_SOURCES.length; i++) {
+      var appAuth = readAppAuth(ctx, APP_AUTH_SOURCES[i])
+      if (!appAuth) continue
       if (alreadyAttempted(attempts, appAuth)) continue
       sawApiKey = true
       attempts.push(authFingerprint(appAuth))
       var appAttempt = tryAuth(ctx, appAuth)

Also applies to: 313-318

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/devin/plugin.js` around lines 140 - 146, loadAppAuths eagerly reads
every configured SQLite source which causes extra I/O and noise; instead, change
probe() to iterate APP_AUTH_SOURCES and call readAppAuth(ctx, source)
one-by-one, returning immediately when a truthy auth is found (short-circuiting)
rather than preloading them all in loadAppAuths; update the other similar site
(the code around readAppAuth usage at the second location referenced) to follow
the same lazy, short-circuiting pattern so only necessary DBs are queried.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@plugins/devin/plugin.js`:
- Around line 140-146: loadAppAuths eagerly reads every configured SQLite source
which causes extra I/O and noise; instead, change probe() to iterate
APP_AUTH_SOURCES and call readAppAuth(ctx, source) one-by-one, returning
immediately when a truthy auth is found (short-circuiting) rather than
preloading them all in loadAppAuths; update the other similar site (the code
around readAppAuth usage at the second location referenced) to follow the same
lazy, short-circuiting pattern so only necessary DBs are queried.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c7a4a3fd-0d49-4f51-bc23-ab404dd3d886

📥 Commits

Reviewing files that changed from the base of the PR and between 8a5b337 and 2a6b580.

📒 Files selected for processing (2)

• plugins/devin/plugin.js
• plugins/devin/plugin.test.js

[cubic-dev-ai]

No issues found across 2 files

_{Re-trigger cubic}

[robinebers]

Perfect, LGTM