fix(auth): load OAuth tokens from keyring for API clients

Fixes bounty issue #1546

After successful OAuth device flow login, the access token is saved to
the system keyring by cortex-login, but the API clients (BackendClient,
CortexClient) were only checking environment variables for auth tokens.

This fix:
- Adds get_auth_token() and has_valid_auth() functions to cortex-login
  that retrieve OAuth tokens from the system keyring
- Updates BackendClient::new() to fall back to keyring if env vars are
  not set
- Updates CortexClient::new() to load OAuth tokens from keyring
- Adds cortex-login as a dependency to cortex-engine

Now when a user completes OAuth device authorization, the token is
automatically used for API requests without requiring additional
configuration.

Author: factorydroid

Cargo.lock

@@ -20,6 +20,7 @@ cortex-common = { workspace = true }
 cortex-mcp-types = { path = "../cortex-mcp-types" }
 cortex-utils-git = { path = "../cortex-utils/git" }
 cortex-keyring-store = { path = "../cortex-keyring-store", features = ["serde"] }
+cortex-login = { path = "../cortex-login" }
 
 # New feature crates (Phase 1)
 cortex-lsp = { path = "../cortex-lsp" }

cortex-engine/Cargo.toml

@@ -37,10 +37,16 @@ impl BackendClient {
             .build()
             .unwrap_or_else(|_| Client::new());
 
-        // Get auth token from environment
+        // Get auth token with priority:
+        // 1. Environment variables (cortex_AUTH_TOKEN, cortex_API_KEY)
+        // 2. System keyring (OAuth tokens from device flow login)
         let auth_token = std::env::var("cortex_AUTH_TOKEN")
             .or_else(|_| std::env::var("cortex_API_KEY"))
-            .ok();
+            .ok()
+            .or_else(|| {
+                // Fall back to keyring for OAuth tokens
+                cortex_login::get_auth_token()
+            });
 
         Self {
             client,

cortex-engine/src/client/backend.rs

@@ -63,6 +63,9 @@ impl CortexClient {
             .build()
             .unwrap_or_else(|_| Client::new());
 
+        // Try to load OAuth token from keyring (device flow login)
+        let auth_token = cortex_login::get_auth_token();
+
         Self {
             client,
             base_url: base_url.unwrap_or_else(|| {
@@ -76,7 +79,7 @@ impl CortexClient {
                 context_window: 200_000,
                 max_output_tokens: Some(8192),
             },
-            auth_token: None,
+            auth_token,
             api_key: None,
             expected_price_version: None,
         }

cortex-engine/src/client/cortex.rs

@@ -94,6 +94,8 @@ pub fn create_client(
                 model.to_string(),
                 base_url.map(std::string::ToString::to_string),
             );
+            // CortexClient::new() already loads auth from keyring,
+            // but if an explicit api_key is provided, use that instead
             if !api_key.is_empty() {
                 client = client.with_api_key(api_key.to_string());
             }

cortex-engine/src/client/mod.rs

@@ -718,6 +718,77 @@ pub fn safe_format_key(key: &str) -> String {
     format!("{prefix}***{suffix}")
 }
 
+/// Get the current authentication token from keyring storage.
+///
+/// This function attempts to load the auth token from the system keyring.
+/// It returns the access token for OAuth auth or the API key for API key auth.
+/// If the token is expired, it will return None.
+///
+/// # Returns
+/// * `Some(String)` - The authentication token if available and valid
+/// * `None` - If no token is stored or the token is expired
+///
+/// # Example
+/// ```ignore
+/// if let Some(token) = cortex_login::get_auth_token() {
+///     // Use the token for API requests
+///     client.with_auth_token(token);
+/// }
+/// ```
+pub fn get_auth_token() -> Option<String> {
+    match load_from_keyring() {
+        Ok(Some(auth_data)) => {
+            // Check if token is expired
+            if auth_data.is_expired() {
+                tracing::debug!("Auth token is expired");
+                return None;
+            }
+            // Return the appropriate token based on auth mode
+            auth_data.get_token().map(|s| s.to_string())
+        }
+        Ok(None) => {
+            tracing::debug!("No auth data found in keyring");
+            None
+        }
+        Err(e) => {
+            tracing::warn!("Failed to load auth from keyring: {}", e);
+            None
+        }
+    }
+}
+
+/// Check if valid authentication is available in keyring storage.
+///
+/// This function checks if there is a valid (non-expired) auth token
+/// stored in the system keyring without actually retrieving the token value.
+///
+/// # Returns
+/// * `true` - If a valid authentication token exists
+/// * `false` - If no token exists or the token is expired
+///
+/// # Example
+/// ```ignore
+/// if cortex_login::has_valid_auth() {
+///     println!("User is authenticated");
+/// } else {
+///     println!("Please run 'cortex login' to authenticate");
+/// }
+/// ```
+pub fn has_valid_auth() -> bool {
+    match load_from_keyring() {
+        Ok(Some(auth_data)) => {
+            // Check if token exists and is not expired
+            if auth_data.is_expired() {
+                return false;
+            }
+            // Check if we actually have a token
+            auth_data.get_token().is_some()
+        }
+        Ok(None) => false,
+        Err(_) => false,
+    }
+}
+
 /// Migrate from legacy storage to secure storage.
 pub fn migrate_to_secure_storage(cortex_home: &Path) -> Result<bool> {
     // Try to load from legacy file

cortex-login/src/lib.rs

@@ -0,0 +1 @@
+/root/cortex-cli/target