feat(zoo-gateway): auth callback and multi-profile token sync

[JamesRobert20]

Summary

• Propagates OAuth callback token to all ClineProvider instances (sequential writes to avoid profile-store races)
• Seeds/syncs zoo-gateway profiles, including non-active profiles for model fetch
• Clears in-memory active profile on sign-out even when disk is already clean

Part 3 of the Zoo Gateway stack. Depends on PR2 (stacked on #344).

Test plan

• handleUri multi-instance + serialization tests
• webviewMessageHandler separate-profile lookup test
• Manual: sign in/out across multiple profiles

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 2286aa3a-244c-4087-8d0f-c24e9daecaea

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/zoo-gateway-auth-sync

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 88.26087% with 27 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/core/webview/ClineProvider.ts	83.75%	13 Missing ⚠️
src/api/providers/zoo-gateway.ts	91.66%	7 Missing and 1 partial ⚠️
src/core/webview/webviewMessageHandler.ts	88.23%	6 Missing ⚠️

📢 Thoughts on this report? Let us know!

[proyectoauraorg]

Review: Auth Callback + Multi-Profile Token Sync

Verdict: ✅ Approved (with security notes for future hardening)

Verified

• ✅ handleUri.spec.ts — 8 tests pass (multi-instance fan-out, sequential serialization)
• ✅ ClineProvider.spec.ts — 82 tests pass (6 new auth profile sync tests)
• ✅ webviewMessageHandler.spec.ts — 44 tests pass (2 new sign-out tests)
• ✅ Sequential execution of callbacks avoids profile-store race conditions
• ✅ Sign-out clears tokens from ALL zoo-gateway profiles (correct symmetry)
• ✅ Model list fetch recovers credentials from non-active profiles

Security Notes (future hardening, not blockers)

1. Token storage: zooSessionToken is stored in JSON-serialized ProviderSettings on disk. VS Code's globalStorage is OS-protected, but migrating to SecretStorage would add an extra layer of defense.
2. Base URL validation: zooGatewayBaseUrl is derived from getZooCodeBaseUrl(). In production this is fine, but a misconfigured ZOO_CODE_BASE_URL env var could route tokens to an unintended host. Consider adding domain validation.

Both are hardening improvements for a future iteration, not blockers for this PR.

Dependency

Depends on #345. After #345 merges, this should rebase cleanly.