Add Devin usage provider #1264

Merged: steipete merged 2 commits into steipete:main from coygeek:feat/devin-provider-800 on Jun 11, 2026

coygeek (Contributor) commented Jun 1, 2026

Summary

  • add Devin as a web-backed usage provider with icon, settings, provider registration, widget/config integration, docs, and changelog coverage
  • import the current auth1_session from Chrome local storage and infer the organization slug/internal ID from current Devin storage shapes
  • parse daily and weekly quota usage from the current billing quota endpoint, without importing refresh tokens or deriving Auth0 endpoints
  • retry viable Chrome profiles and treat empty app settings as absent so discovered organization metadata is preserved

Fixes #800

Verification

  • swift test --filter DevinUsageFetcherTests (19 tests)
  • swift test --filter ProviderIconResourcesTests
  • swift test --filter ProviderSettingsDescriptorTests
  • make check
  • local autoreview: clean, no actionable findings
  • existing authenticated Chrome profile: Devin Usage & Limits loaded; /api/<redacted-org>/billing/quota/usage returned HTTP 200
  • bundled CLI: returned fresh Daily and Weekly windows from the Chrome session
  • freshly packaged and signed CodexBar.app: Peekaboo selected Devin and verified Updated just now, Daily, Weekly, and quota bars with no login or organization error

clawsweeper (Bot) commented Jun 1, 2026

Codex review: needs real behavior proof before merge. Reviewed June 11, 2026, 4:02 AM ET / 08:02 UTC.

Summary
Adds a Devin usage provider that imports a Chrome local-storage session or accepts a manual bearer token, discovers organization metadata, fetches daily and weekly quotas, and integrates settings, CLI, docs, icons, and tests.

Reproducibility: not applicable. This PR adds a new opt-in provider rather than reporting broken established behavior. Focused tests establish source behavior but do not replace proof from a real Devin account.

Review metrics: 3 noteworthy metrics.

  • Provider surface: 26 files, +1,824/-9. The PR spans credential discovery, network parsing, settings, registration, documentation, widget exhaustiveness, and tests.
  • Focused coverage: 392-line Devin test suite. The branch includes substantial parser, session-discovery, retry, normalization, and request coverage.
  • Auth scope: Chrome-only automatic import. The final hardening narrows automatic credential discovery and avoids probing unrelated browsers by default.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🧂 unranked krab
Patch quality: 🐚 platinum hermit
Result: blocked until real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Attach redacted live output or media showing the final head fetches and renders fresh Daily and Weekly quota results.
  • Restore the current-main widget package reference.
  • Obtain explicit maintainer acceptance of the browser bearer-token boundary.

Proof guidance:

  • [P1] Needs real behavior proof before merge: The PR body describes successful real runs but supplies no inspectable screenshot, recording, terminal output, linked artifact, or redacted log from the final head; add proof with account, organization, endpoint, and token details redacted, then update the PR body to retrigger review or ask a maintainer to comment @clawsweeper re-review.

Mantis proof suggestion
A native app recording would materially verify provider selection and rendered quota bars, paired with redacted terminal or log output for the authenticated fetch path. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

visual task: show Devin enabled in CodexBar and verify fresh Daily and Weekly quota bars render from a signed-in Chrome session, with all account and organization details redacted.

Risk before merge

  • [P1] Automatic mode reads a live bearer credential from undocumented Devin browser storage; changes to token semantics or storage shape could break authentication and require urgent provider maintenance.
  • [P1] The integration depends on an undocumented quota endpoint and organization metadata shapes, creating an ongoing compatibility burden that maintainers must knowingly accept.
  • [P1] No inspectable redacted artifact currently demonstrates that the final hardened head fetches and renders real Devin quotas.

Maintainer options:

  1. Finish the hardened provider (recommended)
    Restore the widget reference, approve the browser credential boundary, and attach inspectable redacted live proof from the final head before merge.
  2. Accept undocumented provider upkeep
    Maintainers may merge after proof while explicitly owning future breakage from Devin local-storage and private endpoint changes.
  3. Pause browser-session support
    Pause or close the PR if reading undocumented browser authentication material is outside the desired provider boundary.

Next step before merge

  • [P1] The decisive blockers are contributor-supplied live account proof and maintainer judgment on the browser credential boundary; automation cannot provide either, although the project-file cleanup itself is mechanical.

Security
Needs attention: The hardened branch avoids refresh tokens but still reads and transmits a browser bearer credential through an undocumented provider integration.

Review findings

  • [P3] Restore the normalized widget package reference — WidgetExtension/CodexBarWidgetExtension.xcodeproj/project.pbxproj:23

Review details

Best possible solution:

Keep the access-token-only, Chrome-only design, restore the normalized widget project reference, and merge only after maintainers accept the credential boundary and reviewers can inspect redacted live CLI or app proof from the final head.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR adds a new opt-in provider rather than reporting broken established behavior. Focused tests establish source behavior but do not replace proof from a real Devin account.

Is this the best way to solve the issue?

Mostly yes: the hardened access-token-only, Chrome-only path fits the existing browser-backed provider architecture, but unrelated widget metadata should be reverted and the credential boundary needs explicit maintainer approval.

Full review comments:

  • [P3] Restore the normalized widget package reference — WidgetExtension/CodexBarWidgetExtension.xcodeproj/project.pbxproj:23
    Revert this package display-name and UUID change to current main's CodexBar reference. Commit bd921a61 deliberately normalized this shared metadata, and the Devin integration only needs the widget source switches; carrying the reversal recreates unrelated Xcode project churn.
    Confidence: 0.98

Overall correctness: patch is correct
Overall confidence: 0.92

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 9015e94901c4.

Label changes

Label changes:

  • add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🧂 unranked krab and patch quality is 🐚 platinum hermit.
  • remove rating: 🧂 unranked krab: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.

Label justifications:

  • P2: This is a useful opt-in provider feature with bounded default-user impact but meaningful authentication review requirements.
  • merge-risk: 🚨 auth-provider: The provider imports and sends a live Devin bearer session token, so undocumented authentication changes can disable the integration.
  • merge-risk: 🚨 security-boundary: Automatic mode reads authentication material from browser local storage and therefore crosses a sensitive local credential boundary.
  • rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🧂 unranked krab and patch quality is 🐚 platinum hermit.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body describes successful real runs but supplies no inspectable screenshot, recording, terminal output, linked artifact, or redacted log from the final head; add proof with account, organization, endpoint, and token details redacted, then update the PR body to retrigger review or ask a maintainer to comment @clawsweeper re-review.

Evidence reviewed

Security concerns:

  • [medium] Approve browser bearer-token import boundary — Sources/CodexBarCore/Providers/Devin/DevinSessionImporter.swift:97
    The importer searches Devin-specific Chrome local-storage values for an access token sent to app.devin.ai; maintainers should explicitly accept this credential access and its future compatibility burden before merge.
    Confidence: 0.94

What I checked:

Likely related people:

  • steipete: Authored the current-head Devin hardening rewrite, has extensive recent history across browser-backed provider infrastructure, and authored the widget-reference normalization being reversed. (role: recent feature and provider-framework contributor; confidence: high; commits: 20bfc18e46a0, bd921a61e72b; files: Sources/CodexBarCore/Providers/Devin/DevinSessionImporter.swift, Sources/CodexBarCore/Providers/Devin/DevinUsageFetcher.swift, Tests/CodexBarTests/DevinUsageFetcherTests.swift)
  • Larry Hao: Introduced the recent Manus browser-session provider, an adjacent pattern for web-backed authentication and usage fetching. (role: adjacent provider introducer; confidence: medium; commits: eb867d6d7764; files: Sources/CodexBarCore/Providers/Manus)
  • serezha93: Introduced the shared provider HTTP transport seam used by the Devin fetcher and its injected transport tests. (role: shared transport contributor; confidence: medium; commits: f62bb8c8d564; files: Sources/CodexBarCore/Providers)

What the crustacean ranks mean

  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

coygeek force-pushed the feat/devin-provider-800 branch from 25ebbb4 to 94a4a3e on June 1, 2026 07:25

clawsweeper (Bot) added labels on Jun 1, 2026:

  • rating: 🧂 unranked krab: Not merge-ready due to missing proof or serious correctness/safety concerns.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask.
  • P2: Normal priority bug or improvement with limited blast radius.
  • merge-risk: 🚨 auth-provider: 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials.
  • merge-risk: 🚨 security-boundary: 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data.

Yuxin-Qiao (Contributor) commented

Heads up on the lint-build-test fail — the "1 violation, 1 serious" is a single line_length hit, not two issues:

Sources/CodexBarCore/Providers/Devin/DevinUsageSnapshot.swift:15:1
Line Length Violation: currently 123 chars, limit 120 (line_length)

(The arm64 build cancel is a runner shutdown, not code — that one is fine.)

Two small fixes that should clear CI and also resolve one of ClawSweeper's P2 findings:

  1. DevinUsageSnapshot.swift:15 — split the string:

    "No Devin organization was found. Open an app.devin.ai/org/... page " +
    "or set the organization in Devin settings."

  2. WidgetExtension/CodexBarWidgetExtension.xcodeproj/project.pbxproj (L23 + L45) — main normalized the package ref back to CodexBar in bd921a61, so reverting the two devin-codexbar entries keeps the shared project clean.

The auth/privacy review and live proof are still on your side of the table, of course. Happy to recheck CI after you push a fix.

coygeek and others added 2 commits June 11, 2026 07:53
Add a web-backed Devin provider with browser-session import, organization discovery, quota parsing, settings UI, widget/config registration, and regression coverage.

Refresh expired Auth0 browser access tokens before retrying quota fetches and present Devin as a web source instead of a missing CLI.

Closes: steipete#800
steipete force-pushed the feat/devin-provider-800 branch from 94a4a3e to 20bfc18 on June 11, 2026 07:57

clawsweeper (Bot) added the label rating: 🦪 silver shellfish (Thin PR readiness signal; proof, validation, or implementation needs work.) and removed the label rating: 🧂 unranked krab (Not merge-ready due to missing proof or serious correctness/safety concerns.) on Jun 11, 2026

steipete merged commit be4818c into steipete:main on Jun 11, 2026
4 checks passed

steipete (Owner) commented

Landed as be4818c68c1af34d6e56428d889f7754374c0f40.

Verification:

  • swift test --filter DevinUsageFetcherTests — 19 tests passed.
  • make check — SwiftFormat and SwiftLint passed.
  • Codex autoreview — no actionable findings.
  • Authenticated Chrome E2E — current Devin quota endpoint returned HTTP 200.
  • Bundled CLI E2E — Devin usage returned daily and weekly quota windows.
  • Packaged app + Peekaboo E2E — Devin menu rendered fresh daily/weekly usage without login or organization errors.
  • GitHub CI — macOS lint/test, Linux x64/arm64 build/test/smoke, and GitGuardian all passed.

Development

Successfully merging this pull request may close these issues.

Add Devin as an available AI assistant
