
Add Devin usage provider#1264

Open
coygeek wants to merge 1 commit into steipete:main from coygeek:feat/devin-provider-800

Conversation

@coygeek
Contributor

@coygeek coygeek commented Jun 1, 2026

Summary

  • add Devin as a web-backed usage provider with icon, settings, provider registration, and widget/config integration
  • import app.devin.ai browser sessions, infer org slug/internal org IDs from current Devin local-storage shapes, and refresh expired Auth0 access tokens
  • parse daily/weekly quota usage and show Devin as a web source instead of a missing CLI

Fixes #800

Verification

  • swift test --filter DevinUsageFetcherTests
  • swift test --filter ProviderSettingsDescriptorTests
  • make check
  • CODEXBAR_SIGNING=adhoc ./Scripts/package_app.sh
  • relaunched the freshly packaged CodexBar.app; logs showed expired token refresh followed by successful quota fetch
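The session-import and refresh-before-fetch flow the summary outlines, as an added example in Python that is not CodexBar's Swift code: it reads an Auth0-style entry out of a browser local-storage dump, decides from the JWT `exp` claim whether the access token is stale, and refreshes at most once around the quota fetch. The local-storage key prefix and record shape, the token contents, the quota payload and both transports are constructed assumptions, not Devin's real formats.

```python
"""Added example, not CodexBar's code: import an Auth0-style session from a
browser local-storage dump, decide from the JWT `exp` claim whether the access
token is stale, and run a refresh-at-most-once quota fetch. The storage key,
the token contents and both transports are constructed assumptions."""
import base64
import json
from typing import Callable, Optional, Tuple

# Assumed key prefix of the Auth0 SPA SDK cache; whether app.devin.ai stores
# its session under this shape is not established by the PR text.
AUTH0_CACHE_PREFIX = "@@auth0spajs@@::"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_expiry(token: str) -> Optional[int]:
    """Return the `exp` claim, or None if the token is malformed.
    The signature is deliberately not verified: an importer holds no key for
    it, and the only decision here is 'refresh before calling the API?'.
    The claims stay untrusted and must never drive authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, int) else None


def needs_refresh(access_token: str, now: int, skew: int = 60) -> bool:
    """True if the token is expired, expires within `skew` seconds, or cannot
    be parsed (fail closed: refresh rather than send an odd token anywhere)."""
    exp = jwt_expiry(access_token)
    return exp is None or exp - skew <= now


def import_session(local_storage: dict) -> Optional[dict]:
    """Pick the first Auth0 cache entry holding both tokens from a dump of
    key -> JSON string pairs, as a browser profile would hand them over."""
    for key, raw in local_storage.items():
        if not key.startswith(AUTH0_CACHE_PREFIX):
            continue
        try:
            body = json.loads(raw).get("body", {})
        except (ValueError, AttributeError):
            continue
        if body.get("access_token") and body.get("refresh_token"):
            return {"access_token": body["access_token"],
                    "refresh_token": body["refresh_token"]}
    return None


def fetch_quota_with_refresh(session: dict, now: int,
                             fetch: Callable[[str], Tuple[int, dict]],
                             refresh: Callable[[str], str]) -> Tuple[dict, bool]:
    """Refresh proactively on a stale token and reactively once on a 401, never
    in a loop, so a revoked session cannot hammer the token endpoint.
    Returns (quota body, whether a refresh happened)."""
    refreshed = False
    token = session["access_token"]
    if needs_refresh(token, now):
        token = session["access_token"] = refresh(session["refresh_token"])
        refreshed = True
    status, body = fetch(token)
    if status == 401 and not refreshed:
        token = session["access_token"] = refresh(session["refresh_token"])
        refreshed = True
        status, body = fetch(token)
    if status != 200:
        raise RuntimeError(f"quota fetch failed with HTTP {status}")
    return body, refreshed


def make_unsigned_jwt(claims: dict) -> str:
    # Constructed test token with an empty signature segment. Real Auth0 tokens
    # are signed; this only exists to exercise the exp parsing above.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def demo(now: int = 1_780_000_000) -> Tuple[dict, bool]:
    """Constructed scenario: the stored token expired an hour ago, so the flow
    must refresh before the quota fetch can succeed."""
    stale = make_unsigned_jwt({"sub": "auth0|user", "exp": now - 3600})
    fresh = make_unsigned_jwt({"sub": "auth0|user", "exp": now + 3600})
    storage = {
        "theme": "dark",  # unrelated key, must be skipped
        AUTH0_CACHE_PREFIX + "clientid::https://api.example/::openid offline_access":
            json.dumps({"body": {"access_token": stale, "refresh_token": "rt-constructed"}}),
    }
    session = import_session(storage)

    def fake_fetch(token: str) -> Tuple[int, dict]:
        if token == fresh:
            return 200, {"daily_used": 12, "daily_limit": 50, "weekly_used": 40, "weekly_limit": 200}
        return 401, {"error": "token expired"}

    def fake_refresh(refresh_token: str) -> str:
        assert refresh_token == "rt-constructed"
        return fresh

    return fetch_quota_with_refresh(session, now, fake_fetch, fake_refresh)
```

Two design choices matter for a reviewer of this kind of importer: the `exp` claim is parsed without verifying the signature, which is acceptable only because the result drives a refresh decision and nothing else; and the refresh is bounded to one attempt per fetch, so a revoked or replayed refresh token produces one failed call rather than a retry storm against the identity provider.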

@clawsweeper

clawsweeper Bot commented Jun 1, 2026

Codex review: needs real behavior proof before merge. Reviewed June 1, 2026, 3:32 AM ET / 07:32 UTC.

Summary
Adds a web-backed Devin usage provider with settings, browser local-storage/Auth0 token import, quota parsing, provider/widget/config registration, and tests.

Reproducibility: not applicable. This PR adds a new provider capability rather than reporting a broken existing behavior. I did source and diff review, and avoided live browser/provider probes because the repository policy requires explicit request for validation that can touch real accounts or prompts.

Review metrics: 3 noteworthy metrics.

  • Changed surface: 21 files, +1850/-8. This is a broad provider addition spanning core fetch/auth code, app settings, widgets, config validation, resources, and tests.
  • Auth surface: 1 local-storage importer and 1 Auth0 refresh path added. The new provider handles browser session tokens and refresh tokens, which needs maintainer-visible privacy review.
  • Widget project metadata: 1 Xcode project reference changed. The PR changes project metadata that current main recently normalized, independent of Devin provider behavior.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🦐 gold shrimp
Result: blocked until real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P1] Add redacted live proof of an expired-token refresh and successful Devin quota fetch; update the PR body so ClawSweeper can re-review automatically, or ask a maintainer to comment @clawsweeper re-review if it does not trigger.
  • Remove the devin-codexbar Xcode project package-reference churn and preserve current main's CodexBar reference.
  • [P1] Get maintainer sign-off on the browser local-storage/Auth0 refresh-token approach before merge.

Proof guidance:

  • [P1] Needs real behavior proof before merge: The PR body lists commands and describes successful logs, but it does not include inspectable redacted logs, terminal output, screenshots, recordings, or linked artifacts showing a live Devin quota fetch after the change. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

  • [P1] The provider reads browser local storage for access/refresh tokens and refreshes Auth0 access tokens, so auth/privacy behavior needs explicit maintainer approval beyond unit tests.
  • [P1] The PR body lists commands and says logs showed a successful quota fetch, but it does not include redacted terminal output, logs, screenshots, or another inspectable live proof artifact.
  • [P1] The widget project change reintroduces a contributor-local package name, which can make the Xcode project drift from current main's normalized reference.

Maintainer options:

  1. Gate on Devin auth proof and cleanup (recommended)
    Require redacted live quota-fetch evidence, remove the widget project package-name churn, and get maintainer approval for the browser-token import path before merge.
  2. Approve the auth model explicitly
    A maintainer can accept the browser local-storage and Auth0 refresh-token approach as an intentional provider-auth design after reviewing the privacy implications.
  3. Pause if auth scope is too broad
    If maintainers do not want core to own this browser-token integration yet, pause this PR and keep the linked feature request open for a narrower design.

Next step before merge

  • [P1] Needs contributor-supplied real Devin proof and maintainer auth/privacy sign-off; automation cannot provide the contributor's live account evidence.

Security
Needs attention: The diff intentionally adds sensitive browser-token import and refresh-token handling, so it needs maintainer auth/privacy review before merge.

Review findings

  • [P2] Preserve the normalized widget package reference — WidgetExtension/CodexBarWidgetExtension.xcodeproj/project.pbxproj:23
Review details

Best possible solution:

Land a narrow Devin provider after auth/privacy sign-off, preserving the normalized widget project reference and adding redacted live Devin quota-fetch proof to the PR.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR adds a new provider capability rather than reporting a broken existing behavior. I did source and diff review, and avoided live browser/provider probes because the repository policy requires explicit request for validation that can touch real accounts or prompts.

Is this the best way to solve the issue?

Unclear: adding Devin fits the provider direction, but this branch is not yet the best merge path until auth/privacy sign-off, inspectable real behavior proof, and the widget project metadata cleanup are handled.

Full review comments:

  • [P2] Preserve the normalized widget package reference — WidgetExtension/CodexBarWidgetExtension.xcodeproj/project.pbxproj:23
    This hunk reintroduces a checkout-specific package name (devin-codexbar) into the widget Xcode project. Current main recently normalized this reference back to CodexBar, and the Devin provider does not need a project metadata rename, so merging this would make the shared project carry contributor-local branch state.
    Confidence: 0.91

Overall correctness: patch is incorrect
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4756ba06bf42.

Label changes

Label changes:

  • add P2: This is a normal-priority provider feature with limited blast radius but nontrivial auth/privacy review needs.
  • add merge-risk: 🚨 auth-provider: Merging adds new provider credential discovery, bearer-token settings, and Auth0 refresh behavior for Devin.
  • add merge-risk: 🚨 security-boundary: Merging makes core read browser local storage for sensitive Devin session material and handle refresh tokens.
  • add rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🦐 gold shrimp.
  • add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body lists commands and describes successful logs, but it does not include inspectable redacted logs, terminal output, screenshots, recordings, or linked artifacts showing a live Devin quota fetch after the change. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

Security concerns:

  • [medium] Review browser-token import and refresh flow — Sources/CodexBarCore/Providers/Devin/DevinUsageFetcher.swift:273
    The provider reads Auth0 session material from app.devin.ai browser local storage and later posts refresh-token data through the imported refresh session. That may be acceptable for this provider, but maintainers should explicitly approve the boundary and require redacted proof/logging before it lands.
    Confidence: 0.74

What I checked:

Likely related people:

  • Peter Steinberger: Recent history shows Peter touched the provider registry/settings snapshot architecture, Deepgram provider registration, and the widget package-reference normalization that this PR would partly undo. (role: recent provider/platform area contributor; confidence: high; commits: 4c9e6a87009b, 9a369ad8e0f1, bd921a61e72b; files: Sources/CodexBarCore/Providers/ProviderDescriptor.swift, Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift, Sources/CodexBarCore/Providers/ProviderSettingsSnapshot.swift)
  • Coooolfan: Coooolfan introduced the Windsurf provider, including the existing WindsurfDevinSessionImporter local-storage pattern that is closest to the new Devin session importer. (role: introduced adjacent Devin-session importer pattern; confidence: medium; commits: 3c0f07223e8e; files: Sources/CodexBarCore/Providers/Windsurf/WindsurfDevinSessionImporter.swift, Sources/CodexBarCore/Providers/Windsurf/WindsurfProviderDescriptor.swift)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
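The review repeatedly asks for redacted logs showing the expired-token refresh and the following quota fetch. One way to produce such a proof artifact, as an added example in Python that is neither CodexBar's nor ClawSweeper's code: each JWT, bearer token or OAuth secret is replaced by a short non-reversible fingerprint, so a reviewer can still see that the token changed across the refresh without either token being disclosed, and a final check confirms the known secrets no longer appear verbatim. The regexes, the log line format and the tokens are constructed; CodexBar's real log format is not shown here.

```python
"""Added example, not ClawSweeper's or CodexBar's code: scrub session material
out of log lines before they are pasted into a PR as merge proof, replacing
each secret with a non-reversible fingerprint so the reviewer can still see
that the token changed across the refresh. The patterns and the sample log
lines are constructed; CodexBar's real log format is not shown here."""
import hashlib
import re
from typing import Iterable, List

# A JWT is three base64url segments; the header and payload are JSON objects,
# so both start with 'eyJ' (base64 of '{"'). The signature may be empty.
_JWT = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
# Authorization header carrying an opaque (non-JWT) bearer token.
_BEARER = re.compile(r"(?i)\b(bearer\s+)([A-Za-z0-9._~+/=-]+)")
# key=value or "key": "value" forms of the usual OAuth secret names. The value
# class excludes '<' so an already-inserted placeholder is never re-redacted.
_KV = re.compile(r'(?i)\b((?:refresh|access|id)_token|client_secret)'
                 r'(["\']?\s*[:=]\s*["\']?)([^"\'\s,}&<]+)')


def fingerprint(secret: str) -> str:
    # Short SHA-256 prefix: same secret -> same tag, and the tag is useless for
    # replay. It exists to correlate "token A expired" with "token B fetched OK".
    return hashlib.sha256(secret.encode()).hexdigest()[:8]


def redact_line(line: str) -> str:
    """Replace every secret-looking substring with a <kind:fingerprint> tag."""
    line = _JWT.sub(lambda m: f"<jwt:{fingerprint(m.group(0))}>", line)
    line = _BEARER.sub(lambda m: m.group(1) + f"<token:{fingerprint(m.group(2))}>", line)
    line = _KV.sub(lambda m: m.group(1) + m.group(2)
                   + f"<{m.group(1).lower()}:{fingerprint(m.group(3))}>", line)
    return line


def redact_log(lines: Iterable[str]) -> List[str]:
    return [redact_line(line) for line in lines]


def leaked_lines(lines: Iterable[str], known_secrets: Iterable[str]) -> List[int]:
    """Indices of lines that still contain any known secret verbatim. Run this
    over the redacted output with the real tokens before posting it; an empty
    list is the check, not a guarantee that the patterns caught every shape."""
    secrets = [s for s in known_secrets if s]
    return [i for i, line in enumerate(lines) if any(s in line for s in secrets)]


# Constructed log lines in an assumed format; the tokens are fake.
OLD_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE3Nzk5OTk5OTl9.old-sig"
NEW_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE3ODAwMDM2MDB9.new-sig"
REFRESH = "rt_8f3k2j1constructed"
SAMPLE_LOG = [
    "07:24:58 devin: imported session from app.devin.ai local storage",
    f'07:24:58 devin: access_token="{OLD_JWT}" expired, refreshing',
    f"07:24:59 devin: POST /oauth/token refresh_token={REFRESH} -> 200",
    f"07:24:59 devin: GET /quota Authorization: Bearer {NEW_JWT} -> 200",
    "07:24:59 devin: quota daily 12/50 weekly 40/200",
]


def demo() -> List[str]:
    """Redact the constructed log and refuse to return it if a secret survived."""
    out = redact_log(SAMPLE_LOG)
    assert leaked_lines(out, [OLD_JWT, NEW_JWT, REFRESH]) == []
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

The fingerprint is the part worth keeping when adapting this: a plain `<redacted>` would make the before- and after-refresh lines indistinguishable, while a short hash prefix lets the reviewer confirm two different tokens were in play without learning either. The `leaked_lines` pass with the real values is the step that turns "I redacted it" into something the maintainer can trust.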

Add a web-backed Devin provider with browser-session import, organization discovery, quota parsing, settings UI, widget/config registration, and regression coverage.

Refresh expired Auth0 browser access tokens before retrying quota fetches and present Devin as a web source instead of a missing CLI.

Closes: steipete#800
@coygeek coygeek force-pushed the feat/devin-provider-800 branch from 25ebbb4 to 94a4a3e on June 1, 2026 07:25
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. labels Jun 1, 2026

Development

Successfully merging this pull request may close these issues.

Add Devin as an available AI assistant