fix(web): show env keys checkbox in add project dialog

[lraphael]

Problem

When adding a project that contains sensitive keys in .env (e.g. ANTHROPIC_API_KEY), the add fails with a 422 error. The "Allow env keys" checkbox was supposed to appear in the error message after the failed attempt, but it was not visible — leaving users with no way to opt in through the UI. The only workaround was setting allow_target_repo_keys: true in ~/.archon/config.yaml.

Summary

• Add the "Allow env keys (I understand the risk)" checkbox directly into the add project form so it is always visible
• Remove the broken error-state checkbox and unused isEnvLeakError helper
• Reset checkbox state when cancelling the add form

Test plan

• Open Settings → Projects → + Add Project
• Verify "Allow env keys (I understand the risk)" checkbox is visible below the path input
• Add a repo with sensitive .env keys without checking → should fail with error
• Check the checkbox, click Add again → should succeed
• Cancel and reopen → checkbox should be unchecked

[coderabbitai]

📝 Walkthrough

Walkthrough

The "Add Project" UI in SettingsPage is refactored: the inline single-row form is replaced with a stacked container that always includes an "Allow env keys (I understand the risk)" checkbox controlled by allowEnvKeys. The Cancel action now clears allowEnvKeys in addition to closing the form and clearing addPath.

Changes

Cohort / File(s)	Summary
Add Project Form Enhancement packages/web/src/routes/SettingsPage.tsx	Reworked "Add Project" from inline to stacked layout. Removed local isEnvLeakError helper and its conditional rendering. Added persistent consent checkbox (allowEnvKeys) under the form, made checkbox controlled, and updated Cancel handler to reset allowEnvKeys and addPath.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped by the form with a curious blink,
A checkbox now sits where the fields used to link.
"Allow env keys?" — I nod with a thump,
Stack it up tidy; then I jump! ✨

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The PR description clearly explains the problem and test plan but is missing several required template sections including UX Journey, Architecture Diagram, Label Snapshot, Change Metadata, Validation Evidence, Security Impact, Compatibility, Human Verification, Side Effects, and Rollback Plan.	Add the missing required sections from the template to provide comprehensive documentation: include UX Journey diagrams, Architecture changes, Label Snapshot metadata, validation evidence with command results, security impact assessment, compatibility notes, human verification details, side effects analysis, and rollback procedures.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and concisely describes the main change: moving the env keys checkbox into the add project dialog.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/web/src/routes/SettingsPage.tsx`:
- Around line 423-433: The checkbox for toggling env keys (bound to allowEnvKeys
and setAllowEnvKeys) was added inline in the form but the old conditional
error-state checkbox that also renders on env-leak errors remained, causing
duplicate controls; remove the duplicated JSX error-state checkbox block that
renders when an env-leak/error condition is present (the conditional label/input
that also uses allowEnvKeys/onChange) so only the new in-form checkbox remains,
and ensure nothing else conditionally renders another control bound to
allowEnvKeys.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 86a073b3-29dd-4d92-85ad-80923300f41f

📥 Commits

Reviewing files that changed from the base of the PR and between 536584d and 8b37539.

📒 Files selected for processing (1)

• packages/web/src/routes/SettingsPage.tsx

[Wirasm]

Closing — the env-keys consent checkbox and the entire consent UI were removed in #1169 (merged into dev). Repos now register without scanning or consent. The allowEnvKeys field no longer exists in the API schema. Thanks for identifying the original UX gap — the root fix turned out to be removing the gate entirely rather than improving its UI.