AI cleanup: strip the stranded plaintext key from settings.json and delete dead opt-out commands

Two follow-ups to the AI-search fixes, both around the pre-`ai.cloudProvider` schema refactor:

**Plaintext key no longer lingers in `settings.json`.** The old schema left three flat keys behind — `ai.openaiApiKey` (a PLAINTEXT key), `ai.openaiBaseUrl`, `ai.openaiModel`. Nothing reads them (the key lives in the OS secret store, model/baseUrl in `ai.cloudProviderConfigs`), and the registry-driven save loop only manages registered ids, so they sat in `settings.json` forever — a plaintext key in Time Machine and cloud backups, exactly what the secret-store move was meant to prevent. `ai-config.ts::migrateLegacyOpenAiKeys` now lifts a stranded `ai.openaiApiKey` into the secret store if that's its only copy (so a tester who never re-entered it doesn't lose it AND gets working AI back), then deletes all three on startup. Split `migrateApiKeysFromSettings` into two independent steps so the flat-key cleanup still runs when `ai.cloudProviderConfigs` is missing/malformed (it used to early-return there). New raw-store helpers `getRawStoreValue` / `deleteRawStoreKeys` reach the non-registry keys.

**Deleted dead opt-out machinery.** `opt_in_ai`, `is_ai_opted_out`, and the `AiState.opted_out` field had no readers after the onboarding revamp (`ai.provider` is the source of truth). Removed the commands, their IPC registration + specta collection, the TS wrappers, and the field. Kept `uninstall_ai` — it's still wired to the Uninstall button in `AiLocalSection.svelte`, so the old "orphan" doc note was wrong on that one.

Fixed the stale `lib/ai/CLAUDE.md` claim that `ai.openai*` are registry settings; regenerated bindings. knip didn't catch the dead wrappers because `tauri-commands/**` is in its ignore list (IPC boundary).

Author: vdavid

apps/desktop/src-tauri/src/ai/CLAUDE.md

@@ -32,7 +32,7 @@ Three provider modes:
 
 Core: `get_ai_status`, `get_ai_model_info`, `get_ai_runtime_status`, `configure_ai`, `start_ai_server`, `stop_ai_server`, `check_ai_connection`, `start_ai_download`, `cancel_ai_download`, `get_folder_suggestions`, `stream_folder_suggestions`, `cancel_folder_suggestions`. Note: `get_system_memory_info` moved to top-level `system_memory.rs`.
 API keys: `save_ai_api_key`, `get_ai_api_key`, `delete_ai_api_key`, `has_ai_api_key` (in `api_keys.rs`).
-Orphan (no frontend callers after the onboarding revamp; flagged for follow-up cleanup): `uninstall_ai`, `opt_in_ai`, `is_ai_opted_out`. The post-FDA AI offer toast is gone, so `dismiss_ai_offer` and `opt_out_ai` were deleted with it.
+Also: `uninstall_ai` (the Uninstall button in `AiLocalSection.svelte`). The dead opt-out machinery (`opt_in_ai`, `is_ai_opted_out`, `dismiss_ai_offer`, `opt_out_ai`, and the `AiState.opted_out` field) was removed with the onboarding revamp — `ai.provider` is the single source of truth for whether AI is on.
 
 ## Startup flow
 
@@ -83,7 +83,6 @@ The frontend (`AiSection.svelte`) tracks `installStep` state and displays "Step
 - Binary re-extraction is possible if model exists but binary is missing.
 - Download guard: `download_in_progress` flag prevents concurrent downloads.
 - Server logs written to `llama-server.log` in the AI dir for debugging.
-- `opted_out` field in `AiState` is legacy. `ai.provider` in frontend settings store is the source of truth.
 - OpenAI config (api_key, base_url, model) stored in `ManagerState` so suggestions.rs can read without settings files. The api_key originates from the OS secret store (`api_keys.rs`), pushed in via `configure_ai`.
 - `configure_ai` is idempotent -- frontend calls it on startup and whenever any AI setting changes.
 - `ModelInfo` includes `kv_bytes_per_token` and `base_overhead_bytes` for frontend memory estimation.

apps/desktop/src-tauri/src/ai/manager.rs

@@ -350,25 +350,6 @@ fn uninstall_ai_sync() {
     }
 }
 
-/// Re-enables AI features after opting out.
-#[tauri::command]
-#[specta::specta]
-pub fn opt_in_ai() {
-    let mut manager = MANAGER.lock_ignore_poison();
-    if let Some(ref mut m) = *manager {
-        m.state.opted_out = false;
-        save_state(&m.ai_dir, &m.state);
-    }
-}
-
-/// Returns whether the user has opted out of AI features.
-#[tauri::command]
-#[specta::specta]
-pub fn is_ai_opted_out() -> bool {
-    let manager = MANAGER.lock_ignore_poison();
-    manager.as_ref().is_some_and(|m| m.state.opted_out)
-}
-
 /// Model info returned to frontend.
 #[derive(Debug, Clone, serde::Serialize, specta::Type)]
 #[serde(rename_all = "camelCase")]
@@ -1195,7 +1176,6 @@ mod tests {
         assert_eq!(state.pid, None);
         assert_eq!(state.installed_model_id, "ministral-3b-instruct-q4km");
         assert_eq!(state.dismissed_until, None);
-        assert!(!state.opted_out);
     }
 
     #[test]
@@ -1206,7 +1186,6 @@ mod tests {
             pid: Some(12345),
             installed_model_id: String::from("ministral-3b-instruct-q4km"),
             dismissed_until: None,
-            opted_out: false,
             model_download_complete: true,
             partial_download_started: None,
         };
@@ -1219,18 +1198,6 @@ mod tests {
         assert!(parsed.model_download_complete);
     }
 
-    #[test]
-    fn test_state_with_opted_out() {
-        let state = AiState {
-            opted_out: true,
-            ..Default::default()
-        };
-
-        let json = serde_json::to_string(&state).unwrap();
-        let parsed: AiState = serde_json::from_str(&json).unwrap();
-        assert!(parsed.opted_out);
-    }
-
     #[test]
     fn test_get_ai_status_no_manager() {
         // When manager is not initialized, status is Unavailable

apps/desktop/src-tauri/src/ai/mod.rs

@@ -172,8 +172,6 @@ pub struct AiState {
     /// Unix timestamp (seconds).
     #[serde(default)]
     pub dismissed_until: Option<u64>,
-    #[serde(default)]
-    pub opted_out: bool,
     /// Verified by file size.
     #[serde(default)]
     pub model_download_complete: bool,
@@ -194,7 +192,6 @@ impl Default for AiState {
             pid: None,
             installed_model_id: default_model_id(),
             dismissed_until: None,
-            opted_out: false,
             model_download_complete: false,
             partial_download_started: None,
         }

apps/desktop/src-tauri/src/ipc.rs

@@ -516,8 +516,6 @@ pub fn builder() -> Builder<tauri::Wry> {
         crate::ai::manager::start_ai_download,
         crate::ai::manager::cancel_ai_download,
         crate::ai::manager::uninstall_ai,
-        crate::ai::manager::opt_in_ai,
-        crate::ai::manager::is_ai_opted_out,
         crate::ai::api_keys::save_ai_api_key,
         crate::ai::api_keys::get_ai_api_key,
         crate::ai::api_keys::delete_ai_api_key,

apps/desktop/src-tauri/src/ipc_collectors.rs

@@ -155,8 +155,6 @@ pub(crate) fn collect_cross_platform_types(types: &mut Types) -> Vec<Function> {
         crate::system_strings::get_localized_system_strings,
         crate::ai::manager::cancel_ai_download,
         crate::ai::manager::uninstall_ai,
-        crate::ai::manager::opt_in_ai,
-        crate::ai::manager::is_ai_opted_out,
         crate::ai::api_keys::save_ai_api_key,
         crate::ai::api_keys::get_ai_api_key,
         crate::ai::api_keys::delete_ai_api_key,

apps/desktop/src/lib/ai/CLAUDE.md

@@ -33,9 +33,11 @@ Intel Macs with an explanatory tooltip (controlled by `AiRuntimeStatus.localAiSu
 
 ### AI settings in registry
 
-Settings `ai.provider`, `ai.openaiApiKey`, `ai.openaiBaseUrl`, `ai.openaiModel`, `ai.localContextSize` are defined in
-`settings-registry.ts`. The main layout calls `configureAi(...)` after `initSettingsApplier()` to push config to
-backend.
+Settings `ai.provider`, `ai.cloudProvider`, `ai.cloudProviderConfigs`, `ai.localContextSize` are defined in
+`settings-registry.ts`. The main layout calls `configureAi(...)` after `initSettingsApplier()` to push config to backend
+(the API key is fetched separately from the OS secret store). The pre-refactor flat keys (`ai.openaiApiKey`,
+`ai.openaiBaseUrl`, `ai.openaiModel`) are gone from the registry; `ai-config.ts::migrateLegacyOpenAiKeys` lifts any
+stranded plaintext `ai.openaiApiKey` into the secret store and deletes all three on startup.
 
 ### The wizard owns AI consent
 

apps/desktop/src/lib/ipc/bindings.ts

@@ -1165,10 +1165,6 @@ export const commands = {
    *  Async because file deletion may block briefly.
    */
   uninstallAi: () => __TAURI_INVOKE<void>('uninstall_ai'),
-  // Re-enables AI features after opting out.
-  optInAi: () => __TAURI_INVOKE<void>('opt_in_ai'),
-  // Returns whether the user has opted out of AI features.
-  isAiOptedOut: () => __TAURI_INVOKE<boolean>('is_ai_opted_out'),
   saveAiApiKey: (providerId: string, apiKey: string) =>
     typedError<null, AiApiKeyError>(__TAURI_INVOKE('save_ai_api_key', { providerId, apiKey })),
   /**

apps/desktop/src/lib/settings/ai-config.test.ts

@@ -15,18 +15,23 @@ import { describe, it, expect, vi, beforeEach } from 'vitest'
 
 const saveAiApiKey = vi.fn<(id: string, key: string) => Promise<null>>(() => Promise.resolve(null))
 const getAiApiKey = vi.fn<(id: string) => Promise<string>>(() => Promise.resolve(''))
+const hasAiApiKey = vi.fn<(id: string) => Promise<boolean>>(() => Promise.resolve(false))
 const configureAi = vi.fn<
   (provider: string, contextSize: number, apiKey: string, baseUrl: string, model: string) => Promise<null>
 >(() => Promise.resolve(null))
 
 vi.mock('$lib/tauri-commands', () => ({
   saveAiApiKey: (id: string, key: string) => saveAiApiKey(id, key),
   getAiApiKey: (id: string) => getAiApiKey(id),
+  hasAiApiKey: (id: string) => hasAiApiKey(id),
   configureAi: (provider: string, contextSize: number, apiKey: string, baseUrl: string, model: string) =>
     configureAi(provider, contextSize, apiKey, baseUrl, model),
 }))
 
 const settingsMap: Record<string, string> = {}
+// Backs the raw-store helpers (`getRawStoreValue`/`deleteRawStoreKeys`) the legacy-key migration
+// uses for non-registry keys; in a real app these hit the Tauri store plugin.
+const rawStoreMap: Record<string, string> = {}
 vi.mock('$lib/settings', async (importOriginal) => {
   const actual = await importOriginal<Record<string, unknown>>()
   return {
@@ -35,6 +40,14 @@ vi.mock('$lib/settings', async (importOriginal) => {
     setSetting: (id: string, value: string) => {
       settingsMap[id] = value
     },
+    getRawStoreValue: (key: string) => Promise.resolve(rawStoreMap[key]),
+    deleteRawStoreKeys: (keys: readonly string[]) => {
+      for (const k of keys) {
+        // eslint-disable-next-line @typescript-eslint/no-dynamic-delete -- test fixture
+        delete rawStoreMap[k]
+      }
+      return Promise.resolve()
+    },
   }
 })
 
@@ -71,10 +84,16 @@ function resetState(): void {
     // eslint-disable-next-line @typescript-eslint/no-dynamic-delete -- test fixture reset
     delete settingsMap[k]
   }
+  for (const k of Object.keys(rawStoreMap)) {
+    // eslint-disable-next-line @typescript-eslint/no-dynamic-delete -- test fixture reset
+    delete rawStoreMap[k]
+  }
   saveAiApiKey.mockReset()
   saveAiApiKey.mockResolvedValue(null)
   getAiApiKey.mockReset()
   getAiApiKey.mockResolvedValue('')
+  hasAiApiKey.mockReset()
+  hasAiApiKey.mockResolvedValue(false)
   configureAi.mockReset()
   configureAi.mockResolvedValue(null)
   addToast.mockReset()
@@ -180,6 +199,40 @@ describe('migrateApiKeysFromSettings', () => {
     await migrateApiKeysFromSettings()
     expect(saveAiApiKey).not.toHaveBeenCalled()
   })
+
+  it('lifts a stranded legacy ai.openaiApiKey into the secret store, then drops the flat keys', async () => {
+    rawStoreMap['ai.openaiApiKey'] = 'sk-legacy-123'
+    rawStoreMap['ai.openaiBaseUrl'] = 'https://api.openai.com/v1'
+    rawStoreMap['ai.openaiModel'] = 'gpt-4o-mini'
+    hasAiApiKey.mockResolvedValue(false) // not yet in the secret store
+
+    await migrateApiKeysFromSettings()
+
+    expect(saveAiApiKey).toHaveBeenCalledWith('openai', 'sk-legacy-123')
+    expect(rawStoreMap['ai.openaiApiKey']).toBeUndefined()
+    expect(rawStoreMap['ai.openaiBaseUrl']).toBeUndefined()
+    expect(rawStoreMap['ai.openaiModel']).toBeUndefined()
+  })
+
+  it('drops the flat keys without re-saving when the secret store already has the key', async () => {
+    rawStoreMap['ai.openaiApiKey'] = 'sk-legacy-123'
+    hasAiApiKey.mockResolvedValue(true) // already migrated
+
+    await migrateApiKeysFromSettings()
+
+    expect(saveAiApiKey).not.toHaveBeenCalled()
+    expect(rawStoreMap['ai.openaiApiKey']).toBeUndefined()
+  })
+
+  it('keeps the legacy key if the secret-store save fails (never loses the only copy)', async () => {
+    rawStoreMap['ai.openaiApiKey'] = 'sk-legacy-123'
+    hasAiApiKey.mockResolvedValue(false)
+    saveAiApiKey.mockRejectedValueOnce(new Error('keychain locked'))
+
+    await migrateApiKeysFromSettings()
+
+    expect(rawStoreMap['ai.openaiApiKey']).toBe('sk-legacy-123')
+  })
 })
 
 describe('pushConfigToBackend', () => {

apps/desktop/src/lib/settings/ai-config.ts

@@ -23,8 +23,8 @@
  * settings UI all reach for. `sections/` is reserved for UI subcomponents.
  */
 
-import { getSetting, setSetting, resolveCloudConfig } from '$lib/settings'
-import { configureAi, getAiApiKey, saveAiApiKey } from '$lib/tauri-commands'
+import { getSetting, setSetting, resolveCloudConfig, getRawStoreValue, deleteRawStoreKeys } from '$lib/settings'
+import { configureAi, getAiApiKey, saveAiApiKey, hasAiApiKey } from '$lib/tauri-commands'
 import { getAppLogger } from '$lib/logging/logger'
 import { addToast } from '$lib/ui/toast'
 import { describeSecretError } from './sections/ai-secret-error'
@@ -36,8 +36,9 @@ const secretErrorToastId = 'ai-secret-store-error'
 
 /**
  * One-time migration: move `apiKey` fields out of `ai.cloudProviderConfigs` (settings.json) into
- * the OS secret store. Runs idempotently at startup; once the JSON blob no longer contains any
- * `apiKey` field, this is a near-zero-cost no-op.
+ * the OS secret store, then (via `migrateLegacyOpenAiKeys`) lift + drop the even older flat
+ * `ai.openaiApiKey` / `ai.openaiBaseUrl` / `ai.openaiModel` keys. Runs idempotently at startup;
+ * once the JSON blob and the flat keys are gone, this is a near-zero-cost no-op.
  *
  * Per-provider semantics: if saving to the secret store fails for one provider, that provider's
  * `apiKey` stays in settings.json so the user can retry later. Other providers still migrate.
@@ -47,6 +48,14 @@ const secretErrorToastId = 'ai-secret-store-error'
  * step temporarily handles plaintext keys).
  */
 export async function migrateApiKeysFromSettings(): Promise<void> {
+  // Two independent steps. The flat-key cleanup runs even when the cloud-config blob is
+  // missing or malformed (a returning user might have ONLY the pre-refactor flat keys).
+  await migrateCloudProviderConfigKeys()
+  await migrateLegacyOpenAiKeys()
+}
+
+/** Lifts `apiKey` fields out of the `ai.cloudProviderConfigs` JSON blob into the secret store. */
+async function migrateCloudProviderConfigKeys(): Promise<void> {
   const raw = getSetting('ai.cloudProviderConfigs')
   let parsed: Record<string, Record<string, unknown> | undefined>
   try {
@@ -85,6 +94,37 @@ export async function migrateApiKeysFromSettings(): Promise<void> {
   }
 }
 
+/**
+ * The pre-`ai.cloudProvider` schema stored OpenAI config as three flat keys:
+ * `ai.openaiApiKey` (a PLAINTEXT key), `ai.openaiBaseUrl`, `ai.openaiModel`. The current code
+ * reads none of them (the key lives in the OS secret store; model/baseUrl in
+ * `ai.cloudProviderConfigs`), and the registry-driven save loop only manages registered ids, so
+ * they'd otherwise linger in `settings.json` forever — a plaintext key sitting in Time Machine
+ * and cloud backups, exactly what the secret-store move was meant to prevent.
+ *
+ * This lifts the flat key into the secret store under `openai` IF that's its only copy (so a
+ * tester who set it pre-refactor and never re-entered it doesn't lose it AND gets working AI
+ * back), then drops all three dead keys. Idempotent: once the keys are gone it's a no-op.
+ */
+const LEGACY_OPENAI_KEYS = ['ai.openaiApiKey', 'ai.openaiBaseUrl', 'ai.openaiModel'] as const
+
+async function migrateLegacyOpenAiKeys(): Promise<void> {
+  const legacyKey = (await getRawStoreValue<string>('ai.openaiApiKey')) ?? ''
+  if (legacyKey.length > 0 && !(await hasAiApiKey('openai'))) {
+    try {
+      await saveAiApiKey('openai', legacyKey)
+      logger.info('Lifted a legacy flat OpenAI API key into the secret store')
+    } catch (e) {
+      // Don't delete the only copy if we couldn't preserve it; retry next launch.
+      logger.warn("Couldn't move the legacy OpenAI key to the secret store; leaving settings.json untouched: {error}", {
+        error: e,
+      })
+      return
+    }
+  }
+  await deleteRawStoreKeys(LEGACY_OPENAI_KEYS)
+}
+
 /**
  * Push current AI config (provider, context size, cloud credentials) to the Rust backend. The API
  * key is fetched from the OS secret store; the rest comes from `settings.json`. Surfaces secret

apps/desktop/src/lib/settings/index.ts

@@ -48,7 +48,9 @@ export type { SettingsSection } from './settings-registry'
 
 // Store
 export {
+  deleteRawStoreKeys,
   forceSave,
+  getRawStoreValue,
   getSetting,
   initializeSettings,
   isModified,