Configuration-gated integrations
Settings
Model Providers (BYO)
Selected provider: openrouter. Only Codex edits the repo directly; OpenRouter, OpenAI-compatible, and Ollama return strict JSON plans that RiskRadar applies itself. The Required env column shows variable names only, never secret values.

| Provider | Status | Applies via | Model edits repo | Required env |
|---|---|---|---|---|
| Codex CLI (workspace editor) | unavailable | codex-workspace-edit | yes | CODEX_BIN, CODEX_ENABLED |
| OpenRouter (plan advisor) ★ | configured | riskradar-applies-plan | no | RISKRADAR_LLM_API_KEY, RISKRADAR_AGENT_MODEL |
| OpenAI-compatible (plan advisor) | configured | riskradar-applies-plan | no | RISKRADAR_LLM_BASE_URL, RISKRADAR_LLM_API_KEY, RISKRADAR_AGENT_MODEL |
| Anthropic Claude (plan advisor) | configured | riskradar-applies-plan | no | RISKRADAR_ANTHROPIC_API_KEY, RISKRADAR_AGENT_MODEL |
| Grok / xAI (plan advisor) | configured | riskradar-applies-plan | no | RISKRADAR_GROK_API_KEY, RISKRADAR_AGENT_MODEL |
| Ollama / local (plan advisor) | configured | riskradar-applies-plan | no | RISKRADAR_LLM_BASE_URL, RISKRADAR_AGENT_MODEL |
| Deterministic npm fixer | configured | riskradar-deterministic | no | · |

| Integration | Status | Message | Required env |
|---|---|---|---|
| Local database | available | Using file-backed local persistence at /tmp/riskradar-demo.db.json | · |
| GitHub | configured | GitHub API calls are enabled. | GITHUB_TOKEN |
| OSV API | configured | Using https://api.osv.dev/v1/querybatch for fallback scans. | · |
| OSV-Scanner CLI | unavailable | Install osv-scanner for lockfile-accurate recursive scans. | · |
| EPSS | configured | Using https://api.first.org/data/v1/epss when CVEs exist. | · |
| CISA KEV | configured | Using https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json for active exploitation enrichment. | · |
| Codex CLI | unavailable | Install/authenticate Codex CLI or set CODEX_BIN. | · |
| OpenAI SDK | configured | OpenAI SDK Responses API adapter is enabled. | OPENAI_API_KEY |
| Vercel AI SDK | configured | AI Gateway adapter is enabled. | AI_GATEWAY_API_KEY, VERCEL_OIDC_TOKEN |
| Telegram | not_configured | Set TELEGRAM_BOT_TOKEN, TELEGRAM_ALLOWED_CHAT_IDS, and APPROVAL_HMAC_SECRET. | TELEGRAM_BOT_TOKEN, TELEGRAM_ALLOWED_CHAT_IDS, APPROVAL_HMAC_SECRET |
| Vercel | not_configured | Set VERCEL_TOKEN for real deployment API lookups; local .vercel mapping still works. | VERCEL_TOKEN |
| OpenClaw | not_configured | OpenClaw is optional. Enable with OPENCLAW_ENABLED=true and install the OpenClaw CLI. | · |
| SBOM | unavailable | Install Syft or set SYFT_BIN for real SBOM generation. | · |
| Local roots | not_configured | Set RISKRADAR_LOCAL_ROOTS before adding local folders. | · |

Agent Adapters

| Adapter | Status | Workspace edits | Message |
|---|---|---|---|
| Codex CLI | configured | yes | Uses authenticated Codex CLI/subscription flow where available; only adapter allowed to edit workspaces directly. |
| OpenAI SDK | configured | plan only | Uses official OpenAI SDK Responses API for remediation plans. |
| Vercel AI SDK / AI Gateway | configured | plan only | Uses AI SDK provider/model strings through Vercel AI Gateway. |
| Deterministic npm fixer | configured | yes | Updates direct npm dependencies to known fixed versions and validates in a disposable workspace. |
| Manual remediation | configured | plan only | Always available; creates a human-readable remediation plan only. |