feat(ui): display proxy API key and improve onboarding/security warnings

Improve startup and launcher TUI onboarding and security messaging:

- Refine initial-setup wording to clarify .env and provider credential responsibilities.
- Add an explicit security warning when a .env exists but PROXY_API_KEY is not set.
- Surface the actual PROXY_API_KEY value in the launcher and startup logs (or show "Not Set (INSECURE!)" when missing).
- Simplify onboarding detection to only trigger on a missing .env file (PROXY_API_KEY no longer forces onboarding).

src/proxy_app/launcher_tui.py

@@ -239,30 +239,45 @@ class LauncherTUI:
         ))
         self.console.print("[dim]GitHub: [blue underline]https://github.com/Mirrowel/LLM-API-Key-Proxy[/blue underline][/dim]")
         
-        # Show warning if needed
+        # Show warning if .env file doesn't exist
         if show_warning:
             self.console.print()
             self.console.print(Panel(
                 Text.from_markup(
-                    "⚠️  [bold yellow]CONFIGURATION REQUIRED[/bold yellow]\n\n"
-                    "The proxy cannot start because:\n"
-                    "  ❌ No .env file found (or)\n"
-                    "  ❌ PROXY_API_KEY is not set in .env\n\n"
+                    "⚠️  [bold yellow]INITIAL SETUP REQUIRED[/bold yellow]\n\n"
+                    "The proxy needs initial configuration:\n"
+                    "  ❌ No .env file found\n\n"
                     "Why this matters:\n"
-                    "  • The .env file stores your proxy's authentication key\n"
-                    "  • The PROXY_API_KEY protects your proxy from unauthorized access\n"
-                    "  • Without it, the proxy cannot securely start\n\n"
+                    "  • The .env file stores your credentials and settings\n"
+                    "  • PROXY_API_KEY protects your proxy from unauthorized access\n"
+                    "  • Provider API keys enable LLM access\n\n"
                     "What to do:\n"
                     "  1. Select option \"3. Manage Credentials\" to launch the credential tool\n"
                     "  2. The tool will create .env and set up PROXY_API_KEY automatically\n"
-                    "  3. You can also add LLM provider credentials while you're there\n\n"
-                    "⚠️  Important: While provider credentials are optional for startup,\n"
-                    "   the proxy won't do anything useful without them. See README.md\n"
-                    "   for supported providers and setup instructions."
+                    "  3. You can add provider credentials (API keys or OAuth)\n\n"
+                    "⚠️  Note: The credential tool adds PROXY_API_KEY by default.\n"
+                    "   You can remove it later if you want an unsecured proxy."
                 ),
                 border_style="yellow",
                 expand=False
             ))
+        # Show security warning if PROXY_API_KEY is missing (but .env exists)
+        elif not os.getenv("PROXY_API_KEY"):
+            self.console.print()
+            self.console.print(Panel(
+                Text.from_markup(
+                    "⚠️  [bold red]SECURITY WARNING: PROXY_API_KEY Not Set[/bold red]\n\n"
+                    "Your proxy is currently UNSECURED!\n"
+                    "Anyone can access it without authentication.\n\n"
+                    "This is a serious security risk if your proxy is accessible\n"
+                    "from the internet or untrusted networks.\n\n"
+                    "👉 [bold]Recommended:[/bold] Set PROXY_API_KEY in .env file\n"
+                    "   Use option \"2. Configure Proxy Settings\" → \"3. Set Proxy API Key\"\n"
+                    "   or option \"3. Manage Credentials\""
+                ),
+                border_style="red",
+                expand=False
+            ))
         
         # Show config
         self.console.print()
@@ -271,7 +286,13 @@ class LauncherTUI:
         self.console.print(f"   Host:                {self.config.config['host']}")
         self.console.print(f"   Port:                {self.config.config['port']}")
         self.console.print(f"   Request Logging:     {'✅ Enabled' if self.config.config['enable_request_logging'] else '❌ Disabled'}")
-        self.console.print(f"   Proxy API Key:       {'✅ Set' if os.getenv('PROXY_API_KEY') else '❌ Not Set'}")
+        
+        # Show actual API key value
+        proxy_key = os.getenv('PROXY_API_KEY')
+        if proxy_key:
+            self.console.print(f"   Proxy API Key:       {proxy_key}")
+        else:
+            self.console.print("   Proxy API Key:       [red]Not Set (INSECURE!)[/red]")
         
         # Show status summary
         self.console.print()

src/proxy_app/main.py

@@ -37,9 +37,17 @@ if args.add_credential:
 
 # If we get here, we're ACTUALLY running the proxy - NOW show startup messages and start timer
 _start_time = time.time()
+
+# Get proxy API key for display
+proxy_api_key = os.getenv("PROXY_API_KEY")
+if proxy_api_key:
+    key_display = f"✓ {proxy_api_key}"
+else:
+    key_display = "✗ Not Set (INSECURE - anyone can access!)"
+
 print("━" * 70)
 print(f"Starting proxy on {args.host}:{args.port}")
-print(f"Proxy API Key: {'✓ Set' if os.getenv('PROXY_API_KEY') else '✗ Not Set'}")
+print(f"Proxy API Key: {key_display}")
 print(f"GitHub: https://github.com/Mirrowel/LLM-API-Key-Proxy")
 print("━" * 70)
 print("Loading server components...")
@@ -115,6 +123,19 @@ class ModelList(BaseModel):
 _elapsed = time.time() - _start_time
 print(f"✓ Server ready in {_elapsed:.2f}s ({_plugin_count} providers discovered in {_provider_time:.2f}s)")
 
+# Clear screen and reprint header for clean startup view
+# This pushes loading messages up (still in scroll history) but shows a clean final screen
+import os as _os_module
+_os_module.system('cls' if _os_module.name == 'nt' else 'clear')
+
+# Reprint header
+print("━" * 70)
+print(f"Starting proxy on {args.host}:{args.port}")
+print(f"Proxy API Key: {key_display}")
+print(f"GitHub: https://github.com/Mirrowel/LLM-API-Key-Proxy")
+print("━" * 70)
+print(f"✓ Server ready in {_elapsed:.2f}s ({_plugin_count} providers discovered in {_provider_time:.2f}s)")
+
 
 # Note: Debug logging will be added after logging configuration below
 
@@ -848,14 +869,11 @@ if __name__ == "__main__":
         Check if the proxy needs onboarding (first-time setup).
         Returns True if onboarding is needed, False otherwise.
         """
-        # Check 1: Does .env file exist?
+        # Only check if .env file exists
+        # PROXY_API_KEY is optional (will show warning if not set)
         if not ENV_FILE.is_file():
             return True
         
-        # Check 2: Is PROXY_API_KEY set in environment?
-        if not PROXY_API_KEY:
-            return True
-        
         return False
 
     def show_onboarding_message():
@@ -867,25 +885,21 @@ if __name__ == "__main__":
         ))
         console.print("[bold yellow]⚠️  Configuration Required[/bold yellow]\n")
         
-        console.print("The proxy cannot start because:")
-        if not ENV_FILE.is_file():
-            console.print("  [red]❌ No .env file found[/red]")
-        else:
-            console.print("  [red]❌ PROXY_API_KEY is not set in .env[/red]")
+        console.print("The proxy needs initial configuration:")
+        console.print("  [red]❌ No .env file found[/red]")
         
         console.print("\n[bold]Why this matters:[/bold]")
-        console.print("  • The .env file stores your proxy's authentication key")
-        console.print("  • The PROXY_API_KEY protects your proxy from unauthorized access")
-        console.print("  • Without it, the proxy cannot securely start")
+        console.print("  • The .env file stores your credentials and settings")
+        console.print("  • PROXY_API_KEY protects your proxy from unauthorized access")
+        console.print("  • Provider API keys enable LLM access")
         
         console.print("\n[bold]What happens next:[/bold]")
-        console.print("  1. We'll create a .env file with a default PROXY_API_KEY")
+        console.print("  1. We'll create a .env file with PROXY_API_KEY")
         console.print("  2. You can add LLM provider credentials (API keys or OAuth)")
         console.print("  3. The proxy will then start normally")
         
-        console.print("\n[bold yellow]⚠️  Important:[/bold yellow] While provider credentials are optional for startup,")
-        console.print("   the proxy won't do anything useful without them. See [bold cyan]README.md[/bold cyan]")
-        console.print("   for supported providers and setup instructions.\n")
+        console.print("\n[bold yellow]⚠️  Note:[/bold yellow] The credential tool adds PROXY_API_KEY by default.")
+        console.print("   You can remove it later if you want an unsecured proxy.\n")
         
         console.input("[bold green]Press Enter to launch the credential setup tool...[/bold green]")