Skip to content

fix: allow apiKey omission for local embedding providers#151

Open
eisen0419 wants to merge 1 commit intoCortexReach:masterfrom
eisen0419:fix/issue-133-no-apikey-hardening
Open

fix: allow apiKey omission for local embedding providers#151
eisen0419 wants to merge 1 commit intoCortexReach:masterfrom
eisen0419:fix/issue-133-no-apikey-hardening

Conversation

@eisen0419
Copy link

@eisen0419 eisen0419 commented Mar 10, 2026

Summary

Follow-up to PR #93 — hardens the no-apiKey path with provider-aware validation and unit test coverage that doesn't require a running local server.

Changes

  • index.ts: Added isLocalProvider() helper to detect local endpoints (localhost/127.0.0.1/[::1]/0.0.0.0)
    • Local providers: apiKey is optional, falls back to dummy 'ollama' key with console warning
    • Cloud providers: fail early with clear error message at config time
  • test/no-apikey-local-provider.test.mjs: 4 test cases covering:
    • Local provider without apiKey → uses dummy key
    • Cloud provider without apiKey → throws
    • Local provider with explicit apiKey → uses provided key
    • No baseURL + no apiKey → throws

Test plan

  • All 4 new tests pass (no local server required)
  • Existing behavior preserved for all configured providers
  • CI note: plugin-manifest-regression failure is a pre-existing version mismatch on master

Closes #133

fix: allow apiKey omission for local embedding providers
b3747d9 
Detect local providers (localhost/127.0.0.1/[::1]/0.0.0.0) via baseURL
and use a dummy 'ollama' key when apiKey is not provided. Cloud providers
still fail early with a clear error message at config time.

Closes CortexReach#133
@AliceLJY
Copy link
Collaborator

AliceLJY commented Mar 10, 2026

Review: fix: allow apiKey omission for local embedding providers

Verdict: Fix-then-merge — two items to address.

✅ What's working

  • isLocalProvider() correctly handles all four loopback forms: localhost, 127.0.0.1, [::1], 0.0.0.0
  • resolveEnvVars() is called on baseURL before the check — env-var-based URLs (e.g. ${LOCAL_EMBEDDING_URL}) resolve correctly
  • Fallback dummy key "ollama" is a reasonable default, warning is clear
  • Cloud provider path still throws — no regression for existing users
  • All 4 tests pass; test covers the key branches without requiring a running server

🔴 Blocking

npm test not updatedno-apikey-local-provider.test.mjs is missing from package.json scripts. Third PR in a row with this issue.

Fix: append && node --test test/no-apikey-local-provider.test.mjs to the test script.

🟡 Suggested before merge

openclaw.plugin.json schema not updated. embedding.required still includes "apiKey", but the fix makes it optional for local providers. This causes a mismatch between the schema (used by UI and docs) and the actual runtime behavior — users reading the schema will think apiKey is always mandatory.

Suggested fix: make apiKey optional in the schema and update the uiHints description:

// Remove "apiKey" from embedding.required (or remove required entirely)
// Update uiHints.embedding.apiKey.help to mention local providers explicitly

⚪ Non-blocking

isLocalProvider() uses .test() on the full URL string — a baseURL like http://myserver-localhost.corp:8080 would match localhost and be treated as local (skipping apiKey check). Low real-world risk since embedding baseURLs are almost always clean loopback addresses, but anchoring to the hostname portion would be safer:

/^https?:\/\/(localhost|127\.0\.0\.1|\[::1\]|0\.0\.0\.0)(:\d+)?(\\/|$)/i

Clean fix overall. The resolveEnvVars call on baseURL before the local-provider check is a nice touch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Follow-up: harden no-apiKey embedding path for local providers

2 participants

@eisen0419 @AliceLJY