feat(reviewer): cloud Ollama bearer auth via OLLAMA_API_KEY env #60

Merged

pdurlej merged 1 commit from claude/feat-cloud-ollama-auth into main

2026-05-27 23:42:41 +02:00

claude commented

2026-05-27 23:38:02 +02:00

Collaborator

Why

pdurlej/platform#527 smoke test for the platform#524 wave revealed that patchwarden review-run, even after the MERGE_BASE workflow fix (platform#528), hits Connection refused against 127.0.0.1:11434 — there's no local Ollama on the runner and ollama_client.py had no way to authenticate against cloud Ollama. The reviewer lane is wired but cannot actually produce findings without local Ollama deployment.

This PR adds the missing pluming: optional bearer-token auth + env-var-driven endpoint override. Together with a runner-local PLATFORMCTL_CANARY_ENV setting OLLAMA_API_KEY (sourced from infisical:/home-platform/providers/OLLAMA_CLOUD_API_KEY) and OLLAMA_BASE_URL=https://ollama.com, the workflow can target cloud Ollama without changing the lane config or CLI invocation.

What changes

File	Change
`src/patchwarden/ollama_client.py`	`OllamaRequest.api_key: str \| None = None`. `_attempt` builds the headers dict (Content-Type always; Authorization: Bearer when api_key truthy). `_urllib_transport` signature gains `headers` parameter and forwards it verbatim to `urllib.request.Request`. `Transport` type updated accordingly.
`src/patchwarden/review_run.py`	`_findings_from_ollama` reads `OLLAMA_BASE_URL` + `OLLAMA_API_KEY` from `os.environ` and passes them to `OllamaRequest`. Both optional — unset leaves the dataclass defaults (127.0.0.1:11434, no auth) intact.
`tests/test_ollama_client.py`	All transport mock stubs updated mechanically to accept the new `headers` parameter. New `AuthHeaderTests` (4 tests).
`tests/test_review_run.py`	Transport mock stubs updated mechanically.

Backward compatibility

Local Ollama path unchanged: no OLLAMA_API_KEY set → no Authorization header → request looks identical to today's traffic.
OLLAMA_BASE_URL unset → falls back to OLLAMA_DEFAULT_BASE_URL = "http://127.0.0.1:11434".
OLLAMA_API_KEY="" (common env-var artifact) explicitly treated as no auth — never emits a malformed Bearer header.
Fallback model attempt reuses the same bearer (same endpoint = same auth scope; cloud fallback would 401 otherwise — covered by new test).

D20 sovereignty

Unchanged. This is transport plumbing only. The model still only suspects; Patchwarden's deterministic policy gate still decides merge eligibility. No new authority, no APPROVED path, no merge endpoint — tests/test_d20_architectural_boundary.py still passes.

D21 (M2 amendment) compatibility

This is wiring of an existing capability to a different endpoint, not a new core capability. It does not add a new CLI subcommand, does not change schema versions, does not bind new runtime deps (stdlib-only urllib already in use), does not expand the dogfood lane. It enables the existing Ollama call path to function in the actual deployment environment per platform#527 evidence.

Tests

PYTHONPATH=src python3 -m unittest discover tests
Ran 156 tests in 0.082s
OK

152 baseline + 4 new AuthHeaderTests:

test_no_api_key_omits_authorization_header — default path stays unauthenticated
test_api_key_sets_bearer_authorization_header — Bearer token format correct
test_api_key_propagated_on_fallback_attempt — fallback reuses auth
test_empty_string_api_key_treated_as_no_auth — empty env-var artifact safe

Smoke evidence after merge (planned)

Operator updates runner-local PLATFORMCTL_CANARY_ENV file with:
- OLLAMA_API_KEY=<infisical OLLAMA_CLOUD_API_KEY value>
- OLLAMA_BASE_URL=https://ollama.com (or whichever cloud endpoint)
pdurlej/platform#527 re-runs (push empty commit for synchronize).
review-run reaches Ollama with auth → either gets real findings OR a meaningful HTTP response (not connection refused).
post-findings --execute posts a comment to #527 — evidence-confirmed full loop.
Follow-up PR in pdurlej/patchwarden updates docs/operations/dogfood-actual-vs-mental-model.md to mark Luka 1+2 as evidence-confirmed.

Refs: pdurlej/platform#527, pdurlej/platform#528, pdurlej/patchwarden#48 #49 #54

## Why `pdurlej/platform#527` smoke test for the `platform#524` wave revealed that `patchwarden review-run`, even after the `MERGE_BASE` workflow fix (`platform#528`), hits `Connection refused` against `127.0.0.1:11434` — there's no local Ollama on the runner and `ollama_client.py` had no way to authenticate against cloud Ollama. The reviewer lane is *wired* but cannot actually produce findings without local Ollama deployment. This PR adds the missing pluming: optional bearer-token auth + env-var-driven endpoint override. Together with a runner-local `PLATFORMCTL_CANARY_ENV` setting `OLLAMA_API_KEY` (sourced from `infisical:/home-platform/providers/OLLAMA_CLOUD_API_KEY`) and `OLLAMA_BASE_URL=https://ollama.com`, the workflow can target cloud Ollama without changing the lane config or CLI invocation. ## What changes | File | Change | |---|---| | `src/patchwarden/ollama_client.py` | `OllamaRequest.api_key: str \| None = None`. `_attempt` builds the headers dict (Content-Type always; Authorization: Bearer when api_key truthy). `_urllib_transport` signature gains `headers` parameter and forwards it verbatim to `urllib.request.Request`. `Transport` type updated accordingly. | | `src/patchwarden/review_run.py` | `_findings_from_ollama` reads `OLLAMA_BASE_URL` + `OLLAMA_API_KEY` from `os.environ` and passes them to `OllamaRequest`. Both optional — unset leaves the dataclass defaults (127.0.0.1:11434, no auth) intact. | | `tests/test_ollama_client.py` | All transport mock stubs updated mechanically to accept the new `headers` parameter. New `AuthHeaderTests` (4 tests). | | `tests/test_review_run.py` | Transport mock stubs updated mechanically. | ## Backward compatibility - Local Ollama path unchanged: no `OLLAMA_API_KEY` set → no `Authorization` header → request looks identical to today's traffic. - `OLLAMA_BASE_URL` unset → falls back to `OLLAMA_DEFAULT_BASE_URL = "http://127.0.0.1:11434"`. - `OLLAMA_API_KEY=""` (common env-var artifact) explicitly treated as no auth — never emits a malformed `Bearer ` header. - Fallback model attempt reuses the same bearer (same endpoint = same auth scope; cloud fallback would 401 otherwise — covered by new test). ## D20 sovereignty Unchanged. This is **transport plumbing** only. The model still only suspects; Patchwarden's deterministic policy gate still decides merge eligibility. No new authority, no APPROVED path, no merge endpoint — `tests/test_d20_architectural_boundary.py` still passes. ## D21 (M2 amendment) compatibility This is **wiring of an existing capability to a different endpoint**, not a new core capability. It does not add a new CLI subcommand, does not change schema versions, does not bind new runtime deps (stdlib-only urllib already in use), does not expand the dogfood lane. It enables the *existing* Ollama call path to function in the actual deployment environment per `platform#527` evidence. ## Tests ``` PYTHONPATH=src python3 -m unittest discover tests Ran 156 tests in 0.082s OK ``` 152 baseline + 4 new `AuthHeaderTests`: 1. `test_no_api_key_omits_authorization_header` — default path stays unauthenticated 2. `test_api_key_sets_bearer_authorization_header` — Bearer token format correct 3. `test_api_key_propagated_on_fallback_attempt` — fallback reuses auth 4. `test_empty_string_api_key_treated_as_no_auth` — empty env-var artifact safe ## Smoke evidence after merge (planned) 1. Operator updates runner-local `PLATFORMCTL_CANARY_ENV` file with: - `OLLAMA_API_KEY=<infisical OLLAMA_CLOUD_API_KEY value>` - `OLLAMA_BASE_URL=https://ollama.com` (or whichever cloud endpoint) 2. `pdurlej/platform#527` re-runs (push empty commit for `synchronize`). 3. `review-run` reaches Ollama with auth → either gets real findings OR a meaningful HTTP response (not connection refused). 4. `post-findings --execute` posts a comment to `#527` — evidence-confirmed full loop. 5. Follow-up PR in `pdurlej/patchwarden` updates `docs/operations/dogfood-actual-vs-mental-model.md` to mark Luka 1+2 as evidence-confirmed. Refs: `pdurlej/platform#527`, `pdurlej/platform#528`, `pdurlej/patchwarden#48 #49 #54`

Rows
Columns