Support bearer token authentication for OpenAI-compatible clients #1

@roackb2

Problem

Heddle integrates CyberLoop for semantic drift detection, and Heddle can authenticate OpenAI requests through its stored OpenAI OAuth credential path. Today CyberLoop appears to assume an OpenAI Platform API key for embedding/auth setup, so Heddle has to disable CyberLoop-powered drift detection when the active OpenAI credential is OAuth-backed.

This leaves Heddle with two credential paths:

  • API-key mode: CyberLoop drift detection can run.
  • OAuth mode: Heddle can run the model, but CyberLoop drift detection is unavailable because CyberLoop cannot consume the bearer token credential Heddle already resolved.

Desired behavior

CyberLoop should accept a bearer token credential in addition to the existing API-key path, so callers such as Heddle can provide the same OpenAI credential they are already using for runtime requests.

This would let Heddle unify the credential path and enable CyberLoop drift detection in OpenAI OAuth mode instead of requiring users to switch to Platform API-key mode only for embeddings.

Proposed shape

Support an auth option roughly equivalent to:

type OpenAiAuth =
  | { type: 'apiKey'; apiKey: string }
  | { type: 'bearer'; token: string };

Then use the resolved auth to set the outbound OpenAI-compatible request header:

  • Authorization: Bearer <apiKey> for existing API-key mode, preserving current behavior.
  • Authorization: Bearer <token> for bearer-token mode.

Exact API shape can follow CyberLoop's existing constructor/config style. The important part is that callers can pass a bearer token without mapping it into an API-key-only field.

Acceptance criteria

  • CyberLoop keeps the current API-key behavior working unchanged.
  • CyberLoop exposes a documented way to configure bearer-token auth for OpenAI-compatible embedding/model calls.
  • Bearer-token auth is used for the same outbound OpenAI-compatible requests that currently use the API key.
  • Tests cover both API-key and bearer-token header construction.
  • Heddle can enable drift detection while its active OpenAI credential is OAuth-backed, without requiring OPENAI_API_KEY or PERSONAL_OPENAI_API_KEY solely for CyberLoop embeddings.

Heddle integration context

Current Heddle behavior blocks the drift observer in OpenAI OAuth mode with a message along the lines of:

CyberLoop drift detection requires OpenAI Platform API-key mode for embeddings; active auth is OpenAI account sign-in.

Once CyberLoop accepts bearer tokens, Heddle can pass the resolved OAuth access token into the CyberLoop embedding path and remove that OAuth-mode drift limitation.
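The header construction described under "Proposed shape", as an added example that is not part of the original issue and is not CyberLoop's code. `OpenAiAuth` is the type from the issue; `buildAuthHeaders`, `redactHeaders` and `TOKEN68` are hypothetical names, and the RFC 6750 syntax check and log redaction are assumptions about what a caller-supplied token path should guard against.

```typescript
// Added example: only OpenAiAuth comes from the issue; every other name is hypothetical.
type OpenAiAuth =
  | { type: 'apiKey'; apiKey: string }
  | { type: 'bearer'; token: string };

// RFC 6750 bearer credential syntax (token68). It excludes whitespace, CR and LF,
// so a caller-supplied token cannot smuggle a second header into the request.
const TOKEN68 = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Both auth modes produce the same header shape, so the API-key path is unchanged.
function buildAuthHeaders(auth: OpenAiAuth): Record<string, string> {
  const secret = auth.type === 'apiKey' ? auth.apiKey : auth.token;
  if (!TOKEN68.test(secret)) {
    // Report the auth mode only; the rejected value never appears in the message.
    throw new Error(
      'invalid ' + auth.type + ' credential: empty or not valid bearer token syntax'
    );
  }
  return { Authorization: 'Bearer ' + secret };
}

// Copy of the headers that is safe for debug logs and error reports.
function redactHeaders(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const key of Object.keys(headers)) {
    out[key] = key.toLowerCase() === 'authorization' ? 'Bearer [REDACTED]' : headers[key];
  }
  return out;
}

// Constructed sample credentials, not real keys or tokens.
const sampleApiKeyAuth: OpenAiAuth = { type: 'apiKey', apiKey: 'sk-constructed_key-123' };
const sampleBearerAuth: OpenAiAuth = { type: 'bearer', token: 'aaa.bbb.ccc' };

console.log(redactHeaders(buildAuthHeaders(sampleApiKeyAuth)));
console.log(redactHeaders(buildAuthHeaders(sampleBearerAuth)));
```

An OAuth access token is typically short-lived, so a caller would resolve the `OpenAiAuth` value per request rather than caching the built header.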

Labels: enhancement (New feature or request)