Detect Ollama WorkOS sign-in redirects#1944
Conversation
|
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
Codex review: needs maintainer review before merge. Reviewed July 7, 2026, 6:33 AM ET / 10:33 UTC. Summary Reproducibility: yes. source-reproducible with PR proof: current main follows a 200 final response into parsing, while the PR body captures the real Ollama/WorkOS chain ending at Review metrics: 2 noteworthy metrics.
Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Risk before merge
Maintainer options:
Next step before merge
Security Review detailsBest possible solution: Land the narrow provider fix after maintainer review and required checks pass, keeping redirect classification scoped to known Ollama and WorkOS sign-in surfaces. Do we have a high-confidence way to reproduce the issue? Yes, source-reproducible with PR proof: current main follows a 200 final response into parsing, while the PR body captures the real Ollama/WorkOS chain ending at Is this the best way to solve the issue? Yes. The final-response URL classifier is a narrow fix, the latest maintainer commit preserves non-200 network errors, and focused tests cover the observed terminal landing plus negative cases. AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against 30ae39a7ee83. Label changesLabel justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
Review history (10 earlier review cycles; latest 8 shown)
|
3b77acc to
9356bd2
Compare
|
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
@clawsweeper re-review |
|
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
@clawsweeper re-review |
|
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
@clawsweeper re-review |
d76fbc7 to
c5945ae
Compare
|
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
The committed proof image was a 1x1 placeholder, not real evidence. Executable test output in the PR description replaces it.
WorkOS AuthKit serves the hosted authorize flow from auth.workos.com (and historically api.workos.com). Matching only api.workos.com misses the canonical auth.workos.com redirect, so an expired session would fall through to a parse failure instead of sign-in recovery. Match any *.workos.com host carrying the /user_management/authorize path, and cover auth.workos.com plus a non-WorkOS negative case in the test.
…ired The real unauthenticated Ollama/WorkOS redirect chain (verified live) terminates on a hosted sign-in page at signin.ollama.com with HTTP 200, so the final-URL sign-in check previously fell through to a parseFailed error. Classify any landing on signin.ollama.com as a sign-in redirect so the fetcher surfaces invalidCredentials and CodexBar can advance to the next cookie candidate / show sign-in guidance. Add a test case for the signin.ollama.com terminal landing.
9f25aeb to
c571a0c
Compare
|
Maintainer verification on exact head
Patch surface: 5 files, +112/-7. The change is isolated to Ollama response classification, focused tests, provider docs, and changelog credit for @joeVenner. |
Summary
/signinredirects before attempting usage parsing*.workos.comhost carrying the/user_management/authorizepathsignin.ollama.comterminal landing as an expired session (previously fell through to a parse failure)invalidCredentials) so CodexBar advances to the next cookie candidate instead of a misleading parser failureLive runtime proof
A live probe linked against
CodexBarCoredrove the realOllamaUsageFetcheragainsthttps://ollama.com/settingswith a synthetic (invalid) session cookie and a redirect logger. No real account or secret was used; the captured chain is the real unauthenticated Ollama/WorkOS sign-in flow, and the fetcher now surfacesinvalidCredentials(previouslyparseFailed):The real chain is
ollama.com/settings → /signin → api.workos.com/user_management/authorize → signin.ollama.com(HTTP 200). All three sign-in surfaces are now classified as sign-in redirects:/signinonollama.com, the WorkOS*.workos.com/user_management/authorizeintermediate hop, and thesignin.ollama.comterminal landing — so the fetcher throwsinvalidCredentialsand CodexBar can advance to the next cookie candidate / show sign-in guidance instead of a confusingMissing Ollama usage dataparse error.Note for the maintainer
The broadened
*.workos.comhost match survives WorkOS host changes/CNAMEs; the previous exacthost == "api.workos.com"match would missauth.workos.com. No CHANGELOG entry is included (release-owned); the maintainer can credit@joeVennerat release time as with the merged Ollama follow-ups. No live authenticated account was available, so the expired-session recovery path is the real-runtime proof; the injected-transport test suite (20 tests) covers the matcher cases deterministically, includingauth.workos.com,api.workos.com,signin.ollama.com, and anexample.comnegative case.Testing
swift test --disable-sandbox --filter OllamaUsageFetcherTests(20 passed, incl.signin.ollama.comterminal-landing case)ollama.com/ WorkOS sign-in flow (1.67s) →invalidCredentialsswift buildclean