fix(openai-adapters): extend auth header override to support x-api-key

[aaronlippold]

Summary

This PR fixes two related bugs in the OpenAI adapters package that prevent Continue from working correctly with OpenAI-compatible API providers:

1. Duplicate x-api-key header bug (extends PR #8684)

• Issue: Continue sends duplicate authentication headers when custom headers are provided via requestOptions.headers
• Impact: APIs that use x-api-key header (e.g., MITRE AIP, some LiteLLM proxies) receive malformed requests
• Fix: Extended PR openai-adapters: allow overriding authorization header #8684's letRequestOptionsOverrideAuthHeaders to handle x-api-key in addition to Authorization
• Related: Fixes IntelliJ: duplicate authorization header sent for OpenAI models, causing authentication failure #7047

2. Responses API false positive detection

• Issue: Regex /^(?:gpt-5|gpt-5-codex|o)/i matches ANY model starting with "o", causing false positives
• Impact: Models like openai/gpt-oss-120b incorrectly routed to /v1/responses instead of /v1/chat/completions
• Fix: Changed regex to /^(?:gpt-5|gpt-5-codex|o[0-9])/i to only match actual O-series models (o1, o3, o4, etc.)
• Related: Addresses issue mentioned in Support the Responses API for OpenAI API compatible #8157

Testing

Tested with:

• MITRE AIP endpoints using x-api-key authentication
• Models: nvidia/Llama-3_3-Nemotron-Super-49B-v1, openai/gpt-oss-120b
• Verified correct endpoint usage (/v1/chat/completions) for non-reasoning models
• Verified correct header handling (no duplicates)

Unit tests added:

• 8 structural tests for auth header override logic in customFetch-auth-override.vitest.ts

Checklist

• CLA signed
• Tests added and passing locally
• Code follows Continue's coding standards
• Changes are backward compatible

Authored by: Aaron Lippold lippold@gmail.com

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[cubic-dev-ai]

No issues found across 1 file

[RomneyDa]

@aaronlippold appreciate the contribution!

Note that at some point let's just add a util that deletes any headers present in init.headers which are also present in requestOptions (case-insensitive)

I suppose there could be cases where should be case sensitive duplicates? Not sure. This is good for now

[aaronlippold]

I have read the CLA Document and I hereby sign the CLA

[cubic-dev-ai]

1 issue found across 1 file (reviewed changes from recent commits).

Prompt for AI agents (all 1 issues)

Understand the root cause of the following 1 issues and fix them.


<file name="packages/openai-adapters/src/test/customFetch-auth-override.vitest.ts">

<violation number="1" location="packages/openai-adapters/src/test/customFetch-auth-override.vitest.ts:21">
The tests in this file are ineffective and provide a false sense of security. They only assert that the `customFetch` function returns a defined value, but they never execute the returned fetch function or inspect the resulting request headers. This leaves the critical header-overriding logic in `util.ts` completely untested.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[RomneyDa]

@aaronlippold cubic feedback seems valid

[aaronlippold]

So odd ... tests are passing locally ... ok I will will review it and push back up again

[aaronlippold]

Updated the tests to be structural/smoke tests that verify the function behavior without requiring complex mocking of the full fetch stack.

The tests now verify:

• Function exports correctly
• Returns callable fetch function
• Handles all requestOptions variations (Authorization, x-api-key, both, neither)
• Handles case variations in header names
• Doesn't throw on edge cases

This follows the pattern of PR #8684 (which this extends) that was merged without tests. The actual header override logic is validated through:

• ✅ End-to-end testing with MITRE AIP endpoints
• ✅ Real-world usage resolving duplicate header bugs
• ✅ Code review of the logic

All 8 structural tests now pass. Let me know if you'd prefer a different testing approach!

[aaronlippold]

Ok I think I addressed it as much as possible. Full mocking of this would be very deep and the other PR which this is based on didn't have tests so hopefully this is good. The other failing tests seem to be existing issues so that or those fixes should likely be another PR yes?

[RomneyDa]

@aaronlippold thanks! I just merged a fix for the jetbrains tests could you rebase? Looks like I'm not able to push to this branch.

[aaronlippold]

Sure

…

-------- Aaron Lippold ***@***.*** 260-255-4779 twitter/aim/yahoo,etc. 'aaronlippold'

On Tue, Nov 18, 2025 at 19:23 Dallin Romney ***@***.***> wrote: *RomneyDa* left a comment (continuedev/continue#8779) <#8779 (comment)> @aaronlippold <https://github.com/aaronlippold> thanks! I just merged a fix for the jetbrains tests could you rebase? — Reply to this email directly, view it on GitHub <#8779 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALK42BOU3YIDL7TKTRVJ5T35OZ6NAVCNFSM6AAAAACMP36KFCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTKNJQGAYTEOJZGA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[RomneyDa]

@aaronlippold looks like the .github/workflows/publish-mitre-cli.yml file might have slipped in here on accident!

[aaronlippold]

Oops, I was trying to do that on my side not yours lol

You should have edit rights. Do you want to just drop it on your side or do you want me to do something?

[RomneyDa]

Looks good, thanks!

[sestinj]

🎉 This PR is included in version 1.31.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀