Follow-up: harden no-apiKey embedding path for local providers

[rwmjhb]

Summary

PR #93 fixed issue #71 by making embedding.apiKey optional so local providers like Ollama can start without authentication. The core fix is useful and should remain, but there are two follow-up areas worth tightening.

Follow-up items

1. Add stable test coverage for the no-apiKey path

• The PR added test/ollama-no-apikey.test.mjs, but it depends on a local Ollama instance.
• Add unit-level coverage that does not require a running local server, so CI can reliably lock in the expected config/embedder behavior.

2. Revisit the no-key-required fallback strategy

• Today, missing embedding.apiKey falls back to a dummy value and emits a warning.
• This is convenient for local providers, but it also changes failure behavior for cloud providers from config-time failure to runtime failure.
• Consider a more provider-aware path so local providers can omit keys cleanly while cloud providers still fail early and clearly.

Context

This is not a regression report against PR #93. It is a follow-up hardening task so the Ollama/local-provider fix has better long-term test and behavior guarantees.

[AliceLJY]

Closing this follow-up old-baseline hardening thread for cleanup. The repo now only tracks work against the current 'master' baseline.\n\nIf the no-apiKey local-provider path still needs hardening on latest 'master', please reopen as a fresh issue or send a PR against current 'master' with the exact remaining gap.