[Bug] Ollama custom headers not forwarded

[KimFischer2000]

Summary

OpenClaw's Ollama connector drops custom provider headers (e.g. X-OLLAMA-KEY) whenever the agent falls back to createOllamaStreamFn. Gateways behind HAProxy/TLS expect that header, otherwise the server replies 403 (Verification failed). Currently only direct REST calls (e.g. curl) work, because the CLI takes the header from the provider config; internal chat runs ignore it.

Impact

• Any OpenClaw deployment using a protected Ollama endpoint fails to run agents (403 errors on /v1/chat/completions).
• Admins can't finish the installer or start the gateway without manually editing bundled JS files.
• Affects all entry points (reply-*.js, pi-embedded-*.js, subagent, plugin SDK) since they all call createOllamaStreamFn(baseUrl) with no headers.

Repro

1. Configure a custom provider in openclaw.json:

   {
     "models": {
       "providers": {
         "ollama": {
           "baseUrl": "https://ollama.example.com/v1",
           "headers": {
             "X-OLLAMA-KEY": "SECRET"
           }
         }
       }
     }
   }

2. Start OpenClaw (openclaw gateway).
3. Send any chat request.
4. Ollama logs show 403 because the header was never forwarded.

Direct curl with the header works:

curl -H "X-OLLAMA-KEY: SECRET" https://ollama.example.com/v1/models

Root Cause

createOllamaStreamFn(baseUrl) ignores provider headers. All agent runners only pass the base URL, so Ollama never receives auth tokens.

Proposed Fix

1. Update createOllamaStreamFn (in all bundled locations) to accept an optional defaultHeaders map, merge it with per-request headers, and attach them to every fetch.
2. Pass providerConfig?.headers whenever a stream function is created:

   const providerConfig = cfg?.models?.providers?.[model.provider];
   const ollamaBaseUrl = model.baseUrl || providerConfig?.baseUrl || OLLAMA_NATIVE_BASE_URL;
   agent.streamFn = createOllamaStreamFn(ollamaBaseUrl, providerConfig?.headers);

3. Update the plugin SDK .d.ts so third-party skills can also set headers.

Hotfix / Diff Summary

• Added normalizeHeaderRecord() + defaultHeaders parameter in:
  • dist/model-selection-*.js
  • dist/model-auth-*.js
  • dist/plugin-sdk/model-selection-*.js
  • dist/auth-profiles-*.js
• Patched all activeSession.agent.streamFn = createOllamaStreamFn(...) calls to pass providerConfig?.headers (reply-*.js, pi-embedded-*.js, subagent-registry, plugin SDK).
• Adjusted plugin-sdk/agents/ollama-stream.d.ts signature.

Without this change, any secured Ollama server is unusable with OpenClaw.

[Sid-Qin]

PR #27490 addresses the root cause — provider headers configured in openclaw.json are silently dropped in both inline model resolution and registry model lookup. The fix ensures custom headers (including auth tokens like X-OLLAMA-KEY) are properly merged into model objects and forwarded to the upstream API.