feat(memory-lancedb): native Azure OpenAI support

[Restry]

This PR adds native Azure OpenAI support to the memory-lancedb plugin.

It automatically detects Azure endpoints (via ) and injects the required header and query parameter (defaulting to ).

This allows users to use Azure OpenAI for embeddings without needing an intermediate proxy like LiteLLM or OneAPI, significantly reducing friction for enterprise users.

[Restry]

This PR (re)implements native Azure OpenAI support for the plugin, addressing the feedback from closed PR #25.

Key Features:

1. Auto-Detection: Automatically detects Azure endpoints by checking for in .
2. Seamless Auth: Injects the required header instead of .
3. API Versioning: Injects the required query parameter (defaults to stable).

Why Native?
While proxy solutions (LiteLLM/OneAPI) exist, they introduce significant friction for enterprise users who just want to point to their Azure resource. This change is minimal, safe, and dramatically improves the out-of-the-box experience for Azure users.

I am committed to adding tests and making configurable if this direction is accepted.

[Restry]

This PR (re)implements native Azure OpenAI support for the memory-lancedb plugin, addressing the feedback from closed PR #25.

Key Features:

1. Auto-Detection: Automatically detects Azure endpoints by checking for .openai.azure.com in baseUrl.
2. Seamless Auth: Injects the required api-key header instead of Authorization: Bearer.
3. API Versioning: Injects the required api-version query parameter (defaults to 2024-02-01 stable).

Why Native?
While proxy solutions (LiteLLM/OneAPI) exist, they introduce significant friction for enterprise users who just want to point baseUrl to their Azure resource. This change is minimal, safe, and dramatically improves the out-of-the-box experience for Azure users.

I am committed to adding tests and making api-version configurable if this direction is accepted.

[greptile-apps]

Greptile Summary

This PR adds native Azure OpenAI support to the memory-lancedb plugin's Embeddings class by detecting Azure endpoints (via .openai.azure.com in baseUrl) and automatically injecting the api-key header and api-version query parameter required by Azure OpenAI's REST API. This is a clean, minimal change that avoids requiring a proxy such as LiteLLM.

• The detection heuristic (baseUrl?.includes(".openai.azure.com")) is reliable for all standard Azure OpenAI resource URLs.
• The api-key header injection is the correct mechanism for Azure authentication through the OpenAI SDK.
• The api-version is hardcoded to "2024-02-01" — one of the earlier GA releases — with no way for users to override it via config. config.ts's assertAllowedKeys does not accept an apiVersion field, so users on tenants that deprecate 2024-02-01, or those needing features from a newer API version, currently have no path to configure this.

Confidence Score: 4/5

• PR is safe to merge; it adds correct Azure auth headers but pins a specific API version that cannot be overridden by users.
• The Azure detection and header injection logic is functionally correct and will work for current Azure OpenAI embedding models. The single concern is the hardcoded api-version: "2024-02-01" with no config-level escape hatch, which is a maintainability issue rather than a correctness bug today.
• extensions/memory-lancedb/index.ts (line 179) and the companion extensions/memory-lancedb/config.ts (which would need an apiVersion field added to support user-configurable versions).

Prompt To Fix All With AI

This is a comment left during a code review.
Path: extensions/memory-lancedb/index.ts
Line: 179

Comment:
**Hardcoded `api-version` with no override path**

The Azure API version is pinned to `"2024-02-01"`, which is one of the earlier GA releases. Azure OpenAI regularly releases new API versions and eventually retires old ones. Users who need features from newer versions (or whose tenant deprecates `2024-02-01`) will have no recourse short of forking the plugin.

Looking at `config.ts`, the `assertAllowedKeys` guard at line 108 only allows `["apiKey", "model", "baseUrl", "dimensions"]`, so there is currently no way to pass an `apiVersion` setting through the plugin config.

Consider:
1. Adding an optional `apiVersion` field to the `embedding` section of `config.ts` (and updating `assertAllowedKeys` to accept it), and
2. Using that value here with a sensible default.

```suggestion
            defaultQuery: { "api-version": "2024-08-01-preview" },
```

At minimum, bumping the default to a more recent stable version reduces the risk of hitting a sudden deprecation.

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: 805ad58}

[greptile-apps]

Hardcoded api-version with no override path

The Azure API version is pinned to "2024-02-01", which is one of the earlier GA releases. Azure OpenAI regularly releases new API versions and eventually retires old ones. Users who need features from newer versions (or whose tenant deprecates 2024-02-01) will have no recourse short of forking the plugin.

Looking at config.ts, the assertAllowedKeys guard at line 108 only allows ["apiKey", "model", "baseUrl", "dimensions"], so there is currently no way to pass an apiVersion setting through the plugin config.

Consider:

1. Adding an optional apiVersion field to the embedding section of config.ts (and updating assertAllowedKeys to accept it), and
2. Using that value here with a sensible default.

Suggested change

	defaultQuery: { "api-version": "2024-02-01" },
	defaultQuery: { "api-version": "2024-08-01-preview" },

At minimum, bumping the default to a more recent stable version reduces the risk of hitting a sudden deprecation.

Prompt To Fix With AI

This is a comment left during a code review.
Path: extensions/memory-lancedb/index.ts
Line: 179

Comment:
**Hardcoded `api-version` with no override path**

The Azure API version is pinned to `"2024-02-01"`, which is one of the earlier GA releases. Azure OpenAI regularly releases new API versions and eventually retires old ones. Users who need features from newer versions (or whose tenant deprecates `2024-02-01`) will have no recourse short of forking the plugin.

Looking at `config.ts`, the `assertAllowedKeys` guard at line 108 only allows `["apiKey", "model", "baseUrl", "dimensions"]`, so there is currently no way to pass an `apiVersion` setting through the plugin config.

Consider:
1. Adding an optional `apiVersion` field to the `embedding` section of `config.ts` (and updating `assertAllowedKeys` to accept it), and
2. Using that value here with a sensible default.

```suggestion
            defaultQuery: { "api-version": "2024-08-01-preview" },
```

At minimum, bumping the default to a more recent stable version reduces the risk of hitting a sudden deprecation.

How can I resolve this? If you propose a fix, please make it concise.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 805ad58f05

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Handle Azure AI Foundry hosts in endpoint detection

The new Azure detection only checks for .openai.azure.com, so valid Azure AI Foundry endpoints such as https://<resource>.services.ai.azure.com/... are not treated as Azure and therefore do not get the required api-key header / api-version query injection. OpenClaw already classifies both host families as Azure in src/commands/onboard-custom.ts, so this mismatch will cause memory embedding calls against *.services.ai.azure.com to be sent with OpenAI-style auth and fail at runtime.

Useful? React with 👍 / 👎.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
The PR adds Azure endpoint detection to memory-lancedb’s direct OpenAI-compatible embedding client, injects api-key and api-version defaults, adds mocked constructor coverage, and adds a changelog entry.

Reproducibility: yes. for the PR defects: source inspection gives a high-confidence path using memory-lancedb with embedding.provider: "openai", an API key, a deployment/model, and an Azure resource baseUrl. The current path still posts /embeddings from the supplied base URL and the PR does not add an API-version config surface.

Real behavior proof
Needs real behavior proof before merge: Only mocked/unit/CI proof is present; before merge add a redacted Azure run log, terminal screenshot, live output, recording, or linked artifact that hides API keys, IPs, phone numbers, and private endpoints, then update the PR body for automatic re-review or ask @clawsweeper re-review.

Next step before merge
Needs maintainer/product review and contributor real Azure behavior proof; ClawSweeper should not queue an automated repair while the external proof gate is failing.

Security
Cleared: The diff changes one plugin’s outbound embedding request construction plus tests/changelog, with no dependency, workflow, script, lockfile, secret-storage, or package-publishing changes.

Review findings

• [P2] Build deployment-scoped Azure embedding URLs — extensions/memory-lancedb/index.ts:359
• [P2] Omit bearer auth for Azure API-key requests — extensions/memory-lancedb/index.ts:358-362
• [P2] Expose the Azure API version in config — extensions/memory-lancedb/index.ts:363

Review details

Best possible solution:

Add Azure-aware memory-lancedb request shaping with parsed hostname detection, deployment-scoped embedding URLs, explicit API-version configuration, docs/changelog, focused tests, and redacted live Azure proof while preserving the generic OpenAI-compatible path.

Do we have a high-confidence way to reproduce the issue?

Yes for the PR defects: source inspection gives a high-confidence path using memory-lancedb with embedding.provider: "openai", an API key, a deployment/model, and an Azure resource baseUrl. The current path still posts /embeddings from the supplied base URL and the PR does not add an API-version config surface.

Is this the best way to solve the issue?

No. The narrow constructor patch is not the best fix because native Azure support needs URL normalization, bearer-auth suppression, API-version configuration, docs, and runtime proof rather than hard-coded SDK defaults.

Full review comments:

• [P2] Build deployment-scoped Azure embedding URLs — extensions/memory-lancedb/index.ts:359
  For the resource-root workflow described by this PR, baseUrl: "https://resource.openai.azure.com" still leaves embed() posting to /embeddings instead of /openai/deployments/{deployment}/embeddings. Normalize Azure base URLs or require and validate a deployment-scoped base URL before treating this as native Azure support.
  Confidence: 0.92
• [P2] Omit bearer auth for Azure API-key requests — extensions/memory-lancedb/index.ts:358-362
  Passing apiKey keeps openai-node bearer auth enabled, and adding defaultHeaders.api-key does not suppress the generated Authorization: Bearer ... header. Azure API-key requests should send the Azure key header without also sending an invalid bearer credential.
  Confidence: 0.88
• [P2] Expose the Azure API version in config — extensions/memory-lancedb/index.ts:363
  The patch hard-codes api-version=2024-02-01, while memory-lancedb config still rejects any apiVersion setting. Users whose Azure tenant requires a different version would have to fork the plugin to change this value.
  Confidence: 0.9
• [P2] Parse Azure hostnames instead of searching the full URL — extensions/memory-lancedb/index.ts:354
baseUrl?.includes(".openai.azure.com") can match path or query text and misses Azure host families OpenClaw already recognizes elsewhere, including *.services.ai.azure.com and *.cognitiveservices.azure.com. Parse the URL hostname and check known suffixes.
  Confidence: 0.84

Overall correctness: patch is incorrect
Overall confidence: 0.91

What I checked:

• Current main request path: Current main constructs new OpenAI({ apiKey, baseURL }) and always posts embeddings to /embeddings, so Azure resource-root URLs are not converted into deployment-scoped embedding URLs. (extensions/memory-lancedb/index.ts:355, 29689c62d079)
• Config surface lacks API version: The memory-lancedb config type and allowed embedding keys include provider/apiKey/model/baseUrl/dimensions, but no API-version field or UI hint. (extensions/memory-lancedb/config.ts:61, 29689c62d079)
• PR head scope: The live PR file list for head e7e1ffa1... changes only CHANGELOG.md, extensions/memory-lancedb/index.test.ts, and extensions/memory-lancedb/index.ts; config.ts and docs are not updated. (extensions/memory-lancedb/index.ts:354, e7e1ffa1a435)
• Azure REST contract: Microsoft’s Azure OpenAI reference documents embeddings as POST https://{endpoint}/openai/deployments/{deployment-id}/embeddings?api-version=..., requires the api-version query parameter, and documents API-key auth through the api-key header.
• OpenAI SDK auth contract: openai-node v6.36.0 builds Authorization: Bearer <apiKey> from apiKey before merging defaultHeaders, so adding api-key alone does not make the Azure request omit bearer auth.
• Existing Azure pattern in OpenClaw: The OpenAI image provider parses URL hostnames, recognizes .openai.azure.com, .services.ai.azure.com, and .cognitiveservices.azure.com, resolves an Azure API version, and builds deployment-scoped Azure URLs. (extensions/openai/image-generation-provider.ts:72, 29689c62d079)

Likely related people:

• steipete: Recently maintained the memory-lancedb embedding auth/transport path and adjacent Azure OpenAI request-shaping patterns in the OpenAI provider. (role: recent maintainer; confidence: high; commits: 2057713af54b, 1fde7dbc0eef, 719ec4f2927a; files: extensions/memory-lancedb/index.ts, extensions/memory-lancedb/config.ts, extensions/openai/image-generation-provider.ts)
• rish2jain: Introduced the memory-lancedb custom baseUrl and dimensions support that this PR extends for Azure endpoints. (role: introduced related config surface; confidence: medium; commits: 6675aacb5eb4; files: extensions/memory-lancedb/index.ts, extensions/memory-lancedb/config.ts)
• vincentkoc: Recently maintained memory-lancedb runtime behavior around embedding encoding, hook enablement, and recall latency. (role: adjacent maintainer; confidence: medium; commits: 3e020a16507c, 3dc3bf65d203, d55c7ea997c0; files: extensions/memory-lancedb/index.ts)

Remaining risk / open question:

• No real Azure runtime proof has been posted yet; mocked constructor coverage cannot prove the request succeeds against Azure OpenAI.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 29689c62d079.

[BradGroux]

Prepared this one for maintainer review/CI.\n\nChanges made on top of the original patch:\n- Rebased onto current origin/main.\n- Preserved the newer lazy OpenAI client loading path while adding Azure OpenAI api-key and api-version configuration.\n- Added focused memory-lancedb coverage for Azure OpenAI constructor options.\n- Added the missing changelog attribution.\n\nPrepared head: e7e1ffa1a435dc1b9718169c0277566cad47eb5d\n\nLocal verification:\n- node scripts/test-projects.mjs extensions/memory-lancedb/index.test.ts ✅ after final rebase\n- pnpm build ✅ before final rebase\n- pnpm check ✅ before final rebase\n\nFresh CI is running now.