
Hotfix | Red team base_url env var fix #163

Merged
drorIvry merged 3 commits into main from hotfix/rogue-openai-api-report on Feb 24, 2026

Conversation

@yuval-qf
Collaborator

Description

Motivation and Context

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📝 Documentation update
  • 🎨 Code style/refactoring (no functional changes)
  • 🧪 Test updates
  • 🔧 Configuration/build changes

Changes Made

Screenshots/Examples (if applicable)

Checklist

  • I have read the CONTRIBUTING.md guide
  • My code follows the code style of this project (PEP 8, type hints, docstrings)
  • I have run uv run black . to format my code
  • I have run uv run flake8 . and fixed all issues
  • I have run uv run mypy --config-file .mypy.ini . and addressed type checking issues
  • I have run uv run bandit -c .bandit.yaml -r . for security checks
  • I have added tests that prove my fix is effective or that my feature works
  • I have run uv run pytest and all tests pass
  • I have manually tested my changes
  • I have updated the documentation accordingly
  • I have added/updated type hints for new/modified functions
  • My changes generate no new warnings
  • I have checked my code for security issues
  • Any dependent changes have been merged and published

Testing

Test Configuration:

  • Python version:
  • OS:
  • Other relevant details:

Test Steps:
1.
2.
3.

Additional Notes

Related Issues/PRs

  • Fixes #
  • Related to #
  • Depends on #

@yuval-qf yuval-qf requested a review from drorIvry as a code owner February 23, 2026 16:09
@yuval-qf yuval-qf self-assigned this Feb 23, 2026
@coderabbitai
Contributor

coderabbitai bot commented Feb 23, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e1a2c69 and 79bb96d.

📒 Files selected for processing (1)
  • rogue/evaluator_agent/red_team/openai_api_red_team_attacker_agent.py

Summary by CodeRabbit

  • Chores

    • Version bumped to 0.4.1
  • Improvements

    • Qualifire API base URL can be configured via QUALIFIRE_BASE_URL with a safe fallback
    • Debug configuration updated to load environment variables from a .env file
    • OpenAI integration now accepts API key or bearer token authentication for remote calls

Walkthrough

This PR makes Qualifire configuration environment-driven: hardcoded Qualifire URLs are replaced with os.getenv("QUALIFIRE_BASE_URL", "https://app.qualifire.ai"), service method signatures allow an optional URL, an OpenAI API key path is added for litellm calls, VERSION is bumped to 0.4.1, and the VSCode launch config now loads an .env file.

Changes

| Cohort / File(s) | Summary |
|---|---|
| IDE & Version: `.vscode/launch.json`, `VERSION` | Adds envFile reference to load `${workspaceFolder}/.env` in the "Rogue TUI" launch config; bumps version from 0.4.0 to 0.4.1. |
| Server API Models: `rogue/server/api/red_team.py` | ReportToQualifireRequest.qualifire_url default changed to `os.getenv("QUALIFIRE_BASE_URL", "https://app.qualifire.ai")` (two occurrences). |
| Service Layer: `rogue/server/services/qualifire_service.py` | report_red_team_scan signature: qualifire_url changed from `str = ""` to `Optional[str] = None`; service uses QUALIFIRE_BASE_URL fallback. |
| SDK Types: `sdks/python/rogue_sdk/types.py` | Added `import os`; ReportSummaryRequest.qualifire_url default now reads `os.getenv("QUALIFIRE_BASE_URL", "https://app.qualifire.ai")`. |
| Evaluator Agent (OpenAI auth): `rogue/evaluator_agent/red_team/openai_api_red_team_attacker_agent.py` | Adds propagation of an API key/bearer token into litellm acompletion calls when auth type is API_KEY or BEARER_TOKEN by building and spreading api_key_kwargs alongside headers. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
autonumber
participant Agent as "Evaluator Agent"
participant Litellm as "litellm client"
participant OpenAI as "OpenAI API"
Agent->>Litellm: prepare acompletion request (headers + api_key_kwargs)
Litellm->>OpenAI: send request with API key / bearer token
OpenAI-->>Litellm: response
Litellm-->>Agent: proxied completion response
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • drorIvry
  • osher-qualifire

Poem

🐰 I nibble code and hop with cheer,
Env vars whisper, URLs appear.
Keys tucked gently into the call,
Versions bumped — I twitch my all.
Hooray for configs, green and clear! 🌱

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description is entirely empty—all template sections remain as unfilled placeholders with no actual implementation details, motivation, changes, testing info, or issue references provided. | Fill in all critical sections: Description, Motivation and Context, Type of Change (check the bug fix option), Changes Made (list the actual modifications), Testing details, and Related Issues/PRs links. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly identifies the main change: a hotfix addressing the Red Team base URL environment variable configuration. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


Contributor

@coderabbitai coderabbitai bot left a comment


> [!CAUTION]
> Some comments are outside the diff and can't be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
rogue/server/api/red_team.py (1)

313-316: ⚠️ Potential issue | 🟠 Major

Align report URL env var with QUALIFIRE_BASE_URL to avoid mismatched links.
The default now pulls QUALIFIRE_BASE_URL, but the report URL generation still uses QUALIFIRE_URL at Line 313-316, so the returned link can point to a different host than the one used for reporting.

🔧 Suggested fix
-                    base_url = os.getenv(
-                        "QUALIFIRE_URL",
-                        "https://app.qualifire.ai",
-                    )
+                    base_url = os.getenv(
+                        "QUALIFIRE_BASE_URL",
+                        "https://app.qualifire.ai",
+                    )
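Review bot: Switching this lookup from QUALIFIRE_URL to QUALIFIRE_BASE_URL silently sends any deployment that still sets the old name back to the hard-coded public default, so the generated report link would point at app.qualifire.ai while the operator believes it is self-hosted; read QUALIFIRE_BASE_URL first and fall back to QUALIFIRE_URL (or call out the rename in the changelog). Since the identical `os.getenv(...)` call now appears here, at 346-349 and in both request models, one small resolver helper would keep the reporting endpoint and the displayed link from drifting apart again.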

Also applies to: 346-349

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@rogue/server/api/red_team.py` around lines 313 - 316, The report URL
generation currently reads os.getenv("QUALIFIRE_URL",
"https://app.qualifire.ai") which mismatches the rest of the code that uses
QUALIFIRE_BASE_URL; update both occurrences that set base_url (the assignments
that use os.getenv("QUALIFIRE_URL", ...), around the base_url variable in
red_team.py) to read os.getenv("QUALIFIRE_BASE_URL", "https://app.qualifire.ai")
so the generated report links use the same QUALIFIRE_BASE_URL as reporting and
avoid host mismatches.
rogue/server/services/qualifire_service.py (1)

46-51: ⚠️ Potential issue | 🟡 Minor

Add type hints for report_red_team_scan parameters and return type.
This keeps the method compliant with the repository typing rule.

🧩 Suggested update
-from typing import Optional
+from typing import Any, Optional
@@
-from rogue_sdk.types import EvaluationResults, ReportSummaryRequest
+from rogue_sdk.types import EvaluationResults, ReportSummaryRequest, RedTeamJob
@@
-    def report_red_team_scan(
-        job,
-        report,
-        qualifire_api_key: str,
-        qualifire_url: Optional[str] = None,
-    ):
+    def report_red_team_scan(
+        job: RedTeamJob,
+        report: Any,
+        qualifire_api_key: str,
+        qualifire_url: Optional[str] = None,
+    ) -> dict[str, Any]:
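Review bot: The return annotation `-> dict[str, Any]` in this hunk contradicts the AI-agent prompt for the same finding, which proposes `Optional[Dict[str, Any]]`; settle whether report_red_team_scan can return None, because a non-Optional annotation lets mypy accept callers that never handle that case. Also confirm that RedTeamJob is actually exported by rogue_sdk.types before extending the import line, and note that `dict[str, Any]` as an annotation requires Python 3.9+ (use `Dict[str, Any]` if older interpreters are still supported).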

As per coding guidelines: Use type hints for all function signatures.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@rogue/server/services/qualifire_service.py` around lines 46 - 51, Annotate
the report_red_team_scan signature with explicit types and a return type (e.g.
add "from typing import Any, Dict, Optional" if not present) and change the
signature to something like: def report_red_team_scan(job: Any, report:
Dict[str, Any], qualifire_api_key: str, qualifire_url: Optional[str] = None) ->
Optional[Dict[str, Any]]; ensure you update any internal uses to satisfy the
chosen types and adjust imports at the top of the module if needed.
🧹 Nitpick comments (2)
rogue/server/api/red_team.py (1)

346-349: Avoid import-time env capture for qualifire_url defaults.
Using os.getenv at class definition time freezes the value at import; default_factory reads it when the model is instantiated.

♻️ Recommended refactor
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
@@
-    qualifire_url: str = os.getenv(
-        "QUALIFIRE_BASE_URL",
-        "https://app.qualifire.ai",
-    )
+    qualifire_url: str = Field(
+        default_factory=lambda: os.getenv(
+            "QUALIFIRE_BASE_URL",
+            "https://app.qualifire.ai",
+        ),
+    )
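Review bot: The default_factory change fixes the import-time capture, but qualifire_url is a field on ReportToQualifireRequest, so a caller can still supply its own value in the request body and the service will then authenticate with qualifire_api_key against whatever host it was given; either validate a caller-supplied URL (https scheme, expected host) before report_red_team_scan uses it, or drop the field from the request model and resolve the URL server-side from QUALIFIRE_BASE_URL only.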
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@rogue/server/api/red_team.py` around lines 346 - 349, The qualifire_url
default is being captured at import time via os.getenv which freezes its value;
change the Pydantic/Dataclass field qualifire_url to use a default_factory that
calls os.getenv("QUALIFIRE_BASE_URL", "https://app.qualifire.ai") so the
environment is read when the model is instantiated, and remove the module-level
os.getenv usage to avoid import-time capture.
sdks/python/rogue_sdk/types.py (1)

1012-1015: Avoid import-time env capture for qualifire_url defaults.
Prefer default_factory so the env value is read when the model instance is created.

♻️ Recommended refactor
-    qualifire_url: Optional[str] = os.getenv(
-        "QUALIFIRE_BASE_URL",
-        "https://app.qualifire.ai",
-    )
+    qualifire_url: Optional[str] = Field(
+        default_factory=lambda: os.getenv(
+            "QUALIFIRE_BASE_URL",
+            "https://app.qualifire.ai",
+        ),
+    )
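Review bot: Unlike the red_team.py suggestion above, this hunk uses Field without showing it added to the pydantic imports of types.py; confirm `Field` is already imported there or the module will fail at import time. The field also stays `Optional[str]` although the factory never yields None, so `str` would be the more honest type unless callers deliberately pass None to mean "use the environment default".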
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@sdks/python/rogue_sdk/types.py` around lines 1012 - 1015, The current code
captures QUALIFIRE_BASE_URL at import time by assigning qualifire_url =
os.getenv(...); change this to use a runtime default_factory so the environment
is read when a model instance is created: replace the top-level assignment with
a model field that uses default_factory (e.g., Field(default_factory=lambda:
os.getenv("QUALIFIRE_BASE_URL", "https://app.qualifire.ai")) or
dataclasses.field(default_factory=...) depending on the model type) for the
qualifire_url field so the env var is resolved at instantiation instead of
import.

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 30f622e and e1a2c69.

📒 Files selected for processing (5)
  • .vscode/launch.json
  • VERSION
  • rogue/server/api/red_team.py
  • rogue/server/services/qualifire_service.py
  • sdks/python/rogue_sdk/types.py
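The two "import-time env capture" nitpicks and the QUALIFIRE_URL/QUALIFIRE_BASE_URL mismatch above share one root cause: where and when the URL is resolved. The following is an added illustration, not code from the rogue repository or from CodeRabbit; it uses stdlib dataclasses in place of pydantic (pydantic's `Field(default_factory=...)` behaves the same way), and the fallback to the older QUALIFIRE_URL name and the https check are assumptions made here, not something the PR does.

```python
import os
from dataclasses import dataclass, field
from urllib.parse import urlparse

DEFAULT_QUALIFIRE_URL = "https://app.qualifire.ai"


def validate_base_url(url: str) -> str:
    """Accept only an https URL with a host: the API key is sent to it."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing Qualifire base URL {url!r}: need https://host")
    return url.rstrip("/")


def resolve_qualifire_base_url() -> str:
    """Resolve the base URL at call time, never at import time.

    QUALIFIRE_BASE_URL is the name the PR standardises on; falling back to the
    older QUALIFIRE_URL is an assumption added here for existing deployments.
    """
    url = (
        os.getenv("QUALIFIRE_BASE_URL")
        or os.getenv("QUALIFIRE_URL")
        or DEFAULT_QUALIFIRE_URL
    )
    return validate_base_url(url)


@dataclass
class FrozenAtImport:
    # Pattern the review flags: os.getenv runs once, when the class body executes.
    qualifire_url: str = os.getenv("QUALIFIRE_BASE_URL", DEFAULT_QUALIFIRE_URL)


@dataclass
class ReadAtInstantiation:
    # Per-instance lookup; pydantic's Field(default_factory=...) is the equivalent.
    qualifire_url: str = field(default_factory=resolve_qualifire_base_url)


def demo(env_value: str) -> tuple[str, str]:
    """Set QUALIFIRE_BASE_URL after both classes exist and report what each sees."""
    os.environ["QUALIFIRE_BASE_URL"] = env_value  # constructed, not a real host
    try:
        return FrozenAtImport().qualifire_url, ReadAtInstantiation().qualifire_url
    finally:
        os.environ.pop("QUALIFIRE_BASE_URL", None)
```

Running `demo("https://qualifire.example.internal")` with the variable unset at import shows the frozen model still reporting the public default while the factory-backed model returns the value that was set.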

@drorIvry drorIvry merged commit 359585c into main Feb 24, 2026
9 checks passed
@drorIvry drorIvry deleted the hotfix/rogue-openai-api-report branch February 24, 2026 09:11