fix: simplify ollama onboarding (#67005)

* feat(ollama): split interactive cloud and local setup

* test(ollama): cover cloud onboarding flow

* docs(ollama): simplify provider setup docs

* docs(onboarding): update ollama wizard copy

* fix(ollama): restore web search auth helper

* fix(ollama): harden setup auth and ssrf handling

* fix(ollama): address review regressions

* fix(ollama): scope ssrf hardening to ollama

* feat(ollama): add hybrid onboarding mode

* fix(ollama): tighten cloud credential setup

* refactor(ollama): distill host-backed setup modes

* fix(ollama): preserve cloud api key in config

* fix: simplify ollama onboarding (#67005)

src/plugins/provider-auth-env-trust.test.ts

@@ -25,6 +25,20 @@ describe("provider auth env trust", () => {
     });
   });
 
+  it("buildApiKeyCredential keeps secret-ref-like input literal in plaintext mode", async () => {
+    const { buildApiKeyCredential } = await import("./provider-auth-helpers.js");
+
+    const credential = buildApiKeyCredential("ollama", "${AWS_SECRET_ACCESS_KEY}", undefined, {
+      secretInputMode: "plaintext",
+    });
+
+    expect(credential).toEqual({
+      type: "api_key",
+      provider: "ollama",
+      key: "${AWS_SECRET_ACCESS_KEY}",
+    });
+  });
+
   it("resolveRefFallbackInput excludes untrusted workspace plugin env vars", async () => {
     const { resolveRefFallbackInput } = await import("./provider-auth-ref.js");
     const config = { plugins: {} };

src/plugins/provider-auth-helpers.ts

@@ -63,6 +63,9 @@ function resolveApiKeySecretInput(
   input: SecretInput,
   options?: ApiKeyStorageOptions,
 ): SecretInput {
+  if (options?.secretInputMode === "plaintext") {
+    return normalizeSecretInput(input);
+  }
   const coercedRef = coerceSecretRef(input);
   if (coercedRef) {
     return coercedRef;