Add headers parameter to OPARemoteClient

[Copilot]

Enables passing custom HTTP headers to the remote OPA server, primarily for authentication via tokens or API keys.

Changes

• Add optional headers: dict[str, str] field to OPARemoteClient using Field(default_factory=dict) to avoid mutable default issues
• Pass headers to aiohttp.ClientSession.post() in is_allowed() method
• Add test case verifying bearer token authentication with OPA's --authentication=token --authorization=basic flags
• Test verifies requests fail without auth headers and succeed with correct Authorization: Bearer header

Example

from opadk import OPADKPlugin, OPARemoteClient

client = OPARemoteClient(
    server_url="http://localhost:8181",
    headers={
        "Authorization": "Bearer your-token-here",
        "X-Custom-Header": "custom-value"
    }
)

Backward compatible—defaults to empty dict.

Original prompt

Add support to provide a dictionary of headers for the remote opa client

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[becojo]

You're not testing anything new in this test. Create a different bundle that uses OPA's bearer token auth. see https://www.openpolicyagent.org/docs/security#authentication-and-authorization

[Copilot]

Updated test to use OPA's bearer token authentication. The new test starts OPA with --authentication=token --authorization=basic, verifies that requests fail without auth headers, and succeed with the correct Authorization: Bearer test-token header. Commit: fb6544e

[becojo]

Not needed to modify the readme

[Copilot]

Reverted README changes. Commit: fb6544e

[Copilot]

Pull request overview

This PR adds support for custom HTTP headers in OPARemoteClient to enable authentication with remote OPA servers, particularly for scenarios requiring bearer tokens or API keys.

Key Changes:

• Added an optional headers parameter to OPARemoteClient using Field(default_factory=dict) to avoid mutable default issues
• Modified the is_allowed() method to pass headers to the HTTP request
• Added comprehensive test coverage for authentication scenarios with an OPA server configured for token-based authentication

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
src/opadk/opa.py	Added headers field to OPARemoteClient class and modified is_allowed() to pass headers to HTTP POST request
tests/test_opa.py	Added new test test_opa_remote_client_with_headers that verifies authentication behavior with and without bearer tokens
tests/testdata/rego-auth/system-authz.rego	New OPA authorization policy for testing token-based authentication
tests/testdata/rego-auth/policy.rego	New OPA policy for testing tool/agent authorization decisions

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The method should check the HTTP response status before attempting to parse the response body. When authentication fails (e.g., 401 Unauthorized) or other HTTP errors occur, the method should handle these appropriately. Consider using response.raise_for_status() or checking response.status to provide clearer error messages for authentication and authorization failures.

Suggested change

	json = await response.json()
	return OPADKResponse.model_validate(json.get("result"))
	# Check HTTP status before attempting to parse the response body
	if response.status == 401:
	raise Exception("OPA request unauthorized (401): check credentials or tokens.")
	if response.status == 403:
	raise Exception("OPA request forbidden (403): insufficient permissions.")
	# Raise for any other non-successful status codes
	response.raise_for_status()
	json_body = await response.json()
	return OPADKResponse.model_validate(json_body.get("result"))

[Copilot]

The test catches all exceptions with a bare except Exception: clause and doesn't verify the specific error type or message. This makes the test less precise and could pass even if the failure happens for an unexpected reason. Consider checking for a specific exception type or verifying the HTTP status code (401 Unauthorized) to ensure authentication is actually being enforced.