Bug Description
hermes model resolves a named provider's key_env for /models discovery, but the model picker should treat that key as request-only and must not persist the resolved secret back into config.yaml.
The intended credential behavior is simple:
- If
key_env is configured, resolve it and use that environment value for the /models request.
- If
key_env is not configured, use inline api_key for the /models request.
- When saving config, write only the original inline
provider_info["api_key"]; never write the value resolved from key_env.
Minimal Config
providers:
crs-henkee:
name: CRS Henkee
base_url: http://127.0.0.1:3000/api/v1
key_env: HERMES_CRS_HENKEE_KEY
transport: anthropic_messages
model: claude-opus-4-7
default_model: claude-opus-4-7
custom_providers: []Expected Behavior
The picker should use HERMES_CRS_HENKEE_KEY for the live /models request, then only persist the selected model/default_model. The actual cr_... secret should remain environment-only.
Why This Matters
key_env is the recommended way to avoid plaintext API keys in config.- Model selection should not silently downgrade credential hygiene.
- Runtime provider resolution and auxiliary model calls already rely on env-based credentials.
Bug Description
hermes modelresolves a named provider'skey_envfor/modelsdiscovery, but the model picker should treat that key as request-only and must not persist the resolved secret back intoconfig.yaml.The intended credential behavior is simple:
key_envis configured, resolve it and use that environment value for the/modelsrequest.key_envis not configured, use inlineapi_keyfor the/modelsrequest.provider_info["api_key"]; never write the value resolved fromkey_env.Minimal Config
Expected Behavior
The picker should use
HERMES_CRS_HENKEE_KEYfor the live/modelsrequest, then only persist the selected model/default_model. The actualcr_...secret should remain environment-only.Why This Matters
key_envis the recommended way to avoid plaintext API keys in config.