bug(auth): API keys in ~/.hermes/.env not resolved by credential_pool._seed_from_env

[zons-zhaozhy]

Bug

When API keys are stored in ~/.hermes/.env (not in shell environment), credential_pool._seed_from_env() only checks os.environ and misses them. Additionally, hermes_cli/auth.py:_resolve_api_key_provider_secret() does not fall back to the credential pool when no env var is found.

Reproduction

1. Remove all API key env vars from shell (e.g. unset OPENAI_API_KEY)
2. Store key in ~/.hermes/.env: OPENAI_API_KEY=sk-...
3. Start hermes with a provider that requires the key
4. Observe: "No API key found" despite .env having the key

Expected Behavior

1. _seed_from_env() should also check ~/.hermes/.env via hermes_cli.config.get_env_value()
2. _resolve_api_key_provider_secret() should fall back to credential_pool.load_pool() when env vars are empty

Environment

• hermes-agent latest main
• Any provider using API key auth
• Keys stored in ~/.hermes/.env instead of shell env vars

[alt-glitch]

Likely duplicate of #15914 — same root cause: _resolve_api_key_provider_secret() only reads os.environ, not credential_pool. Fix PR at #15920.

[teknium1]

Fixed in #16101 (salvage of #15920 by @zons-zhaozhy). Both points addressed: _seed_from_env() uses get_env_value() (checks ~/.hermes/.env), and _resolve_api_key_provider_secret() falls back to credential_pool.load_pool().

#16101