bug: credential pool reads stale os.environ instead of fresh .env — test documents correct behavior but code doesn't match

[wali-reheman]

Bug Description

_get_env_prefer_dotenv() in agent/credential_pool.py is supposed to prefer the user's deliberate ~/.hermes/.env config over stale inherited os.environ vars from parent processes (Codex CLI, test scripts, etc.).

The function signature says it prefers .env:

# Prefer ~/.hermes/.env over os.environ — the user's config file is the
# authoritative source for Hermes credentials.
def _get_env_prefer_dotenv(key: str) -> str:
    env_file = load_env()
    val = env_file.get(key) or os.environ.get(key) or ""
    return val.strip()

But in practice, os.environ values leak in through the credential pool initialization, causing stale keys to shadow fresh .env edits.

Evidence

Two tests in tests/tools/test_credential_pool_env_fallback.py and tests/agent/test_credential_pool.py document the correct expected behavior:

# test_load_pool_prefers_dotenv_over_stale_os_environ
"""Regression for #18254: stale OPENROUTER_API_KEY in os.environ (inherited
from a parent shell) must NOT shadow the fresh key in ~/.hermes/.env."""
# Expects: .env key wins
# Actual: stale os.environ key wins

Both tests consistently fail with:

AssertionError: Expected .env to win, got 'sk-or-STALE-from-shell'

Root Cause Analysis

The _get_env_prefer_dotenv function itself appears correct (.env checked before os.environ). The bug is likely in where/how load_hermes_home() resolves during credential pool initialization — in some code paths the HERMES_HOME env var points to the wrong directory, so load_env() reads the wrong .env file or no .env at all, falling through to os.environ.

The test sets HERMES_HOME via monkeypatch but other parts of the credential pool initialization may bypass this and read the real filesystem .env.

Impact

• After key rotation in ~/.hermes/.env, users get persistent 401 errors because the stale shell-exported key is still being used
• The issue affects any user who has environment variables exported in their shell profile (common for Codex/Claude CLI users)

References

• Original regression: issue [Bug]: auth.json credential cache ignores .env changes — stale key persists #18254
• Test coverage: tests/agent/test_credential_pool.py::test_load_pool_prefers_dotenv_over_stale_os_environ, tests/tools/test_credential_pool_env_fallback.py::TestCredentialPoolSeedsFromDotEnv::test_dotenv_wins_over_stale_os_environ

[0xDevNinja]

Picking this up. Quick diagnostic before patching:

• test_load_pool_prefers_dotenv_over_stale_os_environ actually passes on current main — _seed_from_env already routes through _get_env_prefer_dotenv (agent/credential_pool.py:1389), so the pool gets seeded with the fresh .env value.
• The failing test is the older test_os_environ_still_wins_over_dotenv (tests/tools/test_credential_pool_env_fallback.py:109), which still asserts the old os.environ-first behavior and contradicts the new one.
• The 401-after-rotation user impact still holds, but the live failure path is _resolve_api_key_provider_secret (hermes_cli/auth.py:557) — it still calls get_env_value(), which checks os.environ first. So the pool gets seeded correctly with the fresh key, but resolution still returns the stale shell export.

Plan: hoist the prefer-dotenv helper into hermes_cli/config.py as a shared utility, swap _resolve_api_key_provider_secret over to it, drop the closure in credential_pool.py, flip the contradictory old test to assert .env wins (matching the docstring rule the rest of the code is enforcing). PR shortly.

[alt-glitch]

Related to #18254 (closed, fix merged as #18755). The reporter indicates the merged fix may be incomplete — _seed_from_env() path resolution may bypass the corrected _get_env_prefer_dotenv() in some code paths. See also open PR #20602 which appears to address remaining gaps.