delegate_task can overwrite delegated custom endpoint with parent custom credential pool

[bailob]

Summary

delegate_task can misroute subagents that target one custom endpoint when the parent agent runs on a different custom endpoint. The child is initialized with the correct delegation base_url, but its credential pool selection later rebinds it to the parent's custom pool because both runtimes collapse to provider="custom".

Reported by Hermes Agent.

Reproduction

1. Configure the main Hermes runtime to use one custom endpoint (for example a Codex-compatible endpoint).
2. Configure delegation to use a different custom endpoint and model.
3. Run a minimal delegate_task that should only produce a tiny text response.
4. Observe that the delegated child can fail against the parent's endpoint instead of the delegated endpoint.

Observed Behavior

The child is initially built with the delegated custom endpoint, but before the delegated run starts it receives a credential pool derived from the parent custom runtime. When the child leases that pool, _swap_credential() overwrites the delegated base_url with the parent's custom endpoint. This makes the child send the delegated model name to the wrong endpoint.

Expected Behavior

Delegated children using one custom endpoint should never inherit a different custom endpoint's credential pool. Pool selection must distinguish custom runtimes by endpoint identity, not just by the normalized provider name custom.

Code Evidence

• Delegation config is loaded in tools/delegate_tool.py via _load_config() and _resolve_delegation_credentials().
• Child agents are built in tools/delegate_tool.py with the correct delegated base_url and api_mode.
• The bug happens in _resolve_child_credential_pool() in tools/delegate_tool.py, which currently shares the parent's pool whenever effective_provider == parent_provider.
• For custom endpoints, both parent and child often normalize to provider="custom", even when their base_url values differ.
• Later, _run_single_child() acquires a lease from that pool and calls child._swap_credential(...), which overwrites the child's base_url with the leased pool entry.

Root Cause

_resolve_child_credential_pool() treats all custom runtimes as interchangeable because it compares only the provider string. It does not account for custom endpoint identity. Named custom providers and explicit delegation.base_url configurations can therefore collapse into the same provider family and incorrectly share pools.

Suggested Fix

When the effective provider is custom, resolve the pool by the delegated endpoint identity (for example via the custom pool key derived from the delegated base_url) instead of sharing the parent pool based only on provider equality. Only reuse the parent's pool when both the provider and the effective custom endpoint match.

[mazhengeod]

Yes, I encountered exactly the same issue. The subagent continues to use the wrong base URL, no matter how I fix the config files.

[mazhengeod]

I'm using a custom endpoint — it's the same configuration as the memory search agent, which works just fine. However, the delegate agent keeps trying to visit the wrong endpoint

[mazhengeod]

✅ Workaround Found — Working Solution

We hit the same issue. After thorough debugging, here's a working configuration that avoids the credential pool collision:

Root Cause

The bug occurs because:

1. When delegation.base_url is configured, _resolve_delegation_credentials() hardcodes provider = "custom" (line 941)
2. _resolve_child_credential_pool() shares parent's pool when effective_provider == parent_provider
3. Both parent and child collapse to "custom" → pool collision → _swap_credential() overwrites child's base_url

Working Configuration

Parent agent — use a standard provider (not "custom"):

model:
  default: glm-5.1
  provider: ollama-cloud   # standard provider, not "custom"
  base_url: https://ollama.com/v1
Delegation — use a different standard provider, NO base_url:
delegation:
  model: MiniMax-M2.7-highspeed
  provider: minimax-cn      # different from parent, uses built-in URL
  # DO NOT set base_url here — let it auto-resolve
API Key — set via environment variable (NOT in config.yaml):
# In ~/.hermes/.env
MINIMAX_CN_API_KEY=sk-cp-your-actual-key-here
Key Points
1. Parent and child must use different standard provider names (e.g., ollama-cloud vs minimax-cn)
2. Don't put base_url in delegation config — it triggers the hardcoded "custom" path
3. API keys go in ~/.hermes/.env, not in the api_key field of config.yaml
4. Standard providers (minimax-cn, openrouter, nous, etc.) auto-resolve their built-in URLs
Verified Working
🔌 Provider: minimax-cn  ✅ (not "custom")
🌐 Endpoint: https://api.minimaxi.com/anthropic  ✅
✅ delegate_task works correctly
Status
This is a workaround, not a code fix. The real fix would require modifying _resolve_child_credential_pool() to distinguish custom endpoints by identity, not just provider name.

[UnstoppableCurry]

One concrete failure mode to check here is that the child runtime starts with the delegated base_url, but the later credential-pool lookup collapses both runtimes to something like provider="custom". At that point the pool key no longer distinguishes parent endpoint A from child endpoint B, so the child can be rebound to the parent's custom pool even though delegation passed the right URL earlier.

A fix I would try/test:

1. Add a regression where parent uses custom endpoint A, delegate_task targets custom endpoint B, and the child makes one model call. Assert the outbound request host is B, not A.
2. Key the credential pool with a stable endpoint identity, not only the provider label. For custom providers that usually means provider + normalized_base_url or a redacted base_url_hash.
3. Treat the delegated base_url as part of the child runtime boundary. After child config resolution, later auth/profile selection should not silently backfill from parent runtime state.
4. Add one debug line at the final request boundary with redacted provider, base_url_hash, and credential profile id. That makes this class of bug visible without leaking keys.
5. If existing config depends on provider=custom, keep that public name for compatibility but introduce an internal custom_endpoint_id for routing/auth separation.

This also gives a clean test shape: same API key name, two different base URLs, parent delegates child, child must never inherit the parent's resolved endpoint after pool selection.

Disclosure: this is a ConvertModel helper account. This exact issue maps to custom endpoint, subagent, and team relay isolation; ConvertModel tests Codex/Claude Code-compatible routing and enterprise relay setups here: https://convertmodel.net.

[rainleon]

Confirming this bug is still present in v0.14.0 (2026.5.16).

Additional detail from debugging session:

The credential rotation happens in _run_single_child() lines 1340-1348. The sequence is:

1. _build_child_agent correctly initializes child with base_url=http://localhost:1234/v1 (confirmed in logs: OpenAI client created (agent_init, shared=True) ... base_url=http://localhost:1234/v1)
2. 36ms later, _run_single_child calls child_pool.acquire_lease() → child._swap_credential(leased_entry)
3. The leased entry comes from the parent pool (pointing to the parent's endpoint), overwriting the child's base_url

Why config workarounds fail:

• Removing delegation.base_url and relying on delegation.provider: custom:lmstudio-gemma4 still resolves to provider="custom" (via resolve_runtime_provider)
• All custom_providers entries normalize to bare "custom" regardless of their qualified name
• credential_pool_strategies has no "disabled" option
• The parent's credential pool is auto-created by resolve_runtime_provider and cannot be suppressed via config

Minimal fix suggestion: In _resolve_child_credential_pool, compare base_url in addition to provider name, or skip pool sharing entirely when override_base_url differs from the parent's base_url.