fix(model-picker): require real credentials in section 1 (api_key path)#20705
Closed
tymrtn wants to merge 1 commit into
Closed
fix(model-picker): require real credentials in section 1 (api_key path)#20705tymrtn wants to merge 1 commit into
tymrtn wants to merge 1 commit into
Conversation
Section 1 of list_authenticated_providers checked
hermes_id in store.get('credential_pool', {})
which gave false positives for entries with empty list values, surfacing
providers (e.g. huggingface, opencode-go, minimax(-cn), zai) in the
/model picker that the user never authenticated to. Selecting one
routed every turn to a dead endpoint and 401'd.
Sister fix 4607242 closed this same class of bug in sections 2 and
2b but missed section 1. This patch mirrors that approach: drop the
key-presence test on the auth store and use
agent.credential_pool.load_pool(hermes_id).has_credentials() — which
verifies real credentials exist (env, singletons, pool entries).
Adds a regression test (tests/hermes_cli/test_picker_empty_credential_pool.py)
covering the empty-list pathological case and the positive path.
Updates one existing overlay test that relied on the leaky behavior to
use the same load_pool stub pattern instead.
No new public APIs. Safe minimal change.
This was referenced May 16, 2026
Closed
Contributor
|
Closing as already fixed on Triage notes (medium confidence): If you still see this on the latest version, please reopen with reproduction steps. (Bulk-closed during a CLI triage sweep.) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Section 1 of
list_authenticated_providers(theapi_keyauth path inhermes_cli/model_switch.py) was checking:This gave false positives for entries whose value is an empty list — a state that occurs naturally after credential rotation or partial seeding. The picker therefore surfaced providers the user never authenticated to (huggingface, opencode-go, minimax / minimax-cn, zai, …). Selecting one of those routes every turn at a dead endpoint and 401s.
Sister fix
46072425fclosed the same class of bug in sections 2 and 2b but missed section 1. (PR #20703 tried to paper over the symptom with a config-side allowlist; that's been closed in favor of this focused fix.)Fix
Drop the key-presence test on the auth store and use the same pattern already used elsewhere in the function:
load_pool().has_credentials()checks that real credentials exist (env vars, singletons, and pool entries, with the usual seeding paths) — empty lists no longer leak through.Tests
tests/hermes_cli/test_picker_empty_credential_pool.pycredential_pool['huggingface'] = []⇒ NOT in returned slugs.test_mapped_provider_credential_pool_visibility(intest_overlay_slug_resolution.py) to validate via the new pool path instead of the leaky bandaid it previously asserted.tests/hermes_cli/ -k 'model_switch or picker or list_auth or overlay'→ 185 passed.Scope
list_authenticated_providers.