fix(doctor): suppress stale direct-key issues when oauth is healthy (salvage of #26704)#26853
Merged
kshitijk4poor merged 2 commits intoMay 16, 2026
Conversation
Fixes NousResearch#26693 `hermes doctor` currently promotes invalid direct API keys into the final summary even when the matching OAuth path is already healthy. That makes the setup look more broken than it really is. This change keeps the failed API Connectivity row visible but stops treating it as a blocking summary issue when a healthy OAuth fallback already exists for the same provider family. Covered cases: - Gemini OAuth + invalid direct Gemini key - MiniMax OAuth + invalid direct MiniMax key Based on NousResearch#26704 by @worlldz.
4 tasks
teknium1
pushed a commit
that referenced
this pull request
May 17, 2026
_has_healthy_oauth_fallback_for_apikey_provider() covers Gemini and MiniMax (added by #26853) but omits xAI. The xAI provider profile (plugins/model-providers/xai/__init__.py) has auth_type="api_key" and env_vars=("XAI_API_KEY",), so it enters the generic API-key connectivity loop. When XAI_API_KEY fails a 401 probe but xAI OAuth is healthy, the failure is promoted to the blocking summary even though xAI works fine via OAuth — the same false-positive #26853 fixed for Gemini and MiniMax. Fix: import get_xai_oauth_auth_status alongside the existing two helpers and add the "xai" branch. get_xai_oauth_auth_status() already exists in hermes_cli/auth.py and returns {"logged_in": True} when a valid OAuth token is present. Symmetric with the Gemini and MiniMax branches introduced in #26853. No behavior change for providers without an OAuth path.
gweeteve
pushed a commit
to gweeteve/hermes-agent
that referenced
this pull request
Jun 2, 2026
_has_healthy_oauth_fallback_for_apikey_provider() covers Gemini and MiniMax (added by NousResearch#26853) but omits xAI. The xAI provider profile (plugins/model-providers/xai/__init__.py) has auth_type="api_key" and env_vars=("XAI_API_KEY",), so it enters the generic API-key connectivity loop. When XAI_API_KEY fails a 401 probe but xAI OAuth is healthy, the failure is promoted to the blocking summary even though xAI works fine via OAuth — the same false-positive NousResearch#26853 fixed for Gemini and MiniMax. Fix: import get_xai_oauth_auth_status alongside the existing two helpers and add the "xai" branch. get_xai_oauth_auth_status() already exists in hermes_cli/auth.py and returns {"logged_in": True} when a valid OAuth token is present. Symmetric with the Gemini and MiniMax branches introduced in NousResearch#26853. No behavior change for providers without an OAuth path.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #26693
Salvages #26704 by @worlldz.
Why a salvage PR
#26704was branched one commit beforec4bda3f27("fix(doctor): generate config from defaults when template file is missing") landed onmain. As a result, its diff against currentmainwould have silently reverted the newDEFAULT_CONFIGfallback in theconfig.yaml not foundbranch back to the oldmanual_issues.append(...)behavior.Plain
git cherry-pick 6fdeb9965onto currentorigin/mainauto-merges cleanly — git's 3-way merge recognisesc4bda3f27is already present and applies only the new helper + summary-suppression hunk. The resulting tree has both fixes: theDEFAULT_CONFIGfallback AND the OAuth-aware summary gate. Author attribution is preserved.What this PR does
When
hermes doctorruns and a direct provider API-key probe fails (HTTP 401), but the matching OAuth path for that provider family is already healthy, the failed row stays visible in the API Connectivity section but is no longer promoted into the final blocking summary.Covered cases:
Verification
Pytest:
E2E matrix (subprocess pinned to this branch, faked httpx + auth helpers):
GOOGLE_API_KEYMINIMAX_API_KEYGOOGLE_API_KEY(control)Negative control confirms the gate only fires when an OAuth fallback exists for the same family — providers without an OAuth path are unaffected.
Ruff:
All checks passed!on the 3 touched files.Commits
bb7c3c9bb(author: @worlldz) — original fix from fix(doctor): suppress stale direct-key issues when oauth is healthy #26704, cherry-picked.cf8b977b7— addsworlldztoAUTHOR_MAPinscripts/release.pysocontributor_audit.py --strictstays clean.