Skip to content

fix(cli): empty credential pool entries no longer authenticate provider (#28140)#28190

Closed
Sisuthros wants to merge 1 commit into
NousResearch:mainfrom
Sisuthros:fix/empty-credential-pool
Closed

fix(cli): empty credential pool entries no longer authenticate provider (#28140)#28190
Sisuthros wants to merge 1 commit into
NousResearch:mainfrom
Sisuthros:fix/empty-credential-pool

Conversation

@Sisuthros

@Sisuthros Sisuthros commented May 18, 2026
edited
Loading

Copy link
Copy Markdown

Summary

Closes #28140.

When the user removes an API-key env var (e.g. MINIMAX_CN_API_KEY) from .env, an empty credential_pool array left behind in ~/.hermes/auth.json (e.g. "minimax-cn": []) still caused the provider to appear authenticated in the /model picker.

Root cause

In hermes_cli/model_switch.py::list_authenticated_providers, the auth-store fallback checked only whether the provider key existed in the pool dict, not whether the value held any actual credentials:

if store and hermes_id in store.get("credential_pool", {}):
    has_creds = True

"minimax-cn": [] satisfies hermes_id in {...} even though the list is empty, so has_creds flipped to True with zero usable credentials, and the provider appeared in the /model picker.

Fix

Pull the list out and gate on its truthiness:

if store:
    pool_entries = store.get("credential_pool", {}).get(hermes_id) or []
    if pool_entries:
        has_creds = True

This matches the intent ("any usable credential in the pool?") and is consistent with how agent/credential_pool.py itself treats empty lists elsewhere.

Test plan

  • Added 4 unit tests in tests/hermes_cli/test_credential_pool_empty.py:
    • test_empty_credential_pool_does_not_authenticate_provider — the regression case
    • test_populated_credential_pool_does_authenticate_provider — sanity check: real entries still work
    • test_missing_credential_pool_key_does_not_authenticate_provider — no entry at all → hidden
    • test_env_var_still_authenticates_even_with_empty_pool — env-var path still wins
  • All 4 pass with the fix; the first one fails without it (verified true regression test)
  • No other tests touched (tests/hermes_cli/test_credential_pool_empty.py is new and self-contained)

outsourc-e
outsourc-e approved these changes May 18, 2026
View reviewed changes

@outsourc-e outsourc-e left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Validated locally on clean upstream/main worktree. Regression tests passed (4 passed). Correct fix for empty credential_pool entries; no security concerns.

@outsourc-e outsourc-e mentioned this pull request May 18, 2026
Closed
@alt-glitch alt-glitch added type/bug Something isn't working comp/cli CLI entry point, hermes_cli/, setup wizard area/auth Authentication, OAuth, credential pools P2 Medium — degraded but workaround exists labels May 18, 2026
@alt-glitch

alt-glitch commented May 18, 2026

Copy link
Copy Markdown
Collaborator

Duplicate of #20705 (also duplicated by #28150 and closed #26934). All fix the same empty credential_pool false-positive in list_authenticated_providers() section 1.

@Sisuthros Sisuthros force-pushed the fix/empty-credential-pool branch from ebc4c39 to 5a92b38 Compare May 18, 2026 21:01
@Sisuthros
fix(cli): empty credential pool entries no longer authenticate provider
b515e94 
Fixes NousResearch#28140.

When a user removed an API-key env var (e.g. `MINIMAX_CN_API_KEY`) from
their `.env`, an empty `credential_pool` array left behind in
`~/.hermes/auth.json` (e.g. `"minimax-cn": []`) still caused the
provider to appear authenticated in the `/model` picker.

Root cause was a presence-check on the dict key only:

```python
if store and hermes_id in store.get("credential_pool", {}):
    has_creds = True
```

`"minimax-cn": []` satisfies `hermes_id in {...}` even though the list
is empty, so `has_creds` flipped to True with zero actual credentials.

Fix: pull the list out and gate on its truthiness instead — matches the
intent ("any usable credential in the pool?") and is consistent with how
`agent/credential_pool.py` itself treats empty lists elsewhere.

Tests added (`tests/hermes_cli/test_credential_pool_empty.py`):
- Empty pool entry → provider hidden (the regression)
- Populated pool entry → provider shown (no over-correction)
- Missing pool key entirely → provider hidden
- Env-var set + empty pool → env wins, provider shown

All 4 pass with the fix, the regression test fails without it.
@Sisuthros Sisuthros force-pushed the fix/empty-credential-pool branch from 5a92b38 to b515e94 Compare May 18, 2026 21:05
@alt-glitch alt-glitch mentioned this pull request May 18, 2026
Closed
3 tasks
@teknium1

teknium1 commented May 24, 2026

Copy link
Copy Markdown
Contributor

Closing as superseded by #28312.

Triage notes (high confidence):
Same empty-credential-pool bug as #28150; fixed on main by 95846ed / PR #28312; model_switch.py:1235 now uses get() which returns falsy for [].

Thanks for the contribution — the underlying problem this PR addresses has been resolved by the linked PR on current main. If you believe this was closed in error, please comment and we'll reopen.

(Bulk-closed during a CLI PR triage sweep.)

@teknium1 teknium1 closed this May 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@outsourc-e outsourc-e outsourc-e approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/auth Authentication, OAuth, credential pools comp/cli CLI entry point, hermes_cli/, setup wizard P2 Medium — degraded but workaround exists type/bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Empty credential pool entries cause providers to show as authenticated in /model picker

4 participants

@Sisuthros @alt-glitch @teknium1 @outsourc-e