Skip to content

fix: setup wizard overwrites custom endpoint config (#4172)#4180

Merged
teknium1 merged 1 commit into
mainfrom
hermes/hermes-bf538de7
Mar 31, 2026
Merged

fix: setup wizard overwrites custom endpoint config (#4172)#4180
teknium1 merged 1 commit into
mainfrom
hermes/hermes-bf538de7

Conversation

@teknium1

@teknium1 teknium1 commented Mar 31, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes #4172. Supersedes #4174 (different root cause than described there).

The actual bug: _model_flow_custom() saved model.provider: "custom" and model.base_url to disk via its own cfg = load_config() / save_config(cfg) cycle — but never updated the setup wizard's in-memory config dict. The wizard's final save_config(config) at setup.py line 1752 then overwrote the custom settings with the stale default (model: "anthropic/claude-opus-4.6" string).

After this, resolve_requested_provider() saw no model.provider in config, returned "auto", and the auto-detection chain picked up stale OPENROUTER_API_KEY from .env → traffic routed to OpenRouter.

Every other provider in the setup wizard uses _set_model_provider(config, ...) which correctly updates the wizard's dict. The custom flow was the only one using a separate load_config().

Fix: After saving to disk, also mutate the caller's config dict so the wizard's final save preserves model.provider="custom" and the base_url. Both the model-name and no-model-name branches are covered.

What changed

  • hermes_cli/main.py_model_flow_custom() now syncs the passed config dict after its own save (+15 lines)
  • tests/hermes_cli/test_setup.py — Updated existing test to include the wizard's final save_config(config) call (the step that was previously untested), plus two new regression tests covering the Ollama and no-model-name scenarios

Test plan

  • 5002 tests pass (2 pre-existing failures unrelated to this change — broken by refactor: make config.yaml the single source of truth for endpoint URLs #4165's OPENAI_BASE_URL removal)
  • E2E: fresh install → custom endpoint → wizard's save_config → reload → resolve_requested_provider() returns "custom"
  • E2E: stale OPENROUTER_API_KEY + custom endpoint → custom endpoint wins, base_url points to localhost
  • E2E: no model name entered → model.provider and model.base_url still survive

@github-actions

github-actions Bot commented Mar 31, 2026

Copy link
Copy Markdown
Contributor

⚠️ Supply Chain Risk Detected

This PR contains patterns commonly associated with supply chain attacks. This does not mean the PR is malicious — but these patterns require careful human review before merging.

⚠️ WARNING: Install hook files modified

These files can execute code during package installation or interpreter startup.

Files:

tests/hermes_cli/test_setup.py

Automated scan triggered by supply-chain-audit. If this is a false positive, a maintainer can approve after manual review.

@teknium1 teknium1 force-pushed the hermes/hermes-bf538de7 branch from 88d422d to 2b4368f Compare March 31, 2026 06:16
@github-actions

github-actions Bot commented Mar 31, 2026

Copy link
Copy Markdown
Contributor

⚠️ Supply Chain Risk Detected

This PR contains patterns commonly associated with supply chain attacks. This does not mean the PR is malicious — but these patterns require careful human review before merging.

⚠️ WARNING: Install hook files modified

These files can execute code during package installation or interpreter startup.

Files:

tests/hermes_cli/test_setup.py

Automated scan triggered by supply-chain-audit. If this is a false positive, a maintainer can approve after manual review.

@teknium1
fix: setup wizard overwrites custom endpoint config (#4172)
f459bd4 
_model_flow_custom() saved model.provider and model.base_url to disk
via its own load_config/save_config cycle, but never updated the
setup wizard's in-memory config dict.  The wizard's final
save_config(config) then overwrote the custom settings with the
stale default string model value.

Fix: after saving to disk, also mutate the caller's config dict so
the wizard's final save preserves model.provider='custom' and the
base_url.  Both the model_name and no-model_name branches are
covered.

Added regression tests that simulate the full wizard flow including
the final save_config(config) call — the step that was previously
untested.
@teknium1 teknium1 force-pushed the hermes/hermes-bf538de7 branch from 2b4368f to f459bd4 Compare March 31, 2026 06:17
@github-actions

github-actions Bot commented Mar 31, 2026

Copy link
Copy Markdown
Contributor

⚠️ Supply Chain Risk Detected

This PR contains patterns commonly associated with supply chain attacks. This does not mean the PR is malicious — but these patterns require careful human review before merging.

⚠️ WARNING: Install hook files modified

These files can execute code during package installation or interpreter startup.

Files:

tests/hermes_cli/test_setup.py

Automated scan triggered by supply-chain-audit. If this is a false positive, a maintainer can approve after manual review.

@teknium1 teknium1 merged commit 89d8127 into main Mar 31, 2026
2 of 3 checks passed
@dieutx dieutx mentioned this pull request Mar 31, 2026
Closed
@teknium1 teknium1 mentioned this pull request Mar 31, 2026
Merged
6 tasks
@dieutx dieutx mentioned this pull request Apr 1, 2026
Closed
@corvusmod corvusmod mentioned this pull request May 6, 2026
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug] Provider auto-detection ignores model.provider in config.yaml — stale API keys override explicit custom endpoint

1 participant

@teknium1