From 3545d29422a5fa78db5696a4fd38e3ea2491e38d Mon Sep 17 00:00:00 2001
From: kshitijk4poor <82637225+kshitijk4poor@users.noreply.github.com>
Date: Mon, 22 Jun 2026 15:50:26 +0530
Subject: [PATCH] refactor(auth): drop dead select() fallback in anthropic pool
 resolver
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

/simplify-code QUALITY finding: the `if callable(_available_entries): ... else:
pool.select()` ladder was dead for the real CredentialPool type (`_available_entries`
is always a bound method) AND the select() fallback violated the helper's read-only
contract — select() -> _select_unlocked() runs _available_entries(clear_expired=True,
refresh=True), which persists to auth.json and triggers a network refresh. Call
_available_entries(clear_expired=False, refresh=False) directly inside the existing
try/except instead.

Also drops the now-dead `select=` stubs from the 6 pool tests (they only existed to
satisfy the removed fallback branch). Behavior unchanged; 6 pool tests pass and the
read-only / null-token contract tests were mutation-checked (flipping the flags /
removing the None-guard fails the respective test).
---
 agent/anthropic_adapter.py            | 22 ++++++----------------
 tests/agent/test_anthropic_adapter.py |  6 +-----
 2 files changed, 7 insertions(+), 21 deletions(-)

diff --git a/agent/anthropic_adapter.py b/agent/anthropic_adapter.py
index 762f551c5b8..c63c71da7bc 100644
--- a/agent/anthropic_adapter.py
+++ b/agent/anthropic_adapter.py
@@ -1175,25 +1175,15 @@ def _resolve_anthropic_pool_token() -> Optional[str]:
 
     try:
         pool = load_pool("anthropic")
+        # Enumerate read-only (clear_expired=False, refresh=False): never persist
+        # to auth.json or trigger a network refresh from a bare resolve. select()
+        # is deliberately NOT used — it runs clear_expired=True, refresh=True,
+        # which would violate this read-only contract.
+        entries = pool._available_entries(clear_expired=False, refresh=False)
     except Exception:
-        logger.debug("Failed to load Anthropic credential_pool", exc_info=True)
+        logger.debug("Failed to read Anthropic credential_pool", exc_info=True)
         return None
 
-    available_entries = getattr(pool, "_available_entries", None)
-    if callable(available_entries):
-        try:
-            entries = available_entries(clear_expired=False, refresh=False)
-        except Exception:
-            logger.debug("Failed to enumerate Anthropic credential_pool entries", exc_info=True)
-            entries = []
-    else:
-        try:
-            selected = pool.select()
-        except Exception:
-            logger.debug("Failed to select Anthropic credential_pool entry", exc_info=True)
-            selected = None
-        entries = [selected] if selected is not None else []
-
     for entry in entries:
         if getattr(entry, "auth_type", None) != AUTH_TYPE_OAUTH:
             continue
diff --git a/tests/agent/test_anthropic_adapter.py b/tests/agent/test_anthropic_adapter.py
index 1d1e4a5b670..109793d2719 100644
--- a/tests/agent/test_anthropic_adapter.py
+++ b/tests/agent/test_anthropic_adapter.py
@@ -347,7 +347,6 @@ class TestResolveAnthropicToken:
         )
         pool = SimpleNamespace(
             _available_entries=lambda **_kwargs: [pool_entry],
-            select=lambda: pool_entry,
         )
         monkeypatch.setattr("agent.credential_pool.load_pool", lambda provider: pool)
 
@@ -369,7 +368,6 @@ class TestResolveAnthropicToken:
         )
         pool = SimpleNamespace(
             _available_entries=lambda **_kwargs: [pool_entry],
-            select=lambda: pool_entry,
         )
         monkeypatch.setattr("agent.credential_pool.load_pool", lambda provider: pool)
 
@@ -389,7 +387,6 @@ class TestResolveAnthropicToken:
         broken_entry = SimpleNamespace(auth_type="oauth", access_token=None)
         pool = SimpleNamespace(
             _available_entries=lambda **_kwargs: [broken_entry],
-            select=lambda: broken_entry,
         )
         monkeypatch.setattr("agent.credential_pool.load_pool", lambda provider: pool)
 
@@ -410,7 +407,6 @@ class TestResolveAnthropicToken:
         api_key_entry = SimpleNamespace(auth_type="api_key", access_token="sk-pool-apikey")
         pool = SimpleNamespace(
             _available_entries=lambda **_kwargs: [api_key_entry],
-            select=lambda: api_key_entry,
         )
         monkeypatch.setattr("agent.credential_pool.load_pool", lambda provider: pool)
 
@@ -454,7 +450,7 @@ class TestResolveAnthropicToken:
             captured.update(kwargs)
             return [pool_entry]
 
-        pool = SimpleNamespace(_available_entries=_available_entries, select=lambda: pool_entry)
+        pool = SimpleNamespace(_available_entries=_available_entries)
         monkeypatch.setattr("agent.credential_pool.load_pool", lambda provider: pool)
 
         assert resolve_anthropic_token() == "pool-oauth-token"