fix(auth): make 'auth remove' for claude_code prevent re-seeding

Previously, removing a claude_code credential from the anthropic pool only printed a note — the next load_pool() re-seeded it from ~/.claude/.credentials.json. Now writes a 'suppressed_sources' flag to auth.json that _seed_from_singletons checks before seeding. Follows the pattern of env: source removal (clears .env var) and device_code removal (clears auth store state). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-06-09 08:21:50 +00:00 · 2026-04-10 15:12:11 +08:00 · 2026-04-10 15:12:11 +08:00 · 419b719c2b
commit 419b719c2b
parent f3fb3eded4
4 changed files with 71 additions and 2 deletions
--- a/agent/credential_pool.py
+++ b/agent/credential_pool.py
@ -1077,6 +1077,13 @@ def _seed_from_singletons(provider: str, entries: List[PooledCredential]) -> Tup
            ("claude_code", read_claude_code_credentials()),
        ):
            if creds and creds.get("accessToken"):
+                # Check if user explicitly removed this source
+                try:
+                    from hermes_cli.auth import is_source_suppressed
+                    if is_source_suppressed(provider, source_name):
+                        continue
+                except ImportError:
+                    pass
                active_sources.add(source_name)
                changed |= _upsert_entry(
                    entries,