fix(nous): don't use OAuth access_token as inference API key

When agent_key is missing from auth state (expired, not yet minted, or mint failed silently), the fallback chain fell through to access_token — an OAuth bearer token for the Nous portal API, not an inference credential. The Nous inference API returns 404 because the OAuth token is not a valid inference key. Remove the access_token fallback so an empty agent_key correctly triggers resolve_nous_runtime_credentials() to mint a fresh key. Closes #5562
2026-04-25 00:51:20 +00:00 · 2026-04-06 12:11:21 -04:00 · 2026-04-06 12:11:21 -04:00 · 85973e0082
commit 85973e0082
parent eceb89b824
1 changed files with 5 additions and 1 deletions
--- a/hermes_cli/runtime_provider.py
+++ b/hermes_cli/runtime_provider.py
@ -495,7 +495,11 @@ def _resolve_explicit_runtime(
            explicit_base_url
            or str(state.get("inference_base_url") or auth_mod.DEFAULT_NOUS_INFERENCE_URL).strip().rstrip("/")
        )
-        api_key = explicit_api_key or str(state.get("agent_key") or state.get("access_token") or "").strip()
+        # Only use agent_key for inference — access_token is an OAuth token for the
+        # portal API (minting keys, refreshing tokens), not for the inference API.
+        # Falling back to access_token sends an OAuth bearer token to the inference
+        # endpoint, which returns 404 because it is not a valid inference credential.
+        api_key = explicit_api_key or str(state.get("agent_key") or "").strip()
        expires_at = state.get("agent_key_expires_at") or state.get("expires_at")
        if not api_key:
            creds = resolve_nous_runtime_credentials(