fix: custom endpoint no longer leaks OPENROUTER_API_KEY (#560)

API key selection is now base_url-aware: when the resolved base_url targets OpenRouter, OPENROUTER_API_KEY takes priority (preserving the #289 fix). When hitting any other endpoint (Z.ai, vLLM, custom, etc.), OPENAI_API_KEY takes priority so the OpenRouter key doesn't leak. Applied in both the runtime provider resolver (the real code path) and the CLI initial default (for consistency). Fixes #560.
2026-04-27 01:11:40 +00:00 · 2026-03-06 17:16:14 -08:00 · 2026-03-06 17:16:14 -08:00 · 94053d75a6
commit 94053d75a6
parent 2a68099675
3 changed files with 63 additions and 7 deletions
--- a/hermes_cli/runtime_provider.py
+++ b/hermes_cli/runtime_provider.py
@ -72,12 +72,25 @@ def _resolve_openrouter_runtime(
        or OPENROUTER_BASE_URL
    ).rstrip("/")

-    api_key = (
-        explicit_api_key
-        or os.getenv("OPENROUTER_API_KEY")
-        or os.getenv("OPENAI_API_KEY")
-        or ""
-    )
+    # Choose API key based on whether the resolved base_url targets OpenRouter.
+    # When hitting OpenRouter, prefer OPENROUTER_API_KEY (issue #289).
+    # When hitting a custom endpoint, prefer OPENAI_API_KEY so the OpenRouter
+    # key doesn't leak to an unrelated provider (issue #560).
+    _is_openrouter_url = "openrouter.ai" in base_url
+    if _is_openrouter_url:
+        api_key = (
+            explicit_api_key
+            or os.getenv("OPENROUTER_API_KEY")
+            or os.getenv("OPENAI_API_KEY")
+            or ""
+        )
+    else:
+        api_key = (
+            explicit_api_key
+            or os.getenv("OPENAI_API_KEY")
+            or os.getenv("OPENROUTER_API_KEY")
+            or ""
+        )

    source = "explicit" if (explicit_api_key or explicit_base_url) else "env/config"