fix: avoid persisting borrowed credential secrets (#31416)

2026-05-29 06:31:32 +00:00 · 2026-05-25 03:32:08 -04:00 · 2026-05-25 03:32:08 -04:00 · d7c5d5dee5
commit d7c5d5dee5
parent 2b768535c9
6 changed files with 590 additions and 27 deletions
--- a/hermes_cli/auth.py
+++ b/hermes_cli/auth.py
@ -49,6 +49,7 @@ import yaml

 from hermes_cli.config import get_hermes_home, get_config_path, read_raw_config
 from hermes_constants import OPENROUTER_BASE_URL, secure_parent_dir
+from agent.credential_persistence import sanitize_borrowed_credential_payload
 from utils import atomic_replace, atomic_yaml_write, is_truthy_value

 logger = logging.getLogger(__name__)
@ -1168,14 +1169,23 @@ def read_credential_pool(provider_id: Optional[str] = None) -> Dict[str, Any]:


 def write_credential_pool(provider_id: str, entries: List[Dict[str, Any]]) -> Path:
-    """Persist one provider's credential pool under auth.json."""
+    """Persist one provider's credential pool under auth.json.
+
+    This is the final disk-boundary guard for borrowed/reference-only
+    credentials. Callers may pass raw dictionaries, so sanitize here even when
+    ``PooledCredential.to_dict()`` already did the same work upstream.
+    """
    with _auth_store_lock():
        auth_store = _load_auth_store()
        pool = auth_store.get("credential_pool")
        if not isinstance(pool, dict):
            pool = {}
            auth_store["credential_pool"] = pool
-        pool[provider_id] = list(entries)
+        pool[provider_id] = [
+            sanitize_borrowed_credential_payload(entry, provider_id)
+            if isinstance(entry, dict) else entry
+            for entry in entries
+        ]
        return _save_auth_store(auth_store)