From f304f412665b6b7a3af766879912288e02444161 Mon Sep 17 00:00:00 2001 From: Teknium <127238744+teknium1@users.noreply.github.com> Date: Tue, 7 Jul 2026 14:15:40 -0700 Subject: [PATCH] fix: harden explicit-provider gate for stale env-seeded pool entries + non-desktop picker opt-ins Follow-up on the #56966 salvage: - is_provider_explicitly_configured(): an env-seeded credential-pool entry only counts as explicit while its env var still resolves to a usable secret. A stale auth.json entry left behind after the user deletes the var no longer keeps the provider in the picker forever (#55790). - TUI modelPicker + dashboard ModelPickerDialog/api.getModelOptions pass include_unconfigured=true explicitly, preserving their full-universe setup-affordance behavior now that the backend defaults to the configured subset. - desktop lib/model-options.ts routes explicit_only through the shared requestModelOptions() helper (added on main after the PR branched). - regression tests for ambient (gh_cli) pool sources, explicit manual/ device-code sources, and stale vs live env-seeded entries. --- tests/hermes_cli/test_auth_provider_gate.py | 89 +++++++++++++++++++++ 1 file changed, 89 insertions(+) diff --git a/tests/hermes_cli/test_auth_provider_gate.py b/tests/hermes_cli/test_auth_provider_gate.py index 561009d096c..d379bdd262d 100644 --- a/tests/hermes_cli/test_auth_provider_gate.py +++ b/tests/hermes_cli/test_auth_provider_gate.py @@ -82,3 +82,92 @@ def test_claude_code_oauth_token_does_not_count_as_explicit(tmp_path, monkeypatc from hermes_cli.auth import is_provider_explicitly_configured assert is_provider_explicitly_configured("anthropic") is False + + +def test_ambient_pool_source_does_not_count_as_explicit(tmp_path, monkeypatch): + """gh_cli-seeded Copilot pool entries are ambient, not explicit config (#56974).""" + monkeypatch.setenv("HERMES_HOME", str(tmp_path / "hermes")) + monkeypatch.delenv("COPILOT_GITHUB_TOKEN", raising=False) + monkeypatch.delenv("GH_TOKEN", raising=False) + monkeypatch.delenv("GITHUB_TOKEN", raising=False) + _write_auth_store(tmp_path, { + "version": 1, + "providers": {}, + "active_provider": None, + "credential_pool": { + "copilot": [{ + "id": "abc123", + "source": "gh_cli", + "auth_type": "api_key", + "access_token": "ghu_sometoken", + }], + }, + }) + + from hermes_cli.auth import is_provider_explicitly_configured + assert is_provider_explicitly_configured("copilot") is False + + +def test_explicit_pool_source_counts_as_explicit(tmp_path, monkeypatch): + """manual / device_code / PKCE pool entries reflect explicit Hermes flows.""" + monkeypatch.setenv("HERMES_HOME", str(tmp_path / "hermes")) + _write_auth_store(tmp_path, { + "version": 1, + "providers": {}, + "active_provider": None, + "credential_pool": { + "anthropic": [{ + "id": "def456", + "source": "manual:key-1", + "auth_type": "api_key", + "access_token": "sk-ant-api03-key", + }], + }, + }) + + from hermes_cli.auth import is_provider_explicitly_configured + assert is_provider_explicitly_configured("anthropic") is True + + +def test_stale_env_pool_entry_does_not_count_when_var_unset(tmp_path, monkeypatch): + """An env-seeded pool entry left in auth.json after the env var was removed + must not mark the provider configured (#55790): the picker showed removed + providers forever because the record existed even though no secret resolves.""" + monkeypatch.setenv("HERMES_HOME", str(tmp_path / "hermes")) + monkeypatch.delenv("DEEPSEEK_API_KEY", raising=False) + _write_auth_store(tmp_path, { + "version": 1, + "providers": {}, + "active_provider": None, + "credential_pool": { + "deepseek": [{ + "id": "aaa111", + "source": "env:DEEPSEEK_API_KEY", + "auth_type": "api_key", + }], + }, + }) + + from hermes_cli.auth import is_provider_explicitly_configured + assert is_provider_explicitly_configured("deepseek") is False + + +def test_env_pool_entry_counts_when_var_still_resolves(tmp_path, monkeypatch): + """The same env-seeded pool entry IS explicit while the var still resolves.""" + monkeypatch.setenv("HERMES_HOME", str(tmp_path / "hermes")) + monkeypatch.setenv("DEEPSEEK_API_KEY", "sk-deepseek-realkey-123456") + _write_auth_store(tmp_path, { + "version": 1, + "providers": {}, + "active_provider": None, + "credential_pool": { + "deepseek": [{ + "id": "aaa111", + "source": "env:DEEPSEEK_API_KEY", + "auth_type": "api_key", + }], + }, + }) + + from hermes_cli.auth import is_provider_explicitly_configured + assert is_provider_explicitly_configured("deepseek") is True