mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-01 12:02:05 +00:00
`resolve_provider("auto")` checked `auth.json` `active_provider` BEFORE the
config.yaml `model.provider` and env-var API-key checks. So a user who was
OAuth-logged-into one provider (e.g. Anthropic) but had set an explicit
`model.provider` or exported an API key (e.g. `OPENAI_API_KEY`) was silently
routed to the stale OAuth provider — the override was invisible and surprising.
Reorder the auto-path so explicit intent wins (the order the issue asks for):
1. explicit CLI api_key/base_url
2. config.yaml `model.provider` (safety net — see below)
3. OPENAI_API_KEY / OPENROUTER_API_KEY env
4. OpenRouter credential pool
5. provider-specific API-key env vars
6. auth.json `active_provider` (OAuth) ← demoted to last-resort
7. AWS Bedrock credential chain
8. error
`active_provider` is still honored — it's just a last-resort fallback chosen
only when the user expressed no other preference, instead of overriding one.
The normal chat/gateway/TUI/ACP/status path already resolves config.provider
upstream in `resolve_requested_provider()` before "auto" is reached, so this
duplicate config check is the safety net for the lone direct caller
(`main.py` `resolve_provider("auto")`) and any future bypass. Because every
surface funnels through this one resolver, the fix propagates everywhere with
a single edit — no sibling path re-implements precedence.
Also add a one-shot WARN when resolution lands on `active_provider` while a
populated `model` config dict lacks a `provider` key — surfacing the silent
override the issue reported without breaking first-install.
Synthesizes the two competing PRs: #29615 (LifeJiggy — config-before-auth +
the silent-override framing) and #29809 (Minksgo — the env-before-auth
reorder). #29809 could not be merged directly (bundled unrelated, un-opt-in
cost-tagging telemetry); its reorder idea is incorporated here and credited.
Tests: tests/hermes_cli/test_provider_precedence.py — config/env beat stale
OAuth, OAuth still used as last resort, explicit request short-circuits, WARN
fires on silent fall-through. Full provider-resolution suites: 374 passed.
Fixes #29285
Co-authored-by: LifeJiggy <141562589+LifeJiggy@users.noreply.github.com>
Co-authored-by: Minksgo <153416856+Minksgo@users.noreply.github.com>
117 lines
5.3 KiB
Python
117 lines
5.3 KiB
Python
"""Regression tests for #29285 — provider precedence in resolve_provider("auto").
|
|
|
|
Explicit user intent (config.yaml model.provider, env-var API keys) must win
|
|
over a stale logged-in OAuth `active_provider` in auth.json. Before the fix,
|
|
`active_provider` sat above the env/config checks and silently overrode an
|
|
explicit choice — e.g. a user OAuth-logged-into Anthropic but with
|
|
OPENAI_API_KEY exported (or model.provider set) got routed to Anthropic.
|
|
"""
|
|
import pytest
|
|
|
|
from hermes_cli.auth import resolve_provider, AuthError
|
|
|
|
|
|
def _login(monkeypatch, provider_id):
|
|
"""Simulate a logged-in OAuth active_provider in auth.json."""
|
|
monkeypatch.setattr("hermes_cli.auth._load_auth_store",
|
|
lambda: {"active_provider": provider_id})
|
|
monkeypatch.setattr("hermes_cli.auth.get_auth_status",
|
|
lambda p: {"logged_in": p == provider_id})
|
|
|
|
|
|
def _config(monkeypatch, model_cfg):
|
|
monkeypatch.setattr("hermes_cli.config.load_config", lambda: {"model": model_cfg})
|
|
|
|
|
|
def _no_aws(monkeypatch):
|
|
# Neutralize any ambient AWS creds so Bedrock auto-detect can't interfere.
|
|
monkeypatch.setattr("agent.bedrock_adapter.has_aws_credentials", lambda: False)
|
|
|
|
|
|
def _clear_provider_env(monkeypatch):
|
|
for var in ("OPENAI_API_KEY", "OPENROUTER_API_KEY", "GLM_API_KEY", "ZAI_API_KEY",
|
|
"KIMI_API_KEY", "MINIMAX_API_KEY", "HERMES_INFERENCE_PROVIDER"):
|
|
monkeypatch.delenv(var, raising=False)
|
|
|
|
|
|
class TestProviderPrecedence:
|
|
def test_config_provider_beats_stale_oauth(self, monkeypatch):
|
|
"""config.yaml model.provider wins over a logged-in OAuth active_provider."""
|
|
_clear_provider_env(monkeypatch)
|
|
_no_aws(monkeypatch)
|
|
_login(monkeypatch, "anthropic") # stale OAuth login
|
|
_config(monkeypatch, {"provider": "zai", "default": "glm-4.6"})
|
|
assert resolve_provider("auto") == "zai"
|
|
|
|
def test_env_key_beats_stale_oauth(self, monkeypatch):
|
|
"""An exported provider API key wins over a logged-in OAuth active_provider."""
|
|
_clear_provider_env(monkeypatch)
|
|
_no_aws(monkeypatch)
|
|
_login(monkeypatch, "anthropic")
|
|
_config(monkeypatch, {"default": "some-model"}) # dict, NO provider key
|
|
monkeypatch.setenv("OPENAI_API_KEY", "sk-test-key")
|
|
assert resolve_provider("auto") == "openrouter"
|
|
|
|
def test_provider_specific_env_key_beats_stale_oauth(self, monkeypatch):
|
|
"""A provider-specific env key (GLM) wins over a logged-in OAuth provider."""
|
|
_clear_provider_env(monkeypatch)
|
|
_no_aws(monkeypatch)
|
|
_login(monkeypatch, "anthropic")
|
|
_config(monkeypatch, {})
|
|
monkeypatch.setenv("GLM_API_KEY", "test-glm-key")
|
|
assert resolve_provider("auto") == "zai"
|
|
|
|
def test_oauth_used_as_last_resort(self, monkeypatch):
|
|
"""With NO config provider and NO env keys, the logged-in OAuth provider
|
|
is still used (it's the last-resort fallback, not removed)."""
|
|
_clear_provider_env(monkeypatch)
|
|
_no_aws(monkeypatch)
|
|
_login(monkeypatch, "anthropic")
|
|
_config(monkeypatch, {}) # empty model config, no provider
|
|
assert resolve_provider("auto") == "anthropic"
|
|
|
|
def test_explicit_request_unaffected(self, monkeypatch):
|
|
"""An explicit requested provider short-circuits everything."""
|
|
_clear_provider_env(monkeypatch)
|
|
_login(monkeypatch, "anthropic")
|
|
assert resolve_provider("zai") == "zai"
|
|
|
|
def test_warns_on_silent_oauth_fallthrough(self, monkeypatch, caplog):
|
|
"""A populated model dict lacking `provider` that falls through to OAuth
|
|
emits a WARN so the silent override is visible (#29285)."""
|
|
import logging
|
|
_clear_provider_env(monkeypatch)
|
|
_no_aws(monkeypatch)
|
|
_login(monkeypatch, "anthropic")
|
|
_config(monkeypatch, {"default": "claude-x"}) # populated, no provider
|
|
with caplog.at_level(logging.WARNING, logger="hermes_cli.auth"):
|
|
assert resolve_provider("auto") == "anthropic"
|
|
assert any("no `provider` key" in r.message for r in caplog.records)
|
|
|
|
def test_warns_when_env_key_preempts_oauth(self, monkeypatch, caplog):
|
|
"""When an exported API key preempts a logged-in OAuth provider, a WARN
|
|
makes the silent routing switch visible (#29285)."""
|
|
import logging
|
|
_clear_provider_env(monkeypatch)
|
|
_no_aws(monkeypatch)
|
|
_login(monkeypatch, "anthropic") # OAuth into anthropic
|
|
_config(monkeypatch, {})
|
|
monkeypatch.setenv("GLM_API_KEY", "test-glm-key") # unrelated key present
|
|
with caplog.at_level(logging.WARNING, logger="hermes_cli.auth"):
|
|
assert resolve_provider("auto") == "zai"
|
|
assert any("preempting your" in r.message for r in caplog.records)
|
|
|
|
def test_openrouter_pool_beats_stale_oauth(self, monkeypatch):
|
|
"""An OpenRouter credential-pool entry (no env var) wins over a logged-in
|
|
OAuth provider — the pool rung sits above OAuth (#42130 + #29285)."""
|
|
_clear_provider_env(monkeypatch)
|
|
_no_aws(monkeypatch)
|
|
_login(monkeypatch, "anthropic")
|
|
_config(monkeypatch, {})
|
|
|
|
class _Pool:
|
|
def has_credentials(self):
|
|
return True
|
|
|
|
monkeypatch.setattr("agent.credential_pool.load_pool", lambda name: _Pool())
|
|
assert resolve_provider("auto") == "openrouter"
|