hermes-agent/tests/hermes_cli/test_provider_precedence.py
kshitijk4poor 2af1678bfc fix(auth): explicit provider intent beats stale OAuth active_provider (#29285)
`resolve_provider("auto")` checked `auth.json` `active_provider` BEFORE the
config.yaml `model.provider` and env-var API-key checks. So a user who was
OAuth-logged-into one provider (e.g. Anthropic) but had set an explicit
`model.provider` or exported an API key (e.g. `OPENAI_API_KEY`) was silently
routed to the stale OAuth provider — the override was invisible and surprising.

Reorder the auto-path so explicit intent wins (the order the issue asks for):

  1. explicit CLI api_key/base_url
  2. config.yaml `model.provider`            (safety net — see below)
  3. OPENAI_API_KEY / OPENROUTER_API_KEY env
  4. OpenRouter credential pool
  5. provider-specific API-key env vars
  6. auth.json `active_provider` (OAuth)      ← demoted to last-resort
  7. AWS Bedrock credential chain
  8. error

`active_provider` is still honored — it's just a last-resort fallback chosen
only when the user expressed no other preference, instead of overriding one.

The normal chat/gateway/TUI/ACP/status path already resolves config.provider
upstream in `resolve_requested_provider()` before "auto" is reached, so this
duplicate config check is the safety net for the lone direct caller
(`main.py` `resolve_provider("auto")`) and any future bypass. Because every
surface funnels through this one resolver, the fix propagates everywhere with
a single edit — no sibling path re-implements precedence.

Also add a one-shot WARN when resolution lands on `active_provider` while a
populated `model` config dict lacks a `provider` key — surfacing the silent
override the issue reported without breaking first-install.

Synthesizes the two competing PRs: #29615 (LifeJiggy — config-before-auth +
the silent-override framing) and #29809 (Minksgo — the env-before-auth
reorder). #29809 could not be merged directly (bundled unrelated, un-opt-in
cost-tagging telemetry); its reorder idea is incorporated here and credited.

Tests: tests/hermes_cli/test_provider_precedence.py — config/env beat stale
OAuth, OAuth still used as last resort, explicit request short-circuits, WARN
fires on silent fall-through. Full provider-resolution suites: 374 passed.

Fixes #29285

Co-authored-by: LifeJiggy <141562589+LifeJiggy@users.noreply.github.com>
Co-authored-by: Minksgo <153416856+Minksgo@users.noreply.github.com>
2026-06-27 19:49:02 -07:00

117 lines
5.3 KiB
Python

"""Regression tests for #29285 — provider precedence in resolve_provider("auto").
Explicit user intent (config.yaml model.provider, env-var API keys) must win
over a stale logged-in OAuth `active_provider` in auth.json. Before the fix,
`active_provider` sat above the env/config checks and silently overrode an
explicit choice — e.g. a user OAuth-logged-into Anthropic but with
OPENAI_API_KEY exported (or model.provider set) got routed to Anthropic.
"""
import pytest
from hermes_cli.auth import resolve_provider, AuthError
def _login(monkeypatch, provider_id):
"""Simulate a logged-in OAuth active_provider in auth.json."""
monkeypatch.setattr("hermes_cli.auth._load_auth_store",
lambda: {"active_provider": provider_id})
monkeypatch.setattr("hermes_cli.auth.get_auth_status",
lambda p: {"logged_in": p == provider_id})
def _config(monkeypatch, model_cfg):
monkeypatch.setattr("hermes_cli.config.load_config", lambda: {"model": model_cfg})
def _no_aws(monkeypatch):
# Neutralize any ambient AWS creds so Bedrock auto-detect can't interfere.
monkeypatch.setattr("agent.bedrock_adapter.has_aws_credentials", lambda: False)
def _clear_provider_env(monkeypatch):
for var in ("OPENAI_API_KEY", "OPENROUTER_API_KEY", "GLM_API_KEY", "ZAI_API_KEY",
"KIMI_API_KEY", "MINIMAX_API_KEY", "HERMES_INFERENCE_PROVIDER"):
monkeypatch.delenv(var, raising=False)
class TestProviderPrecedence:
def test_config_provider_beats_stale_oauth(self, monkeypatch):
"""config.yaml model.provider wins over a logged-in OAuth active_provider."""
_clear_provider_env(monkeypatch)
_no_aws(monkeypatch)
_login(monkeypatch, "anthropic") # stale OAuth login
_config(monkeypatch, {"provider": "zai", "default": "glm-4.6"})
assert resolve_provider("auto") == "zai"
def test_env_key_beats_stale_oauth(self, monkeypatch):
"""An exported provider API key wins over a logged-in OAuth active_provider."""
_clear_provider_env(monkeypatch)
_no_aws(monkeypatch)
_login(monkeypatch, "anthropic")
_config(monkeypatch, {"default": "some-model"}) # dict, NO provider key
monkeypatch.setenv("OPENAI_API_KEY", "sk-test-key")
assert resolve_provider("auto") == "openrouter"
def test_provider_specific_env_key_beats_stale_oauth(self, monkeypatch):
"""A provider-specific env key (GLM) wins over a logged-in OAuth provider."""
_clear_provider_env(monkeypatch)
_no_aws(monkeypatch)
_login(monkeypatch, "anthropic")
_config(monkeypatch, {})
monkeypatch.setenv("GLM_API_KEY", "test-glm-key")
assert resolve_provider("auto") == "zai"
def test_oauth_used_as_last_resort(self, monkeypatch):
"""With NO config provider and NO env keys, the logged-in OAuth provider
is still used (it's the last-resort fallback, not removed)."""
_clear_provider_env(monkeypatch)
_no_aws(monkeypatch)
_login(monkeypatch, "anthropic")
_config(monkeypatch, {}) # empty model config, no provider
assert resolve_provider("auto") == "anthropic"
def test_explicit_request_unaffected(self, monkeypatch):
"""An explicit requested provider short-circuits everything."""
_clear_provider_env(monkeypatch)
_login(monkeypatch, "anthropic")
assert resolve_provider("zai") == "zai"
def test_warns_on_silent_oauth_fallthrough(self, monkeypatch, caplog):
"""A populated model dict lacking `provider` that falls through to OAuth
emits a WARN so the silent override is visible (#29285)."""
import logging
_clear_provider_env(monkeypatch)
_no_aws(monkeypatch)
_login(monkeypatch, "anthropic")
_config(monkeypatch, {"default": "claude-x"}) # populated, no provider
with caplog.at_level(logging.WARNING, logger="hermes_cli.auth"):
assert resolve_provider("auto") == "anthropic"
assert any("no `provider` key" in r.message for r in caplog.records)
def test_warns_when_env_key_preempts_oauth(self, monkeypatch, caplog):
"""When an exported API key preempts a logged-in OAuth provider, a WARN
makes the silent routing switch visible (#29285)."""
import logging
_clear_provider_env(monkeypatch)
_no_aws(monkeypatch)
_login(monkeypatch, "anthropic") # OAuth into anthropic
_config(monkeypatch, {})
monkeypatch.setenv("GLM_API_KEY", "test-glm-key") # unrelated key present
with caplog.at_level(logging.WARNING, logger="hermes_cli.auth"):
assert resolve_provider("auto") == "zai"
assert any("preempting your" in r.message for r in caplog.records)
def test_openrouter_pool_beats_stale_oauth(self, monkeypatch):
"""An OpenRouter credential-pool entry (no env var) wins over a logged-in
OAuth provider — the pool rung sits above OAuth (#42130 + #29285)."""
_clear_provider_env(monkeypatch)
_no_aws(monkeypatch)
_login(monkeypatch, "anthropic")
_config(monkeypatch, {})
class _Pool:
def has_credentials(self):
return True
monkeypatch.setattr("agent.credential_pool.load_pool", lambda name: _Pool())
assert resolve_provider("auto") == "openrouter"