fix(model): avoid persisting key_env-resolved secrets to providers entry (#16372)

When 'hermes model' runs against a providers: (keyed-schema) entry that relies only on key_env, the picker resolves the env var for the live /models request and then wrote a synthesized 'api_key: ${KEY_ENV}' back to the providers.<key> entry. That's redundant — the runtime already resolves from key_env directly — and it clutters configs that intentionally keep credentials out of config.yaml. Only persist provider_entry['api_key'] when the user originally had an inline value (literal secret or ${VAR} template). Entries that declared only key_env stay clean on save. Fixes #15803.
2026-04-28 06:51:16 +08:00 · 2026-04-26 21:52:12 -07:00
parent 9f1b1977bc
commit 8258f4dcb7
2 changed files with 146 additions and 1 deletions
--- a/hermes_cli/main.py
+++ b/hermes_cli/main.py
@@ -3332,7 +3332,26 @@ def _model_flow_named_custom(config, provider_info):
            provider_entry = providers_cfg.get(provider_key)
            if isinstance(provider_entry, dict):
                provider_entry["default_model"] = model_name
-                if config_api_key and not str(provider_entry.get("api_key", "") or "").strip():
+                # Only persist an inline api_key when the user originally had
+                # one (either a literal secret or a ``${VAR}`` template). When
+                # the entry relies on ``key_env``, do not synthesize a
+                # ``${key_env}`` api_key — the runtime already resolves the
+                # key from ``key_env`` directly, and writing the resolved
+                # secret (or even a synthesized template) would silently
+                # downgrade credential hygiene on entries that intentionally
+                # keep plaintext out of ``config.yaml``. See issue #15803.
+                original_api_key_ref = str(
+                    provider_info.get("api_key_ref", "") or ""
+                ).strip()
+                original_api_key = str(
+                    provider_info.get("api_key", "") or ""
+                ).strip()
+                had_inline_api_key = bool(original_api_key_ref or original_api_key)
+                if (
+                    had_inline_api_key
+                    and config_api_key
+                    and not str(provider_entry.get("api_key", "") or "").strip()
+                ):
                    provider_entry["api_key"] = config_api_key
                if key_env and not str(provider_entry.get("key_env", "") or "").strip():
                    provider_entry["key_env"] = key_env