fix: stop /model from silently rerouting direct providers to OpenRouter (#10300) (#10780)

detect_provider_for_model() silently remapped models to OpenRouter when the direct provider's credentials weren't found via env vars. Three bugs: 1. Credential check only looked at env vars from PROVIDER_REGISTRY, missing credential pool entries, auth store, and OAuth tokens 2. When env var check failed, silently returned ('openrouter', slug) instead of the direct provider the model actually belongs to 3. Users with valid credentials via non-env-var mechanisms (pool, OAuth, Claude Code tokens) got silently rerouted Fix: - Expand credential check to also query credential pool and auth store - Always return the direct provider match regardless of credential status -- let client init handle missing creds with a clear error rather than silently routing through the wrong provider Same philosophy as the provider-required fix: don't guess, don't silently reroute, error clearly when something is missing. Closes #10300
2026-04-28 06:51:16 +08:00 · 2026-04-16 02:27:20 -07:00
parent e4cd62d07d
commit f2f9d0c819
1 changed files with 23 additions and 10 deletions
--- a/hermes_cli/models.py
+++ b/hermes_cli/models.py
@@ -1061,7 +1061,8 @@ def detect_provider_for_model(
            break

    if direct_match:
-        # Check if we have credentials for this provider
+        # Check if we have credentials for this provider — env vars,
+        # credential pool, or auth store entries.
        has_creds = False
        try:
            from hermes_cli.auth import PROVIDER_REGISTRY
@@ -1074,16 +1075,28 @@ def detect_provider_for_model(
                        break
        except Exception:
            pass
+        # Also check credential pool and auth store — covers OAuth,
+        # Claude Code tokens, and other non-env-var credentials (#10300).
+        if not has_creds:
+            try:
+                from agent.credential_pool import load_pool
+                pool = load_pool(direct_match)
+                if pool.has_credentials():
+                    has_creds = True
+            except Exception:
+                pass
+        if not has_creds:
+            try:
+                from hermes_cli.auth import _load_auth_store
+                store = _load_auth_store()
+                if direct_match in store.get("providers", {}) or direct_match in store.get("credential_pool", {}):
+                    has_creds = True
+            except Exception:
+                pass

-        if has_creds:
-            return (direct_match, name)
-
-        # No direct creds — try to find this model on OpenRouter instead
-        or_slug = _find_openrouter_slug(name)
-        if or_slug:
-            return ("openrouter", or_slug)
-        # Still return the direct provider — credential resolution will
-        # give a clear error rather than silently using the wrong provider
+        # Always return the direct provider match.  If credentials are
+        # missing, the client init will give a clear error rather than
+        # silently routing through the wrong provider (#10300).
        return (direct_match, name)

    # --- Step 2: check OpenRouter catalog ---