From ddbb1520c9b16ba3447f1d8b3b06105ec97c74f2 Mon Sep 17 00:00:00 2001 From: claude-ceo-assistant Date: Fri, 8 May 2026 03:34:17 +0000 Subject: [PATCH] test(credential-pool): invert obsolete os.environ-wins test for #18254 fix The stale invariant "os.environ wins over .env" was deliberately inverted in 2ef1ad2 ("fix: prefer ~/.hermes/.env over os.environ when seeding credential pool"). The fix targets the case where a parent shell (Codex CLI, harness scripts) exports a stale OPENROUTER_API_KEY, the user updates ~/.hermes/.env with a fresh value, and Hermes silently 401s because auth.json cached the stale env-var. Rename + invert this test to assert the new invariant (.env wins). The positive load_pool coverage already exists in tests/agent/test_credential_pool.py::test_load_pool_prefers_dotenv_over_stale_os_environ (added in 0a6865b alongside the fix); this case still serves a purpose because it exercises _seed_from_env directly, which is a separate code path from load_pool. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../test_credential_pool_env_fallback.py | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/tests/tools/test_credential_pool_env_fallback.py b/tests/tools/test_credential_pool_env_fallback.py index 938484f0..b157bb87 100644 --- a/tests/tools/test_credential_pool_env_fallback.py +++ b/tests/tools/test_credential_pool_env_fallback.py @@ -106,10 +106,20 @@ class TestCredentialPoolSeedsFromDotEnv: assert active_sources == set() assert entries == [] - def test_os_environ_still_wins_over_dotenv(self, isolated_hermes_home, monkeypatch): - """get_env_value checks os.environ first — verify seeding picks that up.""" - _write_env_file(isolated_hermes_home, DEEPSEEK_API_KEY="sk-dotenv-stale") - monkeypatch.setenv("DEEPSEEK_API_KEY", "sk-env-fresh-xyz") + def test_dotenv_wins_over_stale_os_environ(self, isolated_hermes_home, monkeypatch): + """.env should win over a stale os.environ value. + + Inverted from the pre-#18254 behaviour. Stale env vars inherited + from parent shells (Codex CLI, test harnesses) used to shadow + deliberate updates to ~/.hermes/.env, causing auth.json to cache + an outdated key and silent 401 errors. The invariant now is: + when a key appears in both sources, .env wins. + + Sister coverage in tests/agent/test_credential_pool.py exercises + the load_pool path; this case exercises _seed_from_env directly. + """ + _write_env_file(isolated_hermes_home, DEEPSEEK_API_KEY="sk-dotenv-fresh") + monkeypatch.setenv("DEEPSEEK_API_KEY", "sk-env-stale-xyz") from agent.credential_pool import _seed_from_env entries = [] @@ -118,7 +128,7 @@ class TestCredentialPoolSeedsFromDotEnv: assert changed is True seeded = [e for e in entries if e.source == "env:DEEPSEEK_API_KEY"] assert len(seeded) == 1 - assert seeded[0].access_token == "sk-env-fresh-xyz" + assert seeded[0].access_token == "sk-dotenv-fresh" class TestAuthResolvesFromDotEnv: