fix(config): endpoint-derived API keys outrank provider defaults in selectRuntimeApiKey#682
Merged
Merged
Conversation
selectRuntimeApiKey ordered provider-default keys before endpoint-derived keys, so a 'custom' provider pointed at api.anthropic.com or generativelanguage.googleapis.com with OPENAI_API_KEY also set sent the OpenAI key to the wrong API (auth failure). Repro: getHarnessProviderConfig with LIMINAL_HARNESS_BASE_URL=https://api.anthropic.com/v1. The endpoint is what the request hits, so its keys win; first-class providers are unaffected because their provider and endpoint key sets coincide. Regression test covers anthropic/google endpoints with both keys set, plus the unchanged OpenAI-compatible custom path. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug
selectRuntimeApiKey()insrc/config/ProviderRuntime.tsbuilt its non-generic candidate list as[...providerKeys, ...endpointKeys]. For provider'custom',apiKeyEnvNamesForProviderreturns['OPENAI_API_KEY'], which therefore outranked the endpoint-derived keys.Consequence: a custom endpoint pointed at
api.anthropic.com(endpoint keysANTHROPIC_API_KEY/ANTHROPIC_AUTH_TOKEN) orgenerativelanguage.googleapis.com(GOOGLE_API_KEY/GEMINI_API_KEY) withOPENAI_API_KEYalso set in the environment sent the OpenAI key to the wrong API → auth failure.Concrete repro path:
getHarnessProviderConfig()(src/harness/MultiProviderConfig.ts) withLIMINAL_HARNESS_BASE_URL=https://api.anthropic.com/v1callsselectRuntimeApiKeywithprovider='custom'andgenericFirstfalse.Fix
One-line precedence reorder: endpoint-derived keys now come before provider-default keys. Rationale: the endpoint is what the request actually hits, so its keys must win.
First-class providers are unaffected — for every menu provider (minimax, glm, kimi, moonshot, openai, openrouter, ollama, lmstudio),
apiKeyEnvNamesForEndpointresolves to the same key set asapiKeyEnvNamesForProvider(verified per-host throughdetectProviderAdapter/detectProviderLabel), so the reorder only changes behavior when provider and endpoint genuinely diverge — which is exactly the bug case.configuredApiKey/currentApiKeystill rank first;genericFirstblock ordering is unchanged.Tests (TDD)
New regression test (red → green): anthropic and google endpoints with both the OpenAI key and the endpoint key set assert the exact endpoint key is selected; a plain OpenAI-compatible custom endpoint asserts
OPENAI_API_KEYstill applies.pnpm exec eslint src/config/ProviderRuntime.tsclean.Relation to #681
#681 (open) documents the menu-vs-adapter layering and pins URL→adapter routing; this PR fixes the real key-precedence edge found during that investigation. Edits are placed away from #681's hunks (different function / different test position), so the two merge independently in either order.
🤖 Generated with Claude Code