fix: vanilla-agent onboarding — auth cast, available-models 404 fallback #265
Merged
outsourc-e merged 2 commits into main from May 3, 2026
added 2 commits
May 3, 2026 09:36
…h proper 401
isAuthenticated() returns boolean. The previous pattern:

    const authResult = isAuthenticated(request)
    if (authResult !== true) return authResult as unknown as Response

silenced the TypeScript error but threw HTTPError -> 500 at runtime
because the framework received `false` instead of a Response. This
broke /api/connection-status entirely on protected setups (causing
ONBOARDING_KEY to never persist on fresh installs) and would have
broken the just-merged /api/system-metrics in the same way.

Replace with the canonical pattern used by every other API route:

    if (!isAuthenticated(request)) {
      return json({ error: 'Unauthorized' }, { status: 401 })
    }

Refs #261 (which spotted the pattern in connection-status), #246
(which copied the broken pattern into system-metrics).
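The failure mode described in this commit message, reproduced as an added TypeScript example (not code from the PR). `HttpReply`, `json()`, `dispatch()` and the header check inside `isAuthenticated()` are stand-ins assumed here for the framework and the project's real auth helper; the block shows that the double cast changes only the static type, so the unauthenticated path yields a 500 rather than a 401.

```typescript
// Added illustration. HttpReply, json() and dispatch() are hypothetical
// stand-ins for the web framework; they are not the project's code.
class HttpReply {
  status: number
  body: unknown
  constructor(status: number, body: unknown) {
    this.status = status
    this.body = body
  }
}
const json = (body: unknown, init: { status: number }) => new HttpReply(init.status, body)

type Req = { headers: Record<string, string> }

// Assumed check against a constructed token; like the real helper it returns boolean.
function isAuthenticated(request: Req): boolean {
  return request.headers['authorization'] === 'Bearer constructed-token'
}

// Before: the cast satisfies the compiler, but the value returned is still `false`.
function brokenHandler(request: Req): HttpReply {
  const authResult = isAuthenticated(request)
  if (authResult !== true) return authResult as unknown as HttpReply
  return json({ ok: true }, { status: 200 })
}

// After: the guard builds a real 401 reply.
function fixedHandler(request: Req): HttpReply {
  if (!isAuthenticated(request)) {
    return json({ error: 'Unauthorized' }, { status: 401 })
  }
  return json({ ok: true }, { status: 200 })
}

// Framework stand-in: a handler result that is not a reply object becomes a 500.
function dispatch(handler: (r: Req) => HttpReply, request: Req): number {
  const out: unknown = handler(request)
  return out instanceof HttpReply ? out.status : 500
}
```

The broken guard still refuses the request, but as a 500, so clients and monitoring see a server fault instead of an authentication failure.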
…on vanilla agent
Vanilla hermes-agent (any version through 2026-05) does not expose
`/api/available-models` — that endpoint is legacy fork-only. The chat
composer + settings dialog hit `/api/claude-proxy/api/available-models`
expecting it to work, get 404, and fall through to broken UI states
where the model picker is empty.
Fix: when proxying GET /api/available-models and the upstream returns
404, synthesize a compatible `{ models: [...] }` response from
/v1/models filtered by ?provider= so the picker keeps working.
Also: read the bearer token at request time using the same precedence
as the rest of the codebase (HERMES_API_TOKEN || CLAUDE_API_TOKEN ||
module-level BEARER_TOKEN). PR #234 fixed this in openai-compat-api.ts;
this catches the proxy path that was missed.
Refs #261.
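An added sketch of the fallback and token lookup this commit message describes (not the PR's code). Assumptions: `/v1/models` returns an OpenAI-style `{ data: [{ id }] }` list, provider filtering is an `id` prefix match on `<provider>/`, and the upstream call is injected as the hypothetical `Upstream` function so the block runs offline.

```typescript
// Added illustration; names other than the env vars and paths are hypothetical.
type Env = Record<string, string | undefined>
type Reply = { status: number; json: unknown }
type Upstream = (path: string, token: string) => Promise<Reply>

const BEARER_TOKEN = 'module-default' // stand-in for the module-level value

// Resolved on every request, so a token set after module load is still honored.
function resolveToken(env: Env): string {
  return env['HERMES_API_TOKEN'] || env['CLAUDE_API_TOKEN'] || BEARER_TOKEN
}

// Assumed /v1/models shape and an assumed "<provider>/" id-prefix filter.
function synthesizeModels(provider: string, v1Body: unknown): { models: Array<{ id: string }> } {
  const data = (v1Body as { data?: Array<{ id: string }> } | null)?.data ?? []
  return { models: data.filter((m) => m.id.startsWith(provider + '/')) }
}

async function proxyAvailableModels(provider: string, env: Env, upstream: Upstream): Promise<Reply> {
  const token = resolveToken(env)
  const legacy = await upstream('/api/available-models?provider=' + encodeURIComponent(provider), token)
  // Fall back only on 404; a 401/403/5xx must reach the caller unchanged.
  if (legacy.status !== 404) return legacy
  const list = await upstream('/v1/models', token)
  if (list.status !== 200) return list
  return { status: 200, json: synthesizeModels(provider, list.json) }
}

// Constructed upstream that behaves like a vanilla agent without the legacy endpoint.
const vanillaAgent: Upstream = async (path, token) => {
  if (token !== 'constructed-hermes-token') return { status: 401, json: { error: 'Unauthorized' } }
  if (path.startsWith('/api/available-models')) return { status: 404, json: null }
  return { status: 200, json: { data: [{ id: 'openrouter/model-a' }, { id: 'other/model-b' }] } }
}
```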
Summary

Three small fixes that together unblock onboarding on a fresh `pnpm install` against vanilla `nousresearch/hermes-agent` (any version through 2026-05).

1. `isAuthenticated() as unknown as Response` cast was throwing 500 at runtime

`isAuthenticated()` returns `boolean`, not `Response`. The cast silenced the TypeScript error but threw `HTTPError → 500` at runtime because the framework received `false`, not a Response. This broke `/api/connection-status` entirely on protected setups, preventing `ONBOARDING_KEY` from persisting on fresh installs.

PR #246 (just-merged) copied the same broken pattern into `/api/system-metrics`. Both now use the canonical pattern:

Refs #261 (which spotted the cast in `connection-status.ts`).

2. `/api/claude-proxy/api/available-models` returned 404 on vanilla agent

Vanilla hermes-agent doesn't expose `/api/available-models` — that's a legacy fork-only endpoint. Chat composer + settings dialog hit it expecting it to work, got 404, fell through to broken UI states where the provider model picker was empty.

Fix: when proxying `GET /api/available-models` and upstream returns 404, synthesize a compatible `{ models: [...] }` response from `/v1/models` filtered by `?provider=`.

3. claude-proxy bearer token wasn't honoring `HERMES_API_TOKEN`

Same fix that PR #234 applied to `openai-compat-api.ts`, now extended to the proxy path: read at request time, prefer `HERMES_API_TOKEN`, fall back to `CLAUDE_API_TOKEN`. Without this, deployments that follow the README's "set HERMES_API_TOKEN" instruction had the proxy 401 on every call.

Why this together

These three fixes share a common root cause: the migration from `Claude→Hermes` left behind a few thin layers (the auth cast pattern, the `available-models` legacy endpoint, env var precedence) that work on the dev machine but break the moment a new user tries to onboard against a clean vanilla agent.

Test plan

- `pnpm build` clean
- `/api/connection-status` no longer 500s on auth-protected setups
- `/api/claude-proxy/api/available-models?provider=openrouter` falls back gracefully when upstream 404s

Refs

Resolves #263 partially (combined with PR #234 covers all bearer-token paths)
Refs #261 (auth cast pattern + provider model picker)