From 5c15e0ba5e0755b5624b4b7cc23a77444be4defe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zo=C3=AB?= <zoe@myhosted.site>
Date: Sat, 30 May 2026 18:29:35 -0700
Subject: [PATCH] fix: use role's allowed model from OpenBao secret instead of
 hardcoded model ID

---
 container/entrypoint.py | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/container/entrypoint.py b/container/entrypoint.py
index 10360a2..05345ec 100644
--- a/container/entrypoint.py
+++ b/container/entrypoint.py
@@ -74,14 +74,21 @@ def get_secret(bao_token: str, path: str, key: str) -> str:
 def fetch_role_secrets(bao_token: str, role: str) -> dict:
     """Fetch all secrets for a role. Returns dict of secret_name -> value."""
     secrets = {}
-    secret_names = ["litellm-key"]
-    for name in secret_names:
-        try:
-            key = "key"
-            secrets[name] = get_secret(bao_token, f"autojanet/{role}/{name}", key)
-            log.info("Fetched secret: %s", name)
-        except Exception as e:
-            log.warning("Could not fetch %s: %s", name, e)
+    try:
+        resp = httpx.get(
+            f"{OPENBAO_ADDR}/v1/secret/data/autojanet/{role}/litellm-key",
+            headers={"X-Vault-Token": bao_token},
+            timeout=10,
+        )
+        resp.raise_for_status()
+        data = resp.json()["data"]["data"]
+        secrets["litellm-key"] = data["key"]
+        # Use first allowed model; fall back to a sensible default
+        models = data.get("models", [])
+        secrets["litellm-model"] = models[0] if models else "copilot/claude-sonnet-4.5"
+        log.info("Fetched litellm-key; model=%s", secrets["litellm-model"])
+    except Exception as e:
+        log.warning("Could not fetch litellm-key: %s", e)
     return secrets
 
 
@@ -90,6 +97,7 @@ def write_opencode_config(secrets: dict, role: str) -> None:
     CONFIG_DIR.mkdir(parents=True, exist_ok=True)
 
     litellm_key = secrets.get("litellm-key", "")
+    litellm_model = f"litellm/{secrets.get('litellm-model', 'copilot/claude-sonnet-4.5')}"
 
     # Set the LiteLLM API key as env var — opencode reads OPENAI_API_KEY for
     # openai-compatible providers
@@ -97,7 +105,7 @@ def write_opencode_config(secrets: dict, role: str) -> None:
 
     config = {
         "$schema": "https://opencode.ai/config.json",
-        "model": "litellm/copilot/claude-sonnet-4.6",
+        "model": litellm_model,
         "provider": {
             "litellm": {
                 "npm": "@ai-sdk/openai-compatible",