fix: use role's allowed model from OpenBao secret instead of hardcoded model ID

2026-05-30 18:29:35 -07:00 · 2026-05-30 18:29:35 -07:00 · 5c15e0ba5e
commit 5c15e0ba5e
parent 80e0421be5
1 changed files with 17 additions and 9 deletions
--- a/container/entrypoint.py
+++ b/container/entrypoint.py
@ -74,14 +74,21 @@ def get_secret(bao_token: str, path: str, key: str) -> str:
 def fetch_role_secrets(bao_token: str, role: str) -> dict:
    """Fetch all secrets for a role. Returns dict of secret_name -> value."""
    secrets = {}
-    secret_names = ["litellm-key"]
-    for name in secret_names:
    try:
-            key = "key"
-            secrets[name] = get_secret(bao_token, f"autojanet/{role}/{name}", key)
-            log.info("Fetched secret: %s", name)
+        resp = httpx.get(
+            f"{OPENBAO_ADDR}/v1/secret/data/autojanet/{role}/litellm-key",
+            headers={"X-Vault-Token": bao_token},
+            timeout=10,
+        )
+        resp.raise_for_status()
+        data = resp.json()["data"]["data"]
+        secrets["litellm-key"] = data["key"]
+        # Use first allowed model; fall back to a sensible default
+        models = data.get("models", [])
+        secrets["litellm-model"] = models[0] if models else "copilot/claude-sonnet-4.5"
+        log.info("Fetched litellm-key; model=%s", secrets["litellm-model"])
    except Exception as e:
-            log.warning("Could not fetch %s: %s", name, e)
+        log.warning("Could not fetch litellm-key: %s", e)
    return secrets


@ -90,6 +97,7 @@ def write_opencode_config(secrets: dict, role: str) -> None:
    CONFIG_DIR.mkdir(parents=True, exist_ok=True)

    litellm_key = secrets.get("litellm-key", "")
+    litellm_model = f"litellm/{secrets.get('litellm-model', 'copilot/claude-sonnet-4.5')}"

    # Set the LiteLLM API key as env var — opencode reads OPENAI_API_KEY for
    # openai-compatible providers
@ -97,7 +105,7 @@ def write_opencode_config(secrets: dict, role: str) -> None:

    config = {
        "$schema": "https://opencode.ai/config.json",
-        "model": "litellm/copilot/claude-sonnet-4.6",
+        "model": litellm_model,
        "provider": {
            "litellm": {
                "npm": "@ai-sdk/openai-compatible",