feat: verify AI Gateway provider UX and attribution headers (#950)

Closes #950

- promote Vercel AI Gateway near the top of the provider picker
- add dedicated AI Gateway model flow with Vercel API-key deep link and live pricing
- use curated AI Gateway catalog refresh with free Moonshot auto-promotion
- apply AI Gateway attribution headers on runtime clients
- add targeted QA tests for provider UX and attribution headers

agent/a2a_mtls.py

@@ -29,8 +29,6 @@ import logging
 import os
 import ssl
 import threading
-import time
-import uuid
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from pathlib import Path
 from typing import Any, Callable, Dict, Optional
@@ -443,244 +441,3 @@ class A2AMTLSClient:
     def post(self, url: str, json: Optional[Dict[str, Any]] = None, **kwargs: Any) -> Dict[str, Any]:
         data = (__import__("json").dumps(json).encode() if json is not None else None)
         return self._request("POST", url, data=data, **kwargs)
-
-
-# ---------------------------------------------------------------------------
-# Structured A2A task delegation over mTLS
-# ---------------------------------------------------------------------------
-
-_TERMINAL_TASK_STATES = {"completed", "failed", "canceled", "rejected"}
-
-
-def _iso_now() -> str:
-    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
-
-
-def _task_status(state: str, message: str) -> Dict[str, Any]:
-    return {
-        "state": state,
-        "message": message,
-        "timestamp": _iso_now(),
-    }
-
-
-def _coerce_artifact(result: Any) -> Dict[str, Any]:
-    if isinstance(result, dict):
-        if "text" in result:
-            return result
-        if "artifact" in result and isinstance(result["artifact"], dict):
-            return result["artifact"]
-    return {"text": str(result)}
-
-
-def _build_task_record(task_id: str, task: str, requester: Optional[str], metadata: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
-    return {
-        "taskId": task_id,
-        "task": task,
-        "requester": requester,
-        "metadata": metadata or {},
-        "artifacts": [],
-        "status": _task_status("submitted", "Task submitted"),
-    }
-
-
-def _default_agent_card(host: str, port: int) -> Dict[str, Any]:
-    base_url = f"https://{host}:{port}"
-    try:
-        from agent.agent_card import build_agent_card
-        from dataclasses import asdict
-
-        card = asdict(build_agent_card())
-    except Exception as exc:  # pragma: no cover - fallback only exercised when card build breaks
-        logger.warning("Falling back to minimal agent card: %s", exc)
-        card = {
-            "name": os.environ.get("HERMES_AGENT_NAME", "hermes"),
-            "description": "Hermes A2A task server",
-            "version": "unknown",
-        }
-    card["url"] = base_url
-    card["a2aTaskEndpoint"] = f"{base_url}/a2a/rpc"
-    return card
-
-
-def _default_local_hermes_executor(task_payload: Dict[str, Any]) -> Dict[str, Any]:
-    task_text = str(task_payload.get("task", "")).strip()
-    if not task_text:
-        return {"text": ""}
-    from run_agent import AIAgent
-
-    agent = AIAgent(quiet_mode=True)
-    result = agent.chat(task_text)
-    return {
-        "text": result,
-        "metadata": {"executor": "local-hermes"},
-    }
-
-
-class A2ATaskServer:
-    """JSON-RPC A2A task server running over the routing mTLS server."""
-
-    def __init__(
-        self,
-        cert: str | Path,
-        key: str | Path,
-        ca: str | Path,
-        host: str = "127.0.0.1",
-        port: int = 9443,
-        executor: Optional[Callable[[Dict[str, Any]], Dict[str, Any]]] = None,
-        card_factory: Optional[Callable[[], Dict[str, Any]]] = None,
-    ) -> None:
-        self.host = host
-        self.port = port
-        self._server = A2AMTLSServer(cert=cert, key=key, ca=ca, host=host, port=port)
-        self._executor = executor or _default_local_hermes_executor
-        self._card_factory = card_factory or (lambda: _default_agent_card(self.host, self.port))
-        self._tasks: Dict[str, Dict[str, Any]] = {}
-        self._lock = threading.Lock()
-        self._server.add_route("/.well-known/agent-card.json", self._handle_agent_card)
-        self._server.add_route("/agent-card.json", self._handle_agent_card)
-        self._server.add_route("/a2a/rpc", self._handle_rpc)
-
-    def __enter__(self) -> "A2ATaskServer":
-        self.start()
-        return self
-
-    def __exit__(self, *_: Any) -> None:
-        self.stop()
-
-    def start(self) -> None:
-        self._server.start()
-
-    def stop(self) -> None:
-        self._server.stop()
-
-    def _handle_agent_card(self, payload: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
-        return self._card_factory()
-
-    def _handle_rpc(self, payload: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
-        req_id = payload.get("id")
-        if payload.get("jsonrpc") != "2.0":
-            return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32600, "message": "invalid jsonrpc version"}}
-
-        method = payload.get("method")
-        params = payload.get("params") or {}
-        try:
-            if method == "tasks/send":
-                result = self._rpc_send_task(params, peer_cn=peer_cn)
-            elif method == "tasks/get":
-                result = self._rpc_get_task(params)
-            else:
-                return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32601, "message": f"unknown method: {method}"}}
-        except Exception as exc:
-            logger.exception("A2A task RPC failed: %s", exc)
-            return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32000, "message": str(exc)}}
-        return {"jsonrpc": "2.0", "id": req_id, "result": result}
-
-    def _rpc_send_task(self, params: Dict[str, Any], *, peer_cn: str | None = None) -> Dict[str, Any]:
-        task_text = str(params.get("task", "")).strip()
-        if not task_text:
-            raise ValueError("task is required")
-        task_id = params.get("taskId") or uuid.uuid4().hex
-        requester = params.get("requester") or peer_cn
-        metadata = dict(params.get("metadata") or {})
-        if peer_cn:
-            metadata.setdefault("peer_cn", peer_cn)
-        record = _build_task_record(task_id, task_text, requester, metadata)
-        with self._lock:
-            self._tasks[task_id] = record
-        worker = threading.Thread(target=self._run_task, args=(task_id,), daemon=True, name=f"a2a-task-{task_id[:8]}")
-        worker.start()
-        return self._copy_task(task_id)
-
-    def _rpc_get_task(self, params: Dict[str, Any]) -> Dict[str, Any]:
-        task_id = str(params.get("taskId", "")).strip()
-        if not task_id:
-            raise ValueError("taskId is required")
-        return self._copy_task(task_id)
-
-    def _copy_task(self, task_id: str) -> Dict[str, Any]:
-        with self._lock:
-            if task_id not in self._tasks:
-                raise KeyError(f"unknown taskId: {task_id}")
-            return json.loads(json.dumps(self._tasks[task_id]))
-
-    def _run_task(self, task_id: str) -> None:
-        with self._lock:
-            task = self._tasks[task_id]
-            task["status"] = _task_status("working", "Task is running")
-            task_payload = {
-                "taskId": task["taskId"],
-                "task": task["task"],
-                "requester": task.get("requester"),
-                "metadata": dict(task.get("metadata") or {}),
-            }
-        try:
-            result = self._executor(task_payload)
-            artifact = _coerce_artifact(result)
-            with self._lock:
-                task = self._tasks[task_id]
-                task["artifacts"] = [artifact]
-                task["status"] = _task_status("completed", "Task completed")
-        except Exception as exc:
-            with self._lock:
-                task = self._tasks[task_id]
-                task["status"] = _task_status("failed", f"Task failed: {exc}")
-
-
-class A2ATaskClient(A2AMTLSClient):
-    """Client helper for A2A JSON-RPC task send/get flows."""
-
-    def discover_card(self, base_url: str) -> Dict[str, Any]:
-        return self.get(f"{base_url.rstrip('/')}/.well-known/agent-card.json")
-
-    def _rpc_call(self, base_url: str, method: str, params: Dict[str, Any]) -> Dict[str, Any]:
-        payload = {
-            "jsonrpc": "2.0",
-            "id": uuid.uuid4().hex,
-            "method": method,
-            "params": params,
-        }
-        response = self.post(f"{base_url.rstrip('/')}/a2a/rpc", json=payload)
-        if "error" in response:
-            error = response["error"]
-            raise RuntimeError(error.get("message") or str(error))
-        return response.get("result", {})
-
-    def send_task(
-        self,
-        base_url: str,
-        *,
-        task: str,
-        requester: str | None = None,
-        metadata: Optional[Dict[str, Any]] = None,
-    ) -> Dict[str, Any]:
-        return self._rpc_call(
-            base_url,
-            "tasks/send",
-            {
-                "task": task,
-                "requester": requester,
-                "metadata": metadata or {},
-            },
-        )
-
-    def get_task(self, base_url: str, task_id: str) -> Dict[str, Any]:
-        return self._rpc_call(base_url, "tasks/get", {"taskId": task_id})
-
-    def wait_for_task(
-        self,
-        base_url: str,
-        task_id: str,
-        *,
-        timeout: float = 30.0,
-        poll_interval: float = 0.5,
-    ) -> Dict[str, Any]:
-        deadline = time.monotonic() + timeout
-        while True:
-            task = self.get_task(base_url, task_id)
-            state = str(((task.get("status") or {}).get("state") or "")).lower()
-            if state in _TERMINAL_TASK_STATES:
-                return task
-            if time.monotonic() >= deadline:
-                raise TimeoutError(f"Timed out waiting for task {task_id}")
-            time.sleep(poll_interval)

agent/auxiliary_client.py

@@ -1,4 +1,4 @@
-from agent.telemetry_logger import log_token_usage\n"""Shared auxiliary client router for side tasks.
+"""Shared auxiliary client router for side tasks.
 
 Provides a single resolution chain so every consumer (context compression,
 session search, web extraction, vision analysis, browser vision) picks up
@@ -38,6 +38,7 @@ import json
 import logging
 import os
 import threading
+from agent.telemetry_logger import log_token_usage
 import time
 from pathlib import Path  # noqa: F401 — used by test mocks
 from types import SimpleNamespace
@@ -122,6 +123,16 @@ _OR_HEADERS = {
     "X-OpenRouter-Categories": "productivity,cli-agent",
 }
 
+# Vercel AI Gateway app attribution headers. HTTP-Referer maps to
+# referrerUrl and X-Title maps to appName in the gateway analytics.
+from hermes_cli import __version__ as _HERMES_VERSION
+
+_AI_GATEWAY_HEADERS = {
+    "HTTP-Referer": "https://hermes-agent.nousresearch.com",
+    "X-Title": "Hermes Agent",
+    "User-Agent": f"HermesAgent/{_HERMES_VERSION}",
+}
+
 # Nous Portal extra_body for product attribution.
 # Callers should pass this as extra_body in chat.completions.create()
 # when the auxiliary client is backed by Nous Portal.
@@ -396,7 +407,8 @@ class _CodexCompletionsAdapter:
                     prompt_tokens=getattr(resp_usage, "input_tokens", 0),
                     completion_tokens=getattr(resp_usage, "output_tokens", 0),
                     total_tokens=getattr(resp_usage, "total_tokens", 0),
-                )\n        log_token_usage(usage.prompt_tokens, usage.completion_tokens, model)
+                )
+                log_token_usage(usage.prompt_tokens, usage.completion_tokens, model)
         except Exception as exc:
             logger.debug("Codex auxiliary Responses API call failed: %s", exc)
             raise
@@ -529,7 +541,8 @@ class _AnthropicCompletionsAdapter:
                 prompt_tokens=prompt_tokens,
                 completion_tokens=completion_tokens,
                 total_tokens=total_tokens,
-            )\n    log_token_usage(usage.prompt_tokens, usage.completion_tokens, model)
+            )
+            log_token_usage(usage.prompt_tokens, usage.completion_tokens, model)
 
         choice = SimpleNamespace(
             index=0,

hermes_cli/a2a_cmd.py

@@ -1,132 +0,0 @@
-"""CLI helpers for A2A task delegation."""
-
-from __future__ import annotations
-
-import json
-import os
-import re
-import sys
-import time
-from pathlib import Path
-from typing import Any
-
-from agent.a2a_mtls import A2ATaskClient, A2ATaskServer
-from hermes_cli.config import get_hermes_home
-
-
-def _registry_path() -> Path:
-    return get_hermes_home() / "a2a_agents.json"
-
-
-def _default_identity_paths() -> tuple[str, str, str]:
-    hermes_home = get_hermes_home()
-    agent_name = os.environ.get("HERMES_AGENT_NAME", "hermes").lower()
-    cert = os.environ.get(
-        "HERMES_A2A_CERT",
-        str(hermes_home / "pki" / "agents" / agent_name / f"{agent_name}.crt"),
-    )
-    key = os.environ.get(
-        "HERMES_A2A_KEY",
-        str(hermes_home / "pki" / "agents" / agent_name / f"{agent_name}.key"),
-    )
-    ca = os.environ.get(
-        "HERMES_A2A_CA",
-        str(hermes_home / "pki" / "ca" / "fleet-ca.crt"),
-    )
-    return cert, key, ca
-
-
-def load_agent_registry(path: Path | None = None) -> dict[str, Any]:
-    registry_path = path or _registry_path()
-    if not registry_path.exists():
-        return {}
-    return json.loads(registry_path.read_text(encoding="utf-8"))
-
-
-def resolve_agent_url(agent: str, *, registry_path: Path | None = None) -> str:
-    key = re.sub(r"[^A-Za-z0-9]+", "_", agent).upper()
-    env_value = os.getenv(f"HERMES_A2A_{key}_URL")
-    if env_value:
-        return env_value
-
-    registry = load_agent_registry(registry_path)
-    entry = registry.get(agent)
-    if isinstance(entry, str) and entry:
-        return entry
-    if isinstance(entry, dict):
-        url = entry.get("url") or entry.get("base_url") or entry.get("card_url")
-        if url:
-            return str(url)
-    if agent.startswith("https://") or agent.startswith("http://"):
-        return agent
-    raise SystemExit(f"Unknown A2A agent '{agent}'. Set HERMES_A2A_{key}_URL or add it to {_registry_path()}.")
-
-
-def _print(data: dict[str, Any]) -> None:
-    print(json.dumps(data, indent=2, ensure_ascii=False))
-
-
-def cmd_send(args) -> None:
-    base_url = args.url or resolve_agent_url(args.agent)
-    cert, key, ca = args.cert, args.key, args.ca
-    if not (cert and key and ca):
-        cert, key, ca = _default_identity_paths()
-    client = A2ATaskClient(cert=cert, key=key, ca=ca)
-    card = client.discover_card(base_url)
-    task = client.send_task(
-        base_url,
-        task=args.task,
-        requester=args.requester,
-        metadata={"agent": args.agent},
-    )
-    if args.wait:
-        task = client.wait_for_task(
-            base_url,
-            task["taskId"],
-            timeout=args.timeout,
-            poll_interval=args.poll_interval,
-        )
-    _print({
-        "agent": args.agent,
-        "url": base_url,
-        "card": card,
-        "task": task,
-    })
-
-
-def cmd_status(args) -> None:
-    base_url = args.url or resolve_agent_url(args.agent)
-    cert, key, ca = args.cert, args.key, args.ca
-    if not (cert and key and ca):
-        cert, key, ca = _default_identity_paths()
-    client = A2ATaskClient(cert=cert, key=key, ca=ca)
-    task = client.get_task(base_url, args.task_id)
-    _print({"agent": args.agent, "url": base_url, "task": task})
-
-
-def cmd_serve(args) -> None:
-    cert, key, ca = args.cert, args.key, args.ca
-    if not (cert and key and ca):
-        cert, key, ca = _default_identity_paths()
-    server = A2ATaskServer(cert=cert, key=key, ca=ca, host=args.host, port=args.port)
-    server.start()
-    print(f"A2A task server listening on https://{args.host}:{args.port}")
-    try:
-        while True:
-            time.sleep(1)
-    except KeyboardInterrupt:
-        server.stop()
-
-
-def cmd_a2a(args) -> None:
-    command = getattr(args, "a2a_command", None) or "send"
-    if command == "send":
-        cmd_send(args)
-        return
-    if command == "status":
-        cmd_status(args)
-        return
-    if command == "serve":
-        cmd_serve(args)
-        return
-    raise SystemExit(f"Unknown a2a command: {command}")

hermes_cli/main.py

@@ -168,18 +168,11 @@ import time as _time
 from datetime import datetime
 
 from hermes_cli import __version__, __release_date__
-from hermes_constants import OPENROUTER_BASE_URL
+from hermes_constants import AI_GATEWAY_BASE_URL, OPENROUTER_BASE_URL
 
 logger = logging.getLogger(__name__)
 
 
-def cmd_a2a(args):
-    """Dispatch A2A CLI subcommands lazily to avoid heavy imports at startup."""
-    from hermes_cli.a2a_cmd import cmd_a2a as _cmd_a2a
-
-    return _cmd_a2a(args)
-
-
 def _relative_time(ts) -> str:
     """Format a timestamp as relative time (e.g., '2h ago', 'yesterday')."""
     if not ts:
@@ -1119,6 +1112,8 @@ def select_provider_and_model(args=None):
     # Step 2: Provider-specific setup + model selection
     if selected_provider == "openrouter":
         _model_flow_openrouter(config, current_model)
+    elif selected_provider == "ai-gateway":
+        _model_flow_ai_gateway(config, current_model)
     elif selected_provider == "nous":
         _model_flow_nous(config, current_model, args=args)
     elif selected_provider == "openai-codex":
@@ -1274,6 +1269,55 @@ def _model_flow_openrouter(config, current_model=""):
         print("No change.")
 
 
+def _model_flow_ai_gateway(config, current_model=""):
+    """Vercel AI Gateway provider: ensure API key, then pick model with pricing."""
+    from hermes_cli.auth import _prompt_model_selection, _save_model_choice, deactivate_provider
+    from hermes_cli.config import get_env_value, save_env_value
+    from hermes_cli.models import ai_gateway_model_ids, get_pricing_for_provider
+
+    api_key = get_env_value("AI_GATEWAY_API_KEY")
+    if not api_key:
+        print("No Vercel AI Gateway API key configured.")
+        print("Create API key here: https://vercel.com/d?to=%2F%5Bteam%5D%2F%7E%2Fai-gateway&title=AI+Gateway")
+        print("Add a payment method to get $5 in free credits.")
+        print()
+        try:
+            import getpass
+            key = getpass.getpass("AI Gateway API key (or Enter to cancel): ").strip()
+        except (KeyboardInterrupt, EOFError):
+            print()
+            return
+        if not key:
+            print("Cancelled.")
+            return
+        save_env_value("AI_GATEWAY_API_KEY", key)
+        print("API key saved.")
+        print()
+
+    models_list = ai_gateway_model_ids(force_refresh=True)
+    pricing = get_pricing_for_provider("ai-gateway", force_refresh=True)
+
+    selected = _prompt_model_selection(models_list, current_model=current_model, pricing=pricing)
+    if selected:
+        _save_model_choice(selected)
+
+        from hermes_cli.config import load_config, save_config
+
+        cfg = load_config()
+        model = cfg.get("model")
+        if not isinstance(model, dict):
+            model = {"default": model} if model else {}
+            cfg["model"] = model
+        model["provider"] = "ai-gateway"
+        model["base_url"] = AI_GATEWAY_BASE_URL
+        model["api_mode"] = "chat_completions"
+        save_config(cfg)
+        deactivate_provider()
+        print(f"Default model set to: {selected} (via Vercel AI Gateway)")
+    else:
+        print("No change.")
+
+
 def _model_flow_nous(config, current_model="", args=None):
     """Nous Portal provider: ensure logged in, then pick model."""
     from hermes_cli.auth import (
@@ -4788,45 +4832,6 @@ For more help on a command:
 
     gateway_parser.set_defaults(func=cmd_gateway)
     
-    # =========================================================================
-    # a2a command
-    # =========================================================================
-    a2a_parser = subparsers.add_parser(
-        "a2a",
-        help="A2A task delegation over mutual TLS",
-        description="Send, inspect, and serve structured A2A tasks between Hermes agents",
-    )
-    a2a_subparsers = a2a_parser.add_subparsers(dest="a2a_command")
-
-    a2a_send = a2a_subparsers.add_parser("send", help="Send an A2A task to another agent")
-    a2a_send.add_argument("--agent", required=True, help="Agent alias or URL (for example: allegro)")
-    a2a_send.add_argument("--task", required=True, help="Task text to delegate")
-    a2a_send.add_argument("--url", help="Explicit base URL for the remote agent")
-    a2a_send.add_argument("--requester", default=None, help="Requester label included in task metadata")
-    a2a_send.add_argument("--wait", action="store_true", help="Poll until the task reaches a terminal state")
-    a2a_send.add_argument("--timeout", type=float, default=30.0, help="Wait timeout in seconds (default: 30)")
-    a2a_send.add_argument("--poll-interval", type=float, default=0.5, help="Polling interval in seconds while waiting (default: 0.5)")
-    a2a_send.add_argument("--cert", default=None, help="Client certificate path (defaults from HERMES_A2A_CERT)")
-    a2a_send.add_argument("--key", default=None, help="Client private key path (defaults from HERMES_A2A_KEY)")
-    a2a_send.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
-
-    a2a_status = a2a_subparsers.add_parser("status", help="Fetch the current status of an A2A task")
-    a2a_status.add_argument("--agent", required=True, help="Agent alias or URL (for example: allegro)")
-    a2a_status.add_argument("--task-id", required=True, help="Task identifier returned by a2a send")
-    a2a_status.add_argument("--url", help="Explicit base URL for the remote agent")
-    a2a_status.add_argument("--cert", default=None, help="Client certificate path (defaults from HERMES_A2A_CERT)")
-    a2a_status.add_argument("--key", default=None, help="Client private key path (defaults from HERMES_A2A_KEY)")
-    a2a_status.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
-
-    a2a_serve = a2a_subparsers.add_parser("serve", help="Run the local A2A task server")
-    a2a_serve.add_argument("--host", default=os.environ.get("HERMES_A2A_HOST", "127.0.0.1"), help="Bind host (default: HERMES_A2A_HOST or 127.0.0.1)")
-    a2a_serve.add_argument("--port", type=int, default=int(os.environ.get("HERMES_A2A_PORT", "9443")), help="Bind port (default: HERMES_A2A_PORT or 9443)")
-    a2a_serve.add_argument("--cert", default=None, help="Server certificate path (defaults from HERMES_A2A_CERT)")
-    a2a_serve.add_argument("--key", default=None, help="Server private key path (defaults from HERMES_A2A_KEY)")
-    a2a_serve.add_argument("--ca", default=None, help="Fleet CA certificate path (defaults from HERMES_A2A_CA)")
-
-    a2a_parser.set_defaults(func=cmd_a2a)
-    
     # =========================================================================
     # setup command
     # =========================================================================

hermes_cli/models.py

@@ -58,6 +58,28 @@ OPENROUTER_MODELS: list[tuple[str, str]] = [
 
 _openrouter_catalog_cache: list[tuple[str, str]] | None = None
 
+# Fallback Vercel AI Gateway snapshot used when the live catalog is unavailable.
+# OSS / open-weight models prioritized first, then closed-source by family.
+VERCEL_AI_GATEWAY_MODELS: list[tuple[str, str]] = [
+    ("moonshotai/kimi-k2.6", "recommended"),
+    ("alibaba/qwen3.6-plus", ""),
+    ("zai/glm-5.1", ""),
+    ("minimax/minimax-m2.7", ""),
+    ("anthropic/claude-sonnet-4.6", ""),
+    ("anthropic/claude-opus-4.7", ""),
+    ("anthropic/claude-opus-4.6", ""),
+    ("anthropic/claude-haiku-4.5", ""),
+    ("openai/gpt-5.4", ""),
+    ("openai/gpt-5.4-mini", ""),
+    ("openai/gpt-5.3-codex", ""),
+    ("google/gemini-3.1-pro-preview", ""),
+    ("google/gemini-3-flash", ""),
+    ("google/gemini-3.1-flash-lite-preview", ""),
+    ("xai/grok-4.20-reasoning", ""),
+]
+
+_ai_gateway_catalog_cache: list[tuple[str, str]] | None = None
+
 
 def _codex_curated_models() -> list[str]:
     """Derive the openai-codex curated list from codex_models.py.
@@ -258,18 +280,21 @@ _PROVIDER_MODELS: dict[str, list[str]] = {
         "minimax-m2.5",
     ],
     "ai-gateway": [
-        "anthropic/claude-opus-4.6",
+        "moonshotai/kimi-k2.6",
+        "alibaba/qwen3.6-plus",
+        "zai/glm-5.1",
+        "minimax/minimax-m2.7",
         "anthropic/claude-sonnet-4.6",
-        "anthropic/claude-sonnet-4.5",
+        "anthropic/claude-opus-4.7",
+        "anthropic/claude-opus-4.6",
         "anthropic/claude-haiku-4.5",
-        "openai/gpt-5",
-        "openai/gpt-4.1",
-        "openai/gpt-4.1-mini",
-        "google/gemini-3-pro-preview",
+        "openai/gpt-5.4",
+        "openai/gpt-5.4-mini",
+        "openai/gpt-5.3-codex",
+        "google/gemini-3.1-pro-preview",
         "google/gemini-3-flash",
-        "google/gemini-2.5-pro",
-        "google/gemini-2.5-flash",
-        "deepseek/deepseek-v3.2",
+        "google/gemini-3.1-flash-lite-preview",
+        "xai/grok-4.20-reasoning",
     ],
     "kilocode": [
         "anthropic/claude-opus-4.6",
@@ -516,6 +541,7 @@ class ProviderEntry(NamedTuple):
 CANONICAL_PROVIDERS: list[ProviderEntry] = [
     ProviderEntry("nous",           "Nous Portal",              "Nous Portal (Nous Research subscription)"),
     ProviderEntry("openrouter",     "OpenRouter",               "OpenRouter (100+ models, pay-per-use)"),
+    ProviderEntry("ai-gateway",     "Vercel AI Gateway",        "Vercel AI Gateway (200+ models, $5 free credit, no markup)"),
     ProviderEntry("anthropic",      "Anthropic",                "Anthropic (Claude models — API key or Claude Code)"),
     ProviderEntry("openai-codex",   "OpenAI Codex",             "OpenAI Codex"),
     ProviderEntry("xiaomi",         "Xiaomi MiMo",              "Xiaomi MiMo (MiMo-V2 models — pro, omni, flash)"),
@@ -536,7 +562,6 @@ CANONICAL_PROVIDERS: list[ProviderEntry] = [
     ProviderEntry("kilocode",       "Kilo Code",                "Kilo Code (Kilo Gateway API)"),
     ProviderEntry("opencode-zen",   "OpenCode Zen",             "OpenCode Zen (35+ curated models, pay-as-you-go)"),
     ProviderEntry("opencode-go",    "OpenCode Go",              "OpenCode Go (open models, $10/month subscription)"),
-    ProviderEntry("ai-gateway",     "Vercel AI Gateway",        "Vercel AI Gateway (200+ models, pay-per-use)"),
 ]
 
 # Derived dicts — used throughout the codebase
@@ -679,6 +704,90 @@ def model_ids(*, force_refresh: bool = False) -> list[str]:
 
 
 
+def _ai_gateway_model_is_free(pricing: Any) -> bool:
+    """Return True if an AI Gateway model has $0 input AND output pricing."""
+    if not isinstance(pricing, dict):
+        return False
+    try:
+        return float(pricing.get("input", "0")) == 0 and float(pricing.get("output", "0")) == 0
+    except (TypeError, ValueError):
+        return False
+
+
+def fetch_ai_gateway_models(
+    timeout: float = 8.0,
+    *,
+    force_refresh: bool = False,
+) -> list[tuple[str, str]]:
+    """Return the curated AI Gateway picker list, refreshed from the live catalog when possible."""
+    global _ai_gateway_catalog_cache
+
+    if _ai_gateway_catalog_cache is not None and not force_refresh:
+        return list(_ai_gateway_catalog_cache)
+
+    from hermes_constants import AI_GATEWAY_BASE_URL
+
+    fallback = list(VERCEL_AI_GATEWAY_MODELS)
+    preferred_ids = [mid for mid, _ in fallback]
+
+    try:
+        req = urllib.request.Request(
+            f"{AI_GATEWAY_BASE_URL.rstrip('/')}/models",
+            headers={"Accept": "application/json"},
+        )
+        with urllib.request.urlopen(req, timeout=timeout) as resp:
+            payload = json.loads(resp.read().decode())
+    except Exception:
+        return list(_ai_gateway_catalog_cache or fallback)
+
+    live_items = payload.get("data", [])
+    if not isinstance(live_items, list):
+        return list(_ai_gateway_catalog_cache or fallback)
+
+    live_by_id: dict[str, dict[str, Any]] = {}
+    for item in live_items:
+        if not isinstance(item, dict):
+            continue
+        mid = str(item.get("id") or "").strip()
+        if not mid:
+            continue
+        live_by_id[mid] = item
+
+    curated: list[tuple[str, str]] = []
+    for preferred_id in preferred_ids:
+        live_item = live_by_id.get(preferred_id)
+        if live_item is None:
+            continue
+        desc = "free" if _ai_gateway_model_is_free(live_item.get("pricing")) else ""
+        curated.append((preferred_id, desc))
+
+    if not curated:
+        return list(_ai_gateway_catalog_cache or fallback)
+
+    free_moonshot = next(
+        (
+            mid
+            for mid, item in live_by_id.items()
+            if mid.startswith("moonshotai/") and _ai_gateway_model_is_free(item.get("pricing"))
+        ),
+        None,
+    )
+    if free_moonshot:
+        curated = [(mid, desc) for mid, desc in curated if mid != free_moonshot]
+        curated.insert(0, (free_moonshot, "recommended"))
+    else:
+        first_id, _ = curated[0]
+        curated[0] = (first_id, "recommended")
+
+    _ai_gateway_catalog_cache = curated
+    return list(curated)
+
+
+def ai_gateway_model_ids(*, force_refresh: bool = False) -> list[str]:
+    """Return just the AI Gateway model-id strings."""
+    return [mid for mid, _ in fetch_ai_gateway_models(force_refresh=force_refresh)]
+
+
 # ---------------------------------------------------------------------------
 # Pricing helpers — fetch live pricing from OpenRouter-compatible /v1/models
 # ---------------------------------------------------------------------------
@@ -821,6 +930,51 @@ def fetch_models_with_pricing(
     return result
 
 
+def fetch_ai_gateway_pricing(
+    timeout: float = 8.0,
+    *,
+    force_refresh: bool = False,
+) -> dict[str, dict[str, str]]:
+    """Fetch Vercel AI Gateway /v1/models and return Hermes-shaped pricing."""
+    from hermes_constants import AI_GATEWAY_BASE_URL
+
+    cache_key = AI_GATEWAY_BASE_URL.rstrip("/")
+    if not force_refresh and cache_key in _pricing_cache:
+        return _pricing_cache[cache_key]
+
+    try:
+        req = urllib.request.Request(
+            f"{cache_key}/models",
+            headers={"Accept": "application/json"},
+        )
+        with urllib.request.urlopen(req, timeout=timeout) as resp:
+            payload = json.loads(resp.read().decode())
+    except Exception:
+        _pricing_cache[cache_key] = {}
+        return {}
+
+    result: dict[str, dict[str, str]] = {}
+    for item in payload.get("data", []):
+        if not isinstance(item, dict):
+            continue
+        mid = item.get("id")
+        pricing = item.get("pricing")
+        if not (mid and isinstance(pricing, dict)):
+            continue
+        entry: dict[str, str] = {
+            "prompt": str(pricing.get("input", "")),
+            "completion": str(pricing.get("output", "")),
+        }
+        if pricing.get("input_cache_read"):
+            entry["input_cache_read"] = str(pricing["input_cache_read"])
+        if pricing.get("input_cache_write"):
+            entry["input_cache_write"] = str(pricing["input_cache_write"])
+        result[mid] = entry
+
+    _pricing_cache[cache_key] = result
+    return result
+
+
 def _resolve_openrouter_api_key() -> str:
     """Best-effort OpenRouter API key for pricing fetch."""
     return os.getenv("OPENROUTER_API_KEY", "").strip()
@@ -839,7 +993,7 @@ def _resolve_nous_pricing_credentials() -> tuple[str, str]:
 
 
 def get_pricing_for_provider(provider: str, *, force_refresh: bool = False) -> dict[str, dict[str, str]]:
-    """Return live pricing for providers that support it (openrouter, nous)."""
+    """Return live pricing for providers that support it (openrouter, ai-gateway, nous)."""
     normalized = normalize_provider(provider)
     if normalized == "openrouter":
         return fetch_models_with_pricing(
@@ -847,11 +1001,11 @@ def get_pricing_for_provider(provider: str, *, force_refresh: bool = False) -> d
             base_url="https://openrouter.ai/api",
             force_refresh=force_refresh,
         )
+    if normalized == "ai-gateway":
+        return fetch_ai_gateway_pricing(force_refresh=force_refresh)
     if normalized == "nous":
         api_key, base_url = _resolve_nous_pricing_credentials()
         if base_url:
-            # Nous base_url typically looks like https://inference-api.nousresearch.com/v1
-            # We need the part before /v1 for our fetch function
             stripped = base_url.rstrip("/")
             if stripped.endswith("/v1"):
                 stripped = stripped[:-3]
@@ -1253,9 +1407,7 @@ def provider_model_ids(provider: Optional[str], *, force_refresh: bool = False)
         if live:
             return live
     if normalized == "ai-gateway":
-        live = _fetch_ai_gateway_models()
-        if live:
-            return live
+        return ai_gateway_model_ids()
     if normalized == "custom":
         base_url = _get_custom_base_url()
         if base_url:

run_agent.py

@@ -908,6 +908,10 @@ class AIAgent:
                         "X-OpenRouter-Title": "Hermes Agent",
                         "X-OpenRouter-Categories": "productivity,cli-agent",
                     }
+                elif "ai-gateway.vercel.sh" in effective_base.lower():
+                    from agent.auxiliary_client import _AI_GATEWAY_HEADERS
+
+                    client_kwargs["default_headers"] = dict(_AI_GATEWAY_HEADERS)
                 elif "api.githubcopilot.com" in effective_base.lower():
                     from hermes_cli.models import copilot_default_headers
 
@@ -4667,11 +4671,13 @@ class AIAgent:
         return True
 
     def _apply_client_headers_for_base_url(self, base_url: str) -> None:
-        from agent.auxiliary_client import _OR_HEADERS
+        from agent.auxiliary_client import _AI_GATEWAY_HEADERS, _OR_HEADERS
 
         normalized = (base_url or "").lower()
         if "openrouter" in normalized:
             self._client_kwargs["default_headers"] = dict(_OR_HEADERS)
+        elif "ai-gateway.vercel.sh" in normalized:
+            self._client_kwargs["default_headers"] = dict(_AI_GATEWAY_HEADERS)
         elif "api.githubcopilot.com" in normalized:
             from hermes_cli.models import copilot_default_headers
 

tests/agent/test_a2a_mtls.py

@@ -572,94 +572,3 @@ class TestA2AMTLSServerAndClient:
 
         assert not errors, f"Concurrent connection errors: {errors}"
         assert len(results) == 3
-
-
-@_requires_crypto
-class TestA2ATaskServerAndClient:
-    """Structured A2A task send/get flow over mTLS."""
-
-    @pytest.fixture(autouse=True)
-    def _pki(self, tmp_path):
-        ca_dir = tmp_path / "ca"
-        ca_dir.mkdir()
-        self.ca_crt, self.ca_key = _make_ca_keypair(ca_dir)
-        agent_dir = tmp_path / "agents"
-        agent_dir.mkdir()
-        self.srv_crt, self.srv_key = _make_agent_keypair(
-            agent_dir, "timmy", self.ca_crt, self.ca_key
-        )
-        self.cli_crt, self.cli_key = _make_agent_keypair(
-            agent_dir, "allegro", self.ca_crt, self.ca_key
-        )
-
-    @pytest.fixture()
-    def task_server(self):
-        from agent.a2a_mtls import A2ATaskServer
-
-        gate = threading.Event()
-
-        def analyze_executor(task: dict[str, object]) -> dict[str, object]:
-            gate.wait(timeout=2)
-            text = str(task.get("task", ""))
-            return {
-                "text": f"analysis:{text}",
-                "metadata": {"tool": "local-hermes-stub"},
-            }
-
-        port = _find_free_port()
-        server = A2ATaskServer(
-            cert=self.srv_crt,
-            key=self.srv_key,
-            ca=self.ca_crt,
-            host="127.0.0.1",
-            port=port,
-            executor=analyze_executor,
-        )
-        with server:
-            time.sleep(0.1)
-            yield server, port, gate
-
-    def test_task_send_get_and_completion_flow(self, task_server):
-        from agent.a2a_mtls import A2ATaskClient
-
-        server, port, gate = task_server
-        client = A2ATaskClient(cert=self.cli_crt, key=self.cli_key, ca=self.ca_crt)
-        base_url = f"https://127.0.0.1:{port}"
-
-        card = client.discover_card(base_url)
-        assert card["name"]
-
-        submitted = client.send_task(base_url, task="Analyze README.md", requester="timmy")
-        assert submitted["status"]["state"] in {"submitted", "working"}
-
-        in_flight = client.get_task(base_url, submitted["taskId"])
-        assert in_flight["status"]["state"] in {"submitted", "working"}
-
-        gate.set()
-        completed = client.wait_for_task(base_url, submitted["taskId"], timeout=5.0, poll_interval=0.05)
-        assert completed["status"]["state"] == "completed"
-        assert completed["artifacts"][0]["text"] == "analysis:Analyze README.md"
-
-    def test_failed_executor_marks_task_failed(self):
-        from agent.a2a_mtls import A2ATaskClient, A2ATaskServer
-
-        def failing_executor(task: dict[str, object]) -> dict[str, object]:
-            raise RuntimeError("boom")
-
-        port = _find_free_port()
-        server = A2ATaskServer(
-            cert=self.srv_crt,
-            key=self.srv_key,
-            ca=self.ca_crt,
-            host="127.0.0.1",
-            port=port,
-            executor=failing_executor,
-        )
-        with server:
-            time.sleep(0.1)
-            client = A2ATaskClient(cert=self.cli_crt, key=self.cli_key, ca=self.ca_crt)
-            base_url = f"https://127.0.0.1:{port}"
-            submitted = client.send_task(base_url, task="explode", requester="timmy")
-            failed = client.wait_for_task(base_url, submitted["taskId"], timeout=5.0, poll_interval=0.05)
-            assert failed["status"]["state"] == "failed"
-            assert "boom" in failed["status"]["message"]

tests/hermes_cli/test_a2a_cmd.py

@@ -1,95 +0,0 @@
-from __future__ import annotations
-
-import argparse
-import json
-from pathlib import Path
-from unittest.mock import patch
-
-import pytest
-
-
-def test_cmd_send_uses_registry_and_waits_for_terminal_task(tmp_path, monkeypatch, capsys):
-    hermes_home = tmp_path / ".hermes"
-    hermes_home.mkdir()
-    (hermes_home / "a2a_agents.json").write_text(
-        json.dumps({"allegro": {"url": "https://127.0.0.1:9443"}}),
-        encoding="utf-8",
-    )
-    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
-
-    from hermes_cli.a2a_cmd import cmd_a2a
-
-    class FakeClient:
-        def __init__(self, **kwargs):
-            self.kwargs = kwargs
-
-        def discover_card(self, base_url: str):
-            assert base_url == "https://127.0.0.1:9443"
-            return {"name": "allegro", "url": base_url}
-
-        def send_task(self, base_url: str, *, task: str, requester: str | None = None, metadata=None):
-            assert task == "analyze README"
-            return {"taskId": "task-123", "status": {"state": "submitted"}}
-
-        def wait_for_task(self, base_url: str, task_id: str, *, timeout: float, poll_interval: float):
-            assert task_id == "task-123"
-            return {
-                "taskId": task_id,
-                "status": {"state": "completed"},
-                "artifacts": [{"text": "README looks healthy"}],
-            }
-
-    args = argparse.Namespace(
-        a2a_command="send",
-        agent="allegro",
-        task="analyze README",
-        url=None,
-        wait=True,
-        timeout=5.0,
-        poll_interval=0.01,
-        requester="timmy",
-        cert="cert.pem",
-        key="key.pem",
-        ca="ca.pem",
-    )
-
-    with patch("hermes_cli.a2a_cmd.A2ATaskClient", FakeClient):
-        cmd_a2a(args)
-
-    result = json.loads(capsys.readouterr().out)
-    assert result["agent"] == "allegro"
-    assert result["card"]["name"] == "allegro"
-    assert result["task"]["status"]["state"] == "completed"
-    assert result["task"]["artifacts"][0]["text"] == "README looks healthy"
-
-
-def test_resolve_agent_url_supports_env_override(monkeypatch):
-    monkeypatch.setenv("HERMES_A2A_ALLEGRO_URL", "https://fleet-allegro:9443")
-    from hermes_cli.a2a_cmd import resolve_agent_url
-
-    assert resolve_agent_url("allegro") == "https://fleet-allegro:9443"
-
-
-def test_cmd_send_requires_known_agent(tmp_path, monkeypatch):
-    hermes_home = tmp_path / ".hermes"
-    hermes_home.mkdir()
-    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
-
-    from hermes_cli.a2a_cmd import cmd_a2a
-
-    args = argparse.Namespace(
-        a2a_command="send",
-        agent="unknown",
-        task="do work",
-        url=None,
-        wait=False,
-        timeout=5.0,
-        poll_interval=0.05,
-        requester=None,
-        cert="cert.pem",
-        key="key.pem",
-        ca="ca.pem",
-    )
-
-    with pytest.raises(SystemExit):
-        cmd_a2a(args)

tests/hermes_cli/test_ai_gateway_models.py

@@ -0,0 +1,222 @@
+"""AI Gateway provider UX, live pricing, and model promotion tests."""
+
+from __future__ import annotations
+
+import json
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+from hermes_cli import models as models_module
+from hermes_cli.models import (
+    CANONICAL_PROVIDERS,
+    VERCEL_AI_GATEWAY_MODELS,
+    _ai_gateway_model_is_free,
+    ai_gateway_model_ids,
+    fetch_ai_gateway_models,
+    fetch_ai_gateway_pricing,
+    get_pricing_for_provider,
+)
+
+
+def _mock_urlopen(payload):
+    resp = MagicMock()
+    resp.read.return_value = json.dumps(payload).encode()
+    ctx = MagicMock()
+    ctx.__enter__.return_value = resp
+    ctx.__exit__.return_value = False
+    return ctx
+
+
+def _reset_caches():
+    models_module._ai_gateway_catalog_cache = None
+    models_module._pricing_cache.clear()
+
+
+@pytest.fixture
+def config_home(tmp_path, monkeypatch):
+    home = tmp_path / "hermes"
+    home.mkdir()
+    (home / "config.yaml").write_text("model: some-old-model\n")
+    (home / ".env").write_text("")
+    monkeypatch.setenv("HERMES_HOME", str(home))
+    monkeypatch.delenv("AI_GATEWAY_API_KEY", raising=False)
+    monkeypatch.delenv("AI_GATEWAY_BASE_URL", raising=False)
+    return home
+
+
+def test_ai_gateway_provider_is_promoted_near_top_of_picker():
+    slugs = [entry.slug for entry in CANONICAL_PROVIDERS]
+    assert "ai-gateway" in slugs[:3]
+
+
+def test_ai_gateway_pricing_translates_input_output_to_prompt_completion():
+    _reset_caches()
+    payload = {
+        "data": [
+            {
+                "id": "moonshotai/kimi-k2.5",
+                "type": "language",
+                "pricing": {
+                    "input": "0.0000006",
+                    "output": "0.0000025",
+                    "input_cache_read": "0.00000015",
+                    "input_cache_write": "0.0000006",
+                },
+            }
+        ]
+    }
+    with patch("urllib.request.urlopen", return_value=_mock_urlopen(payload)):
+        result = fetch_ai_gateway_pricing(force_refresh=True)
+
+    entry = result["moonshotai/kimi-k2.5"]
+    assert entry["prompt"] == "0.0000006"
+    assert entry["completion"] == "0.0000025"
+    assert entry["input_cache_read"] == "0.00000015"
+    assert entry["input_cache_write"] == "0.0000006"
+
+
+def test_get_pricing_for_provider_supports_ai_gateway():
+    _reset_caches()
+    payload = {
+        "data": [
+            {
+                "id": "moonshotai/kimi-k2.5",
+                "type": "language",
+                "pricing": {"input": "0.0001", "output": "0.0002"},
+            }
+        ]
+    }
+    with patch("urllib.request.urlopen", return_value=_mock_urlopen(payload)):
+        result = get_pricing_for_provider("ai-gateway", force_refresh=True)
+    assert result["moonshotai/kimi-k2.5"] == {"prompt": "0.0001", "completion": "0.0002"}
+
+
+def test_ai_gateway_pricing_returns_empty_on_fetch_failure():
+    _reset_caches()
+    with patch("urllib.request.urlopen", side_effect=OSError("network down")):
+        result = fetch_ai_gateway_pricing(force_refresh=True)
+    assert result == {}
+
+
+def test_ai_gateway_pricing_skips_entries_without_pricing_dict():
+    _reset_caches()
+    payload = {
+        "data": [
+            {"id": "x/y", "pricing": None},
+            {"id": "a/b", "pricing": {"input": "0", "output": "0"}},
+        ]
+    }
+    with patch("urllib.request.urlopen", return_value=_mock_urlopen(payload)):
+        result = fetch_ai_gateway_pricing(force_refresh=True)
+    assert "x/y" not in result
+    assert result["a/b"] == {"prompt": "0", "completion": "0"}
+
+
+def test_ai_gateway_free_detector():
+    assert _ai_gateway_model_is_free({"input": "0", "output": "0"}) is True
+    assert _ai_gateway_model_is_free({"input": "0", "output": "0.01"}) is False
+    assert _ai_gateway_model_is_free({"input": "0.01", "output": "0"}) is False
+    assert _ai_gateway_model_is_free(None) is False
+    assert _ai_gateway_model_is_free({"input": "not a number"}) is False
+
+
+def test_fetch_ai_gateway_models_filters_against_live_catalog():
+    _reset_caches()
+    preferred = [mid for mid, _ in VERCEL_AI_GATEWAY_MODELS]
+    live_ids = preferred[:3]
+    payload = {
+        "data": [
+            {"id": mid, "pricing": {"input": "0.001", "output": "0.002"}}
+            for mid in live_ids
+        ]
+    }
+    with patch("urllib.request.urlopen", return_value=_mock_urlopen(payload)):
+        result = fetch_ai_gateway_models(force_refresh=True)
+
+    assert [mid for mid, _ in result] == live_ids
+    assert result[0][1] == "recommended"
+    assert ai_gateway_model_ids(force_refresh=False) == live_ids
+
+
+def test_fetch_ai_gateway_models_tags_free_models():
+    _reset_caches()
+    first_id = VERCEL_AI_GATEWAY_MODELS[0][0]
+    second_id = VERCEL_AI_GATEWAY_MODELS[1][0]
+    payload = {
+        "data": [
+            {"id": first_id, "pricing": {"input": "0.001", "output": "0.002"}},
+            {"id": second_id, "pricing": {"input": "0", "output": "0"}},
+        ]
+    }
+    with patch("urllib.request.urlopen", return_value=_mock_urlopen(payload)):
+        result = fetch_ai_gateway_models(force_refresh=True)
+
+    by_id = dict(result)
+    assert by_id[first_id] == "recommended"
+    assert by_id[second_id] == "free"
+
+
+def test_free_moonshot_model_auto_promoted_to_top_even_if_not_curated():
+    _reset_caches()
+    first_curated = VERCEL_AI_GATEWAY_MODELS[0][0]
+    unlisted_free_moonshot = "moonshotai/kimi-coder-free-preview"
+    payload = {
+        "data": [
+            {"id": first_curated, "pricing": {"input": "0.001", "output": "0.002"}},
+            {"id": unlisted_free_moonshot, "pricing": {"input": "0", "output": "0"}},
+        ]
+    }
+    with patch("urllib.request.urlopen", return_value=_mock_urlopen(payload)):
+        result = fetch_ai_gateway_models(force_refresh=True)
+
+    assert result[0] == (unlisted_free_moonshot, "recommended")
+    assert any(mid == first_curated for mid, _ in result)
+
+
+def test_paid_moonshot_does_not_get_auto_promoted():
+    _reset_caches()
+    first_curated = VERCEL_AI_GATEWAY_MODELS[0][0]
+    payload = {
+        "data": [
+            {"id": first_curated, "pricing": {"input": "0.001", "output": "0.002"}},
+            {"id": "moonshotai/some-paid-variant", "pricing": {"input": "0.001", "output": "0.002"}},
+        ]
+    }
+    with patch("urllib.request.urlopen", return_value=_mock_urlopen(payload)):
+        result = fetch_ai_gateway_models(force_refresh=True)
+
+    assert result[0][0] == first_curated
+
+
+def test_fetch_ai_gateway_models_falls_back_on_error():
+    _reset_caches()
+    with patch("urllib.request.urlopen", side_effect=OSError("network")):
+        result = fetch_ai_gateway_models(force_refresh=True)
+    assert result == list(VERCEL_AI_GATEWAY_MODELS)
+
+
+def test_ai_gateway_setup_flow_shows_deeplink_and_passes_pricing(config_home, monkeypatch, capsys):
+    from hermes_cli.main import _model_flow_ai_gateway
+    from hermes_cli.config import load_config
+
+    pricing = {"moonshotai/kimi-k2.6": {"prompt": "0", "completion": "0"}}
+    monkeypatch.setenv("HERMES_HOME", str(config_home))
+
+    with patch("getpass.getpass", return_value="vercel-key"), \
+         patch("hermes_cli.models.ai_gateway_model_ids", return_value=["moonshotai/kimi-k2.6"]), \
+         patch("hermes_cli.models.get_pricing_for_provider", return_value=pricing), \
+         patch("hermes_cli.auth._prompt_model_selection", return_value="moonshotai/kimi-k2.6") as prompt_selection, \
+         patch("hermes_cli.auth.deactivate_provider"):
+        _model_flow_ai_gateway(load_config(), "")
+
+    out = capsys.readouterr().out
+    assert "vercel.com/d?to=%2F%5Bteam%5D%2F%7E%2Fai-gateway&title=AI+Gateway" in out
+    assert "free credits" in out.lower()
+    assert prompt_selection.call_args.kwargs["pricing"] == pricing
+
+    import yaml
+    config = yaml.safe_load((config_home / "config.yaml").read_text()) or {}
+    model = config["model"]
+    assert model["provider"] == "ai-gateway"
+    assert model["api_mode"] == "chat_completions"

tests/run_agent/test_provider_attribution_headers.py

@@ -0,0 +1,62 @@
+"""Attribution default_headers applied per provider via base-URL detection."""
+
+from unittest.mock import MagicMock, patch
+
+from run_agent import AIAgent
+
+
+@patch("run_agent.OpenAI")
+def test_openrouter_base_url_applies_or_headers(mock_openai):
+    mock_openai.return_value = MagicMock()
+    agent = AIAgent(
+        api_key="test-key",
+        base_url="https://openrouter.ai/api/v1",
+        model="test/model",
+        quiet_mode=True,
+        skip_context_files=True,
+        skip_memory=True,
+    )
+
+    agent._apply_client_headers_for_base_url("https://openrouter.ai/api/v1")
+
+    headers = agent._client_kwargs["default_headers"]
+    assert headers["HTTP-Referer"] == "https://hermes-agent.nousresearch.com"
+    assert headers["X-OpenRouter-Title"] == "Hermes Agent"
+
+
+@patch("run_agent.OpenAI")
+def test_ai_gateway_base_url_applies_attribution_headers(mock_openai):
+    mock_openai.return_value = MagicMock()
+    agent = AIAgent(
+        api_key="test-key",
+        base_url="https://openrouter.ai/api/v1",
+        model="test/model",
+        quiet_mode=True,
+        skip_context_files=True,
+        skip_memory=True,
+    )
+
+    agent._apply_client_headers_for_base_url("https://ai-gateway.vercel.sh/v1")
+
+    headers = agent._client_kwargs["default_headers"]
+    assert headers["HTTP-Referer"] == "https://hermes-agent.nousresearch.com"
+    assert headers["X-Title"] == "Hermes Agent"
+    assert headers["User-Agent"].startswith("HermesAgent/")
+
+
+@patch("run_agent.OpenAI")
+def test_unknown_base_url_clears_default_headers(mock_openai):
+    mock_openai.return_value = MagicMock()
+    agent = AIAgent(
+        api_key="test-key",
+        base_url="https://openrouter.ai/api/v1",
+        model="test/model",
+        quiet_mode=True,
+        skip_context_files=True,
+        skip_memory=True,
+    )
+    agent._client_kwargs["default_headers"] = {"X-Stale": "yes"}
+
+    agent._apply_client_headers_for_base_url("https://api.example.com/v1")
+
+    assert "default_headers" not in agent._client_kwargs