fix: resolve secrets from local sources when hub lookup fails

[Aadityagawai]

Fixes #8890

Problem

The error "We couldn't find a secret with the name 'ANTHROPIC_API_KEY'" appeared even when the secret was available in process.env or .env files. The client failed as soon as the Hub lookup returned "not found", without checking any local sources.

Solution

• Updated CLIPlatformClient.resolveFQSNs() to fallback to local sources (process.env and .env files) when Hub lookup fails.
• Corrected secret type for process.env-based secrets to use ProcessEnv instead of LocalEnv.
• Improved error handling so local resolution is still attempted even if the Hub request fails.

Testing

• Verified secrets are correctly resolved from local environment variables and .env files when they don't exist in the Hub.
• Confirmed the previous error no longer occurs.
• Ensured behavior matches expected fallback logic.

Notes

This improves developer workflows and prevents false "secret not found" errors when running Continue locally.

---

Summary by cubic

Resolve secrets from local sources when Hub lookup fails. Prevents false “secret not found” errors (e.g., ANTHROPIC_API_KEY) when the secret exists in process.env or .env.

• Bug Fixes
  • resolveFQSNs() now falls back to process.env and .env if Hub returns not found or the API call fails.
  • Corrected secret type for process.env secrets to SecretType.ProcessEnv.
  • Added bounds checks for API results and improved error handling so local resolution still runs.

^{Written for commit 12e4884. Summary will update automatically on new commits.}

[continue-development-app]

Keep this PR in a mergeable state →

Learn more

---

All Green is an AI agent that automatically:

✅ Addresses code review comments

✅ Fixes failing CI checks

✅ Resolves merge conflicts

[github-actions]

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

---

I have read the CLA Document and I hereby sign the CLA

---

0 out of 2 committers have signed the CLA.
❌ @Aadityagawai
❌ @continue Agent
Continue Agent seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.}

[cubic-dev-ai]

No issues found across 1 file

[Aadityagawai]

Let me know if you'd like any changes or additional tests.
Happy to update the PR!

[continue]

Reviewed the changes - this is an internal bug fix that improves secret resolution fallback behavior. No documentation updates needed as this restores expected functionality rather than introducing new features. The existing docs already cover environment variable usage in the onboarding flow.

[continue]

Added comprehensive test coverage for the secret resolution changes in CLIPlatformClient.test.ts:

Test Coverage:

• ✅ Fallback to process.env when Hub API returns found: false
• ✅ Fallback to local sources when Hub API call fails completely
• ✅ Proper prioritization of Hub secrets over local when found: true
• ✅ Handling of API returning fewer results than requested FQSNs
• ✅ Handling of empty API results array
• ✅ Correct use of SecretType.ProcessEnv for process.env secrets (not LocalEnv)
• ✅ Mixed scenarios with some secrets from Hub and others from local sources
• ✅ Edge cases: empty strings, null results, undefined secrets

The tests verify the core fix: secrets now properly fallback to local sources when Hub lookup fails, preventing false "secret not found" errors.

[RomneyDa]

@Aadityagawai we already support falling back to env secret loading for the CLI, could you clarify what this PR changes?

See existing findSecretInProcessEnv

[RomneyDa]

Closing this for now since stale, @Aadityagawai feel free to reopen!