Switch to JWT token for inference against Nous, falling back to old opaque token on failure.

tests/agent/test_auxiliary_client.py

@@ -673,6 +673,8 @@ class TestGetTextAuxiliaryClient:
     def test_custom_endpoint_uses_codex_wrapper_when_runtime_requests_responses_api(self):
         with patch("agent.auxiliary_client._resolve_custom_runtime",
                    return_value=("https://api.openai.com/v1", "sk-test", "codex_responses")), \
+             patch("agent.auxiliary_client._read_nous_auth", return_value=None), \
+             patch("agent.auxiliary_client._resolve_nous_runtime_api", return_value=None), \
              patch("agent.auxiliary_client._read_main_model", return_value="gpt-5.3-codex"), \
              patch("agent.auxiliary_client.OpenAI") as mock_openai:
             client, model = get_text_auxiliary_client()

tests/agent/test_credential_pool.py

@@ -2,8 +2,10 @@
 
 from __future__ import annotations
 
+import base64
 import json
 import time
+from datetime import datetime, timezone
 
 import pytest
 
@@ -14,6 +16,14 @@ def _write_auth_store(tmp_path, payload: dict) -> None:
     (hermes_home / "auth.json").write_text(json.dumps(payload, indent=2))
 
 
+def _jwt_with_claims(claims: dict) -> str:
+    def _part(payload: dict) -> str:
+        raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
+        return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
+
+    return f"{_part({'alg': 'none', 'typ': 'JWT'})}.{_part(claims)}.sig"
+
+
 def test_fill_first_selection_skips_recently_exhausted_entry(tmp_path, monkeypatch):
     monkeypatch.setenv("HERMES_HOME", str(tmp_path / "hermes"))
     _write_auth_store(
@@ -510,6 +520,52 @@ def test_load_pool_migrates_nous_provider_state(tmp_path, monkeypatch):
     assert entry.agent_key == "agent-key"
 
 
+def test_load_pool_mirrors_nous_invoke_jwt_agent_key_runtime_api_key(tmp_path, monkeypatch):
+    monkeypatch.setenv("HERMES_HOME", str(tmp_path / "hermes"))
+    expires_at = datetime.fromtimestamp(time.time() + 3600, tz=timezone.utc).isoformat()
+    token = _jwt_with_claims({
+        "sub": "test-user",
+        "scope": ["inference:invoke", "inference:mint_agent_key"],
+        "exp": int(time.time() + 3600),
+    })
+    _write_auth_store(
+        tmp_path,
+        {
+            "version": 1,
+            "active_provider": "nous",
+            "providers": {
+                "nous": {
+                    "portal_base_url": "https://portal.example.com",
+                    "inference_base_url": "https://inference.example.com/v1",
+                    "client_id": "hermes-cli",
+                    "token_type": "Bearer",
+                    "scope": "inference:invoke inference:mint_agent_key",
+                    "access_token": token,
+                    "refresh_token": "refresh-token",
+                    "expires_at": expires_at,
+                    "agent_key": token,
+                    "agent_key_expires_at": expires_at,
+                }
+            },
+        },
+    )
+
+    from agent.credential_pool import load_pool
+
+    pool = load_pool("nous")
+    entry = pool.select()
+
+    assert entry is not None
+    assert entry.source == "device_code"
+    assert entry.agent_key == token
+    assert entry.runtime_api_key == token
+
+    auth_payload = json.loads((tmp_path / "hermes" / "auth.json").read_text())
+    pool_entry = auth_payload["credential_pool"]["nous"][0]
+    assert pool_entry["agent_key"] == token
+    assert pool_entry["agent_key_expires_at"] == expires_at
+
+
 def test_nous_pool_terminal_refresh_clears_tokens(tmp_path, monkeypatch):
     monkeypatch.setenv("HERMES_HOME", str(tmp_path / "hermes"))
     monkeypatch.setenv("HERMES_SHARED_AUTH_DIR", str(tmp_path / "shared"))

tests/conftest.py

@@ -187,6 +187,7 @@ _HERMES_BEHAVIORAL_VARS = frozenset({
     "HERMES_BACKGROUND_NOTIFICATIONS",
     "HERMES_EXEC_ASK",
     "HERMES_HOME_MODE",
+    "HERMES_AGENT_USE_LEGACY_SESSION_KEYS",
     # Kanban path/board pins must never leak from a developer shell or
     # dispatched worker into tests; otherwise tests can write fake tasks to
     # the real ~/.hermes/kanban.db instead of the per-test HERMES_HOME.

tests/hermes_cli/test_auth_commands.py

@@ -107,7 +107,7 @@ def test_auth_add_nous_oauth_persists_pool_entry(tmp_path, monkeypatch):
             "portal_base_url": "https://portal.example.com",
             "inference_base_url": "https://inference.example.com/v1",
             "client_id": "hermes-cli",
-            "scope": "inference:mint_agent_key",
+            "scope": "inference:invoke inference:mint_agent_key",
             "token_type": "Bearer",
             "access_token": token,
             "refresh_token": "refresh-token",
@@ -228,7 +228,7 @@ def test_auth_add_nous_oauth_honors_custom_label(tmp_path, monkeypatch):
             "portal_base_url": "https://portal.example.com",
             "inference_base_url": "https://inference.example.com/v1",
             "client_id": "hermes-cli",
-            "scope": "inference:mint_agent_key",
+            "scope": "inference:invoke inference:mint_agent_key",
             "token_type": "Bearer",
             "access_token": token,
             "refresh_token": "refresh-token",

tests/hermes_cli/test_auth_nous_provider.py

@@ -1,6 +1,9 @@
 """Regression tests for Nous OAuth refresh + agent-key mint interactions."""
 
+import base64
 import json
+import logging
+import time
 from datetime import datetime, timezone
 from pathlib import Path
 
@@ -125,6 +128,11 @@ def _setup_nous_auth(
     *,
     access_token: str = "access-old",
     refresh_token: str = "refresh-old",
+    scope: str = "inference:mint_agent_key",
+    expires_at: str = "2026-02-01T00:00:00+00:00",
+    expires_in: int = 0,
+    agent_key: str | None = None,
+    agent_key_expires_at: str | None = None,
 ) -> None:
     hermes_home.mkdir(parents=True, exist_ok=True)
     auth_store = {
@@ -136,15 +144,15 @@ def _setup_nous_auth(
                 "inference_base_url": "https://inference.example.com/v1",
                 "client_id": "hermes-cli",
                 "token_type": "Bearer",
-                "scope": "inference:mint_agent_key",
+                "scope": scope,
                 "access_token": access_token,
                 "refresh_token": refresh_token,
                 "obtained_at": "2026-02-01T00:00:00+00:00",
-                "expires_in": 0,
-                "expires_at": "2026-02-01T00:00:00+00:00",
-                "agent_key": None,
+                "expires_in": expires_in,
+                "expires_at": expires_at,
+                "agent_key": agent_key,
                 "agent_key_id": None,
-                "agent_key_expires_at": None,
+                "agent_key_expires_at": agent_key_expires_at,
                 "agent_key_expires_in": None,
                 "agent_key_reused": None,
                 "agent_key_obtained_at": None,
@@ -164,6 +172,351 @@ def _mint_payload(api_key: str = "agent-key") -> dict:
     }
 
 
+def _jwt_with_claims(claims: dict) -> str:
+    def _part(payload: dict) -> str:
+        raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
+        return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
+
+    return f"{_part({'alg': 'none', 'typ': 'JWT'})}.{_part(claims)}.sig"
+
+
+def _future_iso(seconds: int = 3600) -> str:
+    return datetime.fromtimestamp(time.time() + seconds, tz=timezone.utc).isoformat()
+
+
+def _invoke_jwt(*, seconds: int = 3600, scope: object = "inference:invoke inference:mint_agent_key") -> str:
+    return _jwt_with_claims({
+        "sub": "test-user",
+        "scope": scope,
+        "exp": int(time.time() + seconds),
+    })
+
+
+def test_resolve_nous_runtime_credentials_prefers_invoke_jwt_and_mirrors(
+    tmp_path,
+    monkeypatch,
+):
+    import hermes_cli.auth as auth_mod
+
+    hermes_home = tmp_path / "hermes"
+    token = _invoke_jwt(seconds=3600)
+    _setup_nous_auth(
+        hermes_home,
+        access_token=token,
+        scope=auth_mod.DEFAULT_NOUS_SCOPE,
+        expires_at=_future_iso(3600),
+        expires_in=3600,
+    )
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    def _unexpected_mint(*args, **kwargs):
+        raise AssertionError("legacy agent-key mint should not run for invoke JWT")
+
+    monkeypatch.setattr(auth_mod, "_mint_agent_key", _unexpected_mint)
+
+    creds = auth_mod.resolve_nous_runtime_credentials(min_key_ttl_seconds=300)
+
+    assert creds["api_key"] == token
+    assert creds["source"] == "invoke_jwt"
+    assert creds["auth_path"] == "invoke_jwt"
+
+    payload = json.loads((hermes_home / "auth.json").read_text())
+    singleton = payload["providers"]["nous"]
+    assert singleton["agent_key"] == token
+    assert datetime.fromisoformat(singleton["agent_key_expires_at"]).timestamp() > time.time() + 300
+
+    pool_entries = payload["credential_pool"]["nous"]
+    assert len(pool_entries) == 1
+    assert pool_entries[0]["agent_key"] == token
+    assert pool_entries[0]["source"] == auth_mod.NOUS_DEVICE_CODE_SOURCE
+
+
+def test_resolve_nous_runtime_credentials_trusts_invoke_jwt_exp_over_stale_metadata(
+    tmp_path,
+    monkeypatch,
+):
+    import hermes_cli.auth as auth_mod
+
+    hermes_home = tmp_path / "hermes"
+    token = _invoke_jwt(seconds=3600)
+    _setup_nous_auth(
+        hermes_home,
+        access_token=token,
+        scope=auth_mod.DEFAULT_NOUS_SCOPE,
+        expires_at="2000-01-01T00:00:00+00:00",
+        expires_in=0,
+        agent_key=token,
+        agent_key_expires_at="2000-01-01T00:00:00+00:00",
+    )
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    def _unexpected_refresh(*args, **kwargs):
+        raise AssertionError("valid invoke JWT should not be refreshed because metadata is stale")
+
+    def _unexpected_mint(*args, **kwargs):
+        raise AssertionError("valid invoke JWT should not fall back to legacy mint")
+
+    monkeypatch.setattr(auth_mod, "_refresh_access_token", _unexpected_refresh)
+    monkeypatch.setattr(auth_mod, "_mint_agent_key", _unexpected_mint)
+
+    creds = auth_mod.resolve_nous_runtime_credentials(min_key_ttl_seconds=300)
+
+    assert creds["api_key"] == token
+    assert creds["source"] == "invoke_jwt"
+    payload = json.loads((hermes_home / "auth.json").read_text())
+    singleton = payload["providers"]["nous"]
+    assert singleton["agent_key"] == token
+    assert datetime.fromisoformat(singleton["expires_at"]).timestamp() > time.time() + 300
+    assert datetime.fromisoformat(singleton["agent_key_expires_at"]).timestamp() > time.time() + 300
+
+
+def test_resolve_nous_runtime_credentials_does_not_apply_legacy_ttl_to_invoke_jwt(
+    tmp_path,
+    monkeypatch,
+):
+    import hermes_cli.auth as auth_mod
+
+    hermes_home = tmp_path / "hermes"
+    token = _invoke_jwt(seconds=900)
+    _setup_nous_auth(
+        hermes_home,
+        access_token=token,
+        scope=auth_mod.DEFAULT_NOUS_SCOPE,
+        expires_at=_future_iso(900),
+        expires_in=900,
+    )
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    def _unexpected_mint(*args, **kwargs):
+        raise AssertionError("1800s legacy min TTL should not force opaque mint for invoke JWT")
+
+    monkeypatch.setattr(auth_mod, "_mint_agent_key", _unexpected_mint)
+
+    creds = auth_mod.resolve_nous_runtime_credentials(min_key_ttl_seconds=1800)
+
+    assert creds["api_key"] == token
+    assert creds["source"] == "invoke_jwt"
+    payload = json.loads((hermes_home / "auth.json").read_text())
+    assert payload["providers"]["nous"]["agent_key"] == token
+    assert payload["credential_pool"]["nous"][0]["agent_key"] == token
+
+
+def test_resolve_nous_runtime_credentials_falls_back_when_invoke_scope_missing(
+    tmp_path,
+    monkeypatch,
+):
+    import hermes_cli.auth as auth_mod
+
+    hermes_home = tmp_path / "hermes"
+    token = _jwt_with_claims({
+        "sub": "test-user",
+        "scope": "inference:mint_agent_key",
+        "exp": int(time.time() + 3600),
+    })
+    _setup_nous_auth(
+        hermes_home,
+        access_token=token,
+        scope=auth_mod.NOUS_LEGACY_AGENT_KEY_SCOPE,
+        expires_at=_future_iso(3600),
+        expires_in=3600,
+    )
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    calls = []
+
+    def _fake_mint_agent_key(*, client, portal_base_url, access_token, min_ttl_seconds):
+        del client, portal_base_url, min_ttl_seconds
+        calls.append(access_token)
+        return _mint_payload(api_key="opaque-agent-key")
+
+    monkeypatch.setattr(auth_mod, "_mint_agent_key", _fake_mint_agent_key)
+
+    creds = auth_mod.resolve_nous_runtime_credentials(min_key_ttl_seconds=300)
+
+    assert calls == [token]
+    assert creds["api_key"] == "opaque-agent-key"
+    assert creds["source"] == "portal"
+    payload = json.loads((hermes_home / "auth.json").read_text())
+    assert payload["providers"]["nous"]["agent_key"] == "opaque-agent-key"
+    assert payload["credential_pool"]["nous"][0]["agent_key"] == "opaque-agent-key"
+
+
+def test_nous_device_code_login_retries_legacy_scope_when_invoke_refused(monkeypatch):
+    import hermes_cli.auth as auth_mod
+
+    scopes = []
+
+    def _fake_request_device_code(*, client, portal_base_url, client_id, scope):
+        del client, portal_base_url, client_id
+        scopes.append(scope)
+        if len(scopes) == 1:
+            request = httpx.Request("POST", "https://portal.example.com/api/oauth/device/code")
+            response = httpx.Response(
+                400,
+                json={
+                    "error": "invalid_scope",
+                    "error_description": "unsupported inference:invoke",
+                },
+                request=request,
+            )
+            raise httpx.HTTPStatusError("invalid_scope", request=request, response=response)
+        return {
+            "device_code": "device",
+            "user_code": "user",
+            "verification_uri": "https://portal.example.com/device",
+            "verification_uri_complete": "https://portal.example.com/device?code=user",
+            "expires_in": 600,
+            "interval": 1,
+        }
+
+    def _fake_poll_for_token(**kwargs):
+        del kwargs
+        return {
+            "access_token": "access-legacy",
+            "refresh_token": "refresh-legacy",
+            "expires_in": 900,
+            "scope": auth_mod.NOUS_LEGACY_AGENT_KEY_SCOPE,
+        }
+
+    def _fake_refresh(state, **kwargs):
+        del kwargs
+        refreshed = dict(state)
+        refreshed["agent_key"] = "opaque-agent-key"
+        refreshed["agent_key_expires_at"] = _future_iso(1800)
+        return refreshed
+
+    monkeypatch.setattr(auth_mod, "_request_device_code", _fake_request_device_code)
+    monkeypatch.setattr(auth_mod, "_poll_for_token", _fake_poll_for_token)
+    monkeypatch.setattr(auth_mod, "refresh_nous_oauth_from_state", _fake_refresh)
+
+    result = auth_mod._nous_device_code_login(
+        portal_base_url="https://portal.example.com",
+        inference_base_url="https://inference.example.com/v1",
+        open_browser=False,
+        timeout_seconds=1,
+    )
+
+    assert scopes == [auth_mod.DEFAULT_NOUS_SCOPE, auth_mod.NOUS_LEGACY_AGENT_KEY_SCOPE]
+    assert result["scope"] == auth_mod.NOUS_LEGACY_AGENT_KEY_SCOPE
+    assert result["agent_key"] == "opaque-agent-key"
+
+
+def test_forced_legacy_env_skips_invoke_scope_and_jwt_storage(tmp_path, monkeypatch):
+    import hermes_cli.auth as auth_mod
+
+    hermes_home = tmp_path / "hermes"
+    token = _invoke_jwt(seconds=3600)
+    _setup_nous_auth(
+        hermes_home,
+        access_token=token,
+        scope=auth_mod.DEFAULT_NOUS_SCOPE,
+        expires_at=_future_iso(3600),
+        expires_in=3600,
+    )
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+    monkeypatch.setenv(auth_mod.NOUS_LEGACY_SESSION_KEYS_ENV, "true")
+
+    mint_calls = []
+
+    def _fake_mint_agent_key(*, client, portal_base_url, access_token, min_ttl_seconds):
+        del client, portal_base_url, min_ttl_seconds
+        mint_calls.append(access_token)
+        return _mint_payload(api_key="forced-legacy-key")
+
+    monkeypatch.setattr(auth_mod, "_mint_agent_key", _fake_mint_agent_key)
+
+    creds = auth_mod.resolve_nous_runtime_credentials(min_key_ttl_seconds=300)
+
+    assert mint_calls == [token]
+    assert creds["api_key"] == "forced-legacy-key"
+    payload = json.loads((hermes_home / "auth.json").read_text())
+    assert payload["providers"]["nous"]["agent_key"] == "forced-legacy-key"
+
+    requested_scopes = []
+
+    def _fake_request_device_code(*, client, portal_base_url, client_id, scope):
+        del client, portal_base_url, client_id
+        requested_scopes.append(scope)
+        return {
+            "device_code": "device",
+            "user_code": "user",
+            "verification_uri": "https://portal.example.com/device",
+            "verification_uri_complete": "https://portal.example.com/device?code=user",
+            "expires_in": 600,
+            "interval": 1,
+        }
+
+    def _fake_poll_for_token(**kwargs):
+        del kwargs
+        return {
+            "access_token": "access-legacy",
+            "refresh_token": "refresh-legacy",
+            "expires_in": 900,
+            "scope": auth_mod.NOUS_LEGACY_AGENT_KEY_SCOPE,
+        }
+
+    def _fake_refresh(state, **kwargs):
+        del kwargs
+        refreshed = dict(state)
+        refreshed["agent_key"] = "forced-legacy-login-key"
+        refreshed["agent_key_expires_at"] = _future_iso(1800)
+        return refreshed
+
+    monkeypatch.setattr(auth_mod, "_request_device_code", _fake_request_device_code)
+    monkeypatch.setattr(auth_mod, "_poll_for_token", _fake_poll_for_token)
+    monkeypatch.setattr(auth_mod, "refresh_nous_oauth_from_state", _fake_refresh)
+
+    auth_mod._nous_device_code_login(
+        portal_base_url="https://portal.example.com",
+        inference_base_url="https://inference.example.com/v1",
+        open_browser=False,
+        timeout_seconds=1,
+    )
+
+    assert requested_scopes == [auth_mod.NOUS_LEGACY_AGENT_KEY_SCOPE]
+
+
+def test_nous_inference_auth_logs_do_not_include_secret_values(
+    tmp_path,
+    monkeypatch,
+    caplog,
+):
+    import hermes_cli.auth as auth_mod
+
+    hermes_home = tmp_path / "hermes"
+    token = _jwt_with_claims({
+        "sub": "secret-user",
+        "scope": "inference:mint_agent_key",
+        "exp": int(time.time() + 3600),
+    })
+    refresh_token = "refresh-secret-token"
+    opaque_key = "opaque-secret-agent-key"
+    _setup_nous_auth(
+        hermes_home,
+        access_token=token,
+        refresh_token=refresh_token,
+        scope=auth_mod.NOUS_LEGACY_AGENT_KEY_SCOPE,
+        expires_at=_future_iso(3600),
+        expires_in=3600,
+    )
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    def _fake_mint_agent_key(*, client, portal_base_url, access_token, min_ttl_seconds):
+        del client, portal_base_url, access_token, min_ttl_seconds
+        return _mint_payload(api_key=opaque_key)
+
+    monkeypatch.setattr(auth_mod, "_mint_agent_key", _fake_mint_agent_key)
+
+    caplog.set_level(logging.INFO, logger="hermes_cli.auth")
+    auth_mod.resolve_nous_runtime_credentials(min_key_ttl_seconds=300)
+
+    logged = caplog.text
+    assert "legacy session key path" in logged
+    assert token not in logged
+    assert refresh_token not in logged
+    assert opaque_key not in logged
+
+
 def test_get_nous_auth_status_checks_credential_pool(tmp_path, monkeypatch):
     """get_nous_auth_status() should find Nous credentials in the pool
     even when the auth store has no Nous provider entry — this is the