fix(auth): honor SSL CA env vars across httpx + requests callsites

- hermes_cli/auth.py: add _default_verify() with macOS Homebrew certifi fallback (mirrors weixin 3a0ec1d93). Extend env var chain to include REQUESTS_CA_BUNDLE so one env var works across httpx + requests paths. - agent/model_metadata.py: add _resolve_requests_verify() reading HERMES_CA_BUNDLE / REQUESTS_CA_BUNDLE / SSL_CERT_FILE in priority order. Apply explicit verify= to all 6 requests.get callsites. - Tests: 18 new unit tests + autouse platform pin on existing TestResolveVerifyFallback to keep its "returns True" assertions platform-independent. Empirically verified against self-signed HTTPS server: requests honors REQUESTS_CA_BUNDLE only; httpx honors SSL_CERT_FILE only. Hermes now honors all three everywhere. Triggered by Discord reports — Nous OAuth SSL failure on macOS Homebrew Python; custom provider self-signed cert ignored despite REQUESTS_CA_BUNDLE set in env.
2026-04-26 01:01:40 +00:00 · 2026-04-23 14:59:26 +03:00 · 2026-04-23 14:59:26 +03:00 · 8aa37a0cf9
commit 8aa37a0cf9
parent b0cb81a089
5 changed files with 260 additions and 7 deletions
--- a/tests/agent/test_model_metadata_ssl.py
+++ b/tests/agent/test_model_metadata_ssl.py
@ -0,0 +1,90 @@
+"""Tests for _resolve_requests_verify() env var precedence.
+
+Verifies that custom provider `/models` fetches honour the three supported
+CA bundle env vars (HERMES_CA_BUNDLE, REQUESTS_CA_BUNDLE, SSL_CERT_FILE)
+in the documented priority order, and that non-existent paths are
+skipped gracefully rather than breaking the request.
+
+No filesystem or network I/O required — we use tmp_path to create real
+CA bundle stand-in files and monkeypatch env vars.
+"""
+
+import os
+import sys
+from pathlib import Path
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), ".."))
+
+import pytest
+
+from agent.model_metadata import _resolve_requests_verify
+
+
+_CA_ENV_VARS = ("HERMES_CA_BUNDLE", "REQUESTS_CA_BUNDLE", "SSL_CERT_FILE")
+
+
+@pytest.fixture
+def clean_env(monkeypatch):
+    """Clear all three SSL env vars so each test starts from a known state."""
+    for var in _CA_ENV_VARS:
+        monkeypatch.delenv(var, raising=False)
+    return monkeypatch
+
+
+@pytest.fixture
+def bundle_file(tmp_path: Path) -> str:
+    """Create a placeholder CA bundle file and return its absolute path."""
+    path = tmp_path / "ca.pem"
+    path.write_text("-----BEGIN CERTIFICATE-----\nstub\n-----END CERTIFICATE-----\n")
+    return str(path)
+
+
+class TestResolveRequestsVerify:
+    def test_no_env_returns_true(self, clean_env):
+        assert _resolve_requests_verify() is True
+
+    def test_hermes_ca_bundle_returns_path(self, clean_env, bundle_file):
+        clean_env.setenv("HERMES_CA_BUNDLE", bundle_file)
+        assert _resolve_requests_verify() == bundle_file
+
+    def test_requests_ca_bundle_returns_path(self, clean_env, bundle_file):
+        clean_env.setenv("REQUESTS_CA_BUNDLE", bundle_file)
+        assert _resolve_requests_verify() == bundle_file
+
+    def test_ssl_cert_file_returns_path(self, clean_env, bundle_file):
+        clean_env.setenv("SSL_CERT_FILE", bundle_file)
+        assert _resolve_requests_verify() == bundle_file
+
+    def test_priority_hermes_over_requests(self, clean_env, tmp_path, bundle_file):
+        other = tmp_path / "other.pem"
+        other.write_text("stub")
+        clean_env.setenv("HERMES_CA_BUNDLE", bundle_file)
+        clean_env.setenv("REQUESTS_CA_BUNDLE", str(other))
+        assert _resolve_requests_verify() == bundle_file
+
+    def test_priority_requests_over_ssl_cert_file(self, clean_env, tmp_path, bundle_file):
+        other = tmp_path / "other.pem"
+        other.write_text("stub")
+        clean_env.setenv("REQUESTS_CA_BUNDLE", bundle_file)
+        clean_env.setenv("SSL_CERT_FILE", str(other))
+        assert _resolve_requests_verify() == bundle_file
+
+    def test_nonexistent_path_falls_through(self, clean_env, tmp_path, bundle_file):
+        missing = tmp_path / "does_not_exist.pem"
+        clean_env.setenv("HERMES_CA_BUNDLE", str(missing))
+        clean_env.setenv("REQUESTS_CA_BUNDLE", bundle_file)
+        assert _resolve_requests_verify() == bundle_file
+
+    def test_all_nonexistent_returns_true(self, clean_env, tmp_path):
+        missing1 = tmp_path / "a.pem"
+        missing2 = tmp_path / "b.pem"
+        missing3 = tmp_path / "c.pem"
+        clean_env.setenv("HERMES_CA_BUNDLE", str(missing1))
+        clean_env.setenv("REQUESTS_CA_BUNDLE", str(missing2))
+        clean_env.setenv("SSL_CERT_FILE", str(missing3))
+        assert _resolve_requests_verify() is True
+
+    def test_empty_string_env_var_ignored(self, clean_env, bundle_file):
+        clean_env.setenv("HERMES_CA_BUNDLE", "")
+        clean_env.setenv("REQUESTS_CA_BUNDLE", bundle_file)
+        assert _resolve_requests_verify() == bundle_file