fix: validate nous auth status against runtime credentials

This commit is contained in:
Michael Steuer 2026-04-23 19:47:35 +02:00 committed by Teknium
parent 1fc77f995b
commit cd221080ec
4 changed files with 223 additions and 52 deletions

View file

@ -198,12 +198,82 @@ def test_get_nous_auth_status_auth_store_fallback(tmp_path, monkeypatch):
hermes_home = tmp_path / "hermes"
_setup_nous_auth(hermes_home, access_token="at-123")
monkeypatch.setenv("HERMES_HOME", str(hermes_home))
monkeypatch.setattr(
"hermes_cli.auth.resolve_nous_runtime_credentials",
lambda min_key_ttl_seconds=60: {
"base_url": "https://inference.example.com/v1",
"expires_at": "2099-01-01T00:00:00+00:00",
"key_id": "key-1",
"source": "cache",
},
)
status = get_nous_auth_status()
assert status["logged_in"] is True
assert status["portal_base_url"] == "https://portal.example.com"
def test_get_nous_auth_status_prefers_runtime_auth_store_over_stale_pool(tmp_path, monkeypatch):
from hermes_cli.auth import get_nous_auth_status
from agent.credential_pool import PooledCredential, load_pool
hermes_home = tmp_path / "hermes"
_setup_nous_auth(hermes_home, access_token="at-fresh")
monkeypatch.setenv("HERMES_HOME", str(hermes_home))
pool = load_pool("nous")
stale = PooledCredential.from_dict("nous", {
"access_token": "at-stale",
"refresh_token": "rt-stale",
"portal_base_url": "https://portal.stale.example.com",
"inference_base_url": "https://inference.stale.example.com/v1",
"agent_key": "agent-stale",
"agent_key_expires_at": "2020-01-01T00:00:00+00:00",
"expires_at": "2020-01-01T00:00:00+00:00",
"label": "dashboard device_code",
"auth_type": "oauth",
"source": "manual:dashboard_device_code",
"base_url": "https://inference.stale.example.com/v1",
"priority": 0,
})
pool.add_entry(stale)
monkeypatch.setattr(
"hermes_cli.auth.resolve_nous_runtime_credentials",
lambda min_key_ttl_seconds=60: {
"base_url": "https://inference.example.com/v1",
"expires_at": "2099-01-01T00:00:00+00:00",
"key_id": "key-fresh",
"source": "portal",
},
)
status = get_nous_auth_status()
assert status["logged_in"] is True
assert status["portal_base_url"] == "https://portal.example.com"
assert status["inference_base_url"] == "https://inference.example.com/v1"
assert status["source"] == "runtime:portal"
def test_get_nous_auth_status_reports_revoked_refresh_session(tmp_path, monkeypatch):
from hermes_cli.auth import get_nous_auth_status
hermes_home = tmp_path / "hermes"
_setup_nous_auth(hermes_home, access_token="at-123")
monkeypatch.setenv("HERMES_HOME", str(hermes_home))
def _boom(min_key_ttl_seconds=60):
raise AuthError("Refresh session has been revoked", provider="nous", relogin_required=True)
monkeypatch.setattr("hermes_cli.auth.resolve_nous_runtime_credentials", _boom)
status = get_nous_auth_status()
assert status["logged_in"] is False
assert status["relogin_required"] is True
assert "revoked" in status["error"].lower()
assert status["portal_base_url"] == "https://portal.example.com"
def test_get_nous_auth_status_empty_returns_not_logged_in(tmp_path, monkeypatch):
"""get_nous_auth_status() returns logged_in=False when both pool
and auth store are empty.

View file

@ -42,3 +42,40 @@ def test_show_status_termux_gateway_section_skips_systemctl(monkeypatch, capsys,
assert "Manager: Termux / manual process" in output
assert "Start with: hermes gateway" in output
assert "systemd (user)" not in output
def test_show_status_reports_nous_auth_error(monkeypatch, capsys, tmp_path):
from hermes_cli import status as status_mod
import hermes_cli.auth as auth_mod
import hermes_cli.gateway as gateway_mod
monkeypatch.setattr(status_mod, "get_env_path", lambda: tmp_path / ".env", raising=False)
monkeypatch.setattr(status_mod, "get_hermes_home", lambda: tmp_path, raising=False)
monkeypatch.setattr(status_mod, "load_config", lambda: {"model": "gpt-5.4"}, raising=False)
monkeypatch.setattr(status_mod, "resolve_requested_provider", lambda requested=None: "openai-codex", raising=False)
monkeypatch.setattr(status_mod, "resolve_provider", lambda requested=None, **kwargs: "openai-codex", raising=False)
monkeypatch.setattr(status_mod, "provider_label", lambda provider: "OpenAI Codex", raising=False)
monkeypatch.setattr(
auth_mod,
"get_nous_auth_status",
lambda: {
"logged_in": False,
"portal_base_url": "https://portal.nousresearch.com",
"access_expires_at": "2026-04-20T01:00:51+00:00",
"agent_key_expires_at": "2026-04-20T04:54:24+00:00",
"has_refresh_token": True,
"error": "Refresh session has been revoked",
},
raising=False,
)
monkeypatch.setattr(auth_mod, "get_codex_auth_status", lambda: {}, raising=False)
monkeypatch.setattr(auth_mod, "get_qwen_auth_status", lambda: {}, raising=False)
monkeypatch.setattr(gateway_mod, "find_gateway_pids", lambda exclude_pids=None: [], raising=False)
status_mod.show_status(SimpleNamespace(all=False, deep=False))
output = capsys.readouterr().out
assert "Nous Portal ✗ not logged in (run: hermes auth add nous --type oauth)" in output
assert "Error: Refresh session has been revoked" in output
assert "Access exp:" in output
assert "Key exp:" in output