hermes-agent/hermes_cli/dashboard_auth
Ben cb9cb6ba1c feat(dashboard-auth): generic non-interactive API-token capability
Task 2.0a of the safe-shutdown drain-coordination plan. Widens the dashboard
auth framework GENERICALLY to support non-interactive (service-to-service)
bearer-token auth, mirroring the existing supports_password precedent. This is
a reusable capability — any future machine-credential provider plugs in without
core changes (decisions.md Q-C). The drain bearer-secret plugin (Task 2.0b) is
the first consumer, not the definition.

- base.py: add TokenPrincipal dataclass (the token analog of Session) +
  supports_token capability flag + verify_token() on the ABC (default raises
  NotImplementedError so a misconfigured provider fails loud). Contract mirrors
  verify_session stacking: return None for unrecognised tokens (never raise),
  raise ProviderError only on a genuine backing-store outage.
- registry.py: list_token_providers() — the supports_token subset, in
  registration order. Empty when none registered (token routes fail closed).
- token_auth.py (new): route-agnostic seam. Routes opt in via
  register_token_route(exact path); token_auth_middleware owns the auth
  decision for those routes only — authenticate via stacked providers, attach
  request.state.token_principal + token_authenticated, pass through. 401 on
  missing/unrecognised token, 503 when a provider was unreachable, untouched
  passthrough for non-token routes. Fails closed (never open).
- web_server.py: install the seam OUTERMOST (registered last → runs first).
  Both downstream gates (legacy auth_middleware + gated_auth_middleware) honour
  request.state.token_authenticated and skip enforcement, so a token-authed
  service request is never bounced to /login.
- audit.py: TOKEN_AUTH_SUCCESS / TOKEN_AUTH_FAILURE events.

Tests: tests/hermes_cli/test_dashboard_token_auth.py — ABC flag default,
verify_token NotImplementedError, registry filter, bearer extraction
(case-insensitive scheme, malformed/non-bearer → ""), provider stacking
(first-match-wins, unreachable-remembered, unreachable-then-valid, buggy
provider doesn't crash the gate), and the seam's passthrough/401/503/
fail-closed behaviour. 29 new tests; full dashboard-auth suite 169 passed.

Intentionally deferred:
- The concrete shared-bearer-secret provider plugin — Task 2.0b.
- The begin/cancel-drain endpoint that registers itself as a token route —
  Task 2.1.

Build status: dashboard-auth + plugin-hook suites green.
2026-06-26 00:47:19 -07:00
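The stacking and status rules the commit message describes (first-match-wins, unreachable remembered, buggy provider tolerated, 401/503/passthrough, fail closed) are easy to get subtly wrong, so here is a stand-alone model of that decision as an added example. This is not hermes-agent's code: the class and function names, the `Decision` result type, the shared-secret provider, and the assumptions that a missing/malformed header is rejected with 401 before any provider is consulted and that a later valid provider still wins after an earlier outage are all mine.

```python
"""Hypothetical model of a stacked bearer-token gate (added example, not the
hermes-agent implementation). Names and status precedence are assumptions."""
import hmac
from dataclasses import dataclass
from typing import List, Optional


class ProviderError(Exception):
    """Raised by a provider only for a genuine backing-store outage."""


@dataclass(frozen=True)
class TokenPrincipal:
    """Token analog of a session: who the token speaks for, and which provider said so."""
    subject: str
    provider: str


class TokenProvider:
    """Base class: supports_token defaults to False, verify_token fails loud."""
    name = "base"
    supports_token = False

    def verify_token(self, token: str) -> Optional[TokenPrincipal]:
        raise NotImplementedError(f"{self.name}: verify_token not implemented")


class SharedSecretProvider(TokenProvider):
    """Assumed provider: one shared secret, compared in constant time."""
    name = "shared-secret"
    supports_token = True

    def __init__(self, secret: str):
        self._secret = secret.encode()

    def verify_token(self, token: str) -> Optional[TokenPrincipal]:
        # Contract: None for an unrecognised token, never an exception.
        if hmac.compare_digest(token.encode(), self._secret):
            return TokenPrincipal("drain-coordinator", self.name)
        return None


class OutageProvider(TokenProvider):
    """Assumed provider whose backing store is down (constructed for the test)."""
    name = "outage"
    supports_token = True

    def verify_token(self, token: str) -> Optional[TokenPrincipal]:
        raise ProviderError("backing store unreachable")


class BuggyProvider(TokenProvider):
    """Assumed provider with a programming error (constructed for the test)."""
    name = "buggy"
    supports_token = True

    def verify_token(self, token: str) -> Optional[TokenPrincipal]:
        return {}["oops"]  # KeyError: a bug, not an outage


def list_token_providers(providers: List[TokenProvider]) -> List[TokenProvider]:
    """The supports_token subset, in registration order."""
    return [p for p in providers if p.supports_token]


def extract_bearer(authorization: Optional[str]) -> str:
    """'Bearer <token>' with a case-insensitive scheme; anything else -> ''."""
    if not authorization:
        return ""
    parts = authorization.strip().split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return ""
    return parts[1]


@dataclass
class Decision:
    status: int  # 200 = passthrough or authenticated, 401, 503
    token_authenticated: bool = False
    principal: Optional[TokenPrincipal] = None


_TOKEN_ROUTES: set = set()


def register_token_route(path: str) -> None:
    """Routes opt in by exact path; everything else passes through untouched."""
    _TOKEN_ROUTES.add(path)


def token_gate(path: str, authorization: Optional[str],
               providers: List[TokenProvider]) -> Decision:
    if path not in _TOKEN_ROUTES:
        return Decision(200)  # not a token route: untouched passthrough
    token = extract_bearer(authorization)
    if not token:
        return Decision(401)  # missing or malformed header (assumed short-circuit)
    unreachable = False
    for provider in list_token_providers(providers):
        try:
            principal = provider.verify_token(token)
        except ProviderError:
            unreachable = True  # remembered; keep trying the rest of the stack
            continue
        except Exception:
            continue  # buggy provider must not crash the gate; treat as no match
        if principal is not None:
            return Decision(200, True, principal)  # first match wins
    # No provider recognised the token: 503 if any was down, else 401. Never open.
    return Decision(503 if unreachable else 401)
```

Register a route with `register_token_route("/api/drain/begin")` (a hypothetical path) and call `token_gate(path, request_headers.get("authorization"), providers)` in front of the downstream gates; with an empty provider list every token route answers 401, which is the fail-closed behaviour the commit message calls for.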
__init__.py feat(dashboard-auth): generic non-interactive API-token capability 2026-06-26 00:47:19 -07:00
audit.py feat(dashboard-auth): generic non-interactive API-token capability 2026-06-26 00:47:19 -07:00
base.py feat(dashboard-auth): generic non-interactive API-token capability 2026-06-26 00:47:19 -07:00
cookies.py fix(desktop): gate OAuth remote connect on AT-or-RT, not access token alone 2026-06-04 22:18:46 -07:00
login_page.py feat(dashboard-auth): add pluggable password (non-redirect) login 2026-06-04 01:02:25 -07:00
middleware.py feat(dashboard-auth): generic non-interactive API-token capability 2026-06-26 00:47:19 -07:00
prefix.py fix(dashboard-auth): warn when public_url override is silently rejected (#43214) 2026-06-10 12:14:57 +10:00
public_paths.py fix(cron): serve /api/cron/fire on the dashboard app (hosted-agent surface) 2026-06-19 12:43:30 +10:00
registry.py feat(dashboard-auth): generic non-interactive API-token capability 2026-06-26 00:47:19 -07:00
routes.py feat(dashboard-auth): add pluggable password (non-redirect) login 2026-06-04 01:02:25 -07:00
token_auth.py feat(dashboard-auth): generic non-interactive API-token capability 2026-06-26 00:47:19 -07:00
ws_tickets.py test(dashboard): direct unit coverage for internal WS credential + docstring fix 2026-06-02 23:43:27 -07:00