mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-21 10:22:18 +00:00
f538470cf4
The credential gate. When multiplexing is active, a profile's secrets resolve from a context-local scope, never the process-global os.environ (which in a multiplexer may hold another profile's keys, and is inherited by every subprocess spawned with env=dict(os.environ)). - agent/secret_scope.py: get_secret() backed by a secret-scope contextvar. FAIL-CLOSED: when multiplex is active and no scope is installed, an unscoped read RAISES UnscopedSecretError instead of falling back to os.environ — a missed/new call site crashes loudly at that line rather than leaking a cross-profile value. Genuinely-global vars (HERMES_*, PATH, kanban paths, …) keep reading os.environ via an allowlist. load_env_file/build_profile_ secret_scope parse a profile .env into an isolated dict WITHOUT mutating os.environ. Off by default => transparent os.getenv behavior. - hermes_cli/runtime_provider.py: all credential/provider/base-url reads go through _getenv -> get_secret. - agent/credential_pool.py: env fallbacks route through get_secret (the ~/.hermes/.env-first preference is preserved and already profile-correct via the home override). - tools/mcp_tool.py: MCP config interpolation resolves through get_secret, so a server's picks up the routed profile's value. - gateway/run.py: set_multiplex_active() at GatewayRunner init; per-turn .env reload is a no-op for credentials in multiplex mode (secrets come from the scope, not global env); _profile_runtime_scope context manager combines the HERMES_HOME override + secret scope; _run_agent wraps _run_agent_inner in that scope (resolved via _resolve_profile_home_for_source) when multiplexing. Propagates into the agent worker thread for free via the existing copy_context() in _run_in_executor_with_context. Tests: 13 unit (fail-closed, scope isolation, global allowlist, .env parsing without environ mutation) + 7 E2E (runtime_provider + MCP interpolation prove two profiles isolated, unscoped read raises, globals still read environ).
130 lines
4.7 KiB
Python
130 lines
4.7 KiB
Python
"""Tests for the profile-scoped credential primitive (Workstream A / Phase 2)."""
|
|
import pytest
|
|
|
|
from agent import secret_scope as ss
|
|
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def _reset_multiplex():
|
|
"""Ensure each test starts and ends with multiplexing off (it's a global)."""
|
|
ss.set_multiplex_active(False)
|
|
yield
|
|
ss.set_multiplex_active(False)
|
|
|
|
|
|
class TestMultiplexInactiveBackwardCompat:
|
|
"""Default deployment: get_secret transparently reads os.environ."""
|
|
|
|
def test_reads_environ(self, monkeypatch):
|
|
monkeypatch.setenv("ANTHROPIC_API_KEY", "sk-test")
|
|
assert ss.get_secret("ANTHROPIC_API_KEY") == "sk-test"
|
|
|
|
def test_missing_returns_default(self, monkeypatch):
|
|
monkeypatch.delenv("NOPE_KEY", raising=False)
|
|
assert ss.get_secret("NOPE_KEY") is None
|
|
assert ss.get_secret("NOPE_KEY", "fallback") == "fallback"
|
|
|
|
def test_no_raise_without_scope(self, monkeypatch):
|
|
monkeypatch.delenv("SOME_KEY", raising=False)
|
|
# multiplex off => unscoped read is fine, returns default
|
|
assert ss.get_secret("SOME_KEY") is None
|
|
|
|
|
|
class TestMultiplexActiveFailClosed:
|
|
"""Multiplex on: an unscoped secret read raises instead of leaking."""
|
|
|
|
def test_unscoped_read_raises(self, monkeypatch):
|
|
monkeypatch.setenv("ANTHROPIC_API_KEY", "sk-leaky")
|
|
ss.set_multiplex_active(True)
|
|
with pytest.raises(ss.UnscopedSecretError):
|
|
ss.get_secret("ANTHROPIC_API_KEY")
|
|
|
|
def test_scoped_read_uses_scope_not_environ(self, monkeypatch):
|
|
monkeypatch.setenv("ANTHROPIC_API_KEY", "sk-from-environ")
|
|
ss.set_multiplex_active(True)
|
|
token = ss.set_secret_scope({"ANTHROPIC_API_KEY": "sk-from-scope"})
|
|
try:
|
|
assert ss.get_secret("ANTHROPIC_API_KEY") == "sk-from-scope"
|
|
finally:
|
|
ss.reset_secret_scope(token)
|
|
|
|
def test_scoped_missing_key_returns_default_not_environ(self, monkeypatch):
|
|
# Even though the value exists in os.environ, a scope is authoritative:
|
|
# an absent scope key must NOT fall through to the (cross-profile) env.
|
|
monkeypatch.setenv("OPENAI_API_KEY", "sk-other-profile")
|
|
ss.set_multiplex_active(True)
|
|
token = ss.set_secret_scope({"ANTHROPIC_API_KEY": "sk-mine"})
|
|
try:
|
|
assert ss.get_secret("OPENAI_API_KEY") is None
|
|
assert ss.get_secret("OPENAI_API_KEY", "d") == "d"
|
|
finally:
|
|
ss.reset_secret_scope(token)
|
|
|
|
def test_global_env_still_reads_environ_under_multiplex(self, monkeypatch):
|
|
monkeypatch.setenv("HERMES_HOME", "/opt/data")
|
|
ss.set_multiplex_active(True)
|
|
# No scope, multiplex on — but HERMES_HOME is global, so no raise.
|
|
assert ss.get_secret("HERMES_HOME") == "/opt/data"
|
|
|
|
def test_kanban_prefix_is_global(self, monkeypatch):
|
|
monkeypatch.setenv("HERMES_KANBAN_DB", "/x/kanban.db")
|
|
ss.set_multiplex_active(True)
|
|
assert ss.get_secret("HERMES_KANBAN_DB") == "/x/kanban.db"
|
|
|
|
|
|
class TestScopeIsolation:
|
|
"""Two scopes never see each other's secrets."""
|
|
|
|
def test_nested_scopes_restore(self):
|
|
ss.set_multiplex_active(True)
|
|
t1 = ss.set_secret_scope({"K": "a"})
|
|
try:
|
|
assert ss.get_secret("K") == "a"
|
|
t2 = ss.set_secret_scope({"K": "b"})
|
|
try:
|
|
assert ss.get_secret("K") == "b"
|
|
finally:
|
|
ss.reset_secret_scope(t2)
|
|
assert ss.get_secret("K") == "a"
|
|
finally:
|
|
ss.reset_secret_scope(t1)
|
|
|
|
|
|
class TestEnvFileParsing:
|
|
"""load_env_file parses without mutating os.environ."""
|
|
|
|
def test_parses_basic(self, tmp_path):
|
|
env = tmp_path / ".env"
|
|
env.write_text(
|
|
"# comment\n"
|
|
"ANTHROPIC_API_KEY=sk-abc\n"
|
|
"export OPENAI_API_KEY=sk-def\n"
|
|
'QUOTED="quoted-value"\n'
|
|
"SINGLE='single'\n"
|
|
"\n"
|
|
"BAD_LINE_NO_EQUALS\n"
|
|
)
|
|
out = ss.load_env_file(env)
|
|
assert out == {
|
|
"ANTHROPIC_API_KEY": "sk-abc",
|
|
"OPENAI_API_KEY": "sk-def",
|
|
"QUOTED": "quoted-value",
|
|
"SINGLE": "single",
|
|
}
|
|
|
|
def test_does_not_mutate_environ(self, tmp_path, monkeypatch):
|
|
monkeypatch.delenv("ZZZ_KEY", raising=False)
|
|
env = tmp_path / ".env"
|
|
env.write_text("ZZZ_KEY=secret\n")
|
|
ss.load_env_file(env)
|
|
import os
|
|
assert "ZZZ_KEY" not in os.environ
|
|
|
|
def test_missing_file_returns_empty(self, tmp_path):
|
|
assert ss.load_env_file(tmp_path / "nope.env") == {}
|
|
|
|
def test_build_profile_secret_scope(self, tmp_path):
|
|
(tmp_path / ".env").write_text("ANTHROPIC_API_KEY=sk-profile\n")
|
|
assert ss.build_profile_secret_scope(tmp_path) == {
|
|
"ANTHROPIC_API_KEY": "sk-profile"
|
|
}
|