hermes-agent/tests/hermes_cli/test_nous_account.py

"""Tests for normalized Nous Portal account entitlement helpers."""

from __future__ import annotations

import base64
import json
import time
from typing import Any

import pytest

from hermes_cli.nous_account import (
    NousPaidServiceAccessInfo,
    NousPortalAccountInfo,
    format_nous_portal_entitlement_message,
    get_nous_portal_account_info,
    nous_portal_topup_url,
    reset_nous_portal_account_info_cache,
)


def _jwt(claims: dict[str, Any]) -> str:
    def _part(payload: dict[str, Any]) -> str:
        raw = json.dumps(payload, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    return f"{_part({'alg': 'none', 'typ': 'JWT'})}.{_part(claims)}.sig"


def _state(token: str) -> dict[str, Any]:
    return {
        "access_token": token,
        "portal_base_url": "https://portal.example.test",
        "client_id": "hermes-cli",
    }


def _account_payload(
    *,
    allowed: bool,
    subscription: dict[str, Any] | None,
    subscription_credits: float,
    purchased_credits: float,
) -> dict[str, Any]:
    return {
        "user": {
            "email": "alice@example.test",
            "privy_did": "did:privy:alice",
        },
        "organisation": {
            "id": "org_123",
        },
        "subscription": subscription,
        "purchased_credits_remaining": purchased_credits,
        "paid_service_access": {
            "allowed": allowed,
            "paid_access": allowed,
            "reason": "usable_credits" if allowed else "no_usable_credits",
            "organisation_id": "org_123",
            "effective_at_ms": 123456789,
            "has_active_subscription": subscription is not None,
            "active_subscription_is_paid": bool(
                subscription and subscription.get("monthly_charge", 0) > 0
            ),
            "subscription_tier": subscription.get("tier") if subscription else None,
            "subscription_monthly_charge": (
                subscription.get("monthly_charge") if subscription else None
            ),
            "subscription_credits_remaining": subscription_credits,
            "purchased_credits_remaining": purchased_credits,
            "total_usable_credits": subscription_credits + purchased_credits,
        },
    }


@pytest.fixture(autouse=True)
def _reset_cache():
    reset_nous_portal_account_info_cache()
    yield
    reset_nous_portal_account_info_cache()


def test_valid_jwt_with_paid_access_true(monkeypatch):
    token = _jwt(
        {
            "sub": "user_123",
            "org_id": "org_123",
            "client_id": "hermes-cli",
            "product_id": "nous-hermes-agent",
            "nous_client": "hermes-agent",
            "exp": int(time.time()) + 900,
            "paid_access": True,
            "subscription_tier": 2,
        }
    )
    monkeypatch.setattr("hermes_cli.auth.get_provider_auth_state", lambda provider: _state(token))

    info = get_nous_portal_account_info()

    assert info.source == "jwt"
    assert info.fresh is False
    assert info.logged_in is True
    assert info.user_id == "user_123"
    assert info.org_id == "org_123"
    assert info.product_id == "nous-hermes-agent"
    assert info.paid_service_access is True
    assert info.is_paid is True
    assert info.is_free_tier is False


def test_valid_jwt_with_paid_access_false(monkeypatch):
    token = _jwt(
        {
            "sub": "user_123",
            "org_id": "org_123",
            "exp": int(time.time()) + 900,
            "paid_access": False,
        }
    )
    monkeypatch.setattr("hermes_cli.auth.get_provider_auth_state", lambda provider: _state(token))

    info = get_nous_portal_account_info()

    assert info.source == "jwt"
    assert info.paid_service_access is False
    assert info.is_paid is False
    assert info.is_free_tier is True


def test_valid_jwt_missing_paid_access_is_unknown_not_paid(monkeypatch):
    token = _jwt(
        {
            "sub": "user_123",
            "org_id": "org_123",
            "exp": int(time.time()) + 900,
        }
    )
    monkeypatch.setattr("hermes_cli.auth.get_provider_auth_state", lambda provider: _state(token))

    info = get_nous_portal_account_info()

    assert info.source == "jwt"
    assert info.paid_service_access is None
    assert info.is_paid is False
    assert info.is_free_tier is False


def test_expired_jwt_falls_back_to_fresh_account(monkeypatch):
    token = _jwt(
        {
            "sub": "user_123",
            "org_id": "org_123",
            "exp": int(time.time()) - 60,
            "paid_access": False,
        }
    )
    payload = _account_payload(
        allowed=True,
        subscription={
            "plan": "Tier 2",
            "tier": 2,
            "monthly_charge": 20,
            "current_period_end": "2026-05-01T00:00:00.000Z",
            "credits_remaining": 12.25,
            "rollover_credits": 3.5,
        },
        subscription_credits=12.25,
        purchased_credits=7.75,
    )
    monkeypatch.setattr("hermes_cli.auth.get_provider_auth_state", lambda provider: _state(token))
    monkeypatch.setattr("hermes_cli.auth.resolve_nous_access_token", lambda: "fresh-token")
    monkeypatch.setattr("hermes_cli.nous_account._fetch_nous_account_info", lambda *a, **kw: payload)

    info = get_nous_portal_account_info()

    assert info.source == "account_api"
    assert info.fresh is True
    assert info.paid_service_access is True
    assert info.subscription is not None
    assert info.subscription.monthly_charge == 20
    assert info.paid_service_access_info is not None
    assert info.paid_service_access_info.total_usable_credits == 20


@pytest.mark.parametrize(
    ("payload", "expected_paid"),
    [
        (
            _account_payload(
                allowed=True,
                subscription={
                    "plan": "Tier 2",
                    "tier": 2,
                    "monthly_charge": 20,
                    "current_period_end": "2026-05-01T00:00:00.000Z",
                    "credits_remaining": 12.25,
                    "rollover_credits": 3.5,
                },
                subscription_credits=12.25,
                purchased_credits=7.75,
            ),
            True,
        ),
        (
            _account_payload(
                allowed=False,
                subscription={
                    "plan": "Tier 2",
                    "tier": 2,
                    "monthly_charge": 20,
                    "current_period_end": "2026-05-01T00:00:00.000Z",
                    "credits_remaining": 0,
                    "rollover_credits": 0,
                },
                subscription_credits=0,
                purchased_credits=0,
            ),
            False,
        ),
        (
            _account_payload(
                allowed=True,
                subscription=None,
                subscription_credits=0,
                purchased_credits=7.75,
            ),
            True,
        ),
        (
            _account_payload(
                allowed=False,
                subscription=None,
                subscription_credits=0,
                purchased_credits=0,
            ),
            False,
        ),
    ],
)
def test_fresh_account_payload_normalization(monkeypatch, payload, expected_paid):
    token = _jwt({"sub": "user_123", "org_id": "org_123", "exp": int(time.time()) + 900})
    monkeypatch.setattr("hermes_cli.auth.get_provider_auth_state", lambda provider: _state(token))
    monkeypatch.setattr("hermes_cli.auth.resolve_nous_access_token", lambda: "fresh-token")
    monkeypatch.setattr("hermes_cli.nous_account._fetch_nous_account_info", lambda *a, **kw: payload)

    info = get_nous_portal_account_info(force_fresh=True)

    assert isinstance(info, NousPortalAccountInfo)
    assert info.source == "account_api"
    assert info.fresh is True
    assert info.email == "alice@example.test"
    assert info.privy_did == "did:privy:alice"
    assert info.org_id == "org_123"
    assert info.paid_service_access is expected_paid
    assert info.is_paid is expected_paid
    assert info.is_free_tier is (not expected_paid)


def test_force_fresh_uses_account_api_even_when_jwt_is_valid(monkeypatch):
    token = _jwt(
        {
            "sub": "user_123",
            "org_id": "org_123",
            "exp": int(time.time()) + 900,
            "paid_access": False,
        }
    )
    payload = _account_payload(
        allowed=True,
        subscription=None,
        subscription_credits=0,
        purchased_credits=5,
    )
    monkeypatch.setattr("hermes_cli.auth.get_provider_auth_state", lambda provider: _state(token))
    monkeypatch.setattr("hermes_cli.auth.resolve_nous_access_token", lambda: "fresh-token")
    monkeypatch.setattr("hermes_cli.nous_account._fetch_nous_account_info", lambda *a, **kw: payload)

    info = get_nous_portal_account_info(force_fresh=True)

    assert info.source == "account_api"
    assert info.paid_service_access is True


def test_no_oauth_token_reports_inference_key_present(monkeypatch):
    monkeypatch.setattr("hermes_cli.auth.get_provider_auth_state", lambda provider: {})

    class _Entry:
        label = "manual-nous"
        access_token = ""
        agent_key = "opaque-runtime-key"
        agent_key_expires_at = "2099-01-01T00:00:00+00:00"
        expires_at = None
        inference_base_url = "https://inference.example.test/v1"
        base_url = "https://inference.example.test/v1"
        priority = 0

        @property
        def runtime_api_key(self):
            return self.agent_key

        @property
        def runtime_base_url(self):
            return self.inference_base_url

    class _Pool:
        def has_credentials(self):
            return True

        def entries(self):
            return [_Entry()]

    monkeypatch.setattr("agent.credential_pool.load_pool", lambda provider: _Pool())

    info = get_nous_portal_account_info()

    assert info.logged_in is False
    assert info.source == "inference_key"
    assert info.inference_credential_present is True
    assert info.credential_source == "pool:manual-nous"
    assert info.paid_service_access is None


def test_pool_oauth_entry_uses_jwt_snapshot(monkeypatch):
    token = _jwt(
        {
            "sub": "user_123",
            "org_id": "org_123",
            "client_id": "hermes-cli",
            "exp": int(time.time()) + 900,
            "paid_access": True,
        }
    )
    monkeypatch.setattr("hermes_cli.auth.get_provider_auth_state", lambda provider: {})

    class _Entry:
        label = "dashboard device_code"
        auth_type = "oauth"
        access_token = token
        refresh_token = "refresh-token"
        agent_key = "opaque-runtime-key"
        agent_key_expires_at = "2099-01-01T00:00:00+00:00"
        expires_at = "2099-01-01T00:00:00+00:00"
        portal_base_url = "https://portal.example.test"
        inference_base_url = "https://inference.example.test/v1"
        base_url = "https://inference.example.test/v1"
        priority = 0

        @property
        def runtime_api_key(self):
            return self.agent_key

        @property
        def runtime_base_url(self):
            return self.inference_base_url

    class _Pool:
        def has_credentials(self):
            return True

        def entries(self):
            return [_Entry()]

    monkeypatch.setattr("agent.credential_pool.load_pool", lambda provider: _Pool())

    info = get_nous_portal_account_info()

    assert info.logged_in is True
    assert info.source == "jwt"
    assert info.paid_service_access is True
    assert info.credential_source == "pool:dashboard device_code"


def test_pool_oauth_entry_force_fresh_uses_account_api(monkeypatch):
    token = _jwt(
        {
            "sub": "user_123",
            "org_id": "org_123",
            "exp": int(time.time()) + 900,
            "paid_access": False,
        }
    )
    payload = _account_payload(
        allowed=True,
        subscription=None,
        subscription_credits=0,
        purchased_credits=3,
    )
    monkeypatch.setattr("hermes_cli.auth.get_provider_auth_state", lambda provider: {})
    monkeypatch.setattr("hermes_cli.nous_account._fetch_nous_account_info", lambda *a, **kw: payload)

    class _Entry:
        label = "dashboard device_code"
        auth_type = "oauth"
        access_token = token
        refresh_token = "refresh-token"
        agent_key = "opaque-runtime-key"
        agent_key_expires_at = "2099-01-01T00:00:00+00:00"
        expires_at = "2099-01-01T00:00:00+00:00"
        portal_base_url = "https://portal.example.test"
        inference_base_url = "https://inference.example.test/v1"
        base_url = "https://inference.example.test/v1"
        priority = 0

        @property
        def runtime_api_key(self):
            return self.agent_key

        @property
        def runtime_base_url(self):
            return self.inference_base_url

    class _Pool:
        def has_credentials(self):
            return True

        def entries(self):
            return [_Entry()]

    monkeypatch.setattr("agent.credential_pool.load_pool", lambda provider: _Pool())

    info = get_nous_portal_account_info(force_fresh=True)

    assert info.logged_in is True
    assert info.source == "account_api"
    assert info.fresh is True
    assert info.paid_service_access is True
    assert info.credential_source == "pool:dashboard device_code"


def test_entitlement_message_returns_none_for_paid_access():
    info = NousPortalAccountInfo(
        logged_in=True,
        source="account_api",
        fresh=True,
        paid_service_access=True,
        portal_base_url="https://portal.example.test",
    )

    assert format_nous_portal_entitlement_message(info, capability="paid models") is None


def test_entitlement_message_for_inference_key_without_portal_login():
    info = NousPortalAccountInfo(
        logged_in=False,
        source="inference_key",
        fresh=False,
        inference_credential_present=True,
        portal_base_url="https://portal.example.test",
    )

    message = format_nous_portal_entitlement_message(
        info,
        capability="managed tools",
    )

    assert message is not None
    assert "Nous inference credentials are configured" in message
    assert "cannot verify your Nous Portal paid access" in message
    assert "Log in with `hermes model`" in message


def test_entitlement_message_for_active_paid_subscription_with_no_credits():
    info = NousPortalAccountInfo(
        logged_in=True,
        source="account_api",
        fresh=True,
        paid_service_access=False,
        portal_base_url="https://portal.example.test",
        paid_service_access_info=NousPaidServiceAccessInfo(
            allowed=False,
            reason="no_usable_credits",
            has_active_subscription=True,
            active_subscription_is_paid=True,
            subscription_credits_remaining=0,
            purchased_credits_remaining=0,
            total_usable_credits=0,
        ),
    )

    message = format_nous_portal_entitlement_message(
        info,
        capability="managed tools",
    )

    assert message is not None
    assert "credits are exhausted" in message
    assert "managed tools" in message
    assert "https://portal.example.test/billing" in message


def test_entitlement_message_for_no_subscription_or_credits():
    info = NousPortalAccountInfo(
        logged_in=True,
        source="account_api",
        fresh=True,
        paid_service_access=False,
        portal_base_url="https://portal.example.test",
        paid_service_access_info=NousPaidServiceAccessInfo(
            allowed=False,
            reason="no_usable_credits",
            has_active_subscription=False,
            subscription_credits_remaining=0,
            purchased_credits_remaining=0,
            total_usable_credits=0,
        ),
    )

    message = format_nous_portal_entitlement_message(info, capability="paid models")

    assert message is not None
    assert "no active subscription or usable credits" in message
    assert "Subscribe or add credits" in message


def test_entitlement_message_for_unknown_entitlement_is_explicit():
    info = NousPortalAccountInfo(
        logged_in=True,
        source="error",
        fresh=False,
        paid_service_access=None,
        portal_base_url="https://portal.example.test",
        error="account_api_timeout",
    )

    message = format_nous_portal_entitlement_message(info, capability="Tool Gateway")

    assert message is not None
    assert "could not verify" in message
    assert "account_api_timeout" in message
    assert "Run `hermes model`" in message


def test_entitlement_message_for_account_missing():
    info = NousPortalAccountInfo(
        logged_in=True,
        source="account_api",
        fresh=True,
        paid_service_access=False,
        paid_service_access_info=NousPaidServiceAccessInfo(
            allowed=False,
            reason="account_missing",
        ),
    )

    message = format_nous_portal_entitlement_message(info, capability="Tool Gateway")

    assert message is not None
    assert "could not find a Nous Portal account or organisation" in message


# ── org slug/name parsing + top-up URL builder ──────────────────────────────


def test_account_payload_parses_org_slug_and_name(monkeypatch):
    token = _jwt({"sub": "user_123", "org_id": "org_123", "exp": int(time.time()) + 900})
    payload = {
        "user": {"email": "alice@example.test"},
        "organisation": {"id": "org_123", "slug": "acme", "name": "Acme Inc"},
        "paid_service_access": {"allowed": True, "paid_access": True},
    }
    monkeypatch.setattr("hermes_cli.auth.get_provider_auth_state", lambda provider: _state(token))
    monkeypatch.setattr("hermes_cli.auth.resolve_nous_access_token", lambda: "fresh-token")
    monkeypatch.setattr("hermes_cli.nous_account._fetch_nous_account_info", lambda *a, **kw: payload)

    info = get_nous_portal_account_info(force_fresh=True)

    assert info.source == "account_api"
    assert info.org_slug == "acme"
    assert info.org_name == "Acme Inc"


def test_account_payload_org_without_slug_leaves_fields_none(monkeypatch):
    # Mirrors current main: organisation: { id } only (slug nullable on the portal).
    token = _jwt({"sub": "user_123", "org_id": "org_123", "exp": int(time.time()) + 900})
    payload = {
        "user": {"email": "alice@example.test"},
        "organisation": {"id": "org_123"},
        "paid_service_access": {"allowed": True, "paid_access": True},
    }
    monkeypatch.setattr("hermes_cli.auth.get_provider_auth_state", lambda provider: _state(token))
    monkeypatch.setattr("hermes_cli.auth.resolve_nous_access_token", lambda: "fresh-token")
    monkeypatch.setattr("hermes_cli.nous_account._fetch_nous_account_info", lambda *a, **kw: payload)

    info = get_nous_portal_account_info(force_fresh=True)

    assert info.org_id == "org_123"
    assert info.org_slug is None
    assert info.org_name is None


def test_topup_url_is_org_pinned_when_slug_present():
    info = NousPortalAccountInfo(
        logged_in=True,
        source="account_api",
        fresh=True,
        portal_base_url="https://portal.example.test",
        org_slug="acme",
    )
    assert (
        nous_portal_topup_url(info)
        == "https://portal.example.test/orgs/acme/billing?topup=open"
    )


def test_topup_url_falls_back_to_legacy_when_slug_null():
    info = NousPortalAccountInfo(
        logged_in=True,
        source="account_api",
        fresh=True,
        portal_base_url="https://portal.example.test",
        org_slug=None,
    )
    url = nous_portal_topup_url(info)
    assert url == "https://portal.example.test/billing?topup=open"
    assert "/orgs/" not in url


def test_topup_url_strips_trailing_slash_and_encodes_slug():
    info = NousPortalAccountInfo(
        logged_in=True,
        source="account_api",
        fresh=True,
        portal_base_url="https://portal.example.test/",
        org_slug="a/b team",
    )
    assert (
        nous_portal_topup_url(info)
        == "https://portal.example.test/orgs/a%2Fb%20team/billing?topup=open"
    )


def test_topup_url_defaults_to_production_portal_for_none():
    url = nous_portal_topup_url(None)
    assert url == "https://portal.nousresearch.com/billing?topup=open"