mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-08 13:12:08 +00:00
* fix(auth): resolve Anthropic OAuth file per-profile + close port-binding platform gaps
Two focused pieces salvaged from PR #57563:
1. _HERMES_OAUTH_FILE was computed at module import time — frozen before
HERMES_HOME/profile overrides, so multiplexed profile turns read and
wrote the DEFAULT profile's .anthropic_oauth.json (OAuth path hijack).
Replaced with a lazy _get_hermes_oauth_file(); all web_server.py call
sites updated.
2. _PORT_BINDING_PLATFORM_VALUES was missing whatsapp_cloud and line —
both bind aiohttp TCP listeners, so a secondary multiplex profile
enabling them would collide with the primary's listener instead of
failing fast at startup.
Original work by @austinlaw076. The rest of #57563 was redundant on
main (adapter routing sweep superseded by #56854's salvage; cron secret
scope landed in fdab380a1; nested-config fallback in from_dict).
* chore(release): map austinlaw076 author email for PR #57563 salvage
* test(hermes_cli): patch _get_hermes_oauth_file instead of removed _HERMES_OAUTH_FILE constant
---------
Co-authored-by: Austin <austin@openvm067.space>
Co-authored-by: Ben <ben@nousresearch.com>
53 lines
1.5 KiB
Python
53 lines
1.5 KiB
Python
import os
|
|
|
|
import pytest
|
|
|
|
from hermes_cli.web_server import _save_anthropic_oauth_creds
|
|
|
|
|
|
class _DummyPool:
|
|
def entries(self):
|
|
return []
|
|
|
|
def remove_entry(self, _id):
|
|
return None
|
|
|
|
def add_entry(self, _entry):
|
|
return None
|
|
|
|
|
|
@pytest.fixture
|
|
def oauth_file(monkeypatch, tmp_path):
|
|
target = tmp_path / '.anthropic_oauth.json'
|
|
monkeypatch.setattr('agent.anthropic_adapter._get_hermes_oauth_file', lambda: target)
|
|
monkeypatch.setattr('agent.credential_pool.load_pool', lambda _provider: _DummyPool())
|
|
return target
|
|
|
|
|
|
def test_dashboard_oauth_write_uses_owner_only_permissions(oauth_file):
|
|
old_umask = os.umask(0o022)
|
|
try:
|
|
_save_anthropic_oauth_creds('access-token', 'refresh-token', 123456)
|
|
finally:
|
|
os.umask(old_umask)
|
|
|
|
assert oauth_file.exists()
|
|
mode = oauth_file.stat().st_mode & 0o777
|
|
assert mode == 0o600
|
|
|
|
|
|
def test_dashboard_oauth_write_uses_atomic_replace_and_cleans_temp_files(oauth_file, monkeypatch):
|
|
replace_calls = []
|
|
|
|
def flaky_replace(src, dst):
|
|
replace_calls.append((src, dst))
|
|
raise OSError('simulated replace failure')
|
|
|
|
monkeypatch.setattr('hermes_cli.web_server.os.replace', flaky_replace)
|
|
|
|
with pytest.raises(OSError, match='simulated replace failure'):
|
|
_save_anthropic_oauth_creds('access-token', 'refresh-token', 123456)
|
|
|
|
assert replace_calls, 'helper should attempt atomic os.replace()'
|
|
assert not oauth_file.exists()
|
|
assert not list(oauth_file.parent.glob(f'{oauth_file.name}.tmp*'))
|