hermes-agent/tests/plugins
Ben Barclay 53a75f147f
feat(dashboard_auth): support confidential clients (client_secret) in self-hosted OIDC (#55344)
The self-hosted OIDC dashboard provider was public-client + PKCE only, with
two `# TODO(confidential-client)` seams. Authentik and Keycloak commonly
default a new OIDC client to *confidential*, whose token endpoint rejects an
unauthenticated exchange (`invalid_client`) — so a self-hoster who accepts
their IDP's default could not complete dashboard login without manually
flipping the client to public.

Add optional confidential-client support:

- New optional `client_secret` (env `HERMES_DASHBOARD_OIDC_CLIENT_SECRET`,
  or `dashboard.oauth.self_hosted.client_secret`; env-wins-config, empty
  treated as unset). It is a credential, so docs steer operators to the
  `.env` file; config.yaml is supported only for precedence symmetry.
- `_token_endpoint_auth()` selects `client_secret_basic` (HTTP Basic header)
  vs `client_secret_post` (form body) from the IDP's advertised
  `token_endpoint_auth_methods_supported`, defaulting to basic (the OIDC
  default) when absent. Applied to complete_login, refresh_session, and
  revoke_session (RFC 7009 §2.1).
- PKCE is sent in BOTH modes — the secret is client authentication layered
  on top, never a replacement (OAuth 2.1 / RFC 9700 keep PKCE mandatory).
- Basic header url-encodes client_id/secret before base64 per RFC 6749
  §2.3.1, so reserved chars (`:`, `@`, space) round-trip correctly.

Non-breaking: with no secret configured the provider is a pure public PKCE
client, byte-identical to prior behaviour (no Authorization header, no
client_secret in the body). The secret is never logged — register() reports
only a `confidential=<bool>` flag.

Tests: 16 new cases covering basic/post selection, default-when-absent,
public-unchanged contract, PKCE-preserved, reserved-char url-encoding,
blank-secret-is-public, refresh + revoke auth, no-secret-in-logs, and
env/config register wiring. Full dashboard-auth suite (nous provider,
middleware, gate, cookies, WS, 401-reauth, status endpoint) — 396 tests —
green, proving no existing auth path regressed.
2026-06-30 13:32:51 +10:00
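
The client-authentication selection and Basic-header encoding described in the commit message above, as an added Python example; it is not code from the hermes-agent repository. The function names, the preference for `client_secret_basic` when both methods are advertised, and all sample values are assumptions made for illustration.

```python
import base64
from urllib.parse import quote_plus, unquote_plus


def select_auth_method(discovery):
    """Pick a token-endpoint auth method from OIDC discovery metadata."""
    advertised = discovery.get("token_endpoint_auth_methods_supported")
    if not advertised or "client_secret_basic" in advertised:
        return "client_secret_basic"  # OIDC default when the field is absent
    if "client_secret_post" in advertised:
        return "client_secret_post"
    return "client_secret_basic"  # assumption: fall back to the default


def build_token_request(discovery, client_id, client_secret, code, verifier,
                        redirect_uri):
    """Return (headers, form_body) for the authorization-code exchange."""
    headers = {}
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,  # PKCE is sent in both modes
    }
    if not (client_secret or "").strip():
        # No secret: pure public client, no Authorization header.
        body["client_id"] = client_id
        return headers, body
    if select_auth_method(discovery) == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        # RFC 6749 §2.3.1: form-urlencode each part BEFORE joining with ':'
        # and base64-encoding, so ':' '@' and spaces survive the round trip.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    return headers, body


def decode_basic(header):
    """Server-side view: recover (client_id, client_secret) from the header."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    cid, _, sec = raw.partition(":")
    return unquote_plus(cid), unquote_plus(sec)


if __name__ == "__main__":
    # Constructed sample values; the secret contains reserved characters.
    h, b = build_token_request({}, "my app", "p@ss:w rd", "code123", "verifier",
                               "https://hermes.example/callback")
    print(decode_basic(h["Authorization"]), sorted(b))
```

Without the url-encoding step, a secret containing `:` would be split at the wrong place by the IDP when it parses the Basic credentials.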
browser fix(browser): self-review pass — dead-import, log levels, future-proofing 2026-05-17 04:04:15 -07:00
dashboard_auth feat(dashboard_auth): support confidential clients (client_secret) in self-hosted OIDC (#55344) 2026-06-30 13:32:51 +10:00
image_gen fix shape 2026-06-25 12:38:33 -07:00
memory fix(memory): lazy-install supermemory + mem0 SDKs like honcho/hindsight 2026-06-29 00:25:36 -07:00
model_providers feat: add reasoning_effort support to ollama-cloud provider 2026-06-23 11:51:43 -07:00
platforms/photon fix(photon): correlate tapbacks to bot message context 2026-06-27 00:51:34 -07:00
transcription feat(stt): add stt.providers.<name> command-provider registry 2026-05-25 01:41:19 -07:00
tts feat(tts): add register_tts_provider() plugin hook (closes #30398) 2026-05-24 18:04:54 -07:00
video_gen fix(xai): route video models by modality 2026-06-01 19:00:30 -07:00
web revert(web): remove keyless Parallel search fallback (#46350) 2026-06-14 16:47:57 -07:00
__init__.py fix: mem0 API v2 compat, prefetch context fencing, secret redaction (#5423) 2026-04-05 22:43:33 -07:00
test_achievements_plugin.py test: use subprocesses for each test file (#29016) 2026-05-21 16:40:04 +05:30
test_chronos_cron.py fix(cron): avoid provider package shadowing core cron 2026-06-23 23:39:22 -07:00
test_chronos_verify.py fix(cron): avoid provider package shadowing core cron 2026-06-23 23:39:22 -07:00
test_discord_runtime_failure.py fix(discord): recover from runtime gateway task exits (#44383) 2026-06-11 15:39:01 -04:00
test_disk_cleanup_plugin.py test: assert disk cleanup prunes protected walks 2026-06-15 05:25:27 -07:00
test_google_meet_audio.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
test_google_meet_node.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
test_google_meet_plugin.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
test_google_meet_realtime.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
test_hindsight_health_grace_timeout.py feat(hindsight): configurable embedded daemon health grace timeout (#50341) 2026-06-21 12:20:53 -07:00
test_hindsight_root_guard.py fix(hindsight): skip local_embedded daemon when running as root 2026-06-21 11:47:02 -07:00
test_kanban_attachments.py feat(kanban): file attachments on tasks (#35395) 2026-05-30 07:41:04 -07:00
test_kanban_dashboard_plugin.py fix(security): sanitize kanban markdown html 2026-06-21 13:10:17 -07:00
test_kanban_worker_runs.py feat(kanban): add POST /runs/{run_id}/terminate endpoint 2026-05-29 00:21:54 -07:00
test_langfuse_plugin.py test(langfuse): pin exact surviving key in turn-isolation test 2026-06-18 13:00:01 +05:30
test_nemo_relay_plugin.py fix(nemo-relay): preserve downstream errors in adaptive execution (#42691) 2026-06-09 02:31:10 -07:00
test_plugin_dashboard_auth_contract.py fix(dashboard): sanction plugin WS/upload auth via SDK helpers (gated mode) 2026-06-03 16:59:36 -07:00
test_raft_check_fn_silent.py fix(plugins): silence raft check_fn log spam for users without raft CLI 2026-06-19 17:12:58 -07:00
test_retaindb_plugin.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
test_security_guidance_plugin.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
test_teams_pipeline_plugin.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00