mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-21 10:22:18 +00:00
4f9e15df97
- set_config_value hard-rejects a managed config key (D2) and names the source, exiting non-zero. - save_env_value / remove_env_value refuse a managed env key. - save_config strips managed leaves from a bulk write (mechanical safety net) with a warning, so the unmanaged remainder still persists. New _strip_dotted_keys helper drives the bulk-save pruning. All guards are distinct from and layered after the existing is_managed() package-manager write-lock.
110 lines
3.8 KiB
Python
110 lines
3.8 KiB
Python
"""Write-guard tests — managed keys can't be set/removed by the user."""
|
|
import pytest
|
|
|
|
|
|
@pytest.fixture
|
|
def homes(tmp_path, monkeypatch):
|
|
home = tmp_path / "home"
|
|
home.mkdir()
|
|
managed = tmp_path / "managed"
|
|
managed.mkdir()
|
|
monkeypatch.setenv("HERMES_HOME", str(home))
|
|
monkeypatch.setenv("HERMES_MANAGED_DIR", str(managed))
|
|
import hermes_cli.config as cfg
|
|
from hermes_cli import managed_scope
|
|
|
|
cfg._LOAD_CONFIG_CACHE.clear()
|
|
cfg._RAW_CONFIG_CACHE.clear()
|
|
managed_scope.invalidate_managed_cache()
|
|
(managed / "config.yaml").write_text(
|
|
"model:\n default: managed/model\n", encoding="utf-8"
|
|
)
|
|
managed_scope.invalidate_managed_cache()
|
|
return home, managed
|
|
|
|
|
|
def test_config_set_managed_key_rejected(homes, capsys):
|
|
from hermes_cli.config import set_config_value
|
|
|
|
with pytest.raises(SystemExit) as exc:
|
|
set_config_value("model.default", "user/override")
|
|
assert exc.value.code != 0
|
|
captured = capsys.readouterr()
|
|
assert "managed" in (captured.out + captured.err).lower()
|
|
|
|
|
|
def test_config_set_managed_key_does_not_write(homes):
|
|
from hermes_cli.config import set_config_value, read_raw_config
|
|
|
|
try:
|
|
set_config_value("model.default", "user/override")
|
|
except SystemExit:
|
|
pass
|
|
raw = read_raw_config()
|
|
assert raw.get("model", {}).get("default") != "user/override"
|
|
|
|
|
|
def test_config_set_unmanaged_key_still_works(homes):
|
|
from hermes_cli.config import set_config_value, read_raw_config
|
|
|
|
set_config_value("model.fallback", "user/fb") # not managed
|
|
assert read_raw_config().get("model", {}).get("fallback") == "user/fb"
|
|
|
|
|
|
# ── env write guards ─────────────────────────────────────────────────────────
|
|
|
|
|
|
@pytest.fixture
|
|
def env_homes(tmp_path, monkeypatch):
|
|
home = tmp_path / "home"
|
|
home.mkdir()
|
|
managed = tmp_path / "managed"
|
|
managed.mkdir()
|
|
monkeypatch.setenv("HERMES_HOME", str(home))
|
|
monkeypatch.setenv("HERMES_MANAGED_DIR", str(managed))
|
|
(managed / ".env").write_text(
|
|
"OPENAI_API_BASE=https://org.example/v1\n", encoding="utf-8"
|
|
)
|
|
from hermes_cli import managed_scope
|
|
|
|
managed_scope.invalidate_managed_cache()
|
|
return home, managed
|
|
|
|
|
|
def test_save_env_value_managed_key_rejected(env_homes, capsys):
|
|
from hermes_cli.config import save_env_value, get_env_path
|
|
|
|
save_env_value("OPENAI_API_BASE", "https://user.example/v1")
|
|
assert "managed" in capsys.readouterr().err.lower()
|
|
env_path = get_env_path()
|
|
body = env_path.read_text() if env_path.exists() else ""
|
|
assert "user.example" not in body
|
|
|
|
|
|
def test_remove_env_value_managed_key_rejected(env_homes, capsys):
|
|
from hermes_cli.config import remove_env_value
|
|
|
|
result = remove_env_value("OPENAI_API_BASE")
|
|
assert result is False
|
|
assert "managed" in capsys.readouterr().err.lower()
|
|
|
|
|
|
def test_save_env_value_unmanaged_key_still_works(env_homes):
|
|
from hermes_cli.config import save_env_value, get_env_value
|
|
|
|
save_env_value("SOME_OTHER_VALUE", "abc123")
|
|
assert get_env_value("SOME_OTHER_VALUE") == "abc123"
|
|
|
|
|
|
# ── bulk save strips managed leaves ──────────────────────────────────────────
|
|
|
|
|
|
def test_save_config_strips_managed_leaves(homes, capsys):
|
|
from hermes_cli.config import save_config, read_raw_config
|
|
|
|
# 'model.default' is managed (homes fixture); 'model.fallback' is not.
|
|
save_config({"model": {"default": "user/override", "fallback": "user/fb"}})
|
|
raw = read_raw_config()
|
|
assert raw.get("model", {}).get("default") != "user/override" # stripped
|
|
assert raw.get("model", {}).get("fallback") == "user/fb" # kept
|
|
assert "managed" in capsys.readouterr().err.lower()
|