mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-05-18 04:41:56 +00:00
b62c997973
Adds a new authentication provider that lets SuperGrok subscribers sign in to Hermes with their xAI account via the standard OAuth 2.0 PKCE loopback flow, instead of pasting a raw API key from console.x.ai. Highlights ---------- * OAuth 2.0 PKCE loopback login against accounts.x.ai with discovery, state/nonce, and a strict CORS-origin allowlist on the callback. * Authorize URL carries `plan=generic` (required for non-allowlisted loopback clients) and `referrer=hermes-agent` for best-effort attribution in xAI's OAuth server logs. * Token storage in `auth.json` with file-locked atomic writes; JWT `exp`-based expiry detection with skew; refresh-token rotation synced both ways between the singleton store and the credential pool so multi-process / multi-profile setups don't tear each other's refresh tokens. * Reactive 401 retry: on a 401 from the xAI Responses API, the agent refreshes the token, swaps it back into `self.api_key`, and retries the call once. Guarded against silent account swaps when the active key was sourced from a different (manual) pool entry. * Auxiliary tasks (curator, vision, embeddings, etc.) route through a dedicated xAI Responses-mode auxiliary client instead of falling back to OpenRouter billing. * Direct HTTP tools (`tools/xai_http.py`, transcription, TTS, image-gen plugin) resolve credentials through a unified runtime → singleton → env-var fallback chain so xai-oauth users get them for free. * `hermes auth add xai-oauth` and `hermes auth remove xai-oauth N` are wired through the standard auth-commands surface; remove cleans up the singleton loopback_pkce entry so it doesn't silently reinstate. * `hermes model` provider picker shows "xAI Grok OAuth (SuperGrok Subscription)" and the model-flow falls back to pool credentials when the singleton is missing. Hardening --------- * Discovery and refresh responses validate the returned `token_endpoint` host against the same `*.x.ai` allowlist as the authorization endpoint, blocking MITM persistence of a hostile endpoint. * Discovery / refresh / token-exchange `response.json()` calls are wrapped to raise typed `AuthError` on malformed bodies (captive portals, proxy error pages) instead of leaking JSONDecodeError tracebacks. * `prompt_cache_key` is routed through `extra_body` on the codex transport (sending it as a top-level kwarg trips xAI's SDK with a TypeError). * Credential-pool sync-back preserves `active_provider` so refreshing an OAuth entry doesn't silently flip the active provider out from under the running agent. Testing ------- * New `tests/hermes_cli/test_auth_xai_oauth_provider.py` (~63 tests) covers JWT expiry, OAuth URL params (plan + referrer), CORS origins, redirect URI validation, singleton↔pool sync, concurrency races, refresh error paths, runtime resolution, and malformed-JSON guards. * Extended `test_credential_pool.py`, `test_codex_transport.py`, and `test_run_agent_codex_responses.py` cover the pool sync-back, `extra_body` routing, and 401 reactive refresh paths. * 165 tests passing on this branch via `scripts/run_tests.sh`.
113 lines
3.9 KiB
Python
113 lines
3.9 KiB
Python
"""Smoke tests for the xAI video gen plugin — load & register surface."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import pytest
|
|
|
|
from agent import video_gen_registry
|
|
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def _reset_registry():
|
|
video_gen_registry._reset_for_tests()
|
|
yield
|
|
video_gen_registry._reset_for_tests()
|
|
|
|
|
|
def test_xai_provider_registers():
|
|
from plugins.video_gen.xai import XAIVideoGenProvider
|
|
|
|
provider = XAIVideoGenProvider()
|
|
video_gen_registry.register_provider(provider)
|
|
|
|
assert video_gen_registry.get_provider("xai") is provider
|
|
assert provider.display_name == "xAI"
|
|
assert provider.default_model() == "grok-imagine-video"
|
|
|
|
|
|
def test_xai_capabilities_text_and_image_only():
|
|
"""xAI was previously advertised with edit/extend operations. The
|
|
simplified surface only exposes text-to-video and image-to-video —
|
|
confirm those are the only modalities advertised."""
|
|
from plugins.video_gen.xai import XAIVideoGenProvider
|
|
|
|
caps = XAIVideoGenProvider().capabilities()
|
|
assert caps["modalities"] == ["text", "image"]
|
|
# No 'operations' key in the simplified surface
|
|
assert "operations" not in caps
|
|
assert caps["max_reference_images"] == 7
|
|
|
|
|
|
def test_xai_unavailable_without_key(monkeypatch):
|
|
from plugins.video_gen.xai import XAIVideoGenProvider
|
|
|
|
monkeypatch.delenv("XAI_API_KEY", raising=False)
|
|
assert XAIVideoGenProvider().is_available() is False
|
|
|
|
|
|
def test_xai_generate_requires_xai_key(monkeypatch):
|
|
from plugins.video_gen.xai import XAIVideoGenProvider
|
|
|
|
monkeypatch.delenv("XAI_API_KEY", raising=False)
|
|
result = XAIVideoGenProvider().generate("a happy dog")
|
|
assert result["success"] is False
|
|
assert result["error_type"] == "auth_required"
|
|
|
|
|
|
def test_xai_available_with_oauth_only(monkeypatch):
|
|
"""The plugin must honour xAI Grok OAuth credentials, not just
|
|
XAI_API_KEY. Otherwise the agent's tool-availability check filters
|
|
``video_generate`` out of the toolbelt and the agent silently falls
|
|
back to whatever skill advertises video generation (e.g. comfyui).
|
|
"""
|
|
import plugins.video_gen.xai as xai_plugin
|
|
|
|
monkeypatch.delenv("XAI_API_KEY", raising=False)
|
|
monkeypatch.setattr(
|
|
"tools.xai_http.resolve_xai_http_credentials",
|
|
lambda: {
|
|
"provider": "xai-oauth",
|
|
"api_key": "oauth-bearer-token",
|
|
"base_url": "https://api.x.ai/v1",
|
|
},
|
|
)
|
|
|
|
assert xai_plugin.XAIVideoGenProvider().is_available() is True
|
|
|
|
|
|
def test_xai_resolved_credentials_threaded_through_request(monkeypatch):
|
|
"""OAuth-resolved creds must reach the HTTP layer — bug class where
|
|
``is_available()`` says yes but the request still hits with no key.
|
|
"""
|
|
import plugins.video_gen.xai as xai_plugin
|
|
|
|
monkeypatch.delenv("XAI_API_KEY", raising=False)
|
|
monkeypatch.setattr(
|
|
"tools.xai_http.resolve_xai_http_credentials",
|
|
lambda: {
|
|
"provider": "xai-oauth",
|
|
"api_key": "oauth-bearer-token",
|
|
"base_url": "https://api.x.ai/v1",
|
|
},
|
|
)
|
|
|
|
api_key, base_url = xai_plugin._resolve_xai_credentials()
|
|
assert api_key == "oauth-bearer-token"
|
|
assert base_url == "https://api.x.ai/v1"
|
|
headers = xai_plugin._xai_headers(api_key)
|
|
assert headers["Authorization"] == "Bearer oauth-bearer-token"
|
|
|
|
|
|
def test_xai_no_operation_kwarg():
|
|
"""The ABC's generate() signature no longer accepts 'operation'.
|
|
Passing it through **kwargs should be ignored (forward-compat)."""
|
|
from plugins.video_gen.xai import XAIVideoGenProvider
|
|
|
|
# We're not actually hitting the network — just verify the call
|
|
# doesn't TypeError on the unexpected kwarg.
|
|
# Will fail with auth_required (no XAI_API_KEY), but should NOT
|
|
# fail with TypeError.
|
|
result = XAIVideoGenProvider().generate("x", operation="generate")
|
|
assert result["success"] is False
|
|
# auth_required, NOT some signature error
|
|
assert result["error_type"] in ("auth_required", "api_error")
|