mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-05-30 06:41:51 +00:00
e7c99651fb
When the Hermes Docker image runs an stdio MCP server configured with an
explicit env.PATH that omits /usr/local/bin (a common pattern when users
hand-author PATH for sandboxing), the MCP env-filter passes that narrow
PATH straight through to the subprocess. _resolve_stdio_command's
fallback for bare 'npx' / 'npm' / 'node' commands only checked
$HERMES_HOME/node/bin/ and ~/.local/bin/, so execvp() failed with
'[Errno 2] No such file or directory: npx' on every Node-based stdio
MCP server (Railway, Anthropic, GitHub Copilot, etc.).
The naive workaround — symlink /usr/local/bin/npx into the user's PATH —
fails one layer deeper because npx's shebang re-execs /usr/bin/env node
and node also lives at /usr/local/bin/node.
Fix: add /usr/local/bin/<cmd> as a third candidate in the fallback list.
This is the canonical install location for Node on:
- Linux from-source builds
- the upstream node:bookworm-slim image, which the Hermes Docker
image copies node + npm + corepack from since #4977 (the Node 22 LTS
refactor that exposed this)
- macOS Homebrew on Intel
Because the resolver already calls _prepend_path(resolved_env, command_dir)
after locating the command, /usr/local/bin gets prepended to the env's
PATH automatically, which also fixes the second-layer shebang failure
(npx-cli.js can now find node).
Scope is intentionally narrow: the fix activates only when the bare
command isn't otherwise locatable through the user's PATH. Users who
explicitly narrowed PATH for a non-Node MCP server see no change in
behavior.
Tested:
- tests/tools/test_mcp_tool_issue_948.py: new test
test_resolve_stdio_command_falls_back_to_usr_local_bin (mirrors the
existing hermes-node-bin fallback test)
- Full MCP test suite: 254/254 pass across 7 test files
- E2E against a freshly-built Docker image: reproduced the original
failure mode (env.PATH=/opt/data/bin:/usr/bin:/bin), confirmed the
resolver returns /usr/local/bin/npx and prepends /usr/local/bin to
PATH; subprocess.run of the resolved command prints '10.9.8' and
exits 0 with empty stderr
- Negative E2E on the host (where Node is already on PATH via mise):
resolver still hits the mise install dir, /usr/local/bin candidate
is not consulted, PATH is unchanged
130 lines
5.1 KiB
Python
130 lines
5.1 KiB
Python
import asyncio
|
|
import os
|
|
import sys
|
|
from types import SimpleNamespace
|
|
from unittest.mock import AsyncMock, MagicMock, patch
|
|
|
|
import pytest
|
|
|
|
from tools.mcp_tool import MCPServerTask, _format_connect_error, _resolve_stdio_command, _MCP_AVAILABLE
|
|
|
|
# Ensure the mcp module symbols exist for patching even when the SDK isn't installed
|
|
if not _MCP_AVAILABLE:
|
|
import tools.mcp_tool as _mcp_mod
|
|
if not hasattr(_mcp_mod, "StdioServerParameters"):
|
|
_mcp_mod.StdioServerParameters = MagicMock
|
|
if not hasattr(_mcp_mod, "stdio_client"):
|
|
_mcp_mod.stdio_client = MagicMock
|
|
if not hasattr(_mcp_mod, "ClientSession"):
|
|
_mcp_mod.ClientSession = MagicMock
|
|
|
|
|
|
def test_resolve_stdio_command_falls_back_to_hermes_node_bin(tmp_path):
|
|
node_bin = tmp_path / "node" / "bin"
|
|
node_bin.mkdir(parents=True)
|
|
npx_path = node_bin / "npx"
|
|
npx_path.write_text("#!/bin/sh\nexit 0\n", encoding="utf-8")
|
|
npx_path.chmod(0o755)
|
|
|
|
with patch("tools.mcp_tool.shutil.which", return_value=None), \
|
|
patch.dict("os.environ", {"HERMES_HOME": str(tmp_path)}, clear=False):
|
|
command, env = _resolve_stdio_command("npx", {"PATH": "/usr/bin"})
|
|
|
|
assert command == str(npx_path)
|
|
assert env["PATH"].split(os.pathsep)[0] == str(node_bin)
|
|
|
|
|
|
def test_resolve_stdio_command_falls_back_to_usr_local_bin():
|
|
"""When ``npx`` isn't on the filtered PATH and isn't under ``$HERMES_HOME/node/bin``
|
|
or ``~/.local/bin``, the resolver should still locate it at ``/usr/local/bin/npx``.
|
|
|
|
This is the canonical install location for Node on Linux from-source builds,
|
|
the upstream ``node:bookworm-slim`` image (which the Hermes Docker image
|
|
copies ``node + npm + corepack`` from since #4977), and macOS Homebrew on
|
|
Intel. Without this candidate, MCP servers run with an ``env.PATH`` that
|
|
omits ``/usr/local/bin`` (common when users hand-author PATH for sandboxing)
|
|
fail with ENOENT at ``execvp``.
|
|
"""
|
|
target = os.path.join(os.sep, "usr", "local", "bin", "npx")
|
|
|
|
# Pretend ONLY the /usr/local/bin/npx candidate exists and is executable —
|
|
# the other candidates ($HERMES_HOME/node/bin/npx and ~/.local/bin/npx)
|
|
# should fail isfile() and the resolver must fall through to /usr/local/bin.
|
|
def _fake_isfile(path):
|
|
return path == target
|
|
|
|
def _fake_access(path, _mode):
|
|
return path == target
|
|
|
|
with patch("tools.mcp_tool.shutil.which", return_value=None), \
|
|
patch("tools.mcp_tool.os.path.isfile", side_effect=_fake_isfile), \
|
|
patch("tools.mcp_tool.os.access", side_effect=_fake_access):
|
|
command, env = _resolve_stdio_command("npx", {"PATH": "/opt/data/bin:/usr/bin:/bin"})
|
|
|
|
assert command == target
|
|
# /usr/local/bin must be prepended so npx's shebang (`/usr/bin/env node`)
|
|
# can find node in the same directory.
|
|
assert env["PATH"].split(os.pathsep)[0] == os.path.dirname(target)
|
|
|
|
|
|
def test_resolve_stdio_command_respects_explicit_empty_path():
|
|
seen_paths = []
|
|
|
|
def _fake_which(_cmd, path=None):
|
|
seen_paths.append(path)
|
|
return None
|
|
|
|
with patch("tools.mcp_tool.shutil.which", side_effect=_fake_which):
|
|
command, env = _resolve_stdio_command("python", {"PATH": ""})
|
|
|
|
assert command == "python"
|
|
assert env["PATH"] == ""
|
|
assert seen_paths == [""]
|
|
|
|
|
|
def test_format_connect_error_unwraps_exception_group():
|
|
error = ExceptionGroup(
|
|
"unhandled errors in a TaskGroup",
|
|
[FileNotFoundError(2, "No such file or directory", "node")],
|
|
)
|
|
|
|
message = _format_connect_error(error)
|
|
|
|
assert "missing executable 'node'" in message
|
|
|
|
|
|
def test_run_stdio_uses_resolved_command_and_prepended_path(tmp_path):
|
|
node_bin = tmp_path / "node" / "bin"
|
|
node_bin.mkdir(parents=True)
|
|
npx_path = node_bin / "npx"
|
|
npx_path.write_text("#!/bin/sh\nexit 0\n", encoding="utf-8")
|
|
npx_path.chmod(0o755)
|
|
|
|
mock_session = MagicMock()
|
|
mock_session.initialize = AsyncMock()
|
|
mock_session.list_tools = AsyncMock(return_value=SimpleNamespace(tools=[]))
|
|
|
|
mock_stdio_cm = MagicMock()
|
|
mock_stdio_cm.__aenter__ = AsyncMock(return_value=(object(), object()))
|
|
mock_stdio_cm.__aexit__ = AsyncMock(return_value=False)
|
|
|
|
mock_session_cm = MagicMock()
|
|
mock_session_cm.__aenter__ = AsyncMock(return_value=mock_session)
|
|
mock_session_cm.__aexit__ = AsyncMock(return_value=False)
|
|
|
|
async def _test():
|
|
with patch("tools.mcp_tool.shutil.which", return_value=None), \
|
|
patch.dict("os.environ", {"HERMES_HOME": str(tmp_path), "PATH": "/usr/bin", "HOME": str(tmp_path)}, clear=False), \
|
|
patch("tools.mcp_tool.StdioServerParameters") as mock_params, \
|
|
patch("tools.mcp_tool.stdio_client", return_value=mock_stdio_cm), \
|
|
patch("tools.mcp_tool.ClientSession", return_value=mock_session_cm):
|
|
server = MCPServerTask("srv")
|
|
await server.start({"command": "npx", "args": ["-y", "pkg"], "env": {"PATH": "/usr/bin"}})
|
|
|
|
call_kwargs = mock_params.call_args.kwargs
|
|
assert call_kwargs["command"] == str(npx_path)
|
|
assert call_kwargs["env"]["PATH"].split(os.pathsep)[0] == str(node_bin)
|
|
|
|
await server.shutdown()
|
|
|
|
asyncio.run(_test())
|