test: make test env hermetic; enforce CI parity via scripts/run_tests.sh (#11577)
* test: make test env hermetic; enforce CI parity via scripts/run_tests.sh
Fixes the recurring 'works locally, fails in CI' (and vice versa) class
of flakes by making tests hermetic and providing a canonical local runner
that matches CI's environment.
## Layer 1 — hermetic conftest.py (tests/conftest.py)
Autouse fixture now unsets every credential-shaped env var before every
test, so developer-local API keys can't leak into tests that assert
'auto-detect provider when key present'.
Pattern: unset any var ending in _API_KEY, _TOKEN, _SECRET, _PASSWORD,
_CREDENTIALS, _ACCESS_KEY, _PRIVATE_KEY, etc. Plus an explicit list of
credential names that don't fit the suffix pattern (AWS_ACCESS_KEY_ID,
FAL_KEY, GH_TOKEN, etc.) and all the provider BASE_URL overrides that
change auto-detect behavior.
Also unsets HERMES_* behavioral vars (HERMES_YOLO_MODE, HERMES_QUIET,
HERMES_SESSION_*, etc.) that mutate agent behavior.
Also:
- Redirects HOME to a per-test tempdir (not just HERMES_HOME), so
code reading ~/.hermes/* directly can't touch the real dir.
- Pins TZ=UTC, LANG=C.UTF-8, LC_ALL=C.UTF-8, PYTHONHASHSEED=0 to
match CI's deterministic runtime.
The old _isolate_hermes_home fixture name is preserved as an alias so
any test that yields it explicitly still works.
## Layer 2 — scripts/run_tests.sh canonical runner
'Always use scripts/run_tests.sh, never call pytest directly' is the
new rule (documented in AGENTS.md). The script:
- Unsets all credential env vars (belt-and-suspenders for callers
who bypass conftest — e.g. IDE integrations)
- Pins TZ/LANG/PYTHONHASHSEED
- Uses -n 4 xdist workers (matches GHA ubuntu-latest; -n auto on
a 20-core workstation surfaces test-ordering flakes CI will never
see, causing the infamous 'passes in CI, fails locally' drift)
- Finds the venv in .venv, venv, or main checkout's venv
- Passes through arbitrary pytest args
Installs pytest-split on demand so the script can also be used to run
matrix-split subsets locally for debugging.
## Remove 3 module-level dotenv stubs that broke test isolation
tests/hermes_cli/test_{arcee,xiaomi,api_key}_provider.py each had a
module-level:
    if 'dotenv' not in sys.modules:
        fake_dotenv = types.ModuleType('dotenv')
        fake_dotenv.load_dotenv = lambda *a, **kw: None
        sys.modules['dotenv'] = fake_dotenv
This patches sys.modules['dotenv'] to a fake at import time with no
teardown. Under pytest-xdist LoadScheduling, whichever worker collected
one of these files first poisoned its sys.modules; subsequent tests in
the same worker that imported load_dotenv transitively (e.g.
test_env_loader.py via hermes_cli.env_loader) got the no-op lambda and
saw their assertions fail.
dotenv is a required dependency (python-dotenv>=1.2.1 in pyproject.toml),
so the defensive stub was never needed. Removed.
## Validation
- tests/hermes_cli/ alone: 2178 passed, 1 skipped, 0 failed (was 4
failures in test_env_loader.py before this fix)
- tests/test_plugin_skills.py, tests/hermes_cli/test_plugins.py,
tests/test_hermes_logging.py combined: 123 passed (the caplog
regression tests from PR #11453 still pass)
- Local full run shows no F/E clusters in the 0-55% range that were
previously present before the conftest hardening
## Background
See AGENTS.md 'Testing' section for the full list of drift sources
this closes. Matrix split (closed as #11566) will be re-attempted
once this foundation lands — cross-test pollution was the root cause
of the shard-3 hang in that PR.
* fix(conftest): don't redirect HOME — it broke CI subprocesses
PR #11577's autouse fixture was setting HOME to a per-test tempdir.
CI started timing out at 97% complete with dozens of E/F markers and
orphan python processes at cleanup — tests (or transitive deps)
spawn subprocesses that expect a stable HOME, and the redirect broke
them in non-obvious ways.
Env-var unsetting and TZ/LANG/hashseed pinning (the actual CI-drift
fixes) are unchanged and still in place. HERMES_HOME redirection is
also unchanged — that's the canonical way to isolate tests from
~/.hermes/, not HOME.
Any code in the codebase reading ~/.hermes/* via `Path.home() / ".hermes"`
instead of `get_hermes_home()` is a bug to fix at the callsite, not
something to paper over in conftest.
2026-04-17 06:09:09 -07:00
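The `sys.modules` poisoning described in the commit message above, reproduced as an added example (not code from the project). It assumes a hypothetical module name `hermetic_demo_dep` standing in for `dotenv`, and contrasts the removed stub with a scoped `patch.dict(sys.modules, ...)`, which is a swapped-in alternative rather than the project's fix (the project simply deleted the stub).

```python
import importlib
import os
import sys
import tempfile
import types
from unittest.mock import patch

# Hypothetical module name standing in for 'dotenv', so the demo never
# touches a real installed package.
DEP = "hermetic_demo_dep"


def _make_real_module(directory: str) -> None:
    """Write an importable 'real' dependency whose loader returns a value."""
    with open(os.path.join(directory, DEP + ".py"), "w", encoding="utf-8") as fh:
        fh.write("def load_dotenv(*a, **kw):\n    return 'real'\n")
    importlib.invalidate_caches()


def _fake_module() -> types.ModuleType:
    """Build the same kind of no-op stub the removed test code installed."""
    fake = types.ModuleType(DEP)
    fake.load_dotenv = lambda *a, **kw: None
    return fake


def leaky_stub() -> None:
    """The removed pattern: install a fake at import time and never undo it."""
    if DEP not in sys.modules:
        sys.modules[DEP] = _fake_module()


def later_test_sees() -> object:
    """What a later test in the same process gets from an ordinary import."""
    return importlib.import_module(DEP).load_dotenv()


def run_demo() -> dict:
    """Run both patterns in one process, as one long-lived xdist worker would."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        _make_real_module(tmp)
        sys.path.insert(0, tmp)
        try:
            # 1. Leaky stub: sys.modules is consulted before the filesystem,
            #    so the fake shadows the real module for every later import.
            sys.modules.pop(DEP, None)
            leaky_stub()
            results["after_leaky_stub"] = later_test_sees()

            # 2. Scoped stub: patch.dict restores sys.modules on exit, so the
            #    next import loads the real module from disk.
            sys.modules.pop(DEP, None)
            with patch.dict(sys.modules, {DEP: _fake_module()}):
                results["inside_scoped_patch"] = later_test_sees()
            results["after_scoped_patch"] = later_test_sees()
        finally:
            sys.path.remove(tmp)
            sys.modules.pop(DEP, None)
    results["leftover_in_sys_modules"] = DEP in sys.modules
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```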
"""Shared fixtures for the hermes-agent test suite.

Hermetic-test invariants enforced here (see AGENTS.md for rationale):

1. **No credential env vars.** All provider/credential-shaped env vars
   (ending in _API_KEY, _TOKEN, _SECRET, _PASSWORD, _CREDENTIALS, etc.)
   are unset before every test. Local developer keys cannot leak in.
2. **Isolated HERMES_HOME.** HERMES_HOME points to a per-test tempdir so
   code reading ``~/.hermes/*`` via ``get_hermes_home()`` can't see the
   real one. (We do NOT also redirect HOME — that broke subprocesses in
   CI. Code using ``Path.home() / ".hermes"`` instead of the canonical
   ``get_hermes_home()`` is a bug to fix at the callsite.)
3. **Deterministic runtime.** TZ=UTC, LANG=C.UTF-8, PYTHONHASHSEED=0.
4. **No HERMES_SESSION_* inheritance** — the agent's current gateway
   session must not leak into tests.

These invariants make the local test run match CI closely. Gaps that
remain (CPU count, xdist worker count) are addressed by the canonical
test runner at ``scripts/run_tests.sh``.
"""
test: reorganize test structure and add missing unit tests
Reorganize flat tests/ directory to mirror source code structure
(tools/, gateway/, hermes_cli/, integration/). Add 11 new test files
covering previously untested modules: registry, patch_parser,
fuzzy_match, todo_tool, approval, file_tools, gateway session/config/
delivery, and hermes_cli config/models. Total: 147 unit tests passing,
9 integration tests gated behind pytest marker.
2026-02-26 03:20:08 +03:00
2026-03-14 03:14:34 -07:00
import asyncio
import os
import re
2026-03-12 01:23:28 -07:00
import signal
import sys
import tempfile
from pathlib import Path
from unittest.mock import patch

import pytest

# Ensure project root is importable
PROJECT_ROOT = Path(__file__).parent.parent
if str(PROJECT_ROOT) not in sys.path:
    sys.path.insert(0, str(PROJECT_ROOT))

# ── Credential env-var filter ──────────────────────────────────────────────
#
# Any env var in the current process matching ONE of these patterns is
# unset for every test. Developers' local keys cannot leak into assertions
# about "auto-detect provider when key present".

_CREDENTIAL_SUFFIXES = (
    "_API_KEY",
    "_TOKEN",
    "_SECRET",
    "_PASSWORD",
    "_CREDENTIALS",
    "_ACCESS_KEY",
    "_SECRET_ACCESS_KEY",
    "_PRIVATE_KEY",
    "_OAUTH_TOKEN",
    "_WEBHOOK_SECRET",
    "_ENCRYPT_KEY",
    "_APP_SECRET",
    "_CLIENT_SECRET",
    "_CORP_SECRET",
    "_AES_KEY",
)

# Explicit names (for ones that don't fit the suffix pattern)
_CREDENTIAL_NAMES = frozenset({
    "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY",
    "AWS_SESSION_TOKEN",
    "ANTHROPIC_TOKEN",
    "FAL_KEY",
    "GH_TOKEN",
    "GITHUB_TOKEN",
    "OPENAI_API_KEY",
    "OPENROUTER_API_KEY",
    "NOUS_API_KEY",
    "GEMINI_API_KEY",
    "GOOGLE_API_KEY",
    "GROQ_API_KEY",
    "XAI_API_KEY",
    "MISTRAL_API_KEY",
    "DEEPSEEK_API_KEY",
    "KIMI_API_KEY",
    "MOONSHOT_API_KEY",
    "GLM_API_KEY",
    "ZAI_API_KEY",
    "MINIMAX_API_KEY",
    "OLLAMA_API_KEY",
    "OPENVIKING_API_KEY",
    "COPILOT_API_KEY",
    "CLAUDE_CODE_OAUTH_TOKEN",
    "BROWSERBASE_API_KEY",
    "FIRECRAWL_API_KEY",
    "PARALLEL_API_KEY",
    "EXA_API_KEY",
    "TAVILY_API_KEY",
    "WANDB_API_KEY",
    "ELEVENLABS_API_KEY",
    "HONCHO_API_KEY",
    "MEM0_API_KEY",
    "SUPERMEMORY_API_KEY",
    "RETAINDB_API_KEY",
    "HINDSIGHT_API_KEY",
    "HINDSIGHT_LLM_API_KEY",
    "TINKER_API_KEY",
    "DAYTONA_API_KEY",
    "TWILIO_AUTH_TOKEN",
    "TELEGRAM_BOT_TOKEN",
    "DISCORD_BOT_TOKEN",
    "SLACK_BOT_TOKEN",
    "SLACK_APP_TOKEN",
    "MATTERMOST_TOKEN",
    "MATRIX_ACCESS_TOKEN",
    "MATRIX_PASSWORD",
    "MATRIX_RECOVERY_KEY",
    "HASS_TOKEN",
    "EMAIL_PASSWORD",
    "BLUEBUBBLES_PASSWORD",
    "FEISHU_APP_SECRET",
    "FEISHU_ENCRYPT_KEY",
    "FEISHU_VERIFICATION_TOKEN",
    "DINGTALK_CLIENT_SECRET",
    "QQ_CLIENT_SECRET",
    "QQ_STT_API_KEY",
    "WECOM_SECRET",
    "WECOM_CALLBACK_CORP_SECRET",
    "WECOM_CALLBACK_TOKEN",
    "WECOM_CALLBACK_ENCODING_AES_KEY",
    "WEIXIN_TOKEN",
    "MODAL_TOKEN_ID",
    "MODAL_TOKEN_SECRET",
    "TERMINAL_SSH_KEY",
    "SUDO_PASSWORD",
    "GATEWAY_PROXY_KEY",
    "API_SERVER_KEY",
    "TOOL_GATEWAY_USER_TOKEN",
    "TELEGRAM_WEBHOOK_SECRET",
    "WEBHOOK_SECRET",
    "AI_GATEWAY_API_KEY",
    "VOICE_TOOLS_OPENAI_KEY",
    "BROWSER_USE_API_KEY",
    "CUSTOM_API_KEY",
    "GATEWAY_PROXY_URL",
    "GEMINI_BASE_URL",
    "OPENAI_BASE_URL",
    "OPENROUTER_BASE_URL",
    "OLLAMA_BASE_URL",
    "GROQ_BASE_URL",
    "XAI_BASE_URL",
    "AI_GATEWAY_BASE_URL",
    "ANTHROPIC_BASE_URL",
})


def _looks_like_credential(name: str) -> bool:
    """True if env var name matches a credential-shaped pattern."""
    if name in _CREDENTIAL_NAMES:
        return True
    return any(name.endswith(suf) for suf in _CREDENTIAL_SUFFIXES)

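An added example (not the project's code) that audits an environment against the explicit-name-plus-suffix filter defined above and reports secret-sounding names the filter would leave set, such as lowercase names or suffixes missing from the list. The lists are a constructed subset of the ones on this page; the review heuristic, the function names and the sample environment are assumptions made for illustration.

```python
import re

# Constructed subset of the suffix and explicit-name lists shown above.
SUFFIXES = (
    "_API_KEY", "_TOKEN", "_SECRET", "_PASSWORD",
    "_CREDENTIALS", "_ACCESS_KEY", "_PRIVATE_KEY",
)
EXPLICIT_NAMES = frozenset({
    "AWS_ACCESS_KEY_ID", "FAL_KEY", "MODAL_TOKEN_ID",
    "TERMINAL_SSH_KEY", "OPENAI_BASE_URL",
})

# Hypothetical review heuristic (not from the project): a secret-sounding
# word appearing as a whole underscore-delimited component of the name.
_HINT = re.compile(
    r"(?:^|_)(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIALS?|AUTH)(?:_|$)"
)


def classify(name: str) -> str:
    """Return how the filter treats one env var name.

    'explicit' and 'suffix' mirror the two checks in the filter above, in the
    same order and with the same case-sensitive comparison. 'review' marks
    names the filter leaves set but that look like they may hold a secret.
    """
    if name in EXPLICIT_NAMES:
        return "explicit"
    if any(name.endswith(suffix) for suffix in SUFFIXES):
        return "suffix"
    if _HINT.search(name.upper()):
        return "review"
    return "ignored"


def audit(environ: dict) -> dict:
    """Group every variable name in `environ` by classification."""
    report = {"explicit": [], "suffix": [], "review": [], "ignored": []}
    for name in sorted(environ):
        report[classify(name)].append(name)
    return report


def scrub(environ: dict) -> dict:
    """Return a copy with every filter-matched variable removed."""
    return {
        name: value
        for name, value in environ.items()
        if classify(name) not in ("explicit", "suffix")
    }


# Constructed sample environment; every value is a placeholder.
SAMPLE_ENV = {
    "OPENAI_API_KEY": "constructed-value",
    "FAL_KEY": "constructed-value",
    "MODAL_TOKEN_ID": "constructed-value",
    "OPENAI_BASE_URL": "http://localhost:9/constructed",
    "EXAMPLE_SIGNING_KEY": "constructed-value",    # suffix not in the list
    "example_service_token": "constructed-value",  # lowercase: endswith misses it
    "EXAMPLE_AUTH_HEADER": "constructed-value",
    "KEYBOARD_LAYOUT": "us",                       # must not be flagged
    "TOKENIZERS_PARALLELISM": "false",             # must not be flagged
    "PATH": "/usr/bin",
}

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_ENV).items():
        print(f"{bucket:9s} {names}")
```

Names in the `review` bucket are candidates for the explicit list or a new suffix.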
# HERMES_* vars that change test behavior by being set. Unset all of these
# unconditionally — individual tests that need them set do so explicitly.
_HERMES_BEHAVIORAL_VARS = frozenset({
    "HERMES_YOLO_MODE",
    "HERMES_INTERACTIVE",
    "HERMES_QUIET",
    "HERMES_TOOL_PROGRESS",
    "HERMES_TOOL_PROGRESS_MODE",
    "HERMES_MAX_ITERATIONS",
    "HERMES_SESSION_PLATFORM",
    "HERMES_SESSION_CHAT_ID",
    "HERMES_SESSION_CHAT_NAME",
    "HERMES_SESSION_THREAD_ID",
    "HERMES_SESSION_SOURCE",
    "HERMES_SESSION_KEY",
    "HERMES_GATEWAY_SESSION",
    "HERMES_PLATFORM",
    "HERMES_INFERENCE_PROVIDER",
    "HERMES_MANAGED",
    "HERMES_DEV",
    "HERMES_CONTAINER",
    "HERMES_EPHEMERAL_SYSTEM_PROMPT",
    "HERMES_TIMEZONE",
    "HERMES_REDACT_SECRETS",
    "HERMES_BACKGROUND_NOTIFICATIONS",
    "HERMES_EXEC_ASK",
    "HERMES_HOME_MODE",
2026-04-17 15:03:31 -06:00
    "BROWSER_CDP_URL",
    "CAMOFOX_URL",
test(conftest): reset module-level state + unset platform allowlists (#13400)
Three fixes that close the remaining structural sources of CI flakes
after PR #13363.
## 1. Per-test reset of module-level singletons and ContextVars
Python modules are singletons per process, and pytest-xdist workers are
long-lived. Module-level dicts/sets and ContextVars persist across tests
on the same worker. A test that sets state in `tools.approval._session_approved`
and doesn't explicitly clear it leaks that state to every subsequent test
on the same worker.
New `_reset_module_state` autouse fixture in `tests/conftest.py` clears:
- tools.approval: _session_approved, _session_yolo, _permanent_approved,
_pending, _gateway_queues, _gateway_notify_cbs, _approval_session_key
- tools.interrupt: _interrupted_threads
- gateway.session_context: 10 session/cron ContextVars (reset to _UNSET)
- tools.env_passthrough: _allowed_env_vars_var (reset to empty set)
- tools.credential_files: _registered_files_var (reset to empty dict)
- tools.file_tools: _read_tracker, _file_ops_cache
This was the single biggest remaining class of CI flakes.
`test_command_guards::test_warn_session_approved` and
`test_combined_cli_session_approves_both` were failing 12/15 recent main
runs specifically because `_session_approved` carried approvals from a
prior test's session into these tests' `"default"` session lookup.
## 2. Unset platform allowlist env vars in hermetic fixture
`TELEGRAM_ALLOWED_USERS`, `DISCORD_ALLOWED_USERS`, and 20 other
`*_ALLOWED_USERS` / `*_ALLOW_ALL_USERS` vars are now unset per-test in
the same place credential env vars already are. These aren't credentials
but they change gateway auth behavior; if set from any source (user
shell, leaky test, CI env) they flake button-authorization tests.
Fixes three `test_telegram_approval_buttons` tests that were failing
across recent runs of the full gateway directory.
## 3. Two specific tests with module-level captured state
- `test_signal::TestSignalPhoneRedaction`: `agent.redact._REDACT_ENABLED`
is captured at module import from `HERMES_REDACT_SECRETS`, not read
per-call. `monkeypatch.delenv` at test time is too late. Added
`monkeypatch.setattr("agent.redact._REDACT_ENABLED", True)` per
skill xdist-cross-test-pollution Pattern 5.
- `test_internal_event_bypass_pairing::test_non_internal_event_without_user_triggers_pairing`:
`gateway.pairing.PAIRING_DIR` is captured at module import from
HERMES_HOME, so per-test HERMES_HOME redirection in conftest doesn't
retroactively move it. Test now monkeypatches PAIRING_DIR directly to
its tmp_path, preventing rate-limit state from prior xdist workers
from letting the pairing send-call be suppressed.
## Validation
- tests/tools/: 3494 pass (0 fail) including test_command_guards
- tests/gateway/: 3504 pass (0 fail) across repeat runs
- tests/agent/ + tests/hermes_cli/ + tests/run_agent/ + tests/tools/:
8371 pass, 37 skipped, 0 fail — full suite across directories
No production code changed.
2026-04-21 01:33:10 -07:00
    # Platform allowlists — not credentials, but if set from any source
    # (user shell, earlier leaky test, CI env), they change gateway auth
    # behavior and flake button-authorization tests.
    "TELEGRAM_ALLOWED_USERS",
    "DISCORD_ALLOWED_USERS",
    "WHATSAPP_ALLOWED_USERS",
    "SLACK_ALLOWED_USERS",
    "SIGNAL_ALLOWED_USERS",
    "SIGNAL_GROUP_ALLOWED_USERS",
    "EMAIL_ALLOWED_USERS",
    "SMS_ALLOWED_USERS",
    "MATTERMOST_ALLOWED_USERS",
    "MATRIX_ALLOWED_USERS",
    "DINGTALK_ALLOWED_USERS",
    "FEISHU_ALLOWED_USERS",
    "WECOM_ALLOWED_USERS",
    "GATEWAY_ALLOWED_USERS",
    "GATEWAY_ALLOW_ALL_USERS",
    "TELEGRAM_ALLOW_ALL_USERS",
    "DISCORD_ALLOW_ALL_USERS",
    "WHATSAPP_ALLOW_ALL_USERS",
    "SLACK_ALLOW_ALL_USERS",
    "SIGNAL_ALLOW_ALL_USERS",
    "EMAIL_ALLOW_ALL_USERS",
    "SMS_ALLOW_ALL_USERS",
2026-04-26 12:23:05 -07:00
    # Platform gating — set by load_gateway_config() as a side effect when
    # a config.yaml is present, so individual test bodies that call the
    # loader leak these values into later tests on the same xdist worker.
    # Force-clear on every test setup so the leak can't happen.
    "SLACK_REQUIRE_MENTION",
    "SLACK_STRICT_MENTION",
    "SLACK_FREE_RESPONSE_CHANNELS",
    "SLACK_ALLOW_BOTS",
    "SLACK_REACTIONS",
    "DISCORD_REQUIRE_MENTION",
    "DISCORD_FREE_RESPONSE_CHANNELS",
    "TELEGRAM_REQUIRE_MENTION",
    "WHATSAPP_REQUIRE_MENTION",
    "DINGTALK_REQUIRE_MENTION",
    "MATRIX_REQUIRE_MENTION",
})
2026-03-02 04:34:21 -08:00
@pytest.fixture(autouse=True)
def _hermetic_environment(tmp_path, monkeypatch):
    """Blank out all credential/behavioral env vars so local and CI match.

    Also redirects HERMES_HOME to a per-test tempdir so code that reads
    ``~/.hermes/*`` via ``get_hermes_home()`` can't touch the real one, and
    pins TZ/LANG so datetime/locale-sensitive tests are deterministic.
    """
    # 1. Blank every credential-shaped env var that's currently set.
    for name in list(os.environ.keys()):
        if _looks_like_credential(name):
            monkeypatch.delenv(name, raising=False)

    # 2. Blank behavioral HERMES_* vars that could change test semantics.
    for name in _HERMES_BEHAVIORAL_VARS:
        monkeypatch.delenv(name, raising=False)

    # 3. Redirect HERMES_HOME to a per-test tempdir. Code that reads
    # ``~/.hermes/*`` via ``get_hermes_home()`` now gets the tempdir.
    #
    # NOTE: We do NOT also redirect HOME. Doing so broke CI because
    # some tests (and their transitive deps) spawn subprocesses that
    # inherit HOME and expect it to be stable. If a test genuinely
    # needs HOME isolated, it should set it explicitly in its own
    # fixture. Any code in the codebase reading ``~/.hermes/*`` via
    # ``Path.home() / ".hermes"`` instead of ``get_hermes_home()``
    # is a bug to fix at the callsite.
    fake_hermes_home = tmp_path / "hermes_test"
    fake_hermes_home.mkdir()
    (fake_hermes_home / "sessions").mkdir()
    (fake_hermes_home / "cron").mkdir()
    (fake_hermes_home / "memories").mkdir()
    (fake_hermes_home / "skills").mkdir()
    monkeypatch.setenv("HERMES_HOME", str(fake_hermes_home))

    # 4. Deterministic locale / timezone / hashseed. CI runs in UTC with
    # C.UTF-8 locale; local dev often doesn't. Pin everything.
    monkeypatch.setenv("TZ", "UTC")
    monkeypatch.setenv("LANG", "C.UTF-8")
    monkeypatch.setenv("LC_ALL", "C.UTF-8")
    monkeypatch.setenv("PYTHONHASHSEED", "0")

2026-04-17 14:21:22 -07:00
    # 4b. Disable AWS IMDS lookups. Without this, any test that ends up
    # calling has_aws_credentials() / resolve_aws_auth_env_var()
    # (e.g. provider auto-detect, status command, cron run_job) burns
    # ~2s waiting for the metadata service at 169.254.169.254 to time
    # out. Tests don't run on EC2 — IMDS is always unreachable here.
    monkeypatch.setenv("AWS_EC2_METADATA_DISABLED", "true")
    monkeypatch.setenv("AWS_METADATA_SERVICE_TIMEOUT", "1")
    monkeypatch.setenv("AWS_METADATA_SERVICE_NUM_ATTEMPTS", "1")

    # 5. Reset plugin singleton so tests don't leak plugins from
    # ~/.hermes/plugins/ (which, per step 3, is now empty — but the
    # singleton might still be cached from a previous test).
feat: first-class plugin architecture (#1555)
Plugin system for extending Hermes with custom tools, hooks, and
integrations — no source code changes required.
Core system (hermes_cli/plugins.py):
- Plugin discovery from ~/.hermes/plugins/, .hermes/plugins/, and
pip entry_points (hermes_agent.plugins group)
- PluginContext with register_tool() and register_hook()
- 6 lifecycle hooks: pre/post tool_call, pre/post llm_call,
on_session_start/end
- Namespace package handling for relative imports in plugins
- Graceful error isolation — broken plugins never crash the agent
Integration (model_tools.py):
- Plugin discovery runs after built-in + MCP tools
- Plugin tools bypass toolset filter via get_plugin_tool_names()
- Pre/post tool call hooks fire in handle_function_call()
CLI:
- /plugins command shows loaded plugins, tool counts, status
- Added to COMMANDS dict for autocomplete
Docs:
- Getting started guide (build-a-hermes-plugin.md) — full tutorial
building a calculator plugin step by step
- Reference page (features/plugins.md) — quick overview + tables
- Covers: file structure, schemas, handlers, hooks, data files,
bundled skills, env var gating, pip distribution, common mistakes
Tests: 16 tests covering discovery, loading, hooks, tool visibility.
2026-03-16 07:17:36 -07:00
    try:
        import hermes_cli.plugins as _plugins_mod
        monkeypatch.setattr(_plugins_mod, "_plugin_manager", None)
    except Exception:
        pass
# Backward-compat alias — old tests reference this fixture name. Keep it
# as a no-op wrapper so imports don't break.
@pytest.fixture(autouse=True)
def _isolate_hermes_home(_hermetic_environment):
    """Alias preserved for any test that yields this name explicitly."""
    return None
2026-03-02 04:34:21 -08:00
test(conftest): reset module-level state + unset platform allowlists (#13400)
Three fixes that close the remaining structural sources of CI flakes
after PR #13363.
## 1. Per-test reset of module-level singletons and ContextVars
Python modules are singletons per process, and pytest-xdist workers are
long-lived. Module-level dicts/sets and ContextVars persist across tests
on the same worker. A test that sets state in `tools.approval._session_approved`
and doesn't explicitly clear it leaks that state to every subsequent test
on the same worker.
New `_reset_module_state` autouse fixture in `tests/conftest.py` clears:
- tools.approval: _session_approved, _session_yolo, _permanent_approved,
_pending, _gateway_queues, _gateway_notify_cbs, _approval_session_key
- tools.interrupt: _interrupted_threads
- gateway.session_context: 10 session/cron ContextVars (reset to _UNSET)
- tools.env_passthrough: _allowed_env_vars_var (reset to empty set)
- tools.credential_files: _registered_files_var (reset to empty dict)
- tools.file_tools: _read_tracker, _file_ops_cache
This was the single biggest remaining class of CI flakes.
`test_command_guards::test_warn_session_approved` and
`test_combined_cli_session_approves_both` were failing 12/15 recent main
runs specifically because `_session_approved` carried approvals from a
prior test's session into these tests' `"default"` session lookup.
## 2. Unset platform allowlist env vars in hermetic fixture
`TELEGRAM_ALLOWED_USERS`, `DISCORD_ALLOWED_USERS`, and 20 other
`*_ALLOWED_USERS` / `*_ALLOW_ALL_USERS` vars are now unset per-test in
the same place credential env vars already are. These aren't credentials
but they change gateway auth behavior; if set from any source (user
shell, leaky test, CI env) they flake button-authorization tests.
Fixes three `test_telegram_approval_buttons` tests that were failing
across recent runs of the full gateway directory.
## 3. Two specific tests with module-level captured state
- `test_signal::TestSignalPhoneRedaction`: `agent.redact._REDACT_ENABLED`
is captured at module import from `HERMES_REDACT_SECRETS`, not read
per-call. `monkeypatch.delenv` at test time is too late. Added
`monkeypatch.setattr("agent.redact._REDACT_ENABLED", True)` per
skill xdist-cross-test-pollution Pattern 5.
- `test_internal_event_bypass_pairing::test_non_internal_event_without_user_triggers_pairing`:
`gateway.pairing.PAIRING_DIR` is captured at module import from
HERMES_HOME, so per-test HERMES_HOME redirection in conftest doesn't
retroactively move it. Test now monkeypatches PAIRING_DIR directly to
its tmp_path, preventing rate-limit state from prior xdist workers
from letting the pairing send-call be suppressed.
## Validation
- tests/tools/: 3494 pass (0 fail) including test_command_guards
- tests/gateway/: 3504 pass (0 fail) across repeat runs
- tests/agent/ + tests/hermes_cli/ + tests/run_agent/ + tests/tools/:
8371 pass, 37 skipped, 0 fail — full suite across directories
No production code changed.
2026-04-21 01:33:10 -07:00
# ── Module-level state reset ───────────────────────────────────────────────
#
# Python modules are singletons per process, and pytest-xdist workers are
# long-lived. Module-level dicts/sets (tool registries, approval state,
# interrupt flags) and ContextVars persist across tests in the same worker,
# causing tests that pass alone to fail when run with siblings.
#
# Each entry in this fixture clears state that belongs to a specific module.
# New state buckets go here too — this is the single gate that prevents
# "works alone, flakes in CI" bugs from state leakage.
#
# The skill `test-suite-cascade-diagnosis` documents the concrete patterns
# this closes; the running example was `test_command_guards` failing 12/15
# CI runs because ``tools.approval._session_approved`` carried approvals
# from one test's session into another's.

@pytest.fixture(autouse=True)
def _reset_module_state():
    """Clear module-level mutable state and ContextVars between tests.

    Keeps state from leaking across tests on the same xdist worker. Modules
    that don't exist yet (test collection before production import) are
    skipped silently — production import later creates fresh empty state.
    """
    # --- tools.approval — the single biggest source of cross-test pollution ---
    try:
        from tools import approval as _approval_mod
        _approval_mod._session_approved.clear()
        _approval_mod._session_yolo.clear()
        _approval_mod._permanent_approved.clear()
        _approval_mod._pending.clear()
        _approval_mod._gateway_queues.clear()
        _approval_mod._gateway_notify_cbs.clear()
        # ContextVar: reset to empty string so get_current_session_key()
        # falls through to the env var / default path, matching a fresh
        # process.
        _approval_mod._approval_session_key.set("")
    except Exception:
        pass

    # --- tools.interrupt — per-thread interrupt flag set ---
    try:
        from tools import interrupt as _interrupt_mod
        with _interrupt_mod._lock:
            _interrupt_mod._interrupted_threads.clear()
    except Exception:
        pass

    # --- gateway.session_context — 10 ContextVars that represent
    # the active gateway session. If set in one test and not reset,
    # the next test's get_session_env() reads stale values.
    try:
        from gateway import session_context as _sc_mod
        for _cv in (
            _sc_mod._SESSION_PLATFORM,
            _sc_mod._SESSION_CHAT_ID,
            _sc_mod._SESSION_CHAT_NAME,
            _sc_mod._SESSION_THREAD_ID,
            _sc_mod._SESSION_USER_ID,
            _sc_mod._SESSION_USER_NAME,
            _sc_mod._SESSION_KEY,
            _sc_mod._CRON_AUTO_DELIVER_PLATFORM,
            _sc_mod._CRON_AUTO_DELIVER_CHAT_ID,
            _sc_mod._CRON_AUTO_DELIVER_THREAD_ID,
        ):
            _cv.set(_sc_mod._UNSET)
    except Exception:
        pass

    # --- tools.env_passthrough — ContextVar<set[str]> with no default ---
    # LookupError is normal if the test never set it. Setting it to an
    # empty set unconditionally normalizes the starting state.
    try:
        from tools import env_passthrough as _envp_mod
        _envp_mod._allowed_env_vars_var.set(set())
    except Exception:
        pass

    # --- tools.credential_files — ContextVar<dict> ---
    try:
        from tools import credential_files as _credf_mod
        _credf_mod._registered_files_var.set({})
    except Exception:
        pass

    # --- tools.file_tools — per-task read history + file-ops cache ---
    # _read_tracker accumulates per-task_id read history for loop detection,
    # capped by _READ_HISTORY_CAP. If entries from a prior test persist, the
    # cap is hit faster than expected and capacity-related tests flake.
    try:
        from tools import file_tools as _ft_mod
        with _ft_mod._read_tracker_lock:
            _ft_mod._read_tracker.clear()
        with _ft_mod._file_ops_lock:
            _ft_mod._file_ops_cache.clear()
    except Exception:
        pass

    yield

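Section 3 of the #13400 commit message describes a flag that is computed from an environment variable when its module is imported, so a per-test `monkeypatch.delenv` arrives too late. The sketch below is an added example, not code from this repository: it shows the stale flag surviving the env scrub, the attribute pin that fixes it, and an AST scan (Python 3.9+) that lists module-level assignments reading `os.environ`. The names `demo_redact`, `DEMO_REDACT_SECRETS`, `run_scenario` and `import_time_env_captures` are hypothetical, and the sample string is constructed.

```python
import ast
import os
import types

# Constructed stand-in for a module like the one in the commit message: its
# on/off switch is read from the environment once, at import time.
_DEMO_SOURCE = r'''
import os, re
_REDACT_ENABLED = os.environ.get("DEMO_REDACT_SECRETS", "true").lower() != "false"
_PHONE = re.compile(r"\+\d{7,15}")

def redact(text):
    """Mask phone numbers unless redaction was disabled at import time."""
    return _PHONE.sub("[REDACTED]", text) if _REDACT_ENABLED else text
'''
ENV_FLAG = "DEMO_REDACT_SECRETS"  # hypothetical variable name


def load_demo_module(name="demo_redact"):
    """Equivalent of a first import: run the module body against os.environ."""
    module = types.ModuleType(name)
    exec(compile(_DEMO_SOURCE, name + ".py", "exec"), module.__dict__)
    return module


def run_scenario(sample="call me on +15555550100"):
    """Return what a test would observe under three isolation strategies."""
    saved = os.environ.get(ENV_FLAG)
    observed = {}
    try:
        # The worker imports the module while the variable is still set
        # (developer shell, CI env, or an earlier leaky test).
        os.environ[ENV_FLAG] = "false"
        mod = load_demo_module()

        # Strategy 1: unset the variable per test. The captured flag is stale,
        # so the sample passes through unredacted.
        os.environ.pop(ENV_FLAG, None)
        observed["after_delenv"] = mod.redact(sample)

        # Strategy 2: pin the captured attribute itself; in pytest this is
        # monkeypatch.setattr(mod, "_REDACT_ENABLED", True).
        mod._REDACT_ENABLED = True
        observed["after_setattr"] = mod.redact(sample)

        # Control: a module first imported under the scrubbed environment.
        observed["fresh_import"] = load_demo_module().redact(sample)
    finally:
        if saved is None:
            os.environ.pop(ENV_FLAG, None)
        else:
            os.environ[ENV_FLAG] = saved
    return observed


def _env_read(node):
    """Return the env var name if node reads os.environ, else None."""
    if isinstance(node, ast.Call) and node.args:
        if ast.unparse(node.func) in ("os.environ.get", "os.getenv"):
            arg = node.args[0]
            return arg.value if isinstance(arg, ast.Constant) else "<dynamic>"
    if isinstance(node, ast.Subscript) and ast.unparse(node.value) == "os.environ":
        key = node.slice
        return key.value if isinstance(key, ast.Constant) else "<dynamic>"
    return None


def import_time_env_captures(source):
    """Map module-level variable names to the env var they capture at import."""
    found = {}
    for stmt in ast.parse(source).body:  # top-level statements only
        if not isinstance(stmt, (ast.Assign, ast.AnnAssign)) or stmt.value is None:
            continue
        targets = stmt.targets if isinstance(stmt, ast.Assign) else [stmt.target]
        for node in ast.walk(stmt.value):
            env_name = _env_read(node)
            if env_name is None:
                continue
            for target in targets:
                if isinstance(target, ast.Name):
                    found[target.id] = env_name
    return found


if __name__ == "__main__":
    print(run_scenario())
    print(import_time_env_captures(_DEMO_SOURCE))
```

Every name the scan reports is a candidate for a per-test `monkeypatch.setattr` pin, because unsetting the environment variable alone leaves the captured value in place.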
test: reorganize test structure and add missing unit tests
Reorganize flat tests/ directory to mirror source code structure
(tools/, gateway/, hermes_cli/, integration/). Add 11 new test files
covering previously untested modules: registry, patch_parser,
fuzzy_match, todo_tool, approval, file_tools, gateway session/config/
delivery, and hermes_cli config/models. Total: 147 unit tests passing,
9 integration tests gated behind pytest marker.
2026-02-26 03:20:08 +03:00
@pytest.fixture()
def tmp_dir(tmp_path):
    """Provide a temporary directory that is cleaned up automatically."""
    return tmp_path


@pytest.fixture()
def mock_config():
    """Return a minimal hermes config dict suitable for unit tests."""
    return {
        "model": "test/mock-model",
        "toolsets": ["terminal", "file"],
        "max_turns": 10,
        "terminal": {
            "backend": "local",
            "cwd": "/tmp",
            "timeout": 30,
        },
        "compression": {"enabled": False},
        "memory": {"memory_enabled": False, "user_profile_enabled": False},
        "command_allowlist": [],
    }
2026-03-12 01:23:28 -07:00
# ── Global test timeout ─────────────────────────────────────────────────────
# Kill any individual test that takes longer than 30 seconds.
# Prevents hanging tests (subprocess spawns, blocking I/O) from stalling the
# entire test suite.

def _timeout_handler(signum, frame):
    raise TimeoutError("Test exceeded 30 second timeout")

2026-03-14 03:14:34 -07:00
@pytest.fixture(autouse=True)
def _ensure_current_event_loop(request):
    """Provide a default event loop for sync tests that call get_event_loop().

    Python 3.11+ no longer guarantees a current loop for plain synchronous tests.
    A number of gateway tests still use asyncio.get_event_loop().run_until_complete(...).
    Ensure they always have a usable loop without interfering with pytest-asyncio's
    own loop management for @pytest.mark.asyncio tests.
    """
    if request.node.get_closest_marker("asyncio") is not None:
        yield
        return

    try:
        loop = asyncio.get_event_loop_policy().get_event_loop()
    except RuntimeError:
        loop = None

    created = loop is None or loop.is_closed()
    if created:
        loop = asyncio.new_event_loop()
        asyncio.set_event_loop(loop)

    try:
        yield
    finally:
        if created and loop is not None:
            try:
                loop.close()
            finally:
                asyncio.set_event_loop(None)

2026-03-12 01:23:28 -07:00
@pytest.fixture(autouse=True)
def _enforce_test_timeout():
fix(approval): show full command in dangerous command approval (#1553)
* fix: prevent infinite 400 failure loop on context overflow (#1630)
When a gateway session exceeds the model's context window, Anthropic may
return a generic 400 invalid_request_error with just 'Error' as the
message. This bypassed the phrase-based context-length detection,
causing the agent to treat it as a non-retryable client error. Worse,
the failed user message was still persisted to the transcript, making
the session even larger on each attempt — creating an infinite loop.
Three-layer fix:
1. run_agent.py — Fallback heuristic: when a 400 error has a very short
generic message AND the session is large (>40% of context or >80
messages), treat it as a probable context overflow and trigger
compression instead of aborting.
2. run_agent.py + gateway/run.py — Don't persist failed messages:
when the agent returns failed=True before generating any response,
skip writing the user's message to the transcript/DB. This prevents
the session from growing on each failure.
3. gateway/run.py — Smarter error messages: detect context-overflow
failures and suggest /compact or /reset specifically, instead of a
generic 'try again' that will fail identically.
* fix(skills): detect prompt injection patterns and block cache file reads
Adds two security layers to prevent prompt injection via skills hub
cache files (#1558):
1. read_file: blocks direct reads of ~/.hermes/skills/.hub/ directory
(index-cache, catalog files). The 3.5MB clawhub_catalog_v1.json
was the original injection vector — untrusted skill descriptions
in the catalog contained adversarial text that the model executed.
2. skill_view: warns when skills are loaded from outside the trusted
~/.hermes/skills/ directory, and detects common injection patterns
in skill content ("ignore previous instructions", "<system>", etc.).
Cherry-picked from PR #1562 by ygd58.
* fix(tools): chunk long messages in send_message_tool before dispatch (#1552)
Long messages sent via send_message tool or cron delivery silently
failed when exceeding platform limits. Gateway adapters handle this
via truncate_message(), but the standalone senders in send_message_tool
bypassed that entirely.
- Apply truncate_message() chunking in _send_to_platform() before
dispatching to individual platform senders
- Remove naive message[i:i+2000] character split in _send_discord()
in favor of centralized smart splitting
- Attach media files to last chunk only for Telegram
- Add regression tests for chunking and media placement
Cherry-picked from PR #1557 by llbn.
* fix(approval): show full command in dangerous command approval (#1553)
Previously the command was truncated to 80 chars in CLI (with a
[v]iew full option), 500 chars in Discord embeds, and missing entirely
in Telegram/Slack approval messages. Now the full command is always
displayed everywhere:
- CLI: removed 80-char truncation and [v]iew full menu option
- Gateway (TG/Slack): approval_required message includes full command
in a code block
- Discord: embed shows full command up to 4096-char limit
- Windows: skip SIGALRM-based test timeout (Unix-only)
- Updated tests: replaced view-flow tests with direct approval tests
Cherry-picked from PR #1566 by crazywriter1.
---------
Co-authored-by: buray <ygd58@users.noreply.github.com>
Co-authored-by: lbn <llbn@users.noreply.github.com>
Co-authored-by: crazywriter1 <53251494+crazywriter1@users.noreply.github.com>
2026-03-17 02:02:33 -07:00
    """Kill any individual test that takes longer than 30 seconds.
    SIGALRM is Unix-only; skip on Windows."""
    if sys.platform == "win32":
        yield
        return
2026-03-12 01:23:28 -07:00
    old = signal.signal(signal.SIGALRM, _timeout_handler)
    signal.alarm(30)
    yield
    signal.alarm(0)
    signal.signal(signal.SIGALRM, old)