mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-12 21:33:04 +08:00
Remove unused imports (F401) and duplicate/shadowed import redefinitions (F811) across the codebase using ruff's safe autofixes. No behavioral changes -- imports only. - ~1400 safe autofixes applied across 644 files (net -1072 lines) - __init__.py re-exports preserved (excluded from F401 removal so public re-export surfaces stay intact) - Re-exports that are imported or monkeypatched by tests but look unused in their defining module are kept with explicit # noqa: F401 (gateway/run.py load_dotenv; run_agent re-exports from agent.message_sanitization, agent.context_compressor, agent.retry_utils, agent.prompt_builder, agent.process_bootstrap, agent.codex_responses_adapter) - Unsafe F841 (unused-variable) fixes deliberately skipped -- those can change behavior when the RHS has side effects - ruff lints remain disabled in pyproject.toml (only PLW1514 is selected); this is a one-time cleanup, not a config change Verification: - python -m compileall: clean - pytest --collect-only: all 27161 tests collect (zero import errors) - core entry points import clean (run_agent, model_tools, cli, toolsets, hermes_state, batch_runner, gateway) - static scan: every name any test imports directly from an edited module still resolves
208 lines
7.8 KiB
Python
208 lines
7.8 KiB
Python
"""Tests for Bug #12905 fix — stale OAuth token detection in hermes model flow.
|
|
|
|
Bug 3: `hermes model` with `provider=anthropic` skips OAuth re-authentication
|
|
when a stale ANTHROPIC_TOKEN exists in ~/.hermes/.env but no valid
|
|
Claude Code credentials are available. The fast-path silently proceeds to
|
|
model selection with a broken token instead of offering re-auth.
|
|
"""
|
|
|
|
|
|
from hermes_cli.config import save_env_value
|
|
|
|
|
|
class TestStaleOAuthTokenDetection:
|
|
"""Bug 3: stale OAuth token must trigger needs_auth=True in _model_flow_anthropic."""
|
|
|
|
def test_stale_oauth_token_triggers_reauth(self, tmp_path, monkeypatch, capsys):
|
|
"""
|
|
Scenario: ANTHROPIC_TOKEN is an expired OAuth token and there are no
|
|
valid Claude Code credentials anywhere. The flow MUST offer re-auth
|
|
instead of silently skipping to model selection.
|
|
"""
|
|
monkeypatch.setenv("HERMES_HOME", str(tmp_path))
|
|
|
|
# Pre-load .env with an expired OAuth token (sk-ant- prefix = OAuth)
|
|
save_env_value("ANTHROPIC_TOKEN", "sk-ant-oat-ExpiredToken00000")
|
|
save_env_value("ANTHROPIC_API_KEY", "")
|
|
|
|
# No valid Claude Code credentials available (expired, no refresh token)
|
|
monkeypatch.setattr(
|
|
"agent.anthropic_adapter.read_claude_code_credentials",
|
|
lambda: {
|
|
"accessToken": "expired-cc-token",
|
|
"refreshToken": "", # No refresh — can't recover
|
|
"expiresAt": 0, # Already expired
|
|
"source": "claude_code_credentials_file",
|
|
},
|
|
)
|
|
monkeypatch.setattr(
|
|
"agent.anthropic_adapter.is_claude_code_token_valid",
|
|
lambda creds: False, # Explicitly expired
|
|
)
|
|
monkeypatch.setattr(
|
|
"agent.anthropic_adapter._is_oauth_token",
|
|
lambda key: key.startswith("sk-ant-"),
|
|
)
|
|
# _resolve_claude_code_token_from_credentials has no valid path
|
|
monkeypatch.setattr(
|
|
"agent.anthropic_adapter._resolve_claude_code_token_from_credentials",
|
|
lambda creds=None: None,
|
|
)
|
|
|
|
# Simulate user types "3" (Cancel) when prompted for re-auth
|
|
monkeypatch.setattr("builtins.input", lambda _: "3")
|
|
monkeypatch.setattr("hermes_cli.secret_prompt.masked_secret_prompt", lambda _: "")
|
|
|
|
from hermes_cli.main import _model_flow_anthropic
|
|
cfg = {}
|
|
|
|
_model_flow_anthropic(cfg)
|
|
|
|
output = capsys.readouterr().out
|
|
# Must show auth method choice since token is stale
|
|
assert "subscription" in output or "API key" in output, (
|
|
f"Expected auth method menu but got: {output!r}"
|
|
)
|
|
|
|
def test_valid_api_key_skips_stale_check(self, tmp_path, monkeypatch, capsys):
|
|
"""
|
|
A non-OAuth ANTHROPIC_API_KEY (regular pay-per-token key) must NOT be
|
|
flagged as stale even when cc_creds are invalid. Regular API keys don't
|
|
expire the same way OAuth tokens do.
|
|
"""
|
|
monkeypatch.setenv("HERMES_HOME", str(tmp_path))
|
|
|
|
# Regular API key — NOT an OAuth token
|
|
save_env_value("ANTHROPIC_API_KEY", "sk-ant-api03-RegularPayPerTokenKey")
|
|
save_env_value("ANTHROPIC_TOKEN", "")
|
|
|
|
monkeypatch.setattr(
|
|
"agent.anthropic_adapter.read_claude_code_credentials",
|
|
lambda: None, # No CC creds
|
|
)
|
|
monkeypatch.setattr(
|
|
"agent.anthropic_adapter.is_claude_code_token_valid",
|
|
lambda creds: False,
|
|
)
|
|
monkeypatch.setattr(
|
|
"agent.anthropic_adapter._is_oauth_token",
|
|
lambda key: key.startswith("sk-ant-") and "oat" in key,
|
|
)
|
|
|
|
# Simulate user picks "1" (use existing)
|
|
monkeypatch.setattr("builtins.input", lambda _: "1")
|
|
|
|
from hermes_cli.main import _model_flow_anthropic
|
|
cfg = {}
|
|
|
|
_model_flow_anthropic(cfg)
|
|
|
|
output = capsys.readouterr().out
|
|
# Should show "Use existing credentials" menu, NOT auth method choice
|
|
assert "Use existing" in output or "credentials" in output.lower()
|
|
|
|
def test_valid_oauth_token_with_refresh_available_skips_reauth(self, tmp_path, monkeypatch, capsys):
|
|
"""
|
|
When ANTHROPIC_TOKEN is OAuth and valid cc_creds with refresh exist,
|
|
the flow should use existing credentials (no forced re-auth).
|
|
"""
|
|
monkeypatch.setenv("HERMES_HOME", str(tmp_path))
|
|
|
|
save_env_value("ANTHROPIC_TOKEN", "sk-ant-oat-GoodOAuthToken")
|
|
save_env_value("ANTHROPIC_API_KEY", "")
|
|
|
|
# Valid Claude Code credentials with refresh token
|
|
monkeypatch.setattr(
|
|
"agent.anthropic_adapter.read_claude_code_credentials",
|
|
lambda: {
|
|
"accessToken": "valid-cc-token",
|
|
"refreshToken": "valid-refresh",
|
|
"expiresAt": 9999999999999,
|
|
},
|
|
)
|
|
monkeypatch.setattr(
|
|
"agent.anthropic_adapter.is_claude_code_token_valid",
|
|
lambda creds: True,
|
|
)
|
|
monkeypatch.setattr(
|
|
"agent.anthropic_adapter._is_oauth_token",
|
|
lambda key: key.startswith("sk-ant-"),
|
|
)
|
|
monkeypatch.setattr(
|
|
"agent.anthropic_adapter._resolve_claude_code_token_from_credentials",
|
|
lambda creds=None: "valid-cc-token",
|
|
)
|
|
|
|
# Simulate user picks "1" (use existing)
|
|
monkeypatch.setattr("builtins.input", lambda _: "1")
|
|
|
|
from hermes_cli.main import _model_flow_anthropic
|
|
cfg = {}
|
|
|
|
_model_flow_anthropic(cfg)
|
|
|
|
output = capsys.readouterr().out
|
|
# Should show "Use existing" without forcing re-auth
|
|
assert "Use existing" in output or "credentials" in output.lower()
|
|
|
|
|
|
class TestStaleOAuthGuardLogic:
|
|
"""Unit-level test of the stale-OAuth detection guard logic."""
|
|
|
|
def test_stale_oauth_flag_logic_no_cc_creds(self):
|
|
"""
|
|
When existing_key is OAuth and cc_available is False,
|
|
existing_is_stale_oauth should be True → has_creds = False.
|
|
"""
|
|
existing_key = "sk-ant-oat-expiredtoken123"
|
|
_is_oauth_token = lambda k: k.startswith("sk-ant-")
|
|
cc_available = False
|
|
|
|
existing_is_stale_oauth = (
|
|
bool(existing_key) and
|
|
_is_oauth_token(existing_key) and
|
|
not cc_available
|
|
)
|
|
has_creds = (bool(existing_key) and not existing_is_stale_oauth) or cc_available
|
|
|
|
assert existing_is_stale_oauth is True
|
|
assert has_creds is False
|
|
|
|
def test_stale_oauth_flag_logic_with_valid_cc_creds(self):
|
|
"""
|
|
When existing_key is OAuth but cc_available is True (valid creds exist),
|
|
has_creds should be True — the cc_creds will be used instead.
|
|
"""
|
|
existing_key = "sk-ant-oat-sometoken"
|
|
_is_oauth_token = lambda k: k.startswith("sk-ant-")
|
|
cc_available = True
|
|
|
|
existing_is_stale_oauth = (
|
|
bool(existing_key) and
|
|
_is_oauth_token(existing_key) and
|
|
not cc_available
|
|
)
|
|
has_creds = (bool(existing_key) and not existing_is_stale_oauth) or cc_available
|
|
|
|
assert existing_is_stale_oauth is False
|
|
assert has_creds is True
|
|
|
|
def test_non_oauth_key_not_flagged_as_stale(self):
|
|
"""
|
|
Regular ANTHROPIC_API_KEY (non-OAuth) must not be flagged as stale
|
|
even when cc_available is False.
|
|
"""
|
|
existing_key = "sk-ant-api03-regular-key"
|
|
_is_oauth_token = lambda k: k.startswith("sk-ant-") and "oat" in k
|
|
cc_available = False
|
|
|
|
existing_is_stale_oauth = (
|
|
bool(existing_key) and
|
|
_is_oauth_token(existing_key) and
|
|
not cc_available
|
|
)
|
|
has_creds = (bool(existing_key) and not existing_is_stale_oauth) or cc_available
|
|
|
|
assert existing_is_stale_oauth is False
|
|
assert has_creds is True
|