)jJUdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlZddlmZddlmZmZddlmZmZddlmZmZmZddlmZdd lm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&dd l'm(Z(m)Z)m*Z*ddl+Z+dd l,m-Z-m.Z.m/Z/dd l0m1Z1m2Z2dd l3m4Z4ddl5m6Z6m7Z7m8Z8ej9e:Z; ddlZ>n #e=$rdZ>YnwxYwdZ?dZ@dZAdZBdZCdZDeDZEdZFdZGdZHeHZIdZJdZKdZLdZMdZNdZOdZPdZQdZRd ZSd!ZTd"ZUd#ZVd$ZWd%ZXd&ZYd'ZZd(Z[d)Z\dZ]d*Z^e^d+Z_d,Z`d-Zad.Zbd/Zcd0ZddZed1Zfd2ZgdZhd3Zid4Zjd5Zkd6Zld7ZmdZnd8Zod9Zpd:qd;Zrdetd?<d@Zud!ZvdAZweGdBdCZxidDexdDdEdFeAeBeCeEGdHexdHdIdJeKKdLexdLdMdNdOdPdQRdSexdSdTdJeLKdUexdUdVdJeUKdWexdWdXdJeuKdYexdYdZdNd[d\d]Rd^exd^d_dNeVd`daRdbexdbdcddeWdefdgexdgdhdNdidjdkRdlexdldmdNdndodpRdqexdqdrdNdsdtduRdvexdvdwdNdxdyzd{exd{d|dNeYd}d~RdexdddNdddRdexdddNdddRdexdddNdddRidexdddePeReMeNdeQeSddexdddNdddRdexdddNdddRdexdddNdddRdexdddNd ddRdexdddNdddRdexdddNdddRdexdddNdddRdexdddNdddRdexdddNdddRdexdddNddd¬RdexdddNdddǬRdexdddNddd̬RdexdddNdddѬRdexdddNeXddլRdexdddddd۬RdexdddNdddRZydetd< ddlzm{Z|e|D]Z}e}j~eyvr e}jdNkse}jse}j~dvr)ede}jDZede}jDdZexe}j~e}jpe}j~dNe}jepe}jepdެReye}j~<e}jD]Zeeyvreye}j~eye<n #e=$rYnwxYwddZdZddZhdZddddZddZddndgdfdddgdfddgddfddgddfgZddd Zdd Zd ZGddeZddZddZddZddZddZddZdddd!Zdd#Zdd%Zdd'Zdd(ZejZedd.Zee@fdd/Zddd1Zdd3Zdd5Zdd7Zd8d9dd;Zdd<Zdd=Zdd>Zddd?ZddBZddDZddEZddFZddGZddHZddIZdddJZddKZddMZ ddddNddRZddTZddWZddYZddZZed[hZd\etd]<dd_Zdd`ZddcZddeIddddhZddeIddddiZddjddlZddddmZĐdddoZddpddrZdddsddtZedXduhZȐddvZɐddwZʐddxZːddyZ̐dd{Zehfdd}ZΐdddZϐddZАdd8ehdddZѐddZҐddZӐddddZԐddZՐdddZ֐dddZ dddZ dddZِdddZڐdddZېdddZܐdÐdZݐdddZސdÐdZߐdĐdZdŐdZdƐdZdddǐdZdŐdZdȐdZdƐdZecfdɐdZddddʐdZddZdddːdZd~dd̐dZd~dd͐d„Zdd8endddÄZddĄZdΐdƄZddDŽZddȄZehdɣZd\etd<dd˄Zdϐd΄ZdАdτZddЄZddќdѐdԄZd8d՜dҐdׄZ ddӐdڄZddԐd܄Zd~ddՐdބZd֐d߄ZdאdZdd8e]dddZddZd8d՜dҐdZdddddؐdZdِdڐdZdېdZdܐdZdݐdސdZdސd~ddߐdZdސdddZdd8eedddZddZ ddddddZ ddZ ddZ dZ ejZddZddZee@fddZddZddZddZdd Zdd Zdd Zdd ZddZddZddddZddZdd8dddZddZdddeHdddZdeEdddddddddd dd!Z dddd"dd#Z!dd$dd%Z"dd&Z#ddddd'dd(Z$dd)Z%dd*Z&dZ'da(d+etd,<dd-Z)dd.Z*dd/Z+dd0Z,dd1Z-dd2Z.dd3Z/dd4Z0ddd5Z1dd6Z2dd7Z3dd8Z4 ddd:Z5dd;Z6dd<Z7dd=Z8dd>Z9dd?Z:dddސd@ddDZ; dddPZ<ddQZ=ddRZ>ddSddUZ?ddSddVZ@ddYZAd~dddZZBd~d8dd[dd^ZCdd_ZDddaZEddbZFddeZGddhZHddkZIddlZJdd8ddmddoZKdddpddrZLddsZMd duZNeTddvd dyZOddzZPd d{ZQddddd8dddd|d d}ZRd d~ZSddZTdS( a Multi-provider authentication system for Hermes Agent. Supports OAuth device code flows (Nous Portal, future: OpenAI Codex) and traditional API key providers (OpenRouter, custom endpoints). Auth state is persisted in ~/.hermes/auth.json with cross-process file locking. Architecture: - ProviderConfig registry defines known OAuth providers - Auth store (auth.json) holds per-provider credential state - resolve_provider() picks the active provider via priority chain - resolve_*_runtime_credentials() handles token refresh and runtime keys - logout_command() is the CLI entry point for clearing auth Nous authentication paths: - Invoke JWT (preferred): use a scoped access_token directly for inference. ) annotationsN)contextmanager) dataclassfield)datetimetimezone)BaseHTTPRequestHandler HTTPServerThreadingHTTPServer)Path)AnyCallableDict FrozenSetListOptionalTuple)parse_qs urlencodeurlparse)get_hermes_homeget_config_pathread_raw_config)OPENROUTER_BASE_URLsecure_parent_dir)$sanitize_borrowed_credential_payload)atomic_replaceatomic_yaml_writeis_truthy_value.@zhttps://portal.nousresearch.comz)https://inference-api.nousresearch.com/v1 hermes-clizinference:invoke device_code invoke_jwtxz%https://chatgpt.com/backend-api/codexzhttps://api.x.ai/v1z$78257093-7e40-4613-99e0-527b14b39113z!group_id profile model.completionz*urn:ietf:params:oauth:grant-type:user_codezhttps://api.minimax.iozhttps://api.minimaxi.comz https://api.minimax.io/anthropicz"https://api.minimaxi.com/anthropic<zhttps://portal.qwen.ai/v1zhttps://api.githubcopilot.comz acp://copilotzhttps://ollama.com/v1z#https://api.stepfun.ai/step_plan/v1z$https://api.stepfun.com/step_plan/v1app_EMoamEEZ73f0CkXaXp7hrannz#https://auth.openai.com/oauth/tokenhttps://auth.x.aiz!/.well-known/openid-configurationz$b1a00492-073a-47ea-816f-4c329264a828z>openid profile email offline_access grok-cli:access api:access 127.0.0.1i9z /callback f0304373b74a44d2b584a3fb70ca9e56z(https://chat.qwen.ai/api/v1/oauth2/tokenzhttps://accounts.spotify.comzhttps://api.spotify.com/v1z'http://127.0.0.1:43827/spotify/callbackzFhttps://hermes-agent.nousresearch.com/docs/user-guide/features/spotifyz'https://developer.spotify.com/dashboardz@https://hermes-agent.nousresearch.com/docs/guides/xai-grok-oauthz@https://hermes-agent.nousresearch.com/docs/guides/oauth-over-ssh ) zuser-modify-playback-statezuser-read-playback-statezuser-read-currently-playingzuser-read-recently-playedzplaylist-read-privatezplaylist-read-collaborativezplaylist-modify-publiczplaylist-modify-privatezuser-library-readzuser-library-modifyspotifySpotifyDict[str, str]SERVICE_PROVIDER_NAMESzcloudcode-pa://googlezdummy-lm-api-keyceZdZUdZded<ded<ded<dZded<dZded<dZded <dZded <e e Z d ed <dZ ded<dZ ded<dS)ProviderConfigz%Describes a known inference provider.stridname auth_typeportal_base_urlinference_base_url client_idscope)default_factoryDict[str, Any]extratupleapi_key_env_varsbase_url_env_varN)__name__ __module__ __qualname____doc____annotations__r7r8r9r:rdictr=r@rAr>4/home/ubuntu/.hermes/hermes-agent/hermes_cli/auth.pyr1r1s// GGG IIINNNO     IEOOOO!E$777E7777     rHr1nousz Nous Portaloauth_device_code)r3r4r5r7r8r9r: openai-codexz OpenAI Codexoauth_external)r3r4r5r8z openai-apiz OpenAI APIapi_keyzhttps://api.openai.com/v1)OPENAI_API_KEYOPENAI_BASE_URL)r3r4r5r8r@rA xai-oauthz%xAI Grok OAuth (SuperGrok / Premium+) qwen-oauthz Qwen OAuthgoogle-gemini-clizGoogle Gemini (OAuth)lmstudioz LM Studiozhttp://127.0.0.1:1234/v1) LM_API_KEY LM_BASE_URLcopilotzGitHub Copilot)COPILOT_GITHUB_TOKENGH_TOKEN GITHUB_TOKENCOPILOT_API_BASE_URL copilot-acpzGitHub Copilot ACPexternal_processCOPILOT_ACP_BASE_URL)r3r4r5r8rAgeminizGoogle AI Studioz0https://generativelanguage.googleapis.com/v1beta)GOOGLE_API_KEYGEMINI_API_KEYGEMINI_BASE_URLzaiz Z.AI / GLMzhttps://api.z.ai/api/paas/v4) GLM_API_KEY ZAI_API_KEY Z_AI_API_KEY GLM_BASE_URL kimi-codingzKimi / Moonshotzhttps://api.moonshot.ai/v1) KIMI_API_KEYKIMI_CODING_API_KEY KIMI_BASE_URLkimi-coding-cnzKimi / Moonshot (China)zhttps://api.moonshot.cn/v1)KIMI_CN_API_KEY)r3r4r5r8r@stepfunzStepFun Step Plan)STEPFUN_API_KEYSTEPFUN_BASE_URLarceezArcee AIzhttps://api.arcee.ai/api/v1)ARCEEAI_API_KEYARCEE_BASE_URLgmiz GMI Cloudzhttps://api.gmi-serving.com/v1) GMI_API_KEY GMI_BASE_URLminimaxMiniMax)MINIMAX_API_KEYMINIMAX_BASE_URL minimax-oauthuMiniMax (OAuth · minimax.io) oauth_minimaxglobal)regioncn_portal_base_urlcn_inference_base_url)r3r4r5r7r8r9r:r= anthropic Anthropiczhttps://api.anthropic.com)ANTHROPIC_API_KEYANTHROPIC_TOKENCLAUDE_CODE_OAUTH_TOKENANTHROPIC_BASE_URLalibabaz Qwen Cloudz6https://dashscope-intl.aliyuncs.com/compatible-mode/v1)DASHSCOPE_API_KEYDASHSCOPE_BASE_URLalibaba-coding-planzAlibaba Cloud (Coding Plan)z-https://coding-intl.dashscope.aliyuncs.com/v1)ALIBABA_CODING_PLAN_API_KEYrALIBABA_CODING_PLAN_BASE_URL minimax-cnzMiniMax (China))MINIMAX_CN_API_KEYMINIMAX_CN_BASE_URLdeepseekDeepSeekzhttps://api.deepseek.com/v1)DEEPSEEK_API_KEYDEEPSEEK_BASE_URLxaixAI) XAI_API_KEY XAI_BASE_URLnvidiaz NVIDIA NIMz#https://integrate.api.nvidia.com/v1)NVIDIA_API_KEYNVIDIA_BASE_URL opencode-zenz OpenCode Zenzhttps://opencode.ai/zen/v1)OPENCODE_ZEN_API_KEYOPENCODE_ZEN_BASE_URL opencode-goz OpenCode Gozhttps://opencode.ai/zen/go/v1)OPENCODE_GO_API_KEYOPENCODE_GO_BASE_URLkilocodez Kilo Codezhttps://api.kilo.ai/api/gateway)KILOCODE_API_KEYKILOCODE_BASE_URL huggingfacez Hugging Facez https://router.huggingface.co/v1)HF_TOKEN HF_BASE_URLxiaomiz Xiaomi MiMozhttps://api.xiaomimimo.com/v1)XIAOMI_API_KEYXIAOMI_BASE_URLtencent-tokenhubzTencent TokenHubz#https://tokenhub.tencentmaas.com/v1)TOKENHUB_API_KEYTOKENHUB_BASE_URL ollama-cloudz Ollama Cloud)OLLAMA_API_KEYOLLAMA_BASE_URLbedrockz AWS Bedrockaws_sdkz/https://bedrock-runtime.us-east-1.amazonaws.comr>BEDROCK_BASE_URL azure-foundryz Azure Foundryr6)AZURE_FOUNDRY_API_KEYAZURE_FOUNDRY_BASE_URLzDict[str, ProviderConfig]PROVIDER_REGISTRYlist_providers>rccustomrW openrouterrhrlc#nK|]0}|d|d,|V1dS _BASE_URL_URLNendswith.0vs rI rsHppAQZZ =T=Tp]^]g]ghn]o]opapppppprHc#nK|]0}|ds|d,|V1dSrrrs rIrrsHggAK9P9PgTUT^T^_eTfTfgaggggggrHreturnr2cddlm}tdjD](}||pt j|d}|r|cS)dS)aQReturn the first usable Anthropic credential, or ``""``. Checks both the ``.env`` file (via ``get_env_value``) and the process environment (``os.getenv``). The fallback order mirrors the ``PROVIDER_REGISTRY["anthropic"].api_key_env_vars`` tuple: ANTHROPIC_API_KEY -> ANTHROPIC_TOKEN -> CLAUDE_CODE_OAUTH_TOKEN r get_env_valuerr6)hermes_cli.configrrr@osgetenv)rvarvalues rIget_anthropic_keyrsh0///// -> c""8biR&8&8  LLL  2rHzhttps://api.kimi.com/coding default_url env_overridecN|r|S|s|S|drtS|S)zReturn the correct Kimi base URL based on the API key prefix. If the user has explicitly set KIMI_BASE_URL, that always wins. Otherwise, sk-kimi- prefixed keys route to api.kimi.com/coding/v1. zsk-kimi-) startswithKIMI_CODE_BASE_URL)rNrrs rI_resolve_kimi_base_urlrsB  *%%"!! rH> ***** your-api-key*nonenulldummyexamplechangeme placeholder your_api_keyyour_api_key_here) min_lengthrr rintboolct|tsdS|}t||krdS|t vrdSdS)zIReturn True when a configured secret looks usable, not empty/placeholder.FT) isinstancer2striplenlower_PLACEHOLDER_SECRET_VALUES)rrcleaneds rIhas_usable_secretr'sZ eS ! !ukkmmG 7||j  u}}444u 4rH provider_idpconfigtuple[str, str]c|dkre ddlm}m}|\}}|r |||fSn=#t$r%}td|Yd}~nd}~wt $rYnwxYwdSddlm}|j D]6}||pd } t| r| |fcS7 dd l m } | |} | r| ro| } | rYt!| d dpt!| d d} t#|  } t| r| d |fSn#t $rYnwxYwdS) zDResolve an API-key provider's token and indicate where it came from.rWr)resolve_copilot_tokenget_copilot_api_tokenz#Copilot token validation failed: %sN)r6r6rr6 load_pool access_tokenruntime_api_keyzcredential_pool:)hermes_cli.copilot_authrr ValueErrorloggerwarning Exceptionrrr@rragent.credential_poolrhas_credentialspeekgetattrr2)rrrrtokensourceexcrenv_varvalrpoolentrykeys rI _resolve_api_key_provider_secretr 3s i  \ \ \ \ \ \ \ \1133ME6 <,,U33V;; < G G G NN@# F F F F F F F F    D v//////+  }W%%+2244 S ! ! <      333333y%%  AD((** AIIKKE Ae^R88aGEK\^`__,xu! _ _E _z222)<7)<)<(: "'"'&'.4%H%H$I  $   #s**LL!KUT\^cddd#$,!&!&   KUTY[_[kllll _ _ _ JESXZ]^^^^^^^^ _3 _6 4sAB1"B CCCc|r|S|s|St}t|dpi}|d}t|tr|dr|dd}|t j|ddkr)t d|d|dSt|}|r|drt j|dd}|d|d d|d d|d d|d |d<t|d|t d |d |d|dSt d||S)aYReturn the correct Z.AI base URL by probing endpoints. If the user has explicitly set GLM_BASE_URL, that always wins. Otherwise, probe the candidate endpoints to find one that accepts the key. The detected endpoint is cached in provider state (auth.json) keyed on a hash of the API key so subsequent starts skip the probe. rcdetected_endpointr!key_hashr6NzZ.AI: using cached endpoint %sr3rr")r! endpoint_idrr"r.z$Z.AI: auto-detected endpoint %s (%s)z.Z.AI: probe failed, falling back to default %s)_load_auth_store_load_provider_stategetrrGhashlibsha256encode hexdigestrr'r+_save_provider_stateinfo)rNrr auth_storestatecachedr.detecteds rI_resolve_zai_base_urlr>s "##J U 3 3 9rE YY* + +F&$&FJJz$:$:&::j"-- w~gnn&6&677AACCCRCH H H LL96*;M N N N*% %#7++H $HLL,, $>'.."2"233==??D ,#<<b11\\'2..\\'2.. & & !" Z666 :HWaccount_missingno_usable_creditssubscription_expiredtemporarily_unavailablez Please retry in a few seconds.)rrAr2rTrErDrC#_format_nous_entitlement_auth_errorrSs rIformat_auth_errorrcs  eY ' '5zz"%((5zz A@@@@ z,,, >V # #6u== =hh z+++ >V # #6u== =VV zUUU >V # #6u== = z...8888 u::rHcz ddlm}m}|d}||d}|r|Sn#t$rYnwxYw|dS)Nr&format_nous_portal_entitlement_messageget_nous_portal_account_infoT force_freshzNous model access capabilityz5 Check credits or billing in Nous Portal, then retry.)hermes_cli.nous_accountrfrgr)rPrfrg account_inforFs rIrbrb's         43EEE 88 *     N        J J JJs $( 55rrGct|tsdS|}|sdStj|dddS)zJReturn a short hash fingerprint for telemetry without leaking token bytes.Nutf-8 )rr2rr4r5r6r7)rrs rI_token_fingerprintrq:sd eS ! !tkkmmG t >'..11 2 2 < < > >ss CCrHc|tjdd}|dvS)NHERMES_OAUTH_TRACEr6>1onyestrue)rrrr)rXs rI_oauth_trace_enabledrxDs8 )(" - - 3 3 5 5 ; ; = =C , ,,rH) sequence_ideventryfieldsrHc tsdSd|i}|r||d<||tdt j|dddS)Nrzryzoauth_trace %sTF) sort_keys ensure_ascii)rxupdaterr9rdumps)rzryr{payloads rI _oauth_tracerIsp  ! !&.G-!,  NN6 KK $*WSX"Y"Y"YZZZZZrHr cFtdz }tjdrpt jdz dz d} |d}n#t$r|}YnwxYw||krtd|d|S)N auth.jsonPYTEST_CURRENT_TEST.hermesFstrictz8Refusing to touch real user auth store during test run: zq. Set HERMES_HOME to a tmp_path in your test fixture, or run via scripts/run_tests.sh for hermetic CI-parity env.) rrenvironr3r homeresolver RuntimeError)pathreal_home_authresolveds rI_auth_file_pathrWs   { *D  z~~+,, )++ 1K?HHPUHVV ||5|11HH   HHH  ~ % %G4GGG  KsA66 BBOptional[Path]c ddlm}|}n#t$rYdSwxYwt} |d|dkrdSn#t$r ||krYdSYnwxYw|dz S)aReturn the global-root auth.json when the process is in profile mode. Returns ``None`` when the profile and global root resolve to the same directory (classic mode, or custom HERMES_HOME that is not a profile). Used by read-only fallback paths so providers authed at the root are visible to profile processes that haven't configured them locally. See issue #18594 follow-up (credential_pool shadowing). rget_default_hermes_rootNFrr)hermes_constantsrrrr)r global_root profile_homes rI_global_auth_file_pathrms<<<<<<--// tt"$$L   u  - -1D1DE1D1R1R R R4 S  ; & &44 ' &  $$s !!.A$$A:9A:r<ct}||siStjdrytjdd}|rWt |dz dz } |d|dkriSn#t$rYnwxYw t|S#t$ricYSwxYw) a8Load the global-root auth store (read-only fallback). Returns an empty dict when no global fallback exists (classic mode, or the global auth.json is absent). Never raises on missing file. Seat belt: under pytest, refuses to read the real user's ``~/.hermes/auth.json`` even when HERMES_HOME is set to a profile path. The hermetic conftest does not redirect ``HOME``, so ``get_default_hermes_root()`` for a profile-shaped HERMES_HOME can still resolve to the real user's home on a dev machine. That would leak real credentials into tests. This guard uses the unmodified ``HOME`` env var (what ``os.path.expanduser('~')`` would resolve to), not ``Path.home()``, because ``Path.home`` is sometimes monkeypatched by fixtures that want to relocate the global root to a tmp path. NrHOMEr6rrFr) rexistsrrr3r rrr1) global_path real_home_env real_roots rI_load_global_auth_storers  )**K+"4"4"6"6  z~~+,, vr22  ]++i7+EI &&e&44 8I8IQV8I8W8WWWIX     ,,,  s$>/B// B<;B<C CCcDtdS)N.lock)r with_suffixr>rHrI_auth_lock_pathrs    ( ( 1 11rH lock_pathholderthreading.localtimeout_secondstimeout_messagec#Kt|dddkr=|xjdz c_ dV|xjdzc_n#|xjdzc_wxYwdS|jddt)t "d|_ dVd|_n #d|_wxYwdSt rH|r|jdkr| dd | t rd nd d 5}tj td |z} tr?t j|tjtjznG|dt j|t jdnX#t*t,t.f$r=tj |krt1|tjd YnwxYwd|_ dVd|_trL t j|tjnD#t,t6f$rYn0wxYwt r` |dt j|t jdn#t,t6f$rYnwxYwn#d|_trJ t j|tjw#t,t6f$rYwwxYwt r` |dt j|t jdw#t,t6f$rYwwxYwwxYwddddS#1swxYwYdS)uCross-process advisory flock helper. Reentrant per-thread via ``holder.depth``. Falls back to a depth-only guard when neither ``fcntl`` nor ``msvcrt`` is available (rare). Callers supply their own ``threading.local`` so independent locks (e.g. profile auth.json vs shared Nous store) don't share reentrancy state — that would let one lock's reentrant acquisition silently skip the other's kernel-level flock. depthrr NTparentsexist_okr+roencodingzr+za+?g?)rrparentmkdirfcntlmsvcrtrstatst_size write_textopentime monotonicmaxflockfilenoLOCK_EXLOCK_NBseeklockingLK_NBLCKBlockingIOErrorOSErrorPermissionError TimeoutErrorsleepLOCK_UNIOErrorLK_UNLCK)rrrr lock_filedeadlines rI _file_lockrs3 vw""Q&&    EEE LLA LLLFLLA LLLLLL 4$777 }   EEEFLL1FL    4y''))4Y^^-=-=-E-J-JS7333 0D7 C Cy>##c#&?&?? ! !KK 0 0 2 2EMEM4QRRRRNN1%%%N9#3#3#5#5vJJJ#Wo> ! ! !>##x//&777 4      ! !   EEEFL K 0 0 2 2EMBBBB)D NN1%%%N9#3#3#5#5vJJJJ)D   FL K 0 0 2 2EMBBBB)D NN1%%%N9#3#3#5#5vJJJJ)D  3s>AB B&N<7B GN<AHN<H N<%K+)N<81I+)N<+J<N<?J N< AKN<K'$N<&K''N<+N,;1L-,N,-M >N,M  N, ANN,N( %N,'N( (N,,N<<OOc#Kttt|d5dVddddS#1swxYwYdS)aCross-process advisory lock for auth.json reads+writes. Reentrant. Lock ordering invariant: when this lock is held together with ``_nous_shared_store_lock``, acquire ``_auth_store_lock`` FIRST (outer) and the shared Nous lock SECOND (inner). All runtime refresh paths follow this order; violating it risks deadlock against a concurrent import on the shared store. z%Timed out waiting for auth store lockN)rr_auth_lock_holderrs rI_auth_store_lockrs /     s 8<< auth_filecz|p t}|s tidS tj|}nz#t $rm}|d} ddl}|j ||n#t $rYnwxYwt d|||tidcYd}~Sd}~wwxYwt|trht|dts(t|dtr|di|St|trPt|dtr(|d}i}d|vr |d|d <t||rd ndd StidS) N)version providersz .json.corruptruYauth: failed to parse %s (%s) — starting with empty store. Corrupt file preserved at %srcredential_poolsystems nous_portalrJ)rractive_provider)rrAUTH_STORE_VERSIONrloads read_textrrshutilcopy2rrrrGr3 setdefault)rrXr corrupt_pathrrrs rIr1r1s._..I     @-B???@j,,..//  @ @ @ ,,_==   MMM FLL 1 1 1 1    D  + sL   .B???????? @#t377;''.. cgg/00$ 7 7 {B''' #tBCGGI,>,>!E!EBi. G # # ' 6If -I-6#@66DBB B* ; ;;sA&A C!C 7B  C  BC B)C C Cr:ct}|jddt|t|d<t jtj |d<tj |ddz}| |j dtjd t!jj} tjt)|tjtjztjzt0jt0jz}tj|d d 5}|||tj|dddn #1swxYwYtA|| tjt)|jtj!}n#tD$rd}YnwxYw|C tj|tj#|n#tj#|wxYw |$r|%nO#tD$rYnCwxYw# |$r|%ww#tD$rYwwxYwxYw |&t0jt0jzn#tD$rYnwxYw|S) NTrr updated_at)indent .tmp..wror)'rrrrrrnowrutc isoformatrr with_namer4rgetpiduuiduuid4hexrr2O_WRONLYO_CREATO_EXCLrS_IRUSRS_IWUSRfdopenwriteflushfsyncrrO_RDONLYrcloserunlinkchmod)r:rrtmp_pathfdhandledir_fds rI_save_auth_storer:s!!I 4$777i   .Jy'|HL99CCEEJ|jA...5G""in#[#[29;;#[#[IY#[#[\\H W MM K"* $ry 0 L4< '   Yr3 1 1 1 &V LL ! ! ! LLNNN HV]]__ % % % & & & & & & & & & & & & & & & x+++ WS!122BK@@FF   FFF    !               "!!!    D     "!!!! "    D   t|34444      sA5J AF+ J +F//J 2F/3J 1G98J 9 HJ HJ H7"J 7I  J (I:: JJ K (J64K6 KKKK ,K77 LLOptional[Dict[str, Any]]c|d}t|tr9||}t|trt|St}|rc|d}t|tr9||}t|trt|SdS)aReturn a provider's persisted state. In profile mode, falls back to the global-root ``auth.json`` when the profile has no entry for ``provider_id``. This mirrors the per-provider shadowing already used by ``read_credential_pool``: workers spawned in a profile can see providers (e.g. ``nous``) that were only authenticated at global scope. Once the user runs ``hermes auth login `` inside the profile, the profile state fully shadows the global state on the next read. See issue #18594 follow-up. rN)r3rrGr)r:rrr; global_storeglobal_providers global_states rIr2r2ks{++I)T"" k** eT " " ;; +,,L*'++K88 & - - *+// <`` block). Adding the very first credential for a provider should make it the active provider so the setup wizard's ``_model_section_has_credentials()`` check (which consults ``get_active_provider()``) does not report "No inference provider configured". Subsequent adds for an already-active setup leave the user's chosen active provider untouched. rr6N)rr1r3rrrr:s rImark_provider_active_if_unsetrs   ))%'' 0117R>>@@ ),7J( ) Z ( ( ( ))))))))))))))))))sA A((A,/A,cv|pd}|tvp|tvSNr6)rrrr/r normalizeds rIis_known_auth_providerrs;#**,,2244J * * Rj >>rHct}|d}t|tsi}i}t }|r|dnd}t|tr|}|t|}|D]\\}}t|t r|s||} t| t r| rJt |||<]|S||} t| t r| rt | S||} t| t rt | ngS)uReturn the persisted credential pool, or one provider slice. In profile mode, the profile's credential pool is authoritative. If a provider has no entries in the profile, entries from the global-root ``auth.json`` are used as a read-only fallback — so workers spawned in a profile can see providers that were only authenticated at global scope. Profile entries always win: the global fallback only applies per-provider when the profile has zero entries for that provider. Once the user runs ``hermes auth add `` inside the profile, profile entries fully shadow global for that provider on the next read. Writes always go to the profile (``write_credential_pool`` is unchanged). See issue #18594 follow-up. rN)r1r3rrGritemslist) rr:r global_poolrmaybe_global_poolmergedgp_key gp_entriesexistingprovider_entriesglobal_entriess rIread_credential_poolr$s "##J >>+ , ,D dD ! !"$K*,,L?KU (():;;;QU#T**(' d"-"3"3"5"5 . . FJj$// z zz&))H(D)) h !*--F6NN xx ,,"D))&.>&$%%% __[11N#-nd#C#C K4   KrHentriesList[Dict[str, Any]]ct5t}|d}t|tsi}||d<fd|D|<t |cdddS#1swxYwYdS)aPersist one provider's credential pool under auth.json. This is the final disk-boundary guard for borrowed/reference-only credentials. Callers may pass raw dictionaries, so sanitize here even when ``PooledCredential.to_dict()`` already did the same work upstream. rc^g|])}t|trt|n|*Sr>)rrGr)rrrs rI z)write_credential_pool..sM   %&& 2 0 D D D,1   rHNrr1r3rrGr)rr%r:rs` rIwrite_credential_poolr+s    , ,%'' ~~/00$%% 1D,0J( )    !   [  ++ , , , , , , , , , , , , , , , , , ,sAA<<BBrct5t}|di}||g}||vr||t |ddddS#1swxYwYdS)z@Mark a credential source as suppressed so it won't be re-seeded.suppressed_sourcesN)rr1rappendrrrr: suppressed provider_lists rIsuppress_credential_sourcer2s   %%%'' **+?DD "--k2>>  & &   ( ( ($$$ %%%%%%%%%%%%%%%%%%sA#A??BBc t}|di}|||gvS#t$rYdSwxYw)z=Check if a credential source has been suppressed by the user.r-F)r1r3r)rrr:r0s rIis_source_suppressedr4sa%'' ^^$8"==  R8888 uus;> A  A ct5t}|d}t|ts ddddS||}t|t r||vr ddddS|||s||d|s|ddt| ddddS#1swxYwYdS)zClear a suppression marker so the source will be re-seeded on the next load. Returns True if a marker was cleared, False if no marker existed. r-NFT) rr1r3rrGrremovepoprr/s rIunsuppress_credential_sourcer8s   %'' ^^$899 *d++   #{33 -.. & 2M2M V$$$ . NN; - - - 7 NN/ 6 6 6$$$s:C4/C4AC44C8;C8c>t}t||S)uReturn persisted auth state for a provider, or None. In profile mode, ``_load_provider_state`` already falls back to the global-root ``auth.json`` per-provider when the profile has no entry — so this is now a thin convenience wrapper. Profile state always wins when present. Writes (``_save_auth_store`` / ``persist_*_credentials``) are unchanged — they still target the profile only. This mirrors ``read_credential_pool``'s per-provider shadowing semantics so that ``_seed_from_singletons`` can reseed a profile's credential pool from global-scope provider state (e.g. a globally-authenticated Anthropic OAuth or Nous device-code session). See issue #18594 follow-up. )r1r2rs rIget_provider_auth_stater:.s"##J  K 8 88rHcHt}|dS)z8Return the currently active provider ID from auth store.r)r1r3r:s rIget_active_providerr=?s !##J >>+ , ,,rHc|pd} t}|dpd}|r||krdSn#t$rYnwxYw ddlm}|}|d}t|trC|dpd}||krdSn#t$rYnwxYwdh}t|} | r?| j d kr4| j D],} | |vrttj| drdS-d S) aReturn True only if the user has explicitly configured this provider. Checks: 1. active_provider in auth.json matches 2. model.provider in config.yaml matches 3. Provider-specific env vars are set (e.g. ANTHROPIC_API_KEY) This is used to gate auto-discovery of external credentials (e.g. Claude Code's ~/.claude/.credentials.json) so they are never used without the user's explicit choice. See PR #4210 for the same pattern applied to the setup wizard gate. r6rTr) load_configrrCrrNF)rrr1r3rrr?rrGrr5r@rrr) rrr:activer?cfg model_cfg cfg_provider_IMPLICIT_ENV_VARSrrs rI!is_provider_explicitly_configuredrEEs#**,,2244J %'' ..!2339r@@BBHHJJ  f **4        111111kmmGGG$$ i & & %MM*55;BBDDJJLLLz))t      44##J//G7$ 11/  G,,, 7B!7!788 tt  5s%AA>> B  B A;D DDc(t5t}|p|d}|s ddddS|di}t|tsi}||d<|d}t|tsi}||d<d}||vr||=d}||vr||=d}|d|krd|d<d}|s ddddSt |dddn #1swxYwYdS)z Clear auth state for a provider. Used by `hermes logout`. If provider_id is None, clears the active provider. Returns True if something was cleared. rNFrrTr*)rr:targetrrcleareds rIclear_provider_authrIxs   %%%'' A /@ A A  %%%%%%%% NN;33 )T** 0I&/J{ #~~/00$%% 1D,0J( ) Y  &!G T>>V G >>+ , , 6 6,0J( )G ;%%%%%%%%< $$$=%%%%%%%%%%%%%%%> 4s)DBD,DD D ct5t}d|d<t|ddddS#1swxYwYdS)z Clear active_provider in auth.json without deleting credentials. Used when the user switches to a non-OAuth provider (OpenRouter, custom) so auto-resolution doesn't keep picking the OAuth provider. Nr)rr1rr<s rIdeactivate_providerrKs   %%%'' (, $%$$$%%%%%%%%%%%%%%%%%%s#?AA provider_namecj ddlm}|}|sdSdg}|D]s}|jdkrdnd}|d|d |j|jr|jdnd}|r|d |td |S#t$rYdSwxYw) zReturn a helpful hint string when provider resolution fails. Checks for common config.yaml mistakes (malformed custom_providers, etc.) and returns a human-readable diagnostic, or empty string if nothing found. r)validate_config_structurer6uCConfig issue detected — run 'hermes doctor' for full diagnostics:rPERRORWARNINGz [z] u → r) rrNseverityr.rFhint splitlinesjoinr)rLrNissueslinesciprefix first_hints rI%_get_config_hint_for_unknown_providerrZs ??????**,, 2VW 6 6B " w 6 6WWIF LL5v5555 6 6 646GC++--a00J 6 4 44555yy rrsB$B B$$ B21B2)explicit_api_keyexplicit_base_url requestedr[r\c |pd}iddddddddddd dd dd d d d dd ddddddddddddddiddddddddddddd d!d"d!d#d$d%d$d&d'd(d'd)d'd*d+d,d+d-d+d.d/id0d/d1d2d3d2d4d2d5d2d6d7d8d7d9d:d;d:dd=d=d=d?d?d@d?dAd?dBdCdDdCidEdCdFdGdHdGdIdJdKdJdLdJdMdJdNdOdPdOdQdOdRdOdSdTdUdTdVdWdXdWdYdWdZdZdZdZd[d\d[d[d[d[d]} d^d_lm}|D]}|jD]}||vr |j||<n#t $rYnwxYw|||}|d`krd`S|d[krd[S|tvr|S|dkr6t|}da|db} |r | dc|z } n| ddz } t| def|s|rd`S t} | dg} | r/| tvr&t| } | dhr| Sn2#t $r%} tdi| Ydj} ~ ndj} ~ wwxYwtt!jdks!tt!jdlrd`S d^dmlm}|d`rd`Sn2#t $r%} tdn| Ydj} ~ ndj} ~ wwxYwtD]H\}}|jdokr|dpvr|jD]*}tt!j|dqr|ccS+I d^drlm}|rdOSn#t4$rYnwxYwtdsdtf)ua~ Determine which inference provider to use. Priority (when requested="auto" or None): 1. active_provider in auth.json with valid credentials 2. Explicit CLI api_key/base_url -> "openrouter" 3. OPENAI_API_KEY or OPENROUTER_API_KEY env vars -> "openrouter" 4. Provider-specific API keys (GLM, Kimi, MiniMax) -> that provider 5. Fallback: "openrouter" autoglmrczz-aizz.aizhipugoogler_z google-geminizgoogle-ai-studiozx-airx.aigrokrQz x-ai-oauthz grok-oauthzxai-grok-oauthkimirhzkimi-for-codingmoonshotzkimi-cnrlz moonshot-cnsteprnzstepfun-coding-planzarcee-airqarceeaiz gmi-cloudrtgmicloudz minimax-chinar minimax_cnzminimax-portalr{zminimax-global minimax_oauthalibaba_codingrzalibaba-codingalibaba_coding_planclauderz claude-codegithubrWzgithub-copilotz github-modelsz github-modelzgithub-copilot-acpr\zcopilot-acp-agentopencoderzenz qwen-portalrRqwen-clirSz gemini-cliz gemini-oauthhfrz hugging-facezhuggingface-hubmimorz xiaomi-mimotencentrtokenhubz tencent-cloud tencentmaasawsrz aws-bedrockzamazon-bedrockamazongorzopencode-go-subkilorz kilo-codez kilo-gatewayrTrr)z lm-studio lm_studioollama ollama_cloudvllmllamacppz llama.cppz llama-cpprrrzUnknown provider 'z'.z z` Check 'hermes model' for available providers, or run 'hermes doctor' to diagnose config issues.invalid_provider)rDr logged_inz)Could not detect active auth provider: %sNrOOPENROUTER_API_KEYrz.Could not check OpenRouter credential pool: %srN>rWrTr6has_aws_credentialszNo inference provider configured. Run 'hermes model' to choose a provider and model, or set an API key (OPENROUTER_API_KEY, OPENAI_API_KEY, etc.) in ~/.hermes/.env.no_provider_configured)rrrraliasesr4rr3rrZrAr1get_auth_statusrr'rrrrrrrr5r@agent.bedrock_adapterr ImportError)r]r[r\r_PROVIDER_ALIASES_lp_pp_alias _config_hintmsgr:r@statuse _load_poolpidrrrs rIresolve_providerrsm %v,,..4466J! u!e!%+U!4;U!(!+X!7I8! !u!'-e! [ !#/ ! k ! $4[ !  ! 1- ! BL] !! #!&34D!  !1)! G!'! U!'! !(4\! /!,<_!O^_n! /!2BCX! 4! +!!! -k! )!! .y!!" #!"%3I#!$ m%!$.A-%!& N'!&%*>'!( |)!(&0)!(@L\)!(\oqD)!(FRTg)!(iwyL)!* m+!*,]+!!!*=N}+!, -!,(-!. %/!.(23E/!0 +1!0.;>J\!!|Xx&&&V/...`` URL. Returns ``None`` if the URL is missing, malformed, non-https, or points at an unexpected host — letting the caller fall back to the configured default rather than persist or forward a poisoned value. Defense-in-depth: a compromised refresh response from the Portal API (MITM, malicious response injection) could otherwise redirect every subsequent proxy request — bearing the user's inference JWT — to an attacker-controlled endpoint. Validating scheme + host at the source closes that loop before the poisoned URL ever lands in ``auth.json``. The env-var override path (``NOUS_INFERENCE_BASE_URL``) bypasses this — env values come from the trusted OS user, not from the network, and the override is documented for staging/dev use. Co-authored-by: memosr NhttpszEnous: refusing non-https inference URL scheme %r from Portal responsezenous: refusing inference URL host %r from Portal response (not in allowlist); falling back to defaultr) rr2rrrschemerrhostnamerr)rrrs rI)_validate_nous_inference_url_from_networkrs, c3  tiikkG t'"" tt } S M   t ;;; : O   t >>#  sA AAct|tr|ddkriS|dd}|ddt |dzz dzzz } t j|d}tj | d}n#t$ricYSwxYwt|tr|niS)Nrrr =rro) rr2countsplitrbase64urlsafe_b64decoder6rrdecoderrG)rrrXclaimss rI_decode_jwt_claimsrs eS ! !U[[%5%5%:%: kk#q!G sq3w<'>??CJJw//00  -- 56625s+AB:: C C  raw_scopeset[str]ct}t|trW|ddD]-}|}|r||.ndt|ttttfr<|D]9}t|tr"| t|:|S)N,r+) setrr2rrraddrr? frozensetr _scope_values)rscopespartritems rIrrsuuF)S!!3%%c3//5577 $ $DjjllG $ 7### $ IeS)< = =3 3 3D$$$ 3 mD11222 MrHr: expires_atmin_ttl_secondsr:rrct|}|sdSt|t|dzt|dz}t|vrdS|d}t dt |}t |t tfr+t|tj|zkrdSdSt||rd SdS) zDReturn None when the token can be used for inference, else a reason.access_token_not_jwtr:scpmissing_inference_invoke_scopeexprinvoke_jwt_expiringN%invoke_jwt_expiry_unknown_or_expiring) rrr3NOUS_INFERENCE_INVOKE_SCOPErrrrrr)rr:rrrrrskews rI_nous_invoke_jwt_statusrs  & &F &%%e  7++ , , -  5)) * * + #&00// **U  C q#o&& ' 'D#U|$$ ::$)++, - -((tJ%%766 4rHc,t||||duS)Nr)r)rr:rrs rI_nous_invoke_jwt_is_usablers1 !+      rHrrc||dn|}t||d|d}|dStd|dd|d ) Nrr:rr:r8Nous Portal access token is not a usable inference JWT (z-). Re-authenticate with: hermes auth add nousrJTrB)r3rrA)r;rrreasons rI!_assert_nous_inference_jwt_usablers *6)=EIIn % % %B B B) obtained_atrc |d}t|tr|sdSt jt j}|d}|r|}nY|d|kr,t|tr|r|}n|}t||d}t|}|1tdt|tj z n!t|d}|r ||d<||d<||d<d|d<||d<||d <d |d <||d<dS) Nragent_key_obtained_at agent_keyrrr agent_key_idagent_key_expires_atagent_key_expires_inFagent_key_reused)r3rr2rrrrrrrrrrrr) r;rrrexisting_obtained_ateffective_obtained_atrrrs rI#_set_nous_agent_key_from_invoke_jwtr?s 99^,,L lC ( ( 0B0B0D0D ,x| $ $C 99%<== 0 + +,.. +S 1 1 / & & ( ( /!5 # %lEIIl4K4KLLJ(44M  $ As=49;;.//000 d|DS)Nc,i|]\}}|tv||Sr>)"_NOUS_EFFECTIVE_STATE_IGNORED_KEYS)rrrs rI z2_nous_effective_provider_state..~s4    C 8 8 8 U 8 8 8rH)rr;s rI_nous_effective_provider_stater}s+  ++--   rHc t|}|d}t|ttfsdSt |t jt dt|zkS)NrFr)rr3rrrrr)rrrrs rI_codex_access_token_is_expiringrsi  - -F **U  C cC< ( (u ::$)++AsrHrI_qwen_cli_auth_pathrs 9;; #5 55rHcnt}|stddd tj|d}n+#t $r}td|d|dd |d}~wwxYwt|tstd |d dd |S) NzAQwen CLI credentials not found. Run 'qwen auth qwen-oauth' first.rRqwen_auth_missingrCrDrorz)Failed to read Qwen CLI credentials from : qwen_auth_read_failedz Invalid Qwen CLI credentials in rqwen_auth_invalid) rrrArrrrrrG) auth_pathdatars rI_read_qwen_cli_tokensr s#%%I       O!$    z)--w-??@@  J J JS J J!(      dD ! !  ;y ; ; ;!$    Ks(A B)BBtokensct}|jddt|||jdt jdtj j }t j t|t j t jzt jzt jt jz} t j|dd5}|t+j|dd d z|t j|dddn #1swxYwYt5|| |r|nO#t:$rYnCwxYw# |r|ww#t:$rYwwxYwxYw|S) NTrrrrrorrrr}r)rrrrrr4rrrrrrr2rrrrrrrrrrrrrrrrr)r rrrfhs rI_save_qwen_cli_tokensrs#%%I 4$777i   ""in#[#[29;;#[#[IY#[#[\\H  H  bj 29, t|#  B  Yr3 1 1 1 "R HHTZqDAAADH I I I HHJJJ HRYY[[ ! ! ! " " " " " " " " " " " " " " " x+++    "!!!    D     "!!!! "    D  sg"G9A(E-! G-E11G4E15G (F22 F?>F?G>(G.,G>. G;8G>:G;;G>expiry_date_msc t|}n#t$rYdSwxYwtjtdt|zdz|kS)NTr)rrrr)rr expiry_mss rI_qwen_access_token_is_expiringrse'' tt IKK#a\!2!233 3t ;y HHs   4@c t|ddpd}|stddd t jt ddd d|td | }n(#t$r}td |dd |d}~wwxYw|j dkr5|j }td|rd|ndzdd  | }n(#t$r}td|dd|d}~wwxYwt|tr7t|ddpdstddd|d} t|}n#t$rd}YnwxYwt|ddpdt|d|p|t|d|ddpdpdt|d|ddpdttjdzt!d|dzzd} t#| | S)N refresh_tokenr6z@Qwen OAuth refresh token missing. Re-run 'qwen auth qwen-oauth'.rRqwen_refresh_token_missingr!application/x-www-form-urlencodedrrAccept grant_typerr9rrrzQwen OAuth refresh failed: qwen_refresh_failedz9Qwen OAuth refresh failed. Re-run 'qwen auth qwen-oauth'. Response: z*Qwen OAuth refresh returned invalid JSON: qwen_refresh_invalid_jsonrz1Qwen OAuth refresh response missing access_token.qwen_refresh_invalid_responseri`T token_typeBearer resource_urlzportal.qwen.airr )rrr#r% expiry_date)r2r3rrAr$r%QWEN_OAUTH_TOKEN_URLQWEN_OAUTH_CLIENT_IDrr&rrrrGrrrr) r rrresponserbodyrrexpires_in_seconds refresheds rI_refresh_qwen_cli_tokensr-s ?B77=2>>DDFFM   N!-    : C, .!.1 $      /# / /!&     s""}""$$ G'+3#T### 5!&     --//  > > >!,      gt $ $ C NB0O0O0USU,V,V,\,\,^,^  ?!0    \**J) __ )))()GKK;;ArBBHHJJW[[-HHYMZZ``bb'++lFJJ|X4V4VWWc[cddjjllxpxGKK >Sc8d8deeyiyzzAACC49;;-..Q8J1K1Kd1RR I)$$$ sB )A77 BBB C55 D?DDF!! F0/F0credsct5t}i}|drt|d|d<t |d|t |ddddS#1swxYwYdS)aSet active_provider to qwen-oauth in auth.json. Qwen OAuth tokens live in the Qwen CLI credential file managed by _save_qwen_cli_tokens / resolve_qwen_runtime_credentials. This function only writes a minimal provider-state entry (base_url for display) and sets active_provider so that get_active_provider() and _model_section_has_credentials() detect the provider for the setup wizard and status commands. r!rRNrr1r3r2r8rr.r:r;s rI_mark_qwen_oauth_activer2s   %%%'' " 99Z  7 #E*$5 6 6E* Zu===$$$ %%%%%%%%%%%%%%%%%%AA::A>A>F) force_refreshrefresh_if_expiringrefresh_skew_secondsr4r5r6c t}t|ddpd}t |}|s%|r#t |d|}|rFt |}t|ddpd}|stdddtj dd d pt}d||d |dttd S) Nrr6r&z?Qwen OAuth access token missing. Re-run 'qwen auth qwen-oauth'.rRqwen_access_token_missingrHERMES_QWEN_BASE_URLrrr)rCr!rNr expires_at_msr) r r2r3rrrr-rArrrDEFAULT_QWEN_BASE_URLr)r4r5r6r rshould_refreshr!s rI resolve_qwen_runtime_credentialsr=,sP # $ $Fvzz."55;<<BBDDL-((N i1i7 =8Q8QSghhI)&116::nb99?R@@FFHH   M!,    y/44::<<CCCHHaLaH M22,..//   rHcJt} td}dt||d|d|ddS#t$r*}dt|t|dcYd}~Sd}~wwxYw) NT)r5rrNr:)rrrrNr:FrrrP)rr=r2r3rA)rr.rs rIget_qwen_auth_statusr@Ls#%%I 1TJJJYii))yy++"YY77        YXX         sAA.. B"8BB"B"ct5t}i}|drt|d|d<t |d|t |ddddS#1swxYwYdS)aSet active_provider to google-gemini-cli in auth.json. The actual OAuth tokens live in the Google credential file managed by agent.google_oauth. This function only writes a minimal provider-state entry (email for display) and sets active_provider so that get_active_provider() and _model_section_has_credentials() detect the provider for the setup wizard and status commands. emailrSNr0r1s rI_mark_google_gemini_cli_activerCks   %%%'' " 99W   1 w00E'NZ)Return a status dict for `hermes auth list` / `hermes status`.r)rGrIFzagent.google_oauth unavailable)rrPNz not logged inr?TrK)rrrrNr:rBrL) rMrGrIrrr2rOrBrL)rGrIrr.s rIget_gemini_oauth_auth_statusrRsOJJJJJJJJJ OOO"-MNNNNNO!!##I    E }E.}Y$   ^^ %)&  s   List[str]c|pt}d|D}t}g}|D]0}||vr*||||1|S)Ncg|]}||Sr>r>)rrs rIr)z'_spotify_scope_list..s : : :tT :d : : :rH)DEFAULT_SPOTIFY_SCOPErrrrr.)r scope_textrseenorderedr:s rI_spotify_scope_listrZs44;;==J : :z//11 : : :FUUDG""    HHUOOO NN5 ! ! ! NrHcFdt|S)Nr+)rTrZ)rs rI_spotify_scope_stringr\s 88' 22 3 33rHexplicitcddlm}||d|dt|tr|dndf}|D]+}t |pd}|r|cS,tddd ) NrrHERMES_SPOTIFY_CLIENT_IDSPOTIFY_CLIENT_IDr9r6zPSpotify client_id is required. Set HERMES_SPOTIFY_CLIENT_ID or pass --client-id.r,spotify_client_id_missingr)rrrrGr3r2rrAr]r;r candidates candidaters rI_spotify_client_idres0/////  011 )**",UD"9"9C +t J   io2&&,,..  NNN  Z (   rHcddlm}||d|dt|tr|dndt f}|D]+}t |pd}|r|cS,t S)NrrHERMES_SPOTIFY_REDIRECT_URISPOTIFY_REDIRECT_URI redirect_urir6)rrrrGr3DEFAULT_SPOTIFY_REDIRECT_URIr2rrbs rI_spotify_redirect_urirks0/////  344 ,--%/t%<%<F .!!!$$ J  io2&&,,..  NNN  ''rHcddlm}|dt|tr|dndt f}|D]>}t |pdd}|r|cS?t S)NrrHERMES_SPOTIFY_API_BASE_URL api_base_urlr6r) rrrrGr3DEFAULT_SPOTIFY_API_BASE_URLr2rrr;rrcrdrs rI_spotify_api_base_urlrqs//////  344%/t%<%<F .!!!$$J   io2&&,,..55c::  NNN  ''rHcddlm}|dt|tr|dndt f}|D]>}t |pdd}|r|cS?t S)Nrr HERMES_SPOTIFY_ACCOUNTS_BASE_URLaccounts_base_urlr6r) rrrrGr3!DEFAULT_SPOTIFY_ACCOUNTS_BASE_URLr2rrrps rI_spotify_accounts_base_urlrv s//////  899*4UD*A*AK %&&&t)J   io2&&,,..55c::  NNN  ,,rH@lengthctjtj|d}|dddSNasciirrurlsafe_b64encoderurandomrrrxrXs rI_spotify_code_verifierr C  "2:f#5#5 6 6 = =g F FC ::c??4C4  rH code_verifierctj|d}t j|ddSNror{rr4r5r6digestrr~rrrrs rI_spotify_code_challenger X ^M0099 : : A A C CF  #F + + 2 27 ; ; B B3 G GGrHctjtj|d}|dddSrzr}rs rI_oauth_pkce_code_verifierr% rrHctj|d}t j|ddSrrrs rI_oauth_pkce_code_challenger* rrHr9ricode_challengertc >t|d|||d|d}|d|S)NrDS256)r9 response_typerir:r;code_challenge_methodrz /authorize?)r)r9rir:r;rrtquerys rI_spotify_build_authorize_urlr/ sH $!'(  E 3 3E 3 33rHtuple[str, int, str]ct|}|jdkrtddd|jpd}|dvrtddd|jstd dd||j|jpd fS) NhttpzHSpotify PKCE redirect_uri must use http://localhost or http://127.0.0.1.r,spotify_redirect_invalidrr6> localhostr)z?Spotify PKCE redirect_uri must point to localhost or 127.0.0.1.zBSpotify PKCE redirect_uri must include an explicit localhost port.r)rrrArportrrirhosts rI_spotify_validate_redirect_urirD s l # #F } V+    ? bD --- M+    ;  P+    fk0S 00rH expected_path3tuple[type[BaseHTTPRequestHandler], dict[str, Any]]cHdddddGfddt}|fS)NrDr;rPerror_descriptionc&eZdZd fd Zd dZd S) ?_make_spotify_callback_handler.._SpotifyCallbackHandlerrrHct|j}|jkrE|d||jddSt |j}|ddgdd<|ddgdd<|ddgdd<|ddgdd<|d| d d |drd }nd }|j| d dS)N Not found.rDrr;rPrr rtext/html; charset=utf-8zW

Spotify authorization failed.

You can close this tab.zY

Spotify authorization received.

You can close this tab.ro) rr send_response end_headerswfilerrrr3 send_headerr6)rMrparamsr*rresults rIdo_GETzF_make_spotify_callback_handler.._SpotifyCallbackHandler.do_GETe sidi((F{m++""3'''  """   ///fl++F#ZZ77:F6N$jj4&99!rMrrs rI log_messagezK_make_spotify_callback_handler.._SpotifyCallbackHandler.log_message|  FrHNrrHrr2rr rrH)rBrCrDrr)rrsrI_SpotifyCallbackHandlerrd sL 3 3 3 3 3 3 3.      rHr)r )rrrs` @rI_make_spotify_callback_handlerr\ sc! F"86 #F **rHf@rdict[str, Any]c t|\}}}t|\}}Gddt} |||f|}n.#t$r!} t d|d|d| dd| d} ~ wwxYwt j|jd d id } | tj td |z} tj | kr{|ds|dr@|| | | dStjd tj | k{| | | dnC#| | | dwxYwt ddd)NceZdZdZdS)4_spotify_wait_for_callback.._ReuseHTTPServerTN)rBrCrDallow_reuse_addressr>rHrI_ReuseHTTPServerr s"rHrz*Could not bind Spotify callback server on :rr,spotify_callback_bind_failedr poll_interval皙?TrGkwargsdaemon@rDrPrrz?Spotify authorization timed out waiting for the local callback.spotify_callback_timeout)rrr rrA threadingThread serve_foreverstartrrrshutdown server_closerTr) rirrrr handler_clsrrserverrthreadrs rI_spotify_wait_for_callbackr sD 6lCCD$8>>K#####:###!!4, <<  M M M M M M M/      V%9?TWBXae f f fF LLNNN~#c?";";;H!n))f~    C     JsOOOn))  C       C     I '   s*A A4A//A4(F5+FAGct|}|jdkrtddd|jpd}|tkrtddd|jstddd||j|jpd fS) Nrz1xAI OAuth redirect_uri must use http://127.0.0.1.rQxai_redirect_invalidrr6z/xAI OAuth redirect_uri must point to 127.0.0.1.z?xAI OAuth redirect_uri must include an explicit localhost port.r)rrrArXAI_OAUTH_REDIRECT_HOSTrrrs rI#_xai_validate_loopback_redirect_urir s l # #F } ? '    ? bD &&& = '    ;  M '    fk0S 00rHorigincddh}||vr|ndS)Nzhttps://accounts.x.air(r6r>)ralloweds rI_xai_callback_cors_originr s' Gw&&66B.rHcrdddddtjGfddt}|fS)Nrc8eZdZd dZd dZd fd Zd d Zd S)7_make_xai_callback_handler.._XAICallbackHandlerrrHc<|jd}t|}|rp|d||dd|dd|dd|d ddSdS) NOriginzAccess-Control-Allow-OriginzAccess-Control-Allow-Methodsz GET, OPTIONSzAccess-Control-Allow-Headersrz$Access-Control-Allow-Private-NetworkrwVary)rr3rr)rMr allow_origins rI_maybe_write_cors_headerszQ_make_xai_callback_handler.._XAICallbackHandler._maybe_write_cors_headers s\%%h//F4V< MMM  !?PPP  !?PPP  !GPPP  22222  3 3rHc|d||dS)N)rrr)rMs rI do_OPTIONSzB_make_xai_callback_handler.._XAICallbackHandler.do_OPTIONS s@   s # # #  * * , , ,        rHc t|j}|jkrE|d||jddSt |j}|ddgd|ddgd|ddgd|ddgdd} t d |j|ddu|ddu|ddu|j d pd dd |dr2t d |d|dpd ddn#t$rYnwxYw|d|d|d| |dd|d}|j|ddS5dsds|dddn #1swxYwY|d| |dd||drd}nd}|j|ddS)NrrrDrr;rPrrzSxAI loopback callback received: path=%s has_code=%s has_state=%s has_error=%s ua=%sz User-Agentr6Pz;xAI loopback callback carries error=%s error_description=%sr rrrz

xAI authorization not received.

No authorization code was present in this callback URL. Return to the terminal and re-run hermes auth add xai-oauth to retry.

rozS

xAI authorization failed.

You can close this tab.zU

xAI authorization received.

You can close this tab.)rrrrrrrrr3rr9rrrrr6r)rMrrincomingr*rr result_locks rIrz>_make_xai_callback_handler.._XAICallbackHandler.do_GET sedi((F{m++""3'''  """   ///fl++F 6D62215GdV44Q7GdV44Q7%+ZZ0CdV%L%LQ%O H  KV$D0W%T1W%T1\%%l339r3B3?G$KKU )!"56<"dsdC     'HW,=,E""3'''..000  1KLLL  """%   W!5!5666 , ,v,&/,MM(+++ , , , , , , , , , , , , , , ,   s # # #  * * , , ,   ^-G H H H        oln J  T[[11 2 2 2 2 2s%.BF FF-&II#&I#rr2rr cdSrJr>rs rIrzC_make_xai_callback_handler.._XAICallbackHandler.log_message8 rrHNrr)rBrCrDrrrr)rrrsrI_XAICallbackHandlerr s 3 3 3 3     Q 3Q 3Q 3Q 3Q 3Q 3Q 3Q 3f      rHr)rLockr )rrrrs` @@rI_make_xai_callback_handlerr s! F .""Kddddddddd4dddL  &&rHpreferred_port8tuple[HTTPServer, threading.Thread, dict[str, Any], str]ct}t}t|\}}Gddt}|g}|dkr|dd}d}|D]+} ||| f|}n#t $r } | }Yd} ~ $d} ~ wwxYw|t d|d|d|dd |t|jd } d |d| |} tj |j d d id} | || || fS)NceZdZdZdZdS)4_xai_start_callback_server.._ReuseHTTPServerTN)rBrCrDrdaemon_threadsr>rHrIrrE s"rHrrz&Could not bind xAI callback server on rrrQxai_callback_bind_failedrr http://rrTr) rXAI_OAUTH_REDIRECT_PATHrr r.rrArserver_addressrrrr)rrrrrr ports_to_tryr last_errorrr actual_portrirs rI_xai_start_callback_serverr> s #D+M4]CCK.##LA F$(J %%tTlK@@F E   JJJJJJ  ~ ZT Z ZN Z Zj Z Z +      f+A.//K@T@@K@@@L  #%F  LLNNN 66< //sA++ B5A<<Brmanual_paste_redirect_urirr rthreading.Threadrrctjtd|z}|rJtjr,t t dt d tj|kr|ds|dr@|||| dS|rxt}|rh| rTt|}d|d <|||| dStj d tj|k||| dnC#||| dwxYwtd td||ddu|ddut!d d d)Nrz6If xAI shows a Grok Build code instead of redirecting,z%paste that code here and press Enter.rDrPrrT _manual_pasterz`xAI loopback wait timed out after %.0fs with no usable callback (result.code=%s result.error=%s)z;xAI authorization timed out waiting for the local callback.rQxai_callback_timeoutr)rrrsysstdinisattyprintrrrT_read_ready_stdin_liner_parse_pasted_callbackrrr9rA)rrrrrr raw_pastepasteds rI_xai_wait_for_callbackr f sV~#c?";";;H 7SY%5%5%7%77  FGGG 5666!n))f~    C     ) "244 "!2!2"3I>>F.2F?+!  C     JsOOOn))  C       C      KK + C!!vd"wt#  E #   s2(F=;F=+F==AG=c tjsdSddl}|tjgggd\}}}|sdStjS#t $rYdSwxYw)zHReturn one pending stdin line without blocking, if the terminal has one.Nr)rrrselectreadliner)rready_s rIr r  s y!! 4 mmSYKR;; q! 4y!!### ttsA/-A/A// A=<A=)previous_state token_payloadrequested_scopernrcttjtj}t |dd}tj||ztj} t|pi} | |||||t|dp| t|ddpd pdt|ddpd t|d p| d pd | | |d d | S) Nrrrr:r#r$rr6r oauth_pkce) r9rirtrnr: granted_scoper#rrrrrr5) rrrrrr3rrrGrr2rr) rr9rirrtrnrrrrr;s rI_spotify_token_payload_to_stater s ,x| $ $C$]%6%6|Q%G%GHHJ' *(DVVVJ %2 & &E LL$.$ ]..w77J?KKQQSS-++L(CCOxPPVVXXd\dM--nbAAGRHHNNPP   o . . yy))    %''}} **,, !#& LrHrDc  tj|dddi|d|||d|}n(#t$r}td|dd |d}~wwxYw|jd kr5|j}td |rd |ndzdd |} t| tr7t| ddpdstddd | S)N /api/tokenrrauthorization_code)r9rrDrirrzSpotify token exchange failed: r,spotify_token_exchange_failedrrzSpotify token exchange failed.r r6rz7Spotify token response did not include an access_token.spotify_token_exchange_invalid) r$r%rrAr&rrrrrGr2r3) r9rDrirrtrr)rdetailrs rI!_spotify_exchange_code_for_tokensr  su: , , ,#%HI&2 ,!. $      3c 3 30     s""$$&& ,)/7%V%%%R 90     mmooG gt $ $ C NB0O0O0USU,V,V,\,\,^,^  E1    Ns#& A AA c t|ddpd}|stddddt |}t |} t j|d d d id||d | }n(#t$r}td|dd|d}~wwxYw|j dkr6|j }td|rd|ndzddd| }t|tr7t|ddpdstddddt||t|t|dpt |t#||S)Nrr6z?Spotify refresh token missing. Run `hermes auth spotify` again.r,spotify_refresh_token_missingTrBrrrrrrzSpotify token refresh failed: spotify_refresh_failedrrz>Spotify token refresh failed. Run `hermes auth spotify` again.r rz9Spotify refresh response did not include an access_token.spotify_refresh_invalidr:)r9rirrtrnr)r2r3rrArervr$r%rr&rrrrGrrkrVrq) r;rrr9rtr)rrrs rI_refresh_spotify_oauth_stater% sB  /266<"==CCEEM   M0!     #///I2599: , , ,#%HI-!.& $      2S 2 2)     s""$$&& L)/7%V%%%R 9)!     mmooG gt $ $ C NB0O0O0USU,V,V,\,\,^,^  G*!      +*777EIIg..G2GHH+*511   s-!B B4B//B4ct5t}t|d}|stddddt |}|s%|r#t |d|}|r1t|}t|d|dt|dddn #1swxYwYt|d d pd  }|std dd dd||t|d dpdt|t|dp|dpd  t|t||dt|dd pd  d S)Nr,z>Spotify is not authenticated. Run `hermes auth spotify` first.spotify_auth_missingTrBrFr rr6z>Spotify access token missing. Run `hermes auth spotify` again.spotify_access_token_missingr#r$rr:rr) rCrrNr#r!r:r9rirr)rr1r2rArrr3r%rrr2rrqrerk)r4r5r6r:r;r<rs rI#resolve_spotify_runtime_credentialsr)6 sK   ))%'' $Z;; P"+!%  m,, Y"5 Y)%))L*A*ACWXXN  )077E !*i5 Q Q Q Q Z ( ( (#)))))))))))))))&uyy44:;;AACCL   L/!     $%))L(;;GxHH)%00UYY//K599W3E3EKLLRRTT'e444-E:::ii --UYY;;ArBBHHJJ   sBB88B<?B<c td}|sddiS|d}t|ddpd}t |pt |d |dd |d |d |d p|d ||dt |dS)Nr,rFrrr6rr5rr9rirr:rn)rr5r9rir:rrnhas_refresh_token)r:r3r2rrr)r;rrs rIget_spotify_auth_statusr,f s #I . .E $U##<((J /266<"==CCEEM-J|J/J/J+JKKYY{L99YY{++ .11?++Auyy/A/A  .11!-00   rHredirect_uri_hintcddlm}ttdtdtdttdtdtdttdtttd td td td td tdtd|tdtdtdtdtt s+ t jtn#t$rYnwxYw td }n2#ttf$rttdwxYw|s5ttdtdtd|d||r|tkr |d|ttdt|S)zWalk the user through creating a Spotify developer app, persist the resulting client_id to ~/.hermes/.env, and return it. Raises SystemExit if the user aborts or submits an empty value. r)save_env_valuezF======================================================================zSpotify first-time setupz=Spotify requires every user to register their own lightweightz>developer app. This takes about two minutes and only has to bezdone once per machine.z Full guide: zSteps:z 1. Opening z in your browser...z$ 2. Click 'Create app' and fill in:z1 App name: anything (e.g. hermes-agent)z Description: anythingz Redirect URI: z API/SDK: Web APIz$ 3. Agree to the terms, click Save.z9 4. Open the app's Settings page and copy the Client ID.z 5. Paste it below.zSpotify Client ID: zSpotify setup cancelled.zNo Client ID entered. See z for the full guide.z)Spotify setup cancelled: empty Client ID.r_rgz0Saved HERMES_SPOTIFY_CLIENT_ID to ~/.hermes/.env)rr/rSPOTIFY_DOCS_URLSPOTIFY_DASHBOARD_URL_is_remote_session webbrowserrrinputrEOFErrorKeyboardInterrupt SystemExitrj)r-r/rXs rI_spotify_interactive_setupr8y s 100000 GGG (OOO $%%% (OOO GGG IJJJ JKKK "### GGG +) + +,,, GGG (OOO D/ D D DEEE 0111 =>>> )*** 5"3 5 5666 ())) 0111 EFFF !!! GGG     O1 2 2 2 2    D 5)**0022 ' (555 34445 F  Q+;QQQRRRDEEEN-s333I.2NNN46GHHH GGG <=== GGG Js/F FF!F<JJ    3 # #'B B B .%dNDAAaEa    )~t)L)Ln]]L !'$">">"].BTBTU\B]B] ^ ^E2>BB(88Lt\5999L*,,M,];;N*,,"K0!%+ M *+++ # # #$$$ )< ) )*** UVVV GGG ./// - GGG 1/ 1 1222 GGG\4DEEEER.00R5P5R5RR _]33FF   FFF   R = > > > > P Q Q Q)gdIt<<EFFH||GD122Ghw6GB&BBCCC||G ++HIII5 f%%+ , ,!#+gdIt<<DEE M4!+! M   00%'' j)]uUUUU#J//000000000000000  %&&& %8 % %&&& :;;; '% ' '(((((s85 B> 44  5rH> www-browserw3mlynxlinksbrowshelinkslinks2_CONSOLE_BROWSER_NAMEScddl}dd}tjdd }|r ||rd Stjd rQttjd ptjd }|s|sd S |}n#t$rYd SwxYwt|dd pt|dd pd }|r ||rd SdS)uReturn True only when a *graphical* browser is likely to open. ``webbrowser.open()`` resolves to whatever the platform offers, and on a headless / CLI-only Linux box with no GUI browser installed that is often a text-mode browser (w3m/lynx/links) which launches inside the terminal and takes over the user's session. This guard distinguishes "a real windowed browser will pop up" from "a console browser will hijack the TTY", so callers can fall back to printing the URL instead. Heuristics: * Respect ``$BROWSER`` — if it names a known console browser, refuse. * On Linux, require a display server (``$DISPLAY`` / ``$WAYLAND_DISPLAY``) unless ``$BROWSER`` points at something graphical; no display server almost always means no GUI browser. * Ask ``webbrowser.get()`` what it resolved to and refuse when the underlying command is a known console browser. * macOS and Windows always have a usable default GUI browser. rNrr2rrc|r,|dnd}tj|}|t vS)Nrr6)rrrrbasenamerr[)rrbases rI_names_console_browserz;_can_open_graphical_browser.._names_console_browser_ s_,1KKMMA ##%%a((rw&&,,..---rHBROWSERr6FlinuxDISPLAYWAYLAND_DISPLAYr4r^T)rr2rr) r3rrr3rplatformrrrr) _webbrowserr` browser_env has_display controllerrds rIr@r@J sN&%$$$.... *..B//K--k::u |w'' JNN9 % % J8I)J)J   ; 5 __&& uu  FB''  :z2 . .   ++I66u 4s)B>> C  C rXrGc|}ddddd}|s|Sd}|dr- t|}n#t$r|cYSwxYw|jpd}n.|dr |dd}nd|vr|}n||d<|St |d }dD]$}||}|r |d ||<%|S) uParse a pasted callback URL / query string into the loopback shape. Accepts any of: * full URL: ``http://127.0.0.1:56121/callback?code=abc&state=xyz`` * bare query string: ``?code=abc&state=xyz`` or ``code=abc&state=xyz`` * bare code (no state, only used when the upstream omits state): ``abc-the-code-value`` Returns ``{"code", "state", "error", "error_description"}`` with missing keys set to ``None`` so the loopback callsites can keep using the same validation path (state check, error check, etc.) they already use for the HTTP server output. Regression for #26923 — formalises the curl-the-callback-URL workaround the reporter used while waiting for upstream support. Nrr6)rzhttps://?r rrDF)keep_blank_valuesr)rrrrrrr3)rXstrippedrrrrrvaluess rIr r  s*"yy{{H! F  E233 h''FF   MMM  "   S ! !  "v eu 5 5 5F>$$C  $ )F3K MsA AActtdtdtd|tdtdtdtdtdtd td td  td }n#ttf$rd }YnwxYwt |S)aJRead a callback URL from stdin as a fallback for browser-only remotes. Used when ``--manual-paste`` is set or when the loopback listener cannot bind. Returns the parsed callback dict (same shape as the HTTP handler output) so the existing state / error validation in the caller works unchanged. See #26923. u─── Manual callback paste ─────────────────────────────────────z>After approving in your browser, your browser will try to load z=which fails (the loopback listener is on this remote machine,u<not on your laptop) — that is expected. Copy the FULL URLz=from your browser's address bar of that failed page and pastezUSERLOGNAMEz@)socket gethostnamerrr)_socketrrs rI_ssh_user_at_hostry s !    &&((9M !!! ! 9V   @ ) 4 4 @D  X  s  ,,r;r< str | Nonec tsdS t|}n#t$rYdSwxYw|jpd}|j}|dvs|sdSd}t t |t dt |t d|t dt dt t d |d |d t t t d t t d t dt d|rt d|t dtt |t dS)aPrint an SSH tunnel hint when running a loopback-redirect OAuth flow on a remote host. The auth server (xAI, Spotify, ...) will redirect the user's browser to ``127.0.0.1:/callback``. If the browser is on a different machine than the loopback listener (the usual SSH case), the redirect can't reach the listener without a local port forward. The hint is best-effort: silent if we don't think we're remote, or if we can't parse a host/port out of the redirect URI. Pass ``docs_url`` for a provider-specific guide (e.g. the xAI Grok OAuth page); the generic OAuth-over-SSH guide is always shown after it. Nr6>::1rr)z<------------------------------------------------------------u/Remote session detected — SSH tunnel requiredz,Hermes is waiting for the OAuth callback on z>+ , ,D dD ! !hh~&&G gt $ $ G+T22H+//??G4,,%&&  8$$ ] " "!%   + + + "&@EIIn55@""   "' !   ,n  3%2E/ "  1$0E. !#m"&#' %)!"&*"#'+#$$?,,rHr"c|Dtjtjdd}t 5t}t|dpi}t| dtr| dnd}||d<||d<d|d<|rEt| r$t| |d <t|d|t|||| t!|ddddS#1swxYwYdS) zCSave Codex OAuth tokens to Hermes auth store (~/.hermes/auth.json).NrrrLr rchatgpt auth_moder")r)rrrrrrrr1r2rr3rGr2rr8rr)r rr"r:r;rs rI_save_codex_tokensr s|HL11;;==EEhPSTT   %%%'' $Z@@FB Refresh Codex OAuth tokens without mutating Hermes auth state.rrLrTrBrrrrrrrrrrrNirz2Codex provider quota exhausted (429); retry after zs. Credentials are still valid.zfCodex provider quota exhausted (429). Credentials are still valid; retry after the usage limit resets.Fr codex_refresh_failedz'Codex token refresh failed with status rrPrDtyperFzCodex token refresh failed: r> invalid_grant invalid_tokeninvalid_requestrefresh_token_reusedzCodex refresh token was already consumed by another client (e.g. Codex CLI or VS Code extension). Run `codex` in your terminal to generate fresh tokens, then run `hermes auth` to re-authenticate.>z*Codex token refresh returned invalid JSON.codex_refresh_invalid_jsonrz6Codex token refresh response was missing access_token."codex_refresh_missing_access_tokenrr)rrr)rr2rrAr$TimeoutrrClientr%CODEX_OAUTH_TOKEN_URLCODEX_OAUTH_CLIENT_IDr&rZrrRrrGr3rrrrrrr)rrrrclientr) retry_afterrFrDrEerrerr_obj nested_code nested_msgerr_descrefresh_payloadrrefreshed_accessupdated next_refreshs rIrefresh_codex_oauth_purer s<  mS ) ) 1D1D1F1F  X#3!     mCU?%;%;<<==G g:L/M N N N  RX;; !#%HI-!.2                  s"" 19d1S1STT  "/[/// G 6  #("     s""%SH:: & , , 4D4J4J4L4L  D#5!     )..00&,,.. X\22<<>>FFxQTUUG #&&77L,$$8););)=)=8#/#5#5#7#7 Ns=)B::B>B>-F8K&& K32K3'L<< MMMc tt|ddpdt|ddpd|}t|}|d|d<|d|d<t ||S)zzRefresh Codex access token using the refresh token. Saves the new tokens to Hermes auth store automatically. rr6rr)rr2r3rGr)r rr,updated_tokenss rI_refresh_codex_auth_tokensrGs) FJJ~r * * 0b11 FJJ + + 1r22'I &\\N%.~%>N>"&/&@N?#~&&& rHctjdd}|s#tt jdz }t |dz }|sdS tj | }| d}t|tsdS| d}| d}|r|sdSt|d rtd |dSt|S#t"$rYdSwxYw) zTry to read tokens from ~/.codex/auth.json (Codex CLI shared file). Returns tokens dict if valid and not expired, None otherwise. Does NOT write to the shared file. CODEX_HOMEr6z.codexrNr rrru7Codex CLI tokens at %s are expired — skipping import.)rrrr2r r expanduseris_filerrrr3rrGrrr'r) codex_homerrr rrs rI_import_codex_cli_tokensr\sZ <,,2244J 1x/00 Z  ++-- ;I     t*Y002233X&&&$'' 4zz.11  ?33  = 4 +< ; ;  LLI9   4F|| tts%AE.E +E7E EEc t}nk#t$r^t}|rLtjdddpt}d||ddddcYSwxYwt|d }t| d dpd}ttjd d }t|} | s|rt||} | rtttt |d z5td}t|d }t| d dpd}t|} | s|rt||} | rGt#||}t| d dpd}dddn #1swxYwYtjdddpt}d||d| dddS)uResolve runtime credentials from Hermes's own Codex token store. Falls back to the credential pool when the singleton (``providers.openai-codex.tokens``) has no usable access_token but the pool (``credential_pool.openai-codex``) does. This closes the divergence between the chat path (singleton-only via this function) and the auxiliary path (pool-first via ``_read_codex_access_token``). Without this fallback, a user whose tokens live only in the pool — for example after a manual pool seed, a partial re-auth, or pool-only restoration from a backup — gets a bare HTTP 401 ``Missing Authentication header`` from the wire instead of a usable credential. See issue #32992. HERMES_CODEX_BASE_URLr6rrLrNrrCr!rNrrrr r$HERMES_CODEX_REFRESH_TIMEOUT_SECONDS20rrFrhermes-auth-storer)rrA_pool_codex_access_tokenrrrrDEFAULT_CODEX_BASE_URLrGr2r3rrrrrAUTH_LOCK_TIMEOUT_SECONDSr) r4r5r6r pool_tokenr!r rrefresh_timeout_secondsr<s rI!resolve_codex_runtime_credentialsr~s"!## -//   1266<<>>EEcJJ*)  +$%+ $&     "$x. ! !Fvzz."55;<<BBDDL#BI.TVZ$[$[\\-((N ] 3]8G[\\ Q c%8Q2R2RTknqTq.r.r s s s Q Q%E222D$x.))Fvzz."==CDDJJLLL!-00N" e(; e!@Oc!d!d Q3F._entry_usableseT** uIIn--EeS))  uyy!677H(S%L11 h6L6Lu4rHrz!Codex pool fallback lookup failedT)exc_info)rr<rr) rr1r3rrGrr2rrrr')r:rr%rrs rIrrs|I    , ,)++J , , , , , , , , , , , , , , ,~~/00$%% 2((>**'4(( 2     B BE}U## B599^R8899??AAAAA B B III 84 HHHHHI 2s?C+ C/C/-C"*CA CC&DDc|r5t5t}dddn #1swxYwYnt}t|d}|stdddd|d}t |t stddddt|d d pd }t|d d pd }|std dd d|stdddd||d|dpi|ddS)NrQz`No xAI OAuth credentials stored. Select xAI Grok OAuth (SuperGrok / Premium+) in `hermes model`.xai_auth_missingTrBr zGxAI OAuth state is missing tokens. Re-authenticate with `hermes model`.xai_auth_invalid_shaperr6rzMxAI OAuth state is missing access_token. Re-authenticate with `hermes model`.xai_auth_missing_access_tokenzNxAI OAuth state is missing refresh_token. Re-authenticate with `hermes model`.xai_auth_missing_refresh_tokenr discoveryri)r rrrirrs rI_read_xai_oauth_tokensrs (    , ,)++J , , , , , , , , , , , , , , ,&'' [ 9 9E   n #!     YYx F fd # #  U )!     vzz."55;<<BBDDL ?B77=2>>DDFFM   [ 0!       \ 1!      .11YY{++1r .11   rrrirrc|Dtjtjdd}t 5t}t|dpi}||d<||d<d|d<|r||d<|r||d <t|d|t|ddddS#1swxYwYdS) NrrrQr rrrrri) rrrrrrrr1r2r8r)r rrirr:r;s rI_save_xai_oauth_tokensr!s(|HL11;;==EEhPSTT    % %%'' $Z==C h ,n)k  +!*E+   1$0E. !Ze<<<$$$ % % % % % % % % % % % % % % % % % %sACCCctt|trd|vrdS |d}t|dkrdS|d}|dt| dzzz }t jt j|d d}| d }t|ttfsdSt|tj td t|zkS#t$rYdSwxYw) NrFrr rrr{rorr)rr2rrrrrrr6rr3rrrrr)rrparts payload_b64rrs rI_xai_access_token_is_expiringr8s* lC ( (C|,C,Cu ""3'' u::>>5Ah ss;///!344 *V5k6H6H6Q6QRRYYZabbcckk%  #U|,, 5SzzdikkC3|3D3D,E,EEFF uus(D)BD)'AD)) D76D7rc@t|}|jdkrtd|d|ddd|jpd}|std |d |ddd|d kr.|d std |d |ddd|S)uIRefuse any OIDC discovery endpoint that isn't HTTPS on the xAI origin. The OIDC discovery response is a long-lived, low-frequency request whose output is cached in ``~/.hermes/auth.json``. A single MITM during initial login could substitute a malicious ``token_endpoint``; that URL would then receive the refresh_token on every subsequent refresh — a permanent credential leak from a one-time MITM. Validating scheme + host pins the cached endpoint to the xAI auth origin (or a future ``*.x.ai`` subdomain if xAI migrates) so the cache poisoning loses its persistence guarantee. RFC 8414 §2 requires the issuer to be ``https://`` and SHOULD-keeps the token_endpoint on the same origin; we enforce both. ``x.ai`` is the bare apex, so we accept either exact host match or any ``.x.ai`` suffix. rz(xAI OIDC discovery returned a non-HTTPS rrrQxai_discovery_invalidrr6zxAI OIDC discovery z is missing a hostname: rc.x.aiz host z is not on the xAI origin (expected x.ai or a *.x.ai subdomain). Refusing to use a cached endpoint that may have been substituted by a MITM during initial discovery; re-authenticate with `hermes model` to re-fetch.)rrrArrr)rrrrs rI_xai_validate_oauth_endpointrJs c]]F } Hu H H H H H (    O !r ( ( * *D   I% I I I I I (     v~~dmmG44~ K% K Kt K K K!(      JrHfallbackc|pdd}|s|S t|}n.#t$r!td|||cYSwxYw|jdkrtd|||S|jpd}|std|||S|dkr4| dstd ||||S|S) uRefuse a non-xAI base_url for the OAuth-authenticated inference path. The xAI Grok OAuth bearer is a high-value, long-lived credential tied to the user's SuperGrok subscription. ``XAI_BASE_URL`` / ``HERMES_XAI_BASE_URL`` let users repoint the inference endpoint (handy for staging or a local proxy), but the env override is also a credential-leak vector: a tampered ``.env`` or hostile shell init that sets ``XAI_BASE_URL=https://attacker.example/v1`` would ship the OAuth access token to a third party on every request, silently. Pin the inference origin to ``api.x.ai`` (or any ``*.x.ai`` subdomain xAI may add). On rejection, fall back to the default and log a warning rather than raise — a bad env var should not deadlock authentication, but it should also never leak the bearer. ``value`` is the already-stripped, trailing-slash-trimmed candidate from env. Empty input returns ``fallback`` unchanged. r6rz>Ignoring malformed xAI base_url override %r; using %s instead.rznRefusing non-HTTPS xAI base_url override %r (xai-oauth bearer would be sent in cleartext); falling back to %s.zEIgnoring xAI base_url override %r with no hostname; using %s instead.rcruRefusing xAI base_url override %r — host %r is not on the xAI origin (expected x.ai or a *.x.ai subdomain). The xai-oauth bearer is only valid against xAI's inference API; sending it elsewhere would leak the credential. Falling back to %s.) rrrrrrrrrr)rrrdrrs rI _xai_validate_inference_base_urlrssQ&"##%%,,S11I )$$  L x     } 9 x    O !r ( ( * *D  S x    v~~dmmG44~ 2 tX     s?(A*)A*c tjtddi|}n(#t$r}t d|dd|d}~wwxYw|jdkrt d |jd dd |}n(#t$r}t d |dd |d}~wwxYwt|tst d ddt|ddpd }t|ddpd }|r|st dddt|dt|d||dS)Nrr)rrzxAI OIDC discovery failed: rQxai_discovery_failedrr z#xAI OIDC discovery returned status rz*xAI OIDC discovery returned invalid JSON: xai_discovery_invalid_jsonz2xAI OIDC discovery response was not a JSON object.xai_discovery_incompleteauthorization_endpointr6token_endpointz;xAI OIDC discovery response was missing required endpoints.r)rr) r$r3XAI_OAUTH_DISCOVERY_URLrrAr&rrrGr2rr)rr)rrrrs rI_xai_oauth_discoveryrs 9 #12#     /# / / '      s"" I(2F I I I '    --//  > > > -      gt $ $  @ +    !-Er!J!J!PbQQWWYY%5r::@bAAGGIIN !   I +    !!7?WXXXX 7GHHHH"8(  s,! AAA0B B*B%%B*rrrc :~t|tr|stdddd|pt |d}t |dt jtdt|}t j |d d i 5}| |d d idt|d}dddn #1swxYwY|j dkrh|j}|j dkr td|rd|ndzdzdddtd|rd|ndzdd|j dv |} n(#t $r} td| dd| d} ~ wwxYwt| t"stddd dt| d!dpd} | std"dd#d| t| dp|t| d$pd| d%t| d&pd'pd't'jt*jd(d)d*} | S)+NzHxAI OAuth is missing refresh_token. Re-authenticate with `hermes model`.rQrTrBrrrrrrrrrrr9rrr rz'xAI token refresh failed with HTTP 403.r r6uP This OAuth account is not authorized for xAI API access — xAI may be restricting API/OAuth use to specific SuperGrok tiers despite the in-app subscription being active. Re-logging in won't change that; set ``XAI_API_KEY`` and switch to ``provider: xai`` (API-key path) if available, or upgrade your subscription at https://x.ai/grok.xai_oauth_tier_deniedFzxAI token refresh failed.xai_refresh_failed>rrz)xAI token refresh returned invalid JSON: xai_refresh_invalid_jsonrz1xAI token refresh response was not a JSON object.xai_refresh_invalid_responserz4xAI token refresh response was missing access_token. xai_refresh_missing_access_tokenid_tokenrr#r$rr)rrrrr#r)rr2rrArrr$rrrrr%XAI_OAUTH_CLIENT_IDr&rrrrGr3rrrrrr) rrrrendpointrrr)rrrrrs rIrefresh_xai_oauth_purers  mS ) ) 1D1D1F1F  V 1!     ##%%`)=o)N)NO_)`H !1ABBBBmCU?%;%;<<==G g:L/M N N N  RX;; #%HI-0!.                  s""$$&&  3 & &9-3;))))=EE%,!&     ')/7%V%%%R 9 %&2j@     --//  = = = +      gt $ $  ? /!     7;;~r::@bAAGGII   B 3!     )W[[99J]KKQQSS J//5266<<>>kk,//'++l33?x@@FFHHTH X\22<<>>FFxQTUU G Ns*?$C//C36C3.F F( F##F()ric tt|ddpdt|ddpd||}t|}|d|d<|d|d<|dr |d|d<|d |d|d<|dr |d|d<t |d|i||d  |S) Nrr6rrrrr#rrr)rr2r3rGr)r rrirr,rs rI_refresh_xai_oauth_tokensr>s!' FJJ~r * * 0b11 FJJ + + 1r22%' I &\\N%.~%>N>"&/&@N?#}}Z  ;%.z%:z"}}\"".'0'>|$}}\""?'0'>|$#^4!~.  rHc  t}t|d}t|ddpd}t t jdd}t|dpi}t|ddpd}t|ddpd} t|} | s|rt||} | rttt t|d z 5td }t|d}t|ddpd}t|dpi}t|ddpd}t|ddpd} t|} | s|rt||} | r|st|d} t||| | }t|ddpd}n=#t$r/} t!| r t#} t%| dpi} t| dpi}|dd|dd|| d<d| jpdt| ddt+jt.jd| d<t5| d| d t7| n2#t8$r%}t:d|Yd}~nd}~wwxYwd} ~ wwxYwdddn #1swxYwYt?t jdd dp9t jdd dtB}d||d|dddS)Nr rr6"HERMES_XAI_REFRESH_TIMEOUT_SECONDSrrrrirrFr)rrirrQrrruntime_refresh_failureTrCrDrFrrEatlast_auth_errorr z2xAI OAuth: failed to persist quarantined state: %sHERMES_XAI_BASE_URLrrrrrrr)"rrGr2r3rrrrrrrrrrrrA$_is_terminal_xai_oauth_refresh_errorr1r2r7rDrrrrrrrrrr'rrDEFAULT_XAI_OAUTH_BASE_URL)r4r5r6rr rrrrrir<r_q_store_q_state _q_tokens _save_excr!s rI%resolve_xai_oauth_runtime_credentialsr ]s " # #D $x. ! !Fvzz."55;<<BBDDL#BI.RTX$Y$YZZTXXk**0b11I'7<<BCCIIKKNtxx339r::@@BBL-((N [ 3[6|EYZZ0 c%8Q2R2RTknqTq.r.r s s s/ / )666D$x.))Fvzz."==CDDJJLLLTXXk228b99I /?!D!D!JKKQQSSNtxx;;ArBBHHJJL!-00N" c(; c!>|Ma!b!b% %e%9:Q%R%RSc%dN"6'5%1(? F $'vzz."'E'E'K#L#L#R#R#T#TLL ;C@@'7'9'9H';Hk'R'R'XVXH(,X\\(-C-C-Ir(J(JI%MM.$???%MM/4@@@1:HX.,7(+(H4H+.s88*C48&.l8<&@&@&J&J&L&L ;;H%672(K^cdddd,X6666("LL TV_5+/ / / / / / / / / / / / / / / b0 ',,2244;;C@@ = 9^R ( ( . . 0 0 7 7 < <+H  %00!   sc(D,P*A K!P*! P,P=C%O#"P# P-P P PPPP**P.1P.bool | ssl.SSLContextctjdkr< ddl}tj|S#t $rYnwxYwdS)a~Platform-aware default SSL verify for httpx clients. On macOS with Homebrew Python, the system OpenSSL cannot locate the system trust store and valid public certs fail verification. When certifi is importable we pin its bundle explicitly; elsewhere we defer to httpx's built-in default (certifi via its own dependency). Mirrors the weixin fix in 3a0ec1d93. darwinrNcafileT)rrecertifisslcreate_default_contextwherer)rs rI_default_verifyrs` |x  NNN-W]]__EEE E    D  4s*= A  A insecure ca_bundle auth_staterOptional[bool]rrct|tr|dni}t|tr|ni}|t|dn$t|ddd}|pP|dp;t jdp't jdpt jd}|rdS|rlt |}tj|s)t d |tStj | StS) NtlsFdefaultrrHERMES_CA_BUNDLE SSL_CERT_FILEREQUESTS_CA_BUNDLEuJCA bundle path does not exist: %s — falling back to default certificatesr)rrGr3rrrr2risfilerrrrr)rrr tls_stateeffective_insecure effective_caca_paths rI_resolve_verifyr(s\ *4J)E)EM u%%%2I' 488@ bI5=4H%0000 Y]]:u==u M M M  + == % % + 9' ( ( + 9_ % % + 9) * * u:l##w~~g&& % NN\   #$$ $)9999   rHr httpx.Clientr7c||dd|i|rd|ini}||gd}fd|D}|r%tdd|S) zFPOST to the device code endpoint. Returns device_code, user_code, etc.z/api/oauth/device/coder9r:r)r# user_codeverification_uriverification_uri_completerintervalcg|]}|v| Sr>r>)rfrs rIr)z(_request_device_code..s;;;QQd]]q]]]rHz%Device code response missing fields: z, )r%raise_for_statusrrrT)rr7r9r:r)required_fieldsmissingrs @rI_request_device_coder5s{{ 222  #(0b H  ==??DO<;;;/;;;GWU7ASASUUVVV KrHrc&tjtd|z}tdt|t}tj|kr$||dd||d}|jdkr)|} d| vrtd| S |} n1#t$r$| td wxYw| d d } | d krtj || d kr)t|dzd}tj || dpd} t| d| td)zDPoll the token endpoint until the user approves or the code expires.r /api/oauth/tokenz,urn:ietf:params:oauth:grant-type:device_code)rr9r#r+r rz+Token response did not include access_tokenz1Token endpoint returned a non-JSON error responserPr6authorization_pending slow_downrzUnknown authentication errorrz*Timed out waiting for device authorization)rrrmin%DEVICE_AUTH_POLL_INTERVAL_CAP_SECONDSr%r&rrrr2rr3rr) rr7r9r#rrrcurrent_intervalr)r error_payload error_code descriptions rI_poll_for_tokenrAs~#a"4"44H1c-1VWWXX .  X % %;; 0 0 0L&*    3 & &mmooGW,, !NOOON T$MMOOMM T T T  % % ' ' 'RSS S T#&&w33 0 0 0 J' ( ( (   $ $"#3a#7<<  J' ( ( ( #''(;<<^@^ j99K99::: C D DDs 3C.C6znous_auth.jsonctjdd}|r!t|Sddlm}|dz S)uzResolve the directory that holds the shared Nous token store. Honors ``HERMES_SHARED_AUTH_DIR`` so tests can redirect it to a tmp path without touching the real user's home. Defaults to ``/shared/``, where ```` is what :func:`hermes_constants.get_default_hermes_root` returns — so Linux/macOS classic installs land at ``~/.hermes/shared/``, native Windows installs at ``%LOCALAPPDATA%\hermes\shared\``, and Docker / custom ``HERMES_HOME`` deployments at ``/shared/``. Sits outside any named profile so all profiles under the same root share the store. HERMES_SHARED_AUTH_DIRr6rrshared)rrrr rrr)overriders rI_nous_shared_auth_dirrFSshy1266<<>>H+H~~((***888888 " " $ $x //rHcTttz }tjdrrddlm}|dz tz d} |d}n#t$r|}YnwxYw||krtd|d|S) NrrrrDFrzDRefusing to touch real user shared Nous auth store during test run: z@. Set HERMES_SHARED_AUTH_DIR to a tmp_path in your test fixture.) rFNOUS_SHARED_STORE_FILENAMErrr3rrrrr)rrreal_home_sharedrs rI_nous_shared_store_pathrJgs " "%? ?D z~~+,, <<<<<< # # % % 03M M ''    ||5|11HH   HHH  ' ' 'ZZZZ  Ks&A== B  B c#K td}n#t$rdVYdSwxYwt|t|d5dVddddS#1swxYwYdS)a Cross-profile lock for the shared Nous OAuth store. Lock ordering invariant: if both this and ``_auth_store_lock`` need to be held, acquire ``_auth_store_lock`` FIRST. All runtime refresh paths follow this order. The one exception is ``_try_import_shared_nous_state``, which holds this lock alone for the entire refresh cycle so concurrent imports on sibling profiles can't race on the single-use shared refresh token; that helper must NOT be called with ``_auth_store_lock`` already held. rNz+Timed out waiting for shared Nous auth lock)rJrrr_nous_shared_lock_holder)rrs rI_nous_shared_store_lockrMs+--99'BB    5     s!&88A$$A(+A(c4t}|sdS|d}t|tr|sdS|d}t |dpd}t |dpd}|t|pdk}||k}|s|sdSdD] }||} | dvr| ||<!dS) zACopy fresher shared OAuth tokens into a profile-local Nous state.Frrr6) rrr#r:r9r7r8rr>Nr6T)_read_shared_nous_stater3rr2rr) r;rDshared_refresh local_refreshshared_access_explocal_access_exprefresh_changedfresher_accessrrs rI_merge_shared_nous_oauth_staterWs. $ & &F uZZ00N nc * *.2F2F2H2HuIIo..M,VZZ -E-EFFM#+EIIl,C,CDDK$**,,M4GR0H0H0N0N0P0PPO&)99N >u    3  " "E#J 4rHc |d}|d}t|tr|sdSt|tr|sdSd|||dpd|dpt|dpt |d pt |d pt|d |d tj tj  d } t5t}|jddt#|||jdt)jdt-jj}t)jt|t(jt(jzt(jzt:jt:jz} t)j |dd5}|!tEj#|dd|$t)j%|&dddn #1swxYwYt)j'|| |(r|)nO#tT$rYnCwxYw# |(r|)ww#tT$rYwwxYwxYwdddn #1swxYwYtWdt|tY|dS#tZ$r&}t\/d|Yd}~dSd}~wwxYw)aoPersist a minimal copy of the Nous OAuth state to the shared store. Best-effort: any failure is swallowed after logging. The shared store is a convenience layer; the per-profile auth.json remains the source of truth. We deliberately omit the runtime ``agent_key`` compatibility field; the OAuth tokens are the cross-profile source of truth. rrNr r#r$r:r9r7r8rr) _schemarrr#r:r9r7r8rrrTrrrrrorrr nous_shared_store_written)rrefresh_token_fpz*Failed to write shared Nous auth store: %s)0r3rr2rDEFAULT_NOUS_SCOPEDEFAULT_NOUS_CLIENT_IDDEFAULT_NOUS_PORTAL_URLDEFAULT_NOUS_INFERENCE_URLrrrrrrMrJrrrrr4rrrrrrrrrrrrrrrrrrrrrrrrrqrrr') r;rrrDrtmprr rs rI_write_shared_nous_stateras"IIo..M99^,,L }c * *}/B/B/D/D |S ) )l.@.@.B.B$&ii --97##9'9YY{++E/E 99%677R;R#ii(<==[A[yy//ii --l8<00::<<  F!H $ & &  *,,D K  dT  : : : d # # #..DI!T!TBIKK!T!T$*,,BR!T!TUUCC bj(294 t|+B Yr3999*RHHTZqDIIIJJJHHJJJHRYY[[)))*************** 3%%%zz||% Dzz||% %D1               4  'T/ >>      HHH A3GGGGGGGGGHs!N7/C!M>L3(A%K L3K L3 K !L3:(L#"M># L0-M>/L00M>3M/5(MM/ M, )M/+M, ,M//M>2 N7>NN7N/N77 O'O""O'ch t}n#t$rYdSwxYw|sdS tj|}n;#t tf$r'}t d||Yd}~dSd}~wwxYwt|tsdS| d}| d}t|tr|sdSt|tr|sdS|S)uReturn the shared Nous OAuth state if present and well-formed. Returns ``None`` when the file is missing, unreadable, malformed, or lacks required fields. Callers should treat ``None`` as "no shared credentials available — fall through to device-code". Nz.Shared Nous auth store at %s is unreadable: %srr)rJrrrrrrrrr'rrGr3r2r)rrrrrs rIrPrPsI&(( tt <<>>t*T^^--.. Z  EtSQQQttttt gt $ $tKK00M;;~..L }c * *}/B/B/D/Dt |S ) )l.@.@.B.Bt Ns# &A B1BBrcD t5t} |n#t$rYnwxYwdddn #1swxYwYt d|dS#t $r&}t d|Yd}~dSd}~wwxYw)zBRemove the shared Nous OAuth store after a terminal token failure.Nnous_shared_store_clearedrz*Failed to clear shared Nous auth store: %s)rMrJrFileNotFoundErrorrrrr')rrrs rI_clear_shared_nous_staterg s H $ & &  *,,D  $                     0@@@@@@ HHH A3GGGGGGGGGHsYA/A5A AAAA A/AA/AA// B9BBrc|t|to'|jdko|jdvot |jS)z>True when retrying the same Nous refresh token cannot succeed.rJrrrrrArCrDrrErs rI_is_terminal_nous_refresh_errorrl.sJ 3 "" ' LF " ' HR R ' % & & rHc|t|to'|jdko|jdvot |jS)uTrue when retrying the same xAI OAuth refresh token cannot succeed. ``xai_refresh_failed`` covers HTTP 400/401/403 from the token endpoint (invalid_grant, token revoked, refresh_token_reused). ``xai_auth_missing_refresh_token`` means the pool entry has no refresh token at all — retrying will never work. Both carry ``relogin_required=True``; transient failures (429, 5xx) do not. rQ>rrrjrks rIrr8sJ 3 "" ' LK ' ' HP P ' % & & rHc|t|to'|jdko|jdvot |jS)uTrue when retrying the same Codex OAuth refresh token cannot succeed. ``codex_refresh_failed`` covers HTTP 400/401/403 from the token endpoint (invalid_grant, token revoked, refresh_token_reused). ``codex_auth_missing_refresh_token`` means the pool entry has no refresh token at all — retrying will never work. Both carry ``relogin_required=True``; transient failures (429, 5xx) do not. rL>rrrrrrjrks rI&_is_terminal_codex_oauth_refresh_errorroIsN 3 "" ' LN * ' H   ' % & & rHcdD]}||dd|jt||dtjt jd|d<t|tdS)zKKeep routing metadata but remove dead OAuth material so it is not replayed.) rrrrrrrrrrrNrJTrr) r7rDr2rrrrrrg!invalidate_nous_auth_status_cache)r;rPrrs rI_quarantine_nous_oauth_staterr`s     #t u:: l8<((2244   E V$$$%'''''rHc|d}t|tsdS|d}t|tsdSg}d}tdth}|D]F}t|tr|d|vrd}1||G|r||d<t d||j|S) zHRemove singleton-seeded Nous pool entries that contain dead OAuth state.rFrJzmanual:rT!nous_pool_device_code_quarantined)rr?)r3rrGrNOUS_DEVICE_CODE_SOURCEr.rrD) r:rPrrr%retainedremovedsingleton_sourcesrs rI_quarantine_nous_pool_entriesrys >>+ , ,D dD ! !uhhvG gt $ $uHG02UO'O'OG  V  /z    NrHcn tt|dzt5t}|s ddddS|d|d|dpt |dpt |dpt|d pd |d pt|d |d dddddd }d d}t||d|}t|dddn #1swxYwYn#t$rw}tdt|jt|ddt!|rt#dt$d|Yd}~dSd}~wt($rI}tdt|jt$d|Yd}~dSd}~wwxYw|S)!uAttempt to rehydrate Nous OAuth state from the shared store. Reads the shared file (if present), runs a forced refresh using the stored refresh_token to produce a fresh inference JWT scoped to this profile, and returns the full auth_state dict ready for ``persist_nous_credentials()``. Returns ``None`` when no shared state is available or the rehydrate fails for any reason (expired refresh_token, portal unreachable, etc.) — caller should then fall through to the normal device-code flow. rrNrrr9r7r8r#r$r:rrFrr rrr9r7r8r#r:rrrrr updated_stater<_reasonr2rrHc$t|dSrJ)ra)r}r~s rI_persist_shared_refreshz>_try_import_shared_nous_state.._persist_shared_refreshs(77777rHTrr4on_state_updatenous_shared_import_failedrD) error_typer?&shared_import_terminal_refresh_failurezShared Nous import failed: %s)r)r}r<r~r2rrH)rMrrrPr3r]r^r_r\refresh_nous_oauth_from_staterarArrrBrrlrgrr'r)rrDr;rr,rs rI_try_import_shared_nous_staters 2 $S39NPi5j5j k k k 0 0,..F  0 0 0 0 0 0 0 0!' > : :!'O!H--H2c0||dd|id|d}|jdkr-|}d|vrtdd d d |S |}n%#t$r}td d d |d}~wwxYwt |dd}t |dpd } |dv} | } |dksd| vsd| vrd} d } t| d || )Nr7zx-nous-refresh-tokenr)rr9rr rz%Refresh response missing access_tokenrJrTrBzRefresh token exchange failedrCrErPrrrirreusezreuse detecteduNous Portal detected refresh-token reuse and revoked this session. This usually means an external process (monitoring script, custom self-heal hook, or another Hermes install sharing ~/.hermes/auth.json) called POST /api/oauth/token with Hermes's refresh token without persisting the rotated token back. Nous refresh tokens are single-use — only Hermes may call the refresh endpoint. For health checks, use `hermes auth status` instead. Re-authenticate with: hermes auth add nous)r%r&rrArr2r3r) rr7r9rr)rr>rrDr@reloginlowereds rI_refresh_access_tokenrs{{ ,,,'7)"  Hs""--//  ( (C%+/TXZZZ ZI  III7!'$@@@EH II }  /:: ; ;Dm''(;<<_@_``KPPG!!G %%%G););?OSZ?Z?Z 9  K&tg V V VVsA// B9B  B)rverifyr8r bool | strcxtj|}tj|ddi|5}||dddd|i}d d d n #1swxYwY|jd krd |j} |}t|d p|d p|}n2#t$r%} t d| Yd } ~ nd } ~ wwxYwt|dd|} | d} t| tsgSg} | D]} t| ts| d}t|trT|r@|}d|vr| |dd}| |tt| S)z6Fetch available model IDs from the Nous inference API.rrrrrrz/modelsrr)rNr z#/models request failed with status rrPz'Could not parse error response JSON: %srJmodels_fetch_failedrrr3hermesmidr2rr?cj|}d|vrd|fSd|vrd|vrd|fSd|vrd|fSd|fS)Nopusrprosonnetr r)r)rlows rI_model_priorityz*fetch_nous_models.._model_priorityNsXiikk S==s8O C<N>N]R]^^KK G G G LLBA F F F F F F F F G f;PQQQQmmooG ;;v  D dD ! ! I " "$%%  88D>> h $ $ ")9)9 "..""C399;;&&   S ! ! !NNN'''  i(( ) ))s*3A--A14A1A C D &DD c *|d}t|tr|sdSt ||d|dt dt |S)NrFr:rrr)r3rr2rrrr)r;rrs rI_agent_key_is_usabler\s ))K C c3  syy{{u % ii  99344As?3344    rH)rrrr6c t5t}t|d}|stdddt |dp.t jdpt jdpt d}t|d pt}t||| }tt|d zt 5t!|} |d } |d} t#| tr| stdddt%|d|s<| r t'|d|t)|| cdddcdddSt#| tr| stdddt+j|r|nd} t+j| ddi|5} t1| ||| }nf#t$rY}t3|rDt5||dt7||dt'|d|t)|d}~wwxYw dddn #1swxYwYt9jt<j}tA|d}|d |d <|dp| |d<|dp|dpd|d<|dp|d|d<|!|d<||d<t9j"|#|zt<j!|d<||d<||d <|d ut#|tr|ndd!|d"<t'|d|t)|tI||d cdddcdddS#1swxYwY ddddS#1swxYwYdS)#zKResolve a refresh-aware Nous Portal access token for managed tool gateways.rJ&Hermes is not logged into Nous Portal.Trr7HERMES_PORTAL_BASE_URLNOUS_PORTAL_BASE_URLrr9rrrrr,No access token found for Nous Portal login.rNz2Session expired and no refresh token is available.r!rrrrr7r9r$managed_access_token_refresh_failurererr#r$r:rrFr{r)%rr1r2rArr3rrr^rr2r]r(rMrrrWrrr8rr$rrrrlrrryrrrrrrrrra)rrrr6r:r;r7r9r merged_sharedrrrrr,rr access_ttls rIresolve_nous_access_tokenrhs;   ^)^)%'' $Z88 8!%  uyy):;; < < 'y122 'y/00 '' &++   +..H2HII  (iTYZZZ $S39NPi5j5j k k kJ )J ):5AAM 99^44L!IIo66MlC00   B#%)   , 7 79MNN $ 1(VUCCC$Z000#J )J )J )J )J )J )J ))^)^)^)^)^)^)^)^)JmS11  H#%) m$POODQQG!#56  5%(7"+&3 !!!II !6s;; 54!#I 6&#I -ZGGG(444                 8,x|,,C,Y]]<-H-HIIJ$-n$=E. !%.]]?%C%C%T}E/ ""+-- "="="d'>HVVDE%L !VU ; ; ; Z ( ( ( $U + + +(UJ )J )J )J )J )J )J ))^)^)^)^)^)^)^)^)(J )J )J )J )J )J )J )J )J ))^)^)^)^)^)^)^)^)^)^)^)^)^)^)^)^)^)^)sC8Q1B)Q0 Q1 AQ#J,%H98J,9 J AJ J J, Q,J0 0Q3J0 4F Q? Q1Q Q1Q Q11Q58Q5r$ r#r:rrrrrrrr4rr#rrr/Optional[Callable[[Dict[str, Any], str], None]]c  |||pt|ptd|ptd|pd|pt||| | t | | dd }t | | |}tj| r| nd}tj |ddi| 5}t| d | d | d  }|s|| d}t|tr|s+|td|dd|dtdddt||d|d|}t!jt$j}t)| d}|d |d <| dp||d<| dp| dpd|d<| d p| d |d <t+| d}|r||d<||d<||d<t!j||zt$j|d <||t3|dt5|t7|dddn #1swxYwY|S) a Refresh Nous OAuth state without mutating auth.json directly. ``on_state_update`` is called after a successful access-token refresh. Callers that own persistent state can use it to save the newly rotated refresh token before later validation can fail. rr$r{r|rr!rrrrr:rrNrrO) and no refresh token is available. Re-authenticate with: hermes auth add nousrJTrBz.No refresh token is available for Nous Portal.rr7r9rrr#r8rrpost_refresh_access_token)r]r^rr_r\rr(r$rrrr3rr2rArrrrrrrrrrrGrr)rrr9r7r8r#r:rrrrrrrr4rr;rrrcurrent_invoke_jwt_statusrefresh_token_valuer,rr refreshed_urls rIrefresh_nous_oauth_purers4%&8"8+F/FNNsSS1O5OWWX[\\ ,H,,"  4X"  E"h)PU V V VFmHOODIIG g:L/MV\ ] ] ]/'ag$; IIn % %))G$$yy..% % % ! & J5A"'))O"<"< 1377 ?R ,8#E5EEE"(6)-  D#%) . %&7 8 ,1 I ,x|,,C,Y]]<-H-HIIJ$-n$=E. !%.]]?%C%C%ZGZE/ ""+-- "="="d>'$$''+&&#'!   rH)r"cddlm}t|}|rEt|r$t||d<t 5t }t|d|t|dddn #1swxYwYt||d}td| DdS)u-Persist Nous OAuth credentials as the singleton provider state and ensure the credential pool is in sync. Nous credentials are read at runtime from two independent locations: - ``providers.nous``: singleton state read by ``resolve_nous_runtime_credentials()`` during 401 recovery and by ``_seed_from_singletons()`` during pool load. - ``credential_pool.nous``: used by the runtime ``pool.select()`` path. Historically ``hermes auth add nous`` wrote a ``manual:device_code`` pool entry only, skipping ``providers.nous``. When the runtime credential expired, the recovery path read the empty singleton state and raised ``AuthError`` silently (``logger.debug`` at INFO level). This helper writes ``providers.nous`` then calls ``load_pool("nous")`` so ``_seed_from_singletons`` materialises the canonical ``device_code`` pool entry from the singleton. Re-running login upserts the same entry in place; the pool never accumulates duplicate device_code rows. ``label`` is an optional user-chosen display name (from ``hermes auth add nous --label ``). It gets embedded in the singleton state so that ``_seed_from_singletons`` uses it as the pool entry's label on every subsequent ``load_pool("nous")`` instead of the auto-derived token fingerprint. When ``None``, the auto-derived label via ``label_from_token`` is used (unchanged default behaviour). Returns the upserted :class:`PooledCredential` entry (or ``None`` if seeding somehow produced no match — shouldn't happen). rrr"rJNc3:K|]}|jtk|VdSrJ)rru)rrs rIrz+persist_nous_credentials..s/JJqah2I&I&I&I&I&I&IJJrH) rrrGr2rrr1r8rranextr%)r.r"rr;r:rs rIpersist_nous_credentialsrOs7F0///// KKE ,U!!##,U))++g   %%%'' Z777$$$%%%%%%%%%%%%%%%U### 9V  D JJDLLNNJJJ   s+/B&&B*-B*c ddlm}|ddS#t$r&}td|Yd}~dSd}~wwxYw)zGBest-effort pool reseed after providers.nous changes; never fail login.rrrJz7Failed to sync Nous credential pool from auth store: %sN)rrrrr')rrs rI_sync_nous_pool_from_auth_storers{U333333 & UUU NPSTTTTTTTTTUs AAA)rrrr4c  tjjddt5t t dst dddtdt dp.tj d ptj d pt d }t d ptj d pt d }t dpt }dEfd }t#||}t%j|r|nd} t)dt+ dt%j| ddi|5}  d}  d} t/| tr| st dddt1|  d d } |s| t3t5|d!zt6"5t9rm d}  d} t1|  d d } |d#|s| Xt/| tr| s| pd$}t d%|d&d|d'|rd$n| pd(}t)d)|t+| * t;| ||| +}nQ#t $rD}t=|r/t?|d,-tA|d,-|d.d}~wwxYwtCj"tFj$}tK| d/}| }|dd<| dp| d<| d0p d0pd1d0<| dp dd<tM| d }|r|}|'d2<|d/<tCj(|)|ztFj$3'd<d} d} t)d4|t+|t+| 5|d6dddn #1swxYwYtU| 7tW| 8|d<|d <|d<|dut/|tr|ndd9d:<dddn #1swxYwY|d;dddn #1swxYwYrtY d<}t/|tr|st d=dd>? d@}t[|}|1t5dAt]|t_j/z n!tK dB}d|| dC||t`t`dDS)FaX Resolve Nous inference credentials for runtime use. Ensures access_token is a valid inference-scoped JWT, refreshing it when needed. Concurrent processes coordinate through the auth store file lock. Returns dict with: provider, base_url, api_key, key_id, expires_at, expires_in, source ("invoke_jwt"), and auth_path. NrprJrTrFr7rrrr8NOUS_INFERENCE_BASE_URLr9rr2rrHc  ttkrtd|dS tdtn8#t$r+}td|t |jd}~wwxYwtd|tdtd td tdS) Nnous_state_persist_skipped)ryrrJnous_state_persist_failed)ryrrnous_state_persistedrr)ryrr[rT) rrr8rrrrBrqr3rGra)rrr:persisted_stateryr;state_persisteds rI_persist_statez8resolve_nous_runtime_credentials.._persist_states@ /u551/BBCC0 +!  $Z??? ,,,,   / +!#Cyy1    &'!3EIIo4N4N!O!O 2599^3L3L M M     #5kkO"O %U + + + + +s A B "&BB rr!nous_runtime_credentials_startr)ryr[rrrrrr:rrrr!post_shared_merge_access_unusabler4rrrBaccess_unusable refresh_start)ryrr[rruntime_access_refresh_failurere'terminal_runtime_access_refresh_failurerr#r$rrrefresh_success)ryrprevious_refresh_token_fpnew_refresh_token_fprrrr{r&resolve_nous_runtime_credentials_finalrz*Failed to resolve a Nous inference API key server_errorrrrrr)rCr!rNkey_idrrrrrr2rrH)1rrrrr1r2rArGrr3rrr^rr_r2r]r(r$rrrqrrrrMrrrWrrlrrryrrrrrrrrrrrrrrrNOUS_AUTH_PATH_INVOKE_JWT)rrrr4r7r8r9rrrrrrinvoke_jwt_statusrrefresh_reasonr,rrrprevious_refresh_tokenrrNrrrr:rryr;rs @@@@@rI resolve_nous_runtime_credentialsrs0 *,,"3B3'K   uAuA%'' $Z88 DD%+dDDD Du++ uyy):;; < < 'y122 'y/00 '' &++  uyy)=>> ? ? *y233 *) &++   +..H2HII & ,& ,& ,& ,& ,& ,& ,& ,& ,& ,P!(iTYZZZ-? LMM ,#/ /0J0JKK    \'H>P3QZ` a a ak ek 99^44L!IIo66MlC00 H  H N)/$HHHH!8ii(( 99\22!!!  K D 1 =,SSVAVXq=r=rsssJDJD5e<<L',yy'@'@ (- /(B(B ,C("'))G"4"4',yy'>'>---) ''JKKK$?D(9(E)-== ] %6%I/F"+!M$*!M!M!M*0%+15 ###=J)wPaPvev$+(3#1-? -N-N  "(='-*3=)))II ) " " ">sCC Z <$)$'+K!"!"!"!" !>$.$'+K!"!"!"!" !//X Y Y Y! "'l8<88%8|9T9T%U%U 1>.09.0In-1:1O1O1`S`o..7mmL.I.I.pUYYWcMdMd.phpl+)2w)?)?)U599WCUCUg(QR[R_R_`tRuRu(v(v (?1>./2}}m,.8l+.6.DMMOOj8X\///#)++l+(-^'< (-o(> $-(3#16HI_6`6`1CM1R1R ''BCCCUJDJDJDJDJDJDJDJDJDJDJDJDJDJDJDX .)     $)'    (7E# $*'>HVVDE%LQk k k k k k k k k k k k k k k Z ?@@@kuAuAuAuAuAuAuAuAuAuAuAuAuAuAuAn*')))ii $$G gs # #>7>D!'n>>> >122J(44M  $ As=49;;.//000 +A!B!B C C&))N++  +.   sF W=B7W CU1(M<;U1< O ?O O FU1% W1U5 5W8U5 9AW W=W W="W #W==XXc dddddddddS)NF)rr7r8access_expires_atrr+inference_credential_presentcredential_sourcer>r>rHrI_empty_nous_auth_statusr}s)"! $"(-!   rHc  ddlm}|d}|r|stSt |}|stSdd}t || }t|d d }|stSt|d d }tt|d dpd }t|dd }t|o#| dpt|} t|dd} d } | rt|dd pt} | | t|dd p!t|dd pt|dd | r|nd t|dd t|dd t|dd| d| d S#t$rtcYSwxYw)zBest-effort status from the credential pool. This is a fallback only. The auth-store provider state is the runtime source of truth because it is what ``resolve_nous_runtime_credentials()`` refreshes. rrrJrr rtuple[float, float, int]ctt|ddpd}tt|ddpd}tt|ddpd}||| fS)NrrOrpriorityr)rrr)r agent_exp access_exprs rI_entry_sort_keyz3_snapshot_nous_pool_status.._entry_sort_keyso,WU>HzH95 5rHrrNrr5r6roauthr"unknownr7r8runtime_base_urlr!rrTpool:) rr7r8rrrr+rrr)rr rr)rrrrrr%rrr2rrrrr^r) rrr%rr runtime_keyrr5ris_portal_oauthr"portal_status_urls rI_snapshot_nous_pool_statusrsY 2)333333y   -4//11 -*,, ,t||~~&& -*,, , 6 6 6 6 G111e%6==  -*,, ,und;; {B77=2>>DDFFLLNN == |,,   ) ) @T--@-@ w 22   0$77+*  )0")%1Et"L"L#0u0$77#0uj$//,;ELL!( d!C!C$+E3I4$P$P!%m!4!4,0!0%eoo    )))&((((()s#4G0G(5GD8GG21G2z7Optional[Tuple[float, Optional[float], Dict[str, Any]]]_nous_auth_status_cachec tjS#t$rYdSt$rYdSwxYwrJ)rrst_mtimerfrr>rHrI_auth_file_mtimers]  %%''00 tt tts$' A AAc dadS)u`Clear the get_nous_auth_status() process-level memo. Call this from any code path that mutates Nous auth state without going through resolve_nous_runtime_credentials() (e.g. tests). Login/logout flows touch auth.json, so the mtime check below invalidates them automatically — explicit invalidation is the belt-and-braces option. N)rr>rHrIrqrqs#rHctj}t}t}|)|\}}}||kr||z tkrt |St }||t |fa|S)aStatus snapshot for Nous auth. Prefer the auth-store provider state, because that is the live source of truth for refresh operations. When provider state exists, validate it by resolving runtime credentials so revoked refresh sessions do not show up as a healthy login. If provider state is absent, fall back to the credential pool for the just-logged-in / not-yet-promoted case. The returned snapshot is memoised for ~15s keyed on the auth.json mtime, so menu/status surfaces that ask repeatedly don't trigger one refresh POST per call. Login/logout flows write to auth.json and therefore invalidate the cache automatically; tests can also call ``invalidate_nous_auth_status_cache()`` explicitly. )rrrr_NOUS_AUTH_STATUS_CACHE_TTLrG_compute_nous_auth_status)rmtimer< cached_at cached_mtime cached_statusrs rIget_nous_auth_statusrs .  C   E $F 17. < E ! !y$??? && & & ( (F"E4<<8 MrHctd}|rt|d|d|d|d|dt|d|dt|dp|dd d d } t}tdp|}|d |dp|d|d p)|dp|d|dp|d |dp)|dp|dt|dd d d|dd|dd |S#t $r^}|dt |tt|ddt|ddd|cYd}~Sd}~wwxYwtS)zEUncached implementation of get_nous_auth_status(). See that function.rJrr7r8rrrrr:) rr7r8rrr+rrrrTr!rzruntime:rportalr) rr7r8rrr+rrrrFrErDN)rrPrEr?) r:rr3rrrAr2rr)r; base_statusr.refreshed_staters rIrrs #F + +E ,eii7788$yy):;;"')),@"A"A!&>)-o.A.A/.R.R)S)S48)5H8X)F)FHH#ii11   $       "S$(6H%)P)P$Q$Q%c6488               & ' ''s 5EI J2AJ-'J2-J2c  ddlm}|d}|r|r|}|wt |ddpt |dd}|rSt |dsCdt tt |d dd d t |d d |dSn#t$rYnwxYw t}dt t| d | d| d| ddS#t$r6}dt tt |dcYd}~Sd}~wwxYw)zStatus snapshot for Codex auth. Checks the credential pool first (where `hermes auth` stores credentials), then falls back to the legacy provider state. rrrLNrrr6Trrrr"rrr:rrrrNrrrNFrr:rP) rrrrrrr2rrrr3rArrrrNr.rs rIget_codex_auth_statusr:s 333333y((  D((** KKMME E#4d;;:unb99#B7A#N#N%)&)/*;*;&<&<(/~t(L(L%."N'%)*L*L"N"N#*        133o//00!IIn55;//ii))yy++        o//00XX         1B3B77 CCA;E F+E?9F?Fc  ddlm}|d}|r|r|}|wt |ddpt |dd}|rSt |dsCdt tt |ddd d t |d d |d Sn#t$rYnwxYw t}dt t| d| d| d| dd S#t$r6}dt tt |dcYd}~Sd}~wwxYw)NrrrQrrr6Trrrr"rrrrrNFr) rrrrrrr2rrr r3rArs rIget_xai_oauth_auth_statusrks 333333y%%  D((** KKMME E#4d;;:unb99#@!#L#L%)&)/*;*;&<&<(/~t(L(L%1"N'%)*L*L"N"N#*        577o//00!IIn55;//ii))yy++        o//00XX         rct|}|r |jdkrddiSd}d}t||\}}d}|jr,t j|jd}|dvrt||j |}n |r|}n|j }t|||j ||t|dS)z>>`bH .-07Av|G,,,T+Px/B/B

rr s rI$resolve_api_key_provider_credentialsr2Ds_  ##K00G  g'944 C C C C #    GJ:;PPGZ -{j00-,9 GB)G4b99??AA777)'73MwWW   ('2LgVV .>>#&&- OOC(()   rHct|}|r |jdkrtd|d|d|jr,t j|jdnd}|s|j}t jddp(t jddpd }t jd d}|rtj |nd d g}|rtj |nd }|s+| dstd|d|d|d|d|p||ddS)z>Resolve runtime details for local subprocess-backed providers.r]r/z&' is not an external-process provider.rrr6rrrWrrrNrz(Could not find the Copilot CLI command 'zQ'. Install GitHub Copilot CLI or set HERMES_COPILOT_ACP_COMMAND/COPILOT_CLI_PATH.missing_copilot_clir\rprocess)rCrNr!rrr)rr3r5rArArrrr8rrrrrr)rrr!rrrrs rI-resolve_external_process_provider_credentialsr6qs##K00G  g'+=== L L L L #    CJBZbry1266<<>>>`bH .- .3399;;  9' , , 2 2 4 4   y2B77==??H$, F5;x 7I2FD07Av|G,,,T  H$7$7 $E$E  ]w ] ] ] &       OOC((#.w   rH default_modelc^t5t}||d<t|dddn #1swxYwYt}|jddt }|d}t|trt|}nBt|tr+| rd| i}ni}||d<|r-| r| d|d <n| d d| d d| d d|r!|dd }|rd|vr||d<||d<t||d |S)aUpdate config.yaml and auth.json to reflect the active provider. When *default_model* is provided the function also writes it as the ``model.default`` value. This prevents a race condition where the gateway (which re-reads config per-message) picks up the new provider before the caller has finished model selection, resulting in a mismatched model/provider (e.g. ``anthropic/claude-opus-4.6`` sent to MiniMax's API). rNTrrrrCrr!rNapi_moder6Fr})rr1rrrrrr3rrGr2rrr7r) rr8r7r: config_pathconfig current_modelrB cur_defaults rI_update_config_for_providerr?s   %%%'' (3 $%$$$%%%%%%%%%%%%%%% "##KTD999   FJJw''M-&&'' M3 ' 'M,?,?,A,A 3 3 5 56  'Ij(06688( 2 9 9# > > *  j$'''MM)T""" MM*d### 1mmIr22  1c[00#0Ii F7Ok6U;;;; s#>AAcP t}n#t$rYdSwxYw|sdS|d}t|tsdS|d}t|t sdS|}|pdS)z?Return model.provider from config.yaml, normalized, if present.NrrC)rrr3rrGr2rr)r<rrCs rI_get_config_providerrAs "" tt t JJw  E eT " "tyy$$H h $ $t~~%%''H  ts  cv|sdSt|kS)z=Return True when config.yaml currently selects *provider_id*.F)rArr)rs rI_config_provider_matchesrCs8 u  ! ![%6%6%8%8%>%>%@%@ @@rHc|sdS|}|tvot|S)z?Return True when logout should reset the model provider config.F)rrrrCrs rI'_should_reset_config_provider_on_logoutrEsF u""$$**,,J * * S/G /S/SSrHc.t}|dvr|SdS)aFallback logout target when auth.json has no active provider. `hermes logout` historically keyed off auth.json.active_provider only. That left users stuck when auth state had already been cleared but config.yaml still selected an OAuth provider such as openai-codex for the agent model: there was no active auth provider to target, so logout printed "No provider is currently logged in" and never reset model.provider. >rJrQrLN)rA)rCs rI$_logout_default_provider_from_configrGs%$%%H888 4rHct}|s|St}|s|S|d}t |t rd|d<d|vr t |d<t||d|S)z5Reset config.yaml provider back to auto after logout.rr_rCr!Fr:)rrrr3rrGrr)r;r<rs rI_reset_config_providerrIs!##K        F  JJw  E%4"j    3E* k6U;;;; rHrCr!rNrrCr!c ddlm}|||||}n#t$rd}YnwxYw|dSttdt|jtd t d}n&#ttf$rtYdSwxYw|d vS) zDPrompt before saving a model whose known pricing exceeds guardrails.r)expensive_model_warningrJNTzH========================================================================zSwitch anyway? [y/N]: F>yrv) hermes_cli.model_cost_guardrLrrrFr4rrr6r5)rrCr!rNrLrr)s rI"_confirm_expensive_model_selectionrO"s GGGGGG))      t GGG (OOO '/ (OOO12288::@@BB x ( uu | ##s ''/3B##CCrr=pricing#Optional[Dict[str, Dict[str, str]]]unavailable_modelsOptional[List[str]] portal_urlunavailable_messageconfirm_providerconfirm_base_urlconfirm_api_keyc v '()*+,-ddlm} |pg} d;fd } g} r|vr| |D]} | | vr| | t| t| z}t ot fd|D++rt d |Dd d znd,i(d -d)d *+r|D]} | }|rh| |dd}| |dd}|dd}|r | |nd}|rd*nd\}}}|||f(| <t -t|t|-t )t|)؉*rt )d)()*+,-fd'd}d}+r1d}d|dd,ddd-ddd-}*r |ddd)z }||dzz }d }d!} dd"l m }'fd#| D}|d$|d%|pt d&}| }|s| rd'|d(}g}+rV|dd)}t|d)kr-||d)| r?| D]#} |d*'| $|d+|d,|rd|nd-} |d||d.| d/}!|!dkrd-St%|!t| kr| | |!S|!t| krJ t'd0 }"n#t(t*f$rYd-SwxYw|"r | |"nd-Sd-S#t,t.t0t2jf$rYnwxYwt%|tt7t| d z}#t9| d)D]'\}$} t%d|$d|#d1'| (t| }%t%d|%d)zd|#d2t%d|%d zd|#d3| r|pt d&}| pd4|d5}t%t%d|d6|d,|| D](} t%ddd|#d|'| |)t% t'd7|%d zd8 }&|&sd-St;|&}!d)|!cxkr|%krnn| | |!d)z S|!|%d)zkr0t'd0 }"|"r | |"nd-S|!|%d zkrd-St%d9|%d zn2#t<$rt%d:Ynt*t(f$rYd-SwxYw)|sdSrt|sdS|S)NrJ)rO)rrXrWrVs rI_confirmed_selectionz5_prompt_model_selection.._confirmed_selection[sG 4  $F %%# % % %   4 rHc3BK|]}|VdSrJr3)rmrPs rIrz*_prompt_model_selection..ss-&J&J!w{{1~~&J&J&J&J&J&JrHc34K|]}t|VdSrJ)r)rr_s rIrz*_prompt_model_selection..ts(//qCFF//////rHrrrFpromptr6 completioninput_cache_readTr6r6r6c rC|d\}}}d|d d|d } r |d|dz }|d |}n|}|kr|dz }|S)Nrdr+>rp._labels  *..sLAAOCeCSC9CCCCCyCCCCJ 8757977777 3H333z33DDD -   , ,D rHzSelect default model:z rrgr+InrpOutCachez /Mtokzz)curses_radiolistc&g|] }|Sr>r>)rrrss rIr)z+_prompt_model_selection..s!222366#;;222rHzEnter custom model namezSkip (keep current)r Upgrade at z for paid modelsr z u ── u ──Nr)selectedcancel_returnsr@ searchablezEnter model name: z. z. Enter custom model namez. Skip (keep current)u6Unavailable models (requires paid tier — upgrade at )u── z Choice [1-z] (default: skip): zPlease enter 1-zPlease enter a number)rr2rrG)hermes_cli.modelsrZr.rranyrr3rhermes_cli.curses_uirwr^rrrextendrSrTrr4r5r6rNotImplementedErrorr subprocessSubprocessErrorr2 enumeraterr).rr=rPrRrTrUrVrWrXrZ _unavailabler\rYr all_modelsprirj cache_readrk default_idx menu_titlepadheader_DIM_RESETrwchoices _upgrade_urlunavailable_footer desc_lines header_partr@idxr num_widthinchoicersrmrnrorprqrrs. `` ``` @@@@@@@rI_prompt_model_selectionrDs&988888%+L        G&)33}%%%   g   NN3   gl!3!33JwJ3&J&J&J&Jz&J&J&J#J#JKKKCNUs//J///;;;a??TUH57LIII* 3 3C C  A -,,QUU8R-@-@AA,,QUU<-D-DEEUU#5r:: >HP..z:::b% $I",S%!$c5 1L Is3xxS::IIs5zz22II  *Iq))I           K)J)UcU2UUUUUDU9UUUUUUUUU  2 171Y1111 1Ffy((  D F1 9999992222'2220111,---"=&=EEcJJ 06688! Nl N!M|!M!M!M  !#  ?%**433K;!##!!+a.";";"="=>>>  G# 7 7!!"5s "5"56666   E*<EEE F F F/9Cdii +++t  #  #     774  W  '' 55 5 CLL  344::<</0   tt 39C''///t Ct ,gz7Q R      *CG q())**IGQ''443 212y2222VVC[[223333 G A r6rMrvrLr!Login successful! Config updated: z (model.provider=openai-codex)Nz?Existing Codex credentials are expired. Starting fresh login...z:Found existing Codex CLI credentials at ~/.codex/auth.jsonzOHermes will create its own session to avoid conflicts with Codex CLI / VS Code.zCImport these credentials? (a separate login is recommended) [y/N]: r>rMrvrrz=Credentials imported. Note: if Codex CLI refreshes its token,z /auth.json)rr3rr2rrr4rrr5r6r?rrArrrrr_codex_device_code_loginrr) rrrr! _resolved_keyrr; cli_tokens do_importr!r._dhhs rI_login_openai_codexr&s g  8::H %LLB77M--- Y- YHghuwyHzHz YNOOO !"EFFLLNNTTVVEE "34   EEE ,,,"=nhll[eg}N~N~""KGGG-...Z{ZZZ[[[F -WXXX    D  -//   N O O O c d d d !"ghhnnppvvxx /0     L((":...9%k>kllK GGG <<<<<< -4466 - - -... J{ J J JKKKKKsOAD"3BDB,)D+B,,A DD D,+D,"3FF,+F,c2~|s t}|dd}t|tr|rt |dst d t d}n#ttf$rd}YnwxYw|dvr[td|d t}t t d t d |d dSn#t$rYnwxYwt t d t dt tt|ddpd}t|dd }t!rd}t#t|dd} t%||| } t'| d| d| dd| dtd| d t}t t d ddlm} t d| dt d |d dS)NrNr6r&z:Existing xAI OAuth credentials found in Hermes auth store.rrM>r6rMrvrQr!rrz (model.provider=xai-oauth)z6Signing in to xAI Grok OAuth (SuperGrok / Premium+)...z,(Hermes creates its own local OAuth session)rrr:F manual_pasterrCrr rrirrrrr>r)r r3rr2rrr4rrr5r6r?rrArrr2r_xai_oauth_loopback_loginrrr) rrrr!rNrr;rrCrr.rs rI_login_xai_oauthrps   <>>Hll9b11G'3'' G    I!,     +$(&   D/!/ (. $%:  C,o..     /# / / ,     s""}""$$  3 & &8+/7''''R9((%,!&     Gx/C G G G'+3#T### 5 ,     --//  > > > -      gt $ $  @ -    Ns/)A A>#A99A>6D D0D++D0rrCrc  d=d}t|}|d}|d}d}|rdtdtt}t |t } t | } tjj } tjj } t||| | | } td t| t|}d }nt\}}}} t |t } t | } tjj } tjj } t||| | | } td t| ttd |t|t |ret!sWt#rI t%j| }n#t($rd}YnwxYw|rtdntd t+|||t-d|dz|}n#t.$r}t1|dddks |sttdtdtdtdtdt|}|d|d|d }Yd}~nd}~wwxYwnq#t($rd ||n#t($rYnwxYw |dn#t($rYnwxYwwxYw|dr2|dp|d}t/d |d!d"#|d$}|d%rd }||s|r| }|| krt/d&d!d'#t;|dpd}|st/d(d!d)#t?|||| | |*}t;|d+dpd}t;|d,dpd}|st/d-d!d.#|st/d/d!d.#tAtCj"d0d#d1p9tCj"d2d#d1tH3}||t;|d4dpd|d5t;|d6pd7pd7d8|||tKj&tNj()*d9d:d;d<S)>uRun the xAI OAuth PKCE flow. When ``manual_paste=True`` the loopback HTTP listener is skipped entirely and the user is prompted to paste the failed callback URL into stdin (regression fix for #26923 — browser-only remote consoles like GCP Cloud Shell / GitHub Codespaces / EC2 Instance Connect, where the laptop's browser can't reach 127.0.0.1 on the remote VM). The same PKCE verifier, ``state``, and ``nonce`` are used for both paths so the upstream-side OAuth flow is identical. rrc tttjddS#t$rYdSwxYw)NrcdS)NFr>r>rHrIzQ_xai_oauth_loopback_login.._stdin_supports_manual_paste..SsUrHF)rrrrrr>rHrI_stdin_supports_manual_pastez?_xai_oauth_loopback_login.._stdin_supports_manual_pasteQsP C 8]]CCEEFF F   55 s03 AArrFrr)rrirr;rz+Open this URL to authorize Hermes with xAI:TzWaiting for callback on r;z%Browser opened for xAI authorization.r=g>@ rrDr6rz xAI loopback callback timed out.z9If your browser reached a failed 127.0.0.1 callback page,z:paste that FULL callback URL below to continue this login.z5You can also re-run with `--manual-paste` to skip thez!loopback listener from the start.NrPrrrzxAI authorization failed: rQxai_authorization_failedrr;rz)xAI authorization failed: state mismatch.xai_state_mismatchz5xAI authorization failed: missing authorization code.xai_code_missing)rrDrirrrrrz2xAI token exchange did not return an access_token.rz2xAI token exchange did not return a refresh_token.rrrrrrr#r$)rrrrr#rrzoauth-loopback)r rrir!rrrr)+rrXAI_OAUTH_REDIRECT_PORTrrrrrrrrrrqrr?XAI_OAUTH_DOCS_URLr2r@r3rrr rrArr3rrrTr2rrrrrrrrrrrrr)rrCrrrrrallow_missing_staterirrr;rrErGrrcallback_resultrFrrcallback_staterDrrrr!s rIrrAsc  %_55I&'?@/0N^ )- ) )0G )& ) )  ,L999133 3MBB    6#9%)     ;<<< m0>>"8R8T8T5A  / = = =577M7 FFNJLL$EJLL$E:'=)- M ? @ @ @ - GGG ;\;; < < < $\266<"==CCEEL OR88>B??EEGGM   @ -      @ -    0 ',,2244;;C@@ = 9^R ( ( . . 0 0 7 7 < <+H)*GKK B77=2>>DDFF!++l33gkk,77C8DDJJLLXPX   $ X\22<<>>FFxQTUU"   s6C"LG.-L. G=:L<G==$L"%IL LB6L L LL N!(M  N MNMNM21N2 M?<N>M??Nc \ ddl}d}t} tjtjd5}||dd|idd i }dddn #1swxYwYn'#t $r}td |d d d}~wwxYw|jdkrtd|jdd d| }| dd}| dd}tdt| dd} |r|stdd dtdtdtd|dtdtd|d td!d"} |} d} tjtjd5}|| z | krz|| ||d#||d$dd i } | jdkr| } n%| jd%vrztd&| jdd d'dddn #1swxYwYn,#t $rtd(t#d)wxYw| td*d d+| d,d}| d-d}|d.}|r|std/d d0 tjtjd5}|t$d,||||d1dd2i3}dddn #1swxYwYn'#t $r}td4|d d5d}~wwxYw|jdkrtd6|jdd d7| }| d8d}| d9d}|std:d d;t'jd|t1jt4jd?d@dAdBdCS)DzBRun the OpenAI device code login flow and return credentials dict.rNzhttps://auth.openai.comr!rz!/api/accounts/deviceauth/usercoder9rr)rrzFailed to request device code: rLdevice_code_request_failedrr z$Device code request returned status rdevice_code_request_errorr,r6device_auth_idrr/5z-Device code response missing required fields.device_code_incompletez!To continue, follow these steps: z# 1. Open this URL in your browser:z z/codex/device z 2. Enter this code:z z/Waiting for sign-in... (press Ctrl+C to cancel)iz/api/accounts/deviceauth/token)rr,>rrz$Device auth polling returned status device_code_poll_error Login cancelled.z!Login timed out after 15 minutes.device_code_timeoutrrz/deviceauth/callbackzADevice auth response missing authorization_code or code_verifier.device_code_incomplete_exchangerrrrzToken exchange failed: token_exchange_failedzToken exchange returned status token_exchange_errorrrz.Token exchange did not return an access_token.token_exchange_no_access_tokenrr)rrrrrz device-code)r r!rrr)rrr$rrr%rrAr&rr3rrrrrr6r7rrrrrrrrrrrr)_timeissuerr9rr*r device_datar,rrmax_waitr code_resp poll_resprrri token_respr rrr!s rIrr s &F%I  \%-"5"5 6 6 6 &;;<<<!9-');<D                    3c 3 3#*F      3 F43C F F F#*E    ))++K R00I __%5r::N3{z3??@@AAM  N  ;#*B     ./// /000 8& 8 8 8999 !""" .) . . ./// ;<<<H OO  EI \%-"5"5 6 6 6 &//##e+h66 M***"KK===,:SS+-?@( (C// ) 0 0I*j88#Wy?TWWW!/6N               &  "###oo /#*?    #';R@@MM/266M222L  ]  O#*K     \%-"5"5 6 6 6 &%"6.$0!*%2 ()LM%  J                    +c + +#*A     $$ Gj.D G G G#*@    __  F::nb11LJJ33M   <#*J     )2..4466==cBB " ! )*   X\22<<>>FFxQTUU   s'A. A" A."A&&A.)A&*A.. B8B  B='J$BJ: JJ  J J J)J;'M?&M3' M?3M77M?:M7;M?? N# NN#r?cVddl}|ddd}tjt j| d}|d}|||fS)zGGenerate (code_verifier, code_challenge_S256, state) for MiniMax OAuth.rNrw`rr/) secrets token_urlsaferr~r4r5r6rrr)rverifier challenger;s rI_minimax_pkce_pairrsNNN$$R(("-H(x(())0022 fhhvvc{{  ! !" % %E Y %%rHc ||dd|t|d|dddttjd}|jd kr!t d |jp|jd d | }dD]}||vrt d|d d | d|krt dd d |S)Nz /oauth/coderDr)rr9r:rrr;rr)rrz x-request-idrr z$MiniMax OAuth authorization failed: r{authorization_failedr)r,r- expired_inz&MiniMax OAuth response missing field: authorization_incompleter;z-MiniMax OAuth state mismatch (possible CSRF).state_mismatch) r%MINIMAX_OAUTH_SCOPEr2rrr&rAr reason_phraserr3)rr7r9rr;r)rrs rI_minimax_request_user_coders@{{ '''#"(,%+   @( --  H s"" \8=3ZHDZ \ \$+A    mmooG@   @@@(/I  {{7u$$ ;$+;     NrHrnow_msc.t||dzkS)zMTrue if ``expired_in`` is plausibly a unix-ms absolute time (vs TTL seconds).r)r)rrs rI&_minimax_expired_in_looks_like_unix_msrs z??fk **rHrrct|}t|dz}t||r|dz S|td|zS)zRReturn access-token expiry as unix seconds (MiniMax uses ms epoch or TTL seconds).rr@@r )rrrr)rrrXrs rI"_minimax_resolve_token_expiry_unixrsa j//C 4' ( (F-c&AAAV| ==??SC[[ ((rHr, interval_mscddl}t|dz}t|} t| |r| dz } n%|td| z} td|pddz } || kr=||dt |||d d d d  } | jr| nin#t$riYnwxYw| j dkrI dipi dp| j} td| pddd d}|dkrtddd|dkr/tfddDstdddS| | || k=tddd )!Nrrrrr g@i /oauth/token)rr9r,rrrrrr  base_resp status_msgzMiniMax OAuth error: rr{rrrrPz8MiniMax OAuth reported an error. Please try again later.authorization_deniedsuccessc3BK|]}|VdSrJr^)rkrs rIrz&_minimax_poll_token..s-__!w{{1~~______rH)rrrzhmmoooBGG   GGG   3 & &;;{B//52::<HHYHMC:(8y::(/F  X&& W  J(/E  Y  ____/^_____ R,3EN HQ **,, ! !T A y   s C** C98C9ct5t}t|d|t|ddddS#1swxYwYdS)zGPersist MiniMax OAuth state to Hermes auth store (~/.hermes/auth.json).r{N)rr1r8r)rr:s rI_minimax_save_auth_stater  s   %%%'' Z*EEE$$$%%%%%%%%%%%%%%%%%%s/A  AAr~rCrr~c~td}|dkr|jd}|jd}n|j}|j}t \}}}t rd}t d|dt d|tjtj |d d id 5} t| ||j || } t| d} t| d} t t dt d| t d| |rAtr3tj| rt dnt d| d} | t#| nd}t dt%| ||j | |t#| d|}dddn #1swxYwYt'jt*j}t/t#|d|}t1dt#||z }d||||j t4|dd|d|d|d |t'j|t*j!|d" }t;|t d#|d$x}rt d%||S)&z?Run MiniMax OAuth flow, persist tokens, return auth state dict.r{r rrFz#Starting Hermes login via MiniMax (z ) OAuth...Portal: rrT)rrfollow_redirects)r7r9rr;r-r, To continue: 1. Open:  2. If prompted, enter code: # (Opened browser for verification)z< Could not open browser automatically -- use the URL above.r/NzWaiting for approval...r)r7r9r,rrrrrr#r$rrr%r) rCr~r7r8r9r:r#rrr%rrru#✓ MiniMax OAuth login successful.notification_messagezNote from MiniMax: )rr=r7r8rr2rr$rrrr9r2r@r3rr3rrrrrrrrrrrrr )r~rCrrr7r8rrr;r code_dataverification_urlr, interval_rawr token_datarexpires_at_unix expires_in_srrs rI_minimax_oauth_loginr(s  0G ~~!-(<=$]+BC!1$7!3!5!5Hi  B B B BCCC &_ & &''' emO<<');<'+ - - - 06. O'$E   y);<== +.//   n .,../// :y::;;;  V799 V/00 V;<<<<TUUU }}Z00 +7+Cc,'''  '(((( O'x9\233#    3               B ,x| $ $C8 J| $%%3Oq#o ?@@AAL$*0&$ nn\8<<">2#O4"~66}},_NNNXXZZ"J Z((( 2333nn3444s+ )C))*** s/D-G((G,/G,)rforcerc |dstdddd tj|dd}n#t $rd }YnwxYwt j}|s||z tkr|S|d }tj tj |d 5}| |d d|d |ddddd}dddn #1swxYwY|j dkrV|j tfddD}td|j p|jdd||} | ddkrtddddtjt&j} t+t-| d| } t/dt-| | z } t1|} | | d| d|d| tj| t&j | d!t9| | S)"zBRefresh MiniMax OAuth access token if close to expiry (or forced).rz:MiniMax OAuth state has no refresh_token; please re-login.r{no_refresh_tokenTrBrr6rOr7)rrrr9rrrrrNr c3 K|]}|vV dSrJr>)rr_r*s rIrz/_refresh_minimax_oauth_state..s?ZZAa4iZZZZZZrH)rrinvalid_refresh_tokenzMiniMax OAuth refresh failed: refresh_failedrrz-MiniMax OAuth refresh did not return success.rrrrr)rrrrr)r3rArrrrr"MINIMAX_OAUTH_REFRESH_SKEW_SECONDSr$rrr%r&rrrrrrrrrrrrGrrrr )r;rrrrr7rr)rrnow_dtrr new_stater*s @rI_refresh_minimax_oauth_stater%{sg 99_ % %  H$+=PT    +EIIlB,G,GHHRRTT   )++C j3&*LLL -.O emO<<'+ - - -  06;; , , ,-";/!&!7 !D,                   s""}""$$ZZZZXZZZZZ VX]-Th>T V V$+;$    mmooG{{8 )) ;$+;!    \(, ' 'F8 GL !""Oq#o0@0@0B0BBCCDDLU I / _eO6LMM'')),_NNNXXZZ" Y''' s#:A&& A54A5 /DD D c|jr|dsdSdD]}||dd|jpdt |ddt jtj d|d < t|dS#t$r&}t d |Yd}~dSd}~wwxYw) aWipe dead tokens from auth.json after a terminal refresh failure. Shared by both the eager-resolve path and the lazy per-request token provider. Mirrors the Nous / xAI-OAuth / Codex-OAuth quarantine pattern so subsequent calls fail fast without a network retry. rN)rrrrrr{r!rTrrz6MiniMax OAuth: failed to persist quarantined state: %s)rEr3r7rDr2rrrrrr rrr')r;r_kr s rI-_minimax_oauth_quarantine_on_terminal_refreshr(s  UYY%?%?Z "d#,,s88+ l8<((2244   E Z ''''' ZZZ MyYYYYYYYYYZs B C $CC Callable[[], str]cdd}|S)uReturn a zero-arg callable that yields a fresh MiniMax access token. The Anthropic SDK caches ``api_key`` as a static string at construction time, so a session that resolves credentials once at startup will keep sending the same bearer until MiniMax's server returns 401 — typically ~15 minutes in, because MiniMax issues short-lived access tokens. Returning a *callable* instead of a string lets us hook into the existing Entra-ID bearer infrastructure in :mod:`agent.anthropic_adapter`: ``build_anthropic_client`` detects a callable and routes through ``_build_anthropic_client_with_bearer_hook``, which mints a fresh ``Authorization`` header on every outbound request. Each invocation re-reads the persisted state from ``auth.json`` and calls :func:`_refresh_minimax_oauth_state` — that helper is a no-op when the token still has more than ``MINIMAX_OAUTH_REFRESH_SKEW_SECONDS`` of life left, so the steady-state cost is one file read + one timestamp compare per request. Reading state fresh each time also means a refresh persisted by one process (CLI, gateway, cron) is immediately visible to every other process sharing the same ``auth.json``. rr2c4td}|r|dstdddd t|}n##t$r}t ||d}~wwxYw|d}|stdddd|S) Nr{rMNot logged into MiniMax OAuth. Run `hermes model` and select MiniMax (OAuth). not_logged_inTrBz6MiniMax OAuth state has no access_token after refresh.no_access_token)r:r3rAr%r()r;rrs rI_providez4build_minimax_oauth_token_provider.._provides'88 EIIn55 #(QU   077EE    9% E E E   .)) H(/@SW  A A+A&&A+rr2r>)r/s rI"build_minimax_oauth_token_providerr2s.* OrH)min_token_ttl_secondsas_token_providerr3r4cNtd}|r|dstdddd t|}n##t$r}t ||d}~wwxYw|rt }n|d}d||dd d d S) uReturn {provider, api_key, base_url, source} for minimax-oauth. When ``as_token_provider`` is True, ``api_key`` is a zero-arg callable that mints a fresh access token per call (proactively refreshing if the cached token is within ``MINIMAX_OAUTH_REFRESH_SKEW_SECONDS`` of expiry). This is what the runtime provider path uses so that long sessions survive MiniMax's short access-token lifetime — see :func:`build_minimax_oauth_token_provider` for the rationale. The default (string ``api_key``) preserves the historical contract for diagnostic call sites like ``hermes status`` that just want to know whether a valid token exists right now. r{rr,r-TrBNr8rrr0)r:r3rAr%r(r2r)r3r4r;rrNs rI)resolve_minimax_oauth_runtime_credentialsr6s" $O 4 4E   .11  $?T    ,U33 5eSAAA (9;;'#./66s;;   r0ctd}|r|dsdddS tj|dd}|t jz dk}n2#t $r%t|d}YnwxYw|d|dd |dd S) z3Return auth status dict for MiniMax OAuth provider.r{rFrrr6rr~r})rrCr~r)r:r3rrrrrr)r;r token_valids rIrr.s #O 4 4E A .11A"@@@6+EIIlB,G,GHHRRTT !DIKK/14 666599^4455 6!#))Hh//ii --   sAB,B10B1ct|ddpd}t|dd }t|ddpd} t|||dS#t$r0}tt |t d d}~wwxYw) z"CLI entry for MiniMax OAuth login.r~Nr}r:Frr!r r )rrrArrcr7)rrr~rCrrs rI_login_minimax_oauthr:@s T8T * * 6hFt\5999LdIt,,4G g        $$%%%mmsA B+BBr7r8r9r:rCrrrc h td}|p.tjdptjdp|jd}|ptjdp|jd} |p|j}|p|j}tj |} |rdn|r|nd} trd}td|j d td ||rtd n|rtd |d tj | ddi| 5} t| |||} t| d}t| d}t!| d}t!| d}ttdtd|td||r5t#j|}|rtdntdt'dt)|t*}td|dt-| ||t| d||}d d d n #1swxYwYt/jt2j}t7|dd!}||z}t=|d"p| }|| krtd#|id$|d"|d%|d&|d&p|d'|d'd(d)|d)d*|d*d+|d,t/j |t2j-d|d.| dutC| tr| nd d/d0d d1d d2d d3d d4d d5d } tE||d6S#tF$r}|j$d7kr|d$tJd}tM|}tt|td8|d9ttd:tOdd }~wwxYw);zMRun the Nous device-code flow and return full OAuth state without persisting.rJrrrrFTzStarting Hermes login via z...r z'TLS verification: disabled (--insecure)z$TLS verification: custom CA bundle (r}rrr)rr7r9r:r.r,rr/rrrru= Could not open browser automatically — use the URL above.r z$Waiting for approval (polling every zs)...r#)rr7r9r#rrNrr8z%Using portal-provided inference URL: r7r9r:r#r$rrrrrrr{rrrrrr)rr4r\z Subscribe here: z/billingz>,+J+JKK#33J:>>*>??@@ # "!888 N6LNNOOO?4 Y ((1E  jnn\8<<   >2  88 s}} h,ZHLIIISSUU & %#-fc#:#:D   T !" #$ %& D'( )J,, +        8. . .#!#:fSkk (,,G GGG 'NNN ;z;;; < < < GGG P Q Q QQ--   s,,D>I66I:=I:+O== R1B%R,,R1c  t|ddpd}tt|dd}t|ddp'tjdptjd} d}t }|r t }n#t $rd}YnwxYwt|rtd |ntd  td  }n#ttf$rd }YnwxYw|d vr0tdt|}|td|jtt|ddt|ddt|ddp|jt|ddt|dd |||}|d} t!5t#} | d} dddn #1swxYwYt!5t#} t'| d|t)| } dddn #1swxYwYt+|t-ttdtd| d} |dp|d}t/|t0r|st3ddd d!d"lm}m}m}m}m}m }|}tg}d#}|r|d}|d$%}|d&d#}|rY d!d'l!m"}m#}|d$%}||d()pd#}n#tH$rd#}YnwxYw||||\}}|||d$*\}}n||||\}}|d&d#}|r8td+tK|d,tM|||||d| |-}nR|rA|ptN(d.} td/t|pd0| d1ntd2nj#tH$r]}!t/|!t2rtS|!nt1|!}"ttd3|"Yd}!~!nd}!~!wwxYw|st!5t#} | r| | d<n| *ddt)| dddn #1swxYwYttd4td5dStWd| |6}#|r!tY|td7|td8|#d9dS#t$rtd:t[d;tH$r&}!td<|!t[d=d}!~!wwxYw)>z&Nous Portal device authorization flow.rNr!rFrr r!z)Found existing Nous OAuth credentials at z,Found existing shared Nous OAuth credentialsz!Import these credentials? [Y/n]: rM>r6rMrvz3Rehydrating Nous session from shared credentials...ruKCould not refresh shared credentials — falling back to device-code login.rT inference_urlr9r:r:r;r8rrJrr>rrz,No runtime API key available to fetch modelsrrr)get_curated_nous_model_idsget_pricing_for_providercheck_nous_free_tierpartition_nous_models_by_tier&union_with_portal_free_recommendations&union_with_portal_paid_recommendationsr6Trhr7rezpaid Nous modelsrj) free_tierzShowing u= curated models — use "Enter custom model name" for others.)rPrRrTrUrVrWrXrz#No free models currently available.ryz to access paid models.z,No curated models available for Nous Portal.z?Login succeeded, but could not fetch available models. Reason: z:No provider change. Nous credentials saved for future use.z4 Run `hermes model` again to switch to Nous Portal.)r7zDefault model set to: rz (model.provider=nous)rrzLogin failed: r ).rrrrrPrJrrr4rrr5r6rrAr9rr1r3r8rrarrr2rAr~rDrErFrGrHrIrlrfrgrrrr^rrcr7r?rr7)$rrrrrrrD shared_pathrr8 _prior_storeprior_active_providerr:rIselected_modelrrDrErFrGrHrIrrRrUrPrJ_portal_for_recsrfrg _account_info_portal_urlrrFr;s$ rI _login_nousrSsdIt44<OGD*e4455Hk4(( & 9' ( ( & 9_ % %  )**  i #577  # # #"  # GGG FO+OOPPPPDEEE !"EFFLLNNTTVV /0     ,,,KLLL:$3 %ghhh  0 'lD A A#*4$#G#G!$ T::Og>OdGT22!(|U!C!CC /!#   J((<=    H H+--L$0$4$45F$G$G ! H H H H H H H H H H H H H H H   4 4)++J VZ @ @ @' 33H 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 !,,,')))  !""" )x))*** S _$..55W9W9WKk3// { B#(                  3244I GGG') "$ ) 226::10TBBB #->>2CR#H#H #1 )E(DQU(V(V(V BB -+=" " ,+%111.0+++1*P)O!7,<**&Iw5R4Q!7d5551I11*P)O!7,<**&Iw!nn%6;;G FpYpppqqq!8w'9&(;%+%7$/"""$ F:#:BB3GG;<<<)X-X4-X-X-XYYYYDEEE _ _ _0:3 0J0JX',,,PSTWPXPXG GGG ]T[]] ^ ^ ^ ^ ^ ^ ^ ^ _ "## - --// (<4IJ011NN#4d;;; ,,,  - - - - - - - - - - - - - - - GGG N O O O H I I I F1 &n     = ~ . . . ;>;; < < < F;FFFGGGGG  "###oo  $s$$%%%mms&,V5?B V5 BV5B5V53DV5DV5DB9V5$H: V5H  V5 H V5/I V5IV5!I"AV54B0Q0%#N Q0 NQ0NCQ0/V50 S:AS V5SV5*> 0;00111mm " "F  LF L&J&L&LF  3444A&II26::M6"" ;&9 ;  % " $ $ $ /}///000  A29-A#B#B A = > > > > >  A M N N N N N ? @ @ @ @ @ 9999:::::rHr1)rNr2rr2rr2rr2)rr rrrr)rr2rr1rr)r )rNr2rrrr)rPrrr)rr rrU)rPrrr2)rPrArr2)rr rrGr)rzr2ryrGr{r rrH)rr )rr)rr<)rr rrrrrr2)rrrJ)rrrr<)r:r<rr )r:r<rr2rr)r:r<rr2r;r<rrH) r:r<rr2r;r<r rrrH)rr2rrH)rr2rr)rr2rr2)rrGrr<)rr2r%r&rr )rr2rr2rrH)rr2rr2rr)rr2rr)rrG)rrGrrr)rLr2rr2)r]rGr[rGr\rGrr2)rr rr)rr rrrr)rr rr)rr rrG)rrGrrG)rr rr<)rr rr) rr r:r rr rrrrG) rr r:r rr rrrr)r;r<rr rrH)rr ryrGrrH)rr rr rrG)r;r<rrGrrH)r;r<rr ryrGrrH)r;r<rr<)rr rrrr)r r<rr )rr rrrr)r)r r<rrrr<)r.r<rrH)r4rr5rr6rrr<)r4rrr<)rrGrrS)rrGrr2)NN)r]rGr;rrr2)r;rrr2)rw)rxrrr2)rr2rr2)r9r2rir2r:r2r;r2rr2rtr2rr2)rir2rr)rr2rr)rir2rrrr)rrGrr2)rrrr) rr rrrrrrrrGrr)rr<r9r2rir2rr2rtr2rnr2rrrr<)r9r2rDr2rir2rr2rtr2rrrr<)r;r<rrrr<)r-r2rr2)rXr2rrG)rir2rrG)rir2r<rzrrH)rrrr<) r:r<r r.rrGrrrrH)r r.rr2r"r2rrH)rr2rr2rrrr<)r r.rrrr.)rr) r r<rrrir2rrGrrH)r)rr2rrrr)rr2rr2rr2)rr2rr2rr2)r!)rrrr.) rr2rr2rr2rrrr<) r r<rr2rir2rrrr<)rr )rrrrGrrrr ) rr)r7r2r9r2r:rGrr<)rr)r7r2r9r2r#r2rrrrrr<)r;r<rr)r;r<rrH)rrr)rrrr)r;r<rPrArr2rrH)r:r<rPrArr2rr)rrrr) rr)r7r2r9r2rr2rr<) r8r2rNr2rrrrrrS)r;r<rrrr) rrrrrrGr6rrr2)"rr2rr2r9r2r7r2r8r2r#r2r:r2rrGrrGrrGrrGrrrrrrGr4rrrrr<) r;r<rrr4rrrrr<)r.r<r"rG) rrrrrrGr4rrr<)rr)rr2rr<)rr2r8r2r7rGrr ) rr2rCr2r!r2rNr2rr)r6NNr6r6r6r6r6)rrSr=r2rPrQrRrSrTr2rUr2rVr2rWr2rXr2rrG)rr2rrH)rr1rrrrH) rr2rir2rr2r;r2rr2rr2)rr2rDr2rir2rr2rr2rrrr<)rrrCrrrrr<)rr?) rr)r7r2r9r2rr2r;r2rr<)rrrrrr)rrrrrr)rr)r7r2r9r2r,r2rr2rrrrUrr<)rr<rrH)r~r2rCrrrrr<)r;r<rrrrrr<)r;r<rrArrH)rr))r3rr4rrr<)rr1rrH)r7rGr8rGr9rGr:rGrCrrrrrrrGrr<(UrE __future__rrloggingrrrrrrrr4rrrrr3 contextlibr dataclassesrrrr http.serverr r r pathlibr typingr rrrrrr urllib.parserrrr$rrrrrrragent.credential_persistencerutilsrrr getLoggerrBrrrrrrr^r_r]rr\rur!ACCESS_TOKEN_REFRESH_SKEW_SECONDSNOUS_INVOKE_JWT_MIN_TTL_SECONDSr<rrMINIMAX_OAUTH_CLIENT_IDrrMINIMAX_OAUTH_GLOBAL_BASEMINIMAX_OAUTH_CN_BASEMINIMAX_OAUTH_GLOBAL_INFERENCEMINIMAX_OAUTH_CN_INFERENCEr"r;DEFAULT_GITHUB_MODELS_BASE_URLDEFAULT_COPILOT_ACP_BASE_URLDEFAULT_OLLAMA_CLOUD_BASE_URLSTEPFUN_STEP_PLAN_INTL_BASE_URLSTEPFUN_STEP_PLAN_CN_BASE_URLrr'CODEX_ACCESS_TOKEN_REFRESH_SKEW_SECONDSXAI_OAUTH_ISSUERrrrrrr%XAI_ACCESS_TOKEN_REFRESH_SKEW_SECONDSr(r'&QWEN_ACCESS_TOKEN_REFRESH_SKEW_SECONDSrurorjr0r1)SPOTIFY_ACCESS_TOKEN_REFRESH_SKEW_SECONDSrr}rTrVr/rFrN.GEMINI_OAUTH_ACCESS_TOKEN_REFRESH_SKEW_SECONDSr1r1rrr_list_providers_for_registryrr4r5env_varsr? _api_key_varsr _base_url_var display_namer!rrrrrrrr r#r+r>rRrrArTrZrcrbrqrxrrrrrlocalrrrr1rr2r8rrrrr$r+r2r4r8r:r=rErIrKrZrrrrrrrrrrrrrrrrrrrrrr rrr-r2r=r@rCrPrRrZr\rerkrqrvrrrrrrrrrrrrr r rr r%r)r,r8rJr2r[r@r rqryr?rrrrrrrrrrrrrrrrr rr(r5rArHrLrFrJrMrWrarPrgrlrrorrryrrrrrrrrrrrrrrrrqrrrrr rrrr2r6r?rArCrErGrIrOrrrrrrrrrrrrrrr rr%r(r2r6rr:rArSrVr>rHrIrzs!$#"""""   %%%%%%((((((((''''''''OOOOOOOOOOHHHHHHHHHHHHHHHHHH6666666666 OOOOOOOOOOCCCCCCCCMMMMMMDDDDDDDDDD  8 $ $LLLL EEEMMMM FFF <H%00'($'!"C()%@2@9G42!CA%'"3!@. 7"G F6=*-'&-PPP<R%%(+%9A),&$B!;H[A,/)W\ "  y* %<!13. 1           S0 NN  %/5(    S0NN  "1 S0 ..  6,* !S00  4"5 1S0<..  "0 =S0H  $"< IS0T  5(& US0d~~  9M/ eS0t>>  !$7/ uS0B nn  M=* CS0R >>  9G'    SS0b>>  8@(   cS0xnn  &7- yS0F~~  :-+ GS0V ^^  8-) WS0f >>  ;)'    gS0v~~  =-+ wS0S0F^^  0!19)!!9N(BDD   GS0\  6\- ]S0l~~  S/- mS0|>> *JM7 }S0L..  ?0. MS0\  8., ]S0l >>  0)'    mS0| nn  @,* }S0LNN  720 MS0\>>   ;1/   ]S0v  <., wS0F>>  =&& GS0V nn  :,* WS0f  @., gS0vNN  8,* wS0F~~  L+ GS0V^^  31 WS0S0SSSSp HHHHHH++--HH 8( ( (  =I % %S\ %  8b b b ppppppp gggggimnn &4nx!-SX"|*:cl*0b ' ' ' #(#k H HF...,=ch,G!&) H/H4   D @3    "    89      &&&&l4gY(S d>d>df|}CEkEkEknCD  #####L....p/11111 111"    ----*BKKKK&DDDD---- >B[[[[[[,%%%%>!!!!H2222$IO%%DDDDN.G$%<%<%<%<%MsIIIIIEEEEEP%%%%* $ F @    >%%%%( ''''''T6     44444 #&*0#&*(((((( ( ( ( ( ( - - - - -!!!!! HHHH !!!!! HHHH 4444*11110#+#+#+#+R#$$$$$$N11110////o'o'o'o'f2%0%0%0%0%0Z#/3 ++++++\    .04!!!!!!V",,,,,,d"======D $ I ------`&::::z\)\)\)\)DJ*3 * *    6666r////d''''6     KO+ + + + + + l)-......j;? b,b,b,b,b,J%%%%%@" }}}}}}@*H $ G FFFFFFR%%%%X-1++++++b+/"& %%%%%%.$&&&&R5555p.....j! ______L B $ E OOOOOOl( $#+/      N6.E.E.E.EP.*9?,,0000(25N6    F@H@H@H@HF< H H H H".((((BF"DDDDDDN7W7W7W7W|" 6*6*6*6*6*6*r    "## A f)f)f)f)f)f)`#!% $#*.!##GK#^^^^^^H"GK @ 888888vUUUU"## bbbbbbR    8)8)8)8)F#SWWWWW # # # #@1(1(1(1(h. . . . b' ' ' ' T><" " " " " JJJJJZ****Z%%%%^$(?????D$AAAATTTT    , $$$$$$H37.2!FFFFFR"" GLGLGLGLGLGL\" 9I9I9I9I9I9IxEEEEH"uuuuuut" IIIIIIXNNNNf&&&&%%%%P++++ ))))<<<<~%%%%D!PPPPPPh8<??????DZZZZ2,,,,`%G#&&&&&&R$     &*(,#!#~~~~~~BIIIIX;;;;;;s7?CC CCC! C!/CR55R=<R=