Ji UdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZmZddlmZmZddlmZddlmZmZmZmZddlZddlZdd l m!Z!m"Z"dd l#m$Z$ej%e&Z' ddl(Z(n #e)$rdZ(YnwxYw ddl*Z*n #e)$rdZ*YnwxYwd Z+d Z,d Z-dZ.dZ/dZ0dZ1dZ2d Z3dZ4dZ5dZ6dZ7dZ8dZ9eGddZ:ide:ddde-e.e/e0de:ddd e4!d"e:d"d#d$e5d%&d'e:d'd(d)e6d*+d,e:d,d-d$d.d/d01d2e:d2d3d$d4d5d61d7e:d7d8d$d9d:d;1d<e:dd?&d@e:d@dAd$dBdCdD1dEe:dEdFd$dGdHdI1dJe:dJdKd$dLdMdN1dOe:dOdPd$dQdRdS1dTe:dTdUd$dVdWdX1dYe:dYdZd$d[d\d]1d^e:d^d_d$d`dadb1dce:dcddd$dedfdg1Z;dheddqZ?ddsZ@hdtZAdudvdd|ZBddZCgdZDdddZEGddeFZGddZHddZIddZJddddZKddZLddZMe jNZOee,fd dZPd!d"dZQd#dZRd$dZSd%dZTd!d&dZUd'dZVd(dZWddZXd!d)dZYd*dZZ d!dddd+dZ[d,dZ\d-dZ]d.dZ^d/dZ_d0dZ`d1dZaddZbddd2dZcd!d3dĄZdddƜd4dȄZed5dɄZfd6dʄZgdde9d̜d7dЄZhddddќd8dׄZid9d݄Zjd:dZkd;dZlddZod dde2dd?dZpde0dddde1d ddddd d@dZqe1d ddddAdZre1d dddddBdZsdCdZtdCdZudDdZvdDdZwd!d&dZxdDdZydDdZzdEdZ{ d!dFdZ|ddZ}dGdHdZ~dId Zd*d ZdJd ZdCd Zdddddd dddd dKdZdJdZd*dZdS(LaZ Multi-provider authentication system for Hermes Agent. Supports OAuth device code flows (Nous Portal, future: OpenAI Codex) and traditional API key providers (OpenRouter, custom endpoints). Auth state is persisted in ~/.hermes/auth.json with cross-process file locking. Architecture: - ProviderConfig registry defines known OAuth providers - Auth store (auth.json) holds per-provider credential state - resolve_provider() picks the active provider via priority chain - resolve_*_runtime_credentials() handles token refresh and key minting - logout_command() is the CLI entry point for clearing auth ) annotationsN)contextmanager) dataclassfield)datetimetimezone)Path)AnyDictListOptional)get_hermes_homeget_config_path)OPENROUTER_BASE_URL.@zhttps://portal.nousresearch.comz)https://inference-api.nousresearch.com/v1 hermes-clizinference:mint_agent_keyixz%https://chatgpt.com/backend-api/codexzhttps://api.githubcopilot.comz acp://copilotapp_EMoamEEZ73f0CkXaXp7hrannz#https://auth.openai.com/oauth/tokenceZdZUdZded<ded<ded<dZded<dZded<dZded <dZded <e e Z d ed <dZ ded<dZ ded<dS)ProviderConfigz%Describes a known inference provider.stridname auth_typeportal_base_urlinference_base_url client_idscope)default_factoryDict[str, Any]extratupleapi_key_env_varsbase_url_env_varN)__name__ __module__ __qualname____doc____annotations__rrrr rdictr#r&r'r$,/home/ubuntu/hermes-agent/hermes_cli/auth.pyrrQs// GGG IIINNNO     IEOOOO!E$777E7777     r.rnousz Nous Portaloauth_device_code)rrrrrrr openai-codexz OpenAI Codexoauth_external)rrrrcopilotzGitHub Copilotapi_key)COPILOT_GITHUB_TOKENGH_TOKEN GITHUB_TOKEN)rrrrr& copilot-acpzGitHub Copilot ACPexternal_processCOPILOT_ACP_BASE_URL)rrrrr'zaiz Z.AI / GLMhttps://api.z.ai/api/paas/v4) GLM_API_KEY ZAI_API_KEY Z_AI_API_KEY GLM_BASE_URL)rrrrr&r' kimi-codingzKimi / Moonshotzhttps://api.moonshot.ai/v1) KIMI_API_KEY KIMI_BASE_URLminimaxMiniMaxz https://api.minimax.io/anthropic)MINIMAX_API_KEYMINIMAX_BASE_URL anthropic Anthropiczhttps://api.anthropic.com)ANTHROPIC_API_KEYANTHROPIC_TOKENCLAUDE_CODE_OAUTH_TOKENalibabazAlibaba Cloud (DashScope)z6https://dashscope-intl.aliyuncs.com/compatible-mode/v1)DASHSCOPE_API_KEYDASHSCOPE_BASE_URL minimax-cnzMiniMax (China)z"https://api.minimaxi.com/anthropic)MINIMAX_CN_API_KEYMINIMAX_CN_BASE_URLdeepseekDeepSeekzhttps://api.deepseek.com/v1)DEEPSEEK_API_KEYDEEPSEEK_BASE_URL ai-gatewayz AI Gatewayzhttps://ai-gateway.vercel.sh/v1)AI_GATEWAY_API_KEYAI_GATEWAY_BASE_URL opencode-zenz OpenCode Zenzhttps://opencode.ai/zen/v1)OPENCODE_ZEN_API_KEYOPENCODE_ZEN_BASE_URL opencode-goz OpenCode Gozhttps://opencode.ai/zen/go/v1)OPENCODE_GO_API_KEYOPENCODE_GO_BASE_URLkilocodez Kilo Codezhttps://api.kilo.ai/api/gateway)KILOCODE_API_KEYKILOCODE_BASE_URL huggingfacez Hugging Facez https://router.huggingface.co/v1)HF_TOKEN HF_BASE_URLzDict[str, ProviderConfig]PROVIDER_REGISTRYzhttps://api.kimi.com/coding/v1r default_url env_overridereturncF|r|S|drtS|S)zReturn the correct Kimi base URL based on the API key prefix. If the user has explicitly set KIMI_BASE_URL, that always wins. Otherwise, sk-kimi- prefixed keys route to api.kimi.com/coding/v1. zsk-kimi-) startswithKIMI_CODE_BASE_URL)r5rhris r/_resolve_kimi_base_urlrns4 *%%"!! r. list[str]cng}tjd}|r||ddtt jdz dz dz fD]Z}||vrt j|r4t j |t j r||[|S)zIReturn candidate ``gh`` binary paths, including common Homebrew installs.ghz/opt/homebrew/bin/ghz/usr/local/bin/ghz.localbin) shutilwhichappendrr homeospathisfileaccessX_OK) candidatesresolved candidates r/_gh_cli_candidatesrsJ|D!!H$(###  DIKK( "U *T 122))  " "  7>>) $ $ )9bg)F)F )   i ( ( ( r. Optional[str]c^tD]} tj|ddgddd}n?#ttjf$r&}t d||Yd}~Vd}~wwxYw|jdkr4|j r|j cSdS) zGReturn a token from ``gh auth token`` when the GitHub CLI is available.authtokenT)capture_outputtexttimeoutz#gh CLI token lookup failed (%s): %sNr) r subprocessrunFileNotFoundErrorTimeoutExpiredloggerdebug returncodestdoutstrip)gh_pathresultexcs r/_try_gh_cli_tokenrs%'' ) ) ^&'*# FF ":#<=    LL> M M M HHHH    ! !fm&9&9&;&; !=&&(( ( ( ( 4s.A*A%%A*> ***** your-api-key*nonenulldummyexamplechangeme placeholder your_api_key) min_lengthvaluer rintboolct|tsdS|}t||krdS|t vrdSdS)zIReturn True when a configured secret looks usable, not empty/placeholder.FT) isinstancerrlenlower_PLACEHOLDER_SECRET_VALUES)rrcleaneds r/has_usable_secretr4sZ eS ! !ukkmmG 7||j  u}}444u 4r. provider_idpconfigtuple[str, str]cR|dkrZ ddlm}|\}}|r||fSn=#t$r%}td|Yd}~nd}~wt $rYnwxYwdS|jD]>}tj|d }t|r||fcS?dS)zDResolve an API-key provider's token and indicate where it came from.r4r)resolve_copilot_tokenz#Copilot token validation failed: %sN)rrr) hermes_cli.copilot_authr ValueErrorrwarning Exceptionr&rwgetenvrr)rrrrsourcerenv_varvals r/ _resolve_api_key_provider_secretr@s i  E E E E E E1133ME6 %f}$ % G G G NN@# F F F F F F F F    D v+  i$$**,, S ! ! <     6s" AA  AA))globalr=glm-5Global)cnz$https://open.bigmodel.cn/api/paas/v4rChina)z coding-globalz#https://api.z.ai/api/coding/paas/v4glm-4.7zGlobal (Coding Plan))z coding-cnz+https://open.bigmodel.cn/api/coding/paas/v4rzChina (Coding Plan) @rfloatOptional[Dict[str, str]]c tD]\}}}} tj|dd|dd|ddddd gd | }|jd kr%td ||||||dcStd||j#t $r&}td||Yd}~d}~wwxYwdS)zProbe z.ai endpoints to find one that accepts this API key. Returns {"id": ..., "base_url": ..., "model": ..., "label": ...} for the first working endpoint, or None if all fail. z/chat/completionsBearer application/json) Authorization Content-TypeFruserping)rolecontent)modelstream max_tokensmessages)headersjsonrzZ.AI endpoint probe: %s (%s) OK)rbase_urlrlabelz#Z.AI endpoint probe: %s returned %sz"Z.AI endpoint probe: %s failed: %sN) ZAI_ENDPOINTShttpxpost status_coderrr)r5rep_idrrrresprs r/detect_zai_endpointrjs? *7KK%x K:...%8w%8%8$6 ##"#*0V!D!D E      D3&& >xPPP (""  LL>tGW X X X X K K K LL=uc J J J J J J J J K 4sAB *!B  B<B77B<c.eZdZdZdddddfdZxZS) AuthErrorz,Structured auth error with UX mapping hints.rNFprovidercoderelogin_requiredmessagerrrrrrrjNonectt|||_||_||_dSN)super__init__rrr)selfrrrr __class__s r/rzAuthError.__init__s9 !!!   0r.) rrrrrrrrrjr)r(r)r*r+r __classcell__)rs@r/rrsX66 "!& 1 1 1 1 1 1 1 1 1 1 1 1r.rerrorrct|tst|S|jr|dS|jdkr dS|jdkr dS|jdkr|dSt|S)z2Map auth failures to concise user-facing guidance.z' Run `hermes model` to re-authenticate.subscription_requiredzfNo active paid subscription found on Nous Portal. Please purchase/activate a subscription, then retry.insufficient_creditszTSubscription credits are exhausted. Top up/renew credits in Nous Portal, then retry.temporarily_unavailablez Please retry in a few seconds.)rrrrr)rs r/format_auth_errorrs eY ' '5zz A@@@@ z,,, C   z+++ ?   z...8888 u::r.rct|tsdS|}|sdStj|dddS)zJReturn a short hash fingerprint for telemetry without leaking token bytes.Nutf-8 )rrrhashlibsha256encode hexdigest)rrs r/_token_fingerprintrsd eS ! !tkkmmG t >'..11 2 2 < < > >ss CCr.c|tjdd}|dvS)NHERMES_OAUTH_TRACEr>1onyestrue)rwrrr)raws r/_oauth_trace_enabledrs8 )(" - - 3 3 5 5 ; ; = =C , ,,r. sequence_ideventrfieldsrc tsdSd|i}|r||d<||tdt j|dddS)Nrrzoauth_trace %sTF) sort_keys ensure_ascii)rupdaterinfordumps)rrrpayloads r/ _oauth_tracer sp  ! !&.G-!,  NN6 KK $*WSX"Y"Y"YZZZZZr.r c$tdz S)N auth.json)rr$r.r/_auth_file_pathrs   { **r.cDtdS)Nz.lock)r with_suffixr$r.r/_auth_lock_pathrs    ( ( 1 11r.timeout_secondsc#KttdddkrLtxjdz c_ dVtxjdzc_n#txjdzc_wxYwdSt}|jddt 8t1dt_ dVdt_n#dt_wxYwdStrH|r| j dkr| dd | trd nd 5}tj td |z} t r?t j|t jt jznG|dtj|tjdnX#t,t.t0f$r=tj |krt3d tjdYnwxYwdt_ dVdt_t r3t j|t jntr` |dtj|tjdn#t.t:f$rYnwxYwn#dt_t r2t j|t jwtr` |dtj|tjdw#t.t:f$rYwwxYwwxYwddddS#1swxYwYdS)zCCross-process advisory lock for auth.json reads+writes. Reentrant.depthrrNTparentsexist_ok rencodingzr+za+g?z%Timed out waiting for auth store lockg?)getattr_auth_lock_holderrrparentmkdirfcntlmsvcrtexistsstatst_size write_textopentimemaxflockfilenoLOCK_EXLOCK_NBseeklockingLK_NBLCKBlockingIOErrorOSErrorPermissionError TimeoutErrorsleepLOCK_UNLK_UNLCKIOError)r lock_path lock_filedeadlines r/_auth_store_lockr;s '1--111$ ) EEE  # #q ( # # #  # #q ( # # # # # #!!I 4$777 }"# ( EEE&'  # #a  # ' ' ' '4y''))4Y^^-=-=-E-J-JS7333 0D 1 1Y9;;S/!:!:: ! !KK 0 0 2 2EMEM4QRRRRNN1%%%N9#3#3#5#5vJJJ#Wo> ! ! !9;;(**&'NOOO 4      ! !#$  EEE&'  #  I,,.. >>>> NN1%%%N9#3#3#5#5vJJJJ)D  '(  #  I,,.. >>>> NN1%%%N9#3#3#5#5vJJJJ)D  -sA A$.B??C ?&O &B G43O 4AIO IO L A O +AK32O 3LO LO  A N9AN! N9!N5 2N94N5 5N99O  O O  auth_fileOptional[Path]r"c|p t}|s tidS tj|}n#t $r tidcYSwxYwt|trht| dts(t| dtr| di|St|trPt| dtr(|d}i}d|vr |d|d<t||rdnddStidS)N)version providersr@credential_poolsystems nous_portalr0)r?r@active_provider) rr"AUTH_STORE_VERSIONrloads read_textrrr-get setdefault)r<rrBr@s r/_load_auth_storerJs._..I     @-B???@j,,..// @@@-B?????@#t377;''.. cgg/00$ 7 7 {B''' #tBCGGI,>,>!E!EBi. G # # ' 6If -I-6#@66DBB B* ; ;;s&AA.-A. auth_storecBt}|jddt|d<t jt j|d<tj |ddz}| |j dtjd tjj} |d d 5}|||tj|dddn #1swxYwYtj|| tjt1|jtj}n#t4$rd}YnwxYw|C tj|tj|n#tj|wxYw |r|nO#t4$rYnCwxYw# |r|ww#t4$rYwwxYwxYw |t>j t>j!zn#t4$rYnwxYw|S) NTrr? updated_at)indent z.tmp..wrr)"rrrrErnowrutc isoformatrr  with_namerrwgetpiduuiduuid4hexr&writeflushfsyncr*replacerO_RDONLYr1closer"unlinkchmodr#S_IRUSRS_IWUSR)rKr<r tmp_pathhandledir_fds r/_save_auth_storerh;s!!I 4$777.Jy'|HL99CCEEJ|jA...5G""in#[#[29;;#[#[IY#[#[\\H ]]3] 1 1 &V LL ! ! ! LLNNN HV]]__ % % % & & & & & & & & & & & & & & & 8Y''' WS!122BK@@FF   FFF    !               "!!!    D     "!!!! "    D   t|34444      s H""AD>2 H">EH"EH"1FH" F H"F  H"&G:H"G%%H")(H HH"I$(I I IIII",J JJOptional[Dict[str, Any]]c|d}t|tsdS||}t|trt|ndS)Nr@)rHrr-)rKrr@states r/_load_provider_staterl_sZ{++I i & &t MM+ & &E$UD11 ;4;;;t;r.rkc|di}t|ts i|d<|d}|||<||d<dS)Nr@rD)rIrr-)rKrrkr@s r/_save_provider_staterngsX%%k266I i & &,"$ ;{+ "Ik$/J !!!r.ct}|d}t|tsi}|t|S||}t|trt |ngS)z>+ , ,D dD ! !Dzzxx ,,%/0@$%G%G O4 ! ! !ROr.entriesList[Dict[str, Any]]ct5t}|d}t|tsi}||d<t |||<t |cdddS#1swxYwYdS)z7Persist one provider's credential pool under auth.json.rAN)r;rJrHrr-rprh)rrtrKrqs r/write_credential_poolrw|s   ,,%'' ~~/00$%% 1D,0J( ) MM[ ++,,,,,,,,,,,,,,,,,,sA A<<BBc>t}t||S)z4Return persisted auth state for a provider, or None.)rJrl)rrKs r/get_provider_auth_staterys!##J  K 8 88r.cHt}|dS)z8Return the currently active provider ID from auth store.rD)rJrHrKs r/get_active_providerr|s !##J >>+ , ,,r.c$t5t}|p|d}|s ddddS|di}t|tsi}||d<|d}t|tsi}||d<d}||vr||=d}||vr||=d}|s ddddS|d|krd|d<t |dddn #1swxYwYdS)z Clear auth state for a provider. Used by `hermes logout`. If provider_id is None, clears the active provider. Returns True if something was cleared. rDNFr@rAT)r;rJrHrr-rh)rrKtargetr@rqcleareds r/clear_provider_authrs   %%%'' A /@ A A  %%%%%%%% NN;33 )T** 0I&/J{ #~~/00$%% 1D,0J( ) Y  &!G T>>V G 3%%%%%%%%4 >>+ , , 6 6,0J( )$$$9%%%%%%%%%%%%%%%: 4s)DA:D -DD  D ct5t}d|d<t|ddddS#1swxYwYdS)z Clear active_provider in auth.json without deleting credentials. Used when the user switches to a non-OAuth provider (OpenRouter, custom) so auto-resolution doesn't keep picking the OAuth provider. NrD)r;rJrhr{s r/deactivate_providerrs   %%%'' (, $%$$$%%%%%%%%%%%%%%%%%%s#?AA)explicit_api_keyexplicit_base_url requestedrrcX|pd}iddddddddddd dd d d d d dddddddddddddddddidddddddddd d!d d"d d#d$d%d$d&d'd(d'd)d'd*d+d,d+d-d+d.d+d/d+d+d+d+d0}|||}|d1krd1S|d+krd+S|tvr|S|dkrt d2|d3d45|s|rd1S t }|d6}|r/|tvr&t |}|d7r|Sn2#t$r%}t d8|Yd9}~nd9}~wwxYwttj d:s!ttj d;rd1St D]J\} } | jdd?5)@a~ Determine which inference provider to use. Priority (when requested="auto" or None): 1. active_provider in auth.json with valid credentials 2. Explicit CLI api_key/base_url -> "openrouter" 3. OPENAI_API_KEY or OPENROUTER_API_KEY env vars -> "openrouter" 4. Provider-specific API keys (GLM, Kimi, MiniMax) -> that provider 5. Fallback: "openrouter" autoglmr<zz-aizz.aizhipukimirBmoonshotz minimax-chinarQ minimax_cnclauderIz claude-codegithubr4zgithub-copilotz github-modelsz github-modelzgithub-copilot-acpr9zcopilot-acp-agent aigatewayrXvercelzvercel-ai-gatewayopencoder[zenhfrdz hugging-facezhuggingface-hubgor^zopencode-go-subkiloraz kilo-codez kilo-gatewaylmstudiocustomz lm-studio lm_studioollamavllm)llamacppz llama.cppz llama-cpp openrouterzUnknown provider 'z'.invalid_provider)rrD logged_inz)Could not detect active auth provider: %sNOPENAI_API_KEYOPENROUTER_API_KEYr5rzNo inference provider configured. Run 'hermes model' to choose a provider and model, or set an API key (OPENROUTER_API_KEY, OPENAI_API_KEY, etc.) in ~/.hermes/.env.no_provider_configured)rrrHrgrrJget_auth_statusrrrrrwritemsrr&) rrr normalized_PROVIDER_ALIASESrKactivestatusepidrrs r/resolve_providerrs %v,,..4466J ue%+U4;U )= (4\ +  -k  )  .y    %3I  m.A- \$,\ m,]=N} m/   (6DZ H*86A( (#H;CH!$#&&z:>>J\!!|Xx&&&V / / / /#    ,|E%''  122  f 111$V,,Fzz+&&  EEE @!DDDDDDDDE#344559J29UiKjKj9k9k|*//11   W   ) )  )   /  G 7B!7!788      3&    s,AE E0 E++E0Optional[float]clt|tr|sdS|}|sdS|dr |dddz} t j|}n#t $rYdSwxYw|j |tj }| S)NZ+00:00)tzinfo) rrrendswithr fromisoformatrrr^rrT timestamp)rrparseds r/_parse_iso_timestampr(s eS ! !t ;;==D t }}S$CRCy8#'-- tt }x|44     sA** A87A8expires_at_iso skew_secondsc\t|}|dS|tj|zkS)NT)rr')rr expires_epochs r/ _is_expiringr9s0(88Mt TY[[<7 88r. expires_inch t|}n#t$rd}YnwxYwtd|S)Nr)rrr()rttls r/_coerce_ttl_secondsr@sF*oo  q#;;s  !!ct|tsdS|d}|r|ndS)N/)rrrrstrip)rrs r/_optional_base_urlrHsC eS ! !tkkmm""3''G '774'r.ct|tr|ddkriS|dd}|ddt |dzz dzzz } t j|d}tj | d}n#t$ricYSwxYwt|tr|niS)NrQrNr=rr) rrcountsplitrbase64urlsafe_b64decoderrrFdecoderr-)rr rclaimss r/_decode_jwt_claimsrOs eS ! !U[[%5%5%:%: kk#q!G sq3w<'>??CJJw//00  -- 56625s+AB:: C C  access_tokenc t|}|d}t|ttfsdSt |t jt dt|zkS)NexpFr)rrHrrrr'r()rrrrs r/_codex_access_token_is_expiringr\si  - -F **U  C cC< ( (u ::$)++AsRefresh Codex OAuth tokens without mutating Hermes auth state.rr2rTr@Acceptr)rrr!application/x-www-form-urlencodedr) grant_typerr)rdataNrcodex_refresh_failedz'Codex token refresh failed with status rQFrerror_descriptionrzCodex token refresh failed: > invalid_grant invalid_tokeninvalid_requestz*Codex token refresh returned invalid JSON.codex_refresh_invalid_jsonrz6Codex token refresh response was missing access_token."codex_refresh_missing_access_tokenrr)rrr)rrrrrTimeoutr(rClientrCODEX_OAUTH_TOKEN_URLCODEX_OAUTH_CLIENT_IDrrr-rHrrrSrrTrUr^)rrrrclientresponserrrerrerr_codeerr_descrefresh_payloadrrefreshed_accessupdated next_refreshs r/refresh_codex_oauth_purers  mS ) ) 1D1D1F1F  Y#3!     mCU?%;%;<<==G g:L/M N N N  RX;; !#%HI-!.2                  s""%SH>++D77#677M3779;M;Mh,,P1A1APOX^^=M=MOOG    D  H H H#  #-     "--//  8#-!      '**>:: & , , 4D4J4J4L4L  D#5!     )..00&,,.. X\22<<>>FFxQTUUG #&&77L,$$8););)=)=8#/#5#5#7#7 Ns=)B::B>B>!C%G GG1H H)H$$H)c tt|ddpdt|ddpd|}t|}|d|d<|d|d<t ||S)zzRefresh Codex access token using the refresh token. Saves the new tokens to Hermes auth store automatically. rrrr)rrrHr-r)rr refreshedupdated_tokenss r/_refresh_codex_auth_tokensrs) FJJ~r * * 0b11 FJJ + + 1r22'I &\\N%.~%>N>"&/&@N?#~&&& r.cLtjdd}|s#tt jdz }t |dz }|sdS tj | }| d}t|tsdS| dr| dsdSt|S#t$rYdSwxYw) zTry to read tokens from ~/.codex/auth.json (Codex CLI shared file). Returns tokens dict if valid, None otherwise. Does NOT write to the shared file. CODEX_HOMEr.codexrNrrr)rwrrrr rv expanduseris_filerrFrGrHrr-r) codex_home auth_pathr rs r/_import_codex_cli_tokensr s <,,2244J 1x/00 Z  ++-- ;I     t *Y002233X&&&$'' 4zz.)) O1L1L 4F|| ttsAD*DD D#"D#F) force_refreshrefresh_if_expiringrefresh_skew_secondsr rrc\ t}n#t$r}|jdkrt}|retdt dt dt dt|t}nYd}~nd}~wwxYwt|d}t| dd pd  }ttjd d }t|} | s|rt!||} | rt#t%tt&|d z 5td}t|d}t| dd pd  }t|} | s|rt!||} | rGt)||}t| dd pd  }dddn #1swxYwYtjdd  dpt,} d| |d| dddS)z@Resolve runtime credentials from Hermes's own Codex token store.rz?Migrating Codex credentials from ~/.codex/ to Hermes auth storeu?⚠️ Migrating Codex credentials to Hermes's own auth store.z4 This avoids conflicts with Codex CLI and VS Code.z= Run `hermes login` to create a fully independent session. Nrrr$HERMES_CODEX_REFRESH_TIMEOUT_SECONDS20rrFrHERMES_CODEX_BASE_URLrr2zhermes-auth-storerr)rrr5rrr)rrrr rr printrr-rrHrrrwrrrr;r(AUTH_LOCK_TIMEOUT_SECONDSrrDEFAULT_CODEX_BASE_URL) r rrrorig_err cli_tokensrrrefresh_timeout_secondsshould_refreshrs r/!resolve_codex_runtime_credentialsr2s!##  =0 0 0 .//   KKY Z Z Z S T T T H I I I R S S S z * * *%''DD  DDDD"$x. ! !Fvzz."55;<<BBDDL#BI.TVZ$[$[\\-((N ] 3]8G[\\ Q c%8Q2R2RTknqTq.r.r s s s Q Q%E222D$x.))Fvzz."==CDDJJLLL!-00N" e(; e!@Oc!d!d Q3Fz(_request_device_code..s;;;QQd]]q]]]r.z%Device code response missing fields: z, )rraise_for_statusrrjoin)rrrr rrequired_fieldsmissingrs @r/_request_device_coder:s{{ 222  #(0b H  ==??DO<;;;/;;;GWU7ASASUUVVV Kr.r- poll_intervalc&tjtd|z}tdt|t}tj|kr$||dd||d}|jdkr)|} d| vrtd| S |} n1#t$r$| td wxYw| d d } | d krtj || d kr)t|dzd}tj || dpd} t| d| td)zDPoll the token endpoint until the user approves or the code expires.r/api/oauth/tokenz,urn:ietf:params:oauth:grant-type:device_code)rrr-r,rrz+Token response did not include access_tokenz1Token endpoint returned a non-JSON error responserrauthorization_pending slow_downrzUnknown authentication errorz: z*Timed out waiting for device authorization)r'r(min%DEVICE_AUTH_POLL_INTERVAL_CAP_SECONDSrrrrrr6 RuntimeErrorrHr4r3) rrrr-rr;r:current_intervalrr  error_payload error_code descriptions r/_poll_for_tokenrHsy{{SJ///H1c-1VWWXX )++ ;; 0 0 0L&*    3 & &mmooGW,, !NOOON T$MMOOMM T T T  % % ' ' 'RSS S T#&&w33 0 0 0 J' ( ( (   $ $"#3a#7<<  J' ( ( ( #''(;<<^@^ j99K99::: C D DDs 3C.C6c||dd||d}|jdkr-|}d|vrtddd d |S |}n%#t$r}td dd |d}~wwxYwt |dd}t |dpd } |dv} t| d|| )Nr=r)rrrr,rrz%Refresh response missing access_tokenr0rTrzRefresh token exchange failedrrrrrrr)rrrrrrrH) rrrrrr rErrrGrelogins r/_refresh_access_tokenrMsO{{ ,,,)"*  Hs""--//  ( (C%+/TXZZZ ZI  III7!'$@@@EH II }  /:: ; ;Dm''(;<<_@_``K88G K&tg V V VVsA-- B7B  Bmin_ttl_secondsc ||ddd|idtdt|i}|jdkr,|}d|vrt d d d |S |}n%#t $r}t d d d |d}~wwxYwt|dd }t|dpd } |dv} t | d || )z0Mint (or reuse) a short-lived inference API key.z/api/oauth/agent-keyrrrN<)rrrr5zMint response missing api_keyr0 server_errorrrzAgent key mint request failedNrrrKr) rr(rrrrrrrH) rrrrNrr rErrrGrLs r/_mint_agent_keyrSsa{{ 000 ":L":":;R_)=)=!>!> ?H s""--// G # #;%+.BBB BG  GGG7!'n>>>CF GG }  .99 : :Dm''(;<<_@_``K88G K&tg V V VVs6B B-B((B-)rverifyrrT List[str]cxtj|}tj|ddi|5}||dddd|i}d d d n #1swxYwY|jd krd |j} |}t|d p|d p|}n2#t$r%} t d| Yd } ~ nd } ~ wwxYwt|dd|} | d} t| tsgSg} | D]} t| ts| d}t|trT|r@|}d|vr| |dd}| |tt| S)z6Fetch available model IDs from the Nous inference API.rrrrrTrz/modelsrr)rNrz#/models request failed with status rrz'Could not parse error response JSON: %sr0models_fetch_failedrRrrhermesmidrrjr%cj|}d|vrd|fSd|vrd|vrd|fSd|vrd|fSd|fS)NopusrprosonnetrrN)r)rZlows r/_model_priorityz*fetch_nous_models.._model_prioritySsXiikk S==s8O C<N>N]R]^^KK G G G LLBA F F F F F F F F G f;PQQQQmmooG ;;v  D dD ! ! I " "$%%  88D>> h $ $ ")9)9 "..""C399;;&&   S ! ! !NNN'''  i(( ) ))s*3A--A14A1A C D &DD c|d}t|tr|sdSt |d| S)N agent_keyFagent_key_expires_at)rHrrrr)rkrNrbs r/_agent_key_is_usablerlasY ))K C c3  syy{{uEII&<==OO OOr.)rrrrct5t}t|d}|stdddt |dp.t jdpt jdpt d}t|d pt}t||| }|d } |d } t| tr| std ddt|d|s| cdddSt| tr| stdddtj|r|nd} tj| ddi|5} t%| ||| } dddn #1swxYwYt'jt*j}t/| d}| d |d <| d p| |d <| dp|dpd|d<| dp|d|d<||d<||d<t'j||zt*j|d<||d<||d <|dut|tr|ndd|d<t7|d|t9||d cdddS#1swxYwYdS)zKResolve a refresh-aware Nous Portal access token for managed tool gateways.r0&Hermes is not logged into Nous Portal.TrJrHERMES_PORTAL_BASE_URLNOUS_PORTAL_BASE_URLrrrrr,No access token found for Nous Portal login. expires_atN2Session expired and no refresh token is available.rrrrWrrrrr token_typeBearerr obtained_attzFrrr#)r;rJrlrrrHrwrDEFAULT_NOUS_PORTAL_URLrrDEFAULT_NOUS_CLIENT_IDr)rrrrrrMrrSrrTrrU fromtimestamprrnrh)rrrrrKrkrrrTrrrrrrS access_ttls r/resolve_nous_access_tokenrhsm   H%H%%'' $Z88 8!%  uyy):;; < < 'y122 'y/00 '' &++   +..H2HII  (iTYZZZyy00  /22 ,,, L >!%  EIIl335IJJ =H%H%H%H%H%H%H%H%@--- ] D!%  -? LMM \12   - /#+ I               l8<(((|)D)DEE ). 9n!*!?!?!P=o'mmL99`UYY|=T=T`X`l"w//E599W3E3Eg"}}m(l&4 MMOOj (|    )++ l$3 &k%#-fc#:#:D  e  Z777$$$^$QH%H%H%H%H%H%H%H%H%H%H%H%H%H%H%H%H%H%s>E M0%AM0?G M0G# #M0&G# 'E2 3 L ,x|,,C!-!1!1)!$>E. !,8,<,<\,J,JE( ),8,<,<\,J,JE( )(,\-=-=h-N-N(O(OE$ %-0]]__E) *+L,<,<=Q,R,RSSJ 9.8*+O'9'9'9'9'9'9'9'9'9'9'9'9'9'9'9R Ls'KN  NNrrr rc|dpi}t|dd|dd|dd|dt|dt|d d |d t|d |d |d|d|||d|d||S)zRRefresh Nous OAuth from a state dict. Thin wrapper around refresh_nous_oauth_pure.r#rrrrrrrrurvr rwrrrjrkrrr)rHrr{rr)rkrrr rr#s r/refresh_nous_oauth_from_staters ))E   bC " ."%% /2&& +|,, #%<== &(BCC99\844ii!344IIm,,99\**))K(("YY'=>>/'$$''+&&##   r.)rrrrrc tdt|}tjjddt 5t tdstdddt dp.tj d ptj d ptd }t d ptj d ptd }t! dpt"}dMfd }t%||} t'j|r|nd} t+dt-||t/ dt'j| ddi| 5}  d}  d} t3| t r| stdddt5 dt6rt3| t r| stdddt+d d!t/| "t9| ||| #}t;jt>j }tC| d$}| }|dd<| dp| d<| d%p d%pd&d%<| d'p d'd'<t| d }|r|}|"d(<|d$<t;j#|$|zt>j )"d<d} d} t+d*d!t/|t/| +|d,d-}d}|s%tK|rd}t+d./nz t+d0t/| 1tM| || |2}nE#t$r7}t+d3|j'4 d}|j'd5vrt3|t r|rt+d d6t/|"t9| |||#}t;jt>j }tC| d$}|dd<| dp|d<| d%p d%pd&d%<| d'p d'd'<t| d }|r|}|"d(<|d$<t;j#|$|zt>j )"d<d} d} t+d*d6t/|t/| +|d7tM| || |2}nYd}~nd}~wwxYw|t;jt>j }| d8d9<| d:d;<| dd<<| d$d=<t-| d>d-d?<|"d@<t| d }|r|}t+dAt-| d>d-B|d<|d <|d<| d-ut3| t r| nddCdD<dddn #1swxYwY|dEdddn #1swxYwY d9}t3|t r|stdFddGH d<}tQ|}|1tdIt|tSj)z n!tC d=}d|| d;|||rdJndKdLS)Na Resolve Nous inference credentials for runtime use. Ensures access_token is valid (refreshes if needed) and a short-lived inference key is present with minimum TTL (mints/reuses as needed). Concurrent processes coordinate through the auth store file lock. Returns dict with: provider, base_url, api_key, key_id, expires_at, expires_in, source ("cache" or "portal"). rPNrr0rnTrJrrorprrNOUS_INFERENCE_BASE_URLrreasonrrjrc d tdtn8#t$r+}td|t |jd}~wwxYwtd|t dt ddS)Nr0nous_state_persist_failed)rr error_typenous_state_persistedrr)rrrefresh_token_fpaccess_token_fp)rnrhrr typer(rrH)rrrKrrks r/_persist_statez8resolve_nous_runtime_credentials.._persist_stateYs $Z??? ,,,,   / +!#Cyy1    &'!3EIIo4N4N!O!O 2599^3L3L M M       s $ A&AArrnous_runtime_credentials_startr)rrrrrrrWrrqrrrs refresh_startaccess_expiring)rrrrtrrurvr rwrxrefresh_success)rrprevious_refresh_token_fpnew_refresh_token_fppost_refresh_access_expiringFagent_key_reuser mint_start)rrr mint_error)rrrKmint_retry_after_invalid_tokenpost_refresh_mint_retryr5rjrrrkrrrr mint_success)rrrzr#&resolve_nous_runtime_credentials_finalz*Failed to resolve a Nous inference API keyrQrRrcacheportal)rrr5rrrrr)rrrjr)*r(rrXrYrZr;rJrlrrrHrwrr{rrrr|r)rrr rrrrrrrMrrSrrTrrUr}rrlrSrrr')rrrrrrrrrrTrrrrrrSr~previous_refresh_tokenrused_cached_keyrrlatest_refresh_tokenrr5rrrrrKrrks @@@r/ resolve_nous_runtime_credentialsr/s $b#&9":":;;*,,"3B3'K   JAJA%'' $Z88 DD%+dDDD D uyy):;; < < 'y122 'y/00 '' &++  uyy)=>> ? ? *y233 *) &++   +..H2HII         (!(iTYZZZ-? LMM ,#J'' 3/ /0J0JKK     \'H>P3QZ` a a aU ek 99^44L!IIo66MlC00 H  H N)/$HHHHEIIl335VWW( ?!-55L]L#$X-3dLLLL# +,%7 %F%F  2!?'} l8<000|1L1LMM )6&(1.(An%)2)G)G)X=o&&/mmL&A&A&hUYY|E\E\&h`hl#!*w!7!7!M599W;M;Mg 29==AU3V3V W W  7)6&'*}}m$&0l#&.&<MMOOj0X\''')++l# %^4 %o 6 % +,.@AW.X.X);M)J)J =>>>$O59LD "6u>Q"R"RD "&.KHHHHH@ $$/(:<(H(H $3%%1CV$$$LL!666 $$/ X ,199_+E+E($FFF&';SAAG0G%+(3#C-?@T-U-U  %:#)?&/?S%%% 'l8<88%8|9T9T%U%U 09.0In-1:1O1O1gSgo..7mmL.I.I.pUYYWcMdMd.phpl+)2w)?)?)U599WCUCUg(:9==I];^;^(_(_ (?1>./2}}m,.8l+.6.DMMOOj8X\///#)++l+(-^'< (-o(> $-(3#C6HI]6^6^1CM1R1R ''@AAA'6#)?)5GZ(((  % c6p'l8<00%1%5%5i%@%@k"(4(8(8(B(Bn%0<0@0@0N0N,-0<0@0@0N0N,-,01A1A(E1R1R,S,S()14-./ 0@0@AU0V0VWW 4)3&" + 0 05 A ABB(7E# $*'>HVVDE%LeU U U U U U U U U U U U U U U n ?@@@UJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAXii $$G gs # #>7>D!'n>>> >122J(44M  $ As=49;;.//000 +A!B!B C C&))N++  ,:''(  sdFa6+Ja2R<:a< [>H-[94a9[>>E a a6a a6a a66a:=a:c `td}|s dddddddSt|d|d|d|d|d t|d dS) z+Status snapshot for `hermes status` output.r0FN)rrraccess_expires_atrkhas_refresh_tokenrrrrrrkr)ryrrH)rks r/get_nous_auth_statusr,s #F + +E  #"&!%$(!&    %))N3344 99%677#ii(<=="YY|44 % *@ A A!%))O"<"<==   r.cZ t}dtt|d|d|ddS#t$r6}dttt|dcYd}~Sd}~wwxYw) zStatus snapshot for Codex auth.Trrr)rrKrrrF)rrKrN)rrrrHr)credsrs r/get_codex_auth_statusrBs 133o//00!IIn55;//ii))        o//00XX         sA'A** B*4+B%B*%B*ct|}|r |jdkrddiSd}d}t||\}}d}|jr,t j|jd}|dkrt||j |}n |r|}n|j }t|||j ||t|dS)z>>`bH .-07Av|G,,,T+Px/B/B

>#&&- OOC(()   r.ct|}|r |jdkrtd|d|d|jr,t j|jdnd}|s|j}t jddp(t jddpd }t jd d}|rtj |nd d g}|rtj |nd }|s+| dstd|d|d|d|d|p||ddS)z>Resolve runtime details for local subprocess-backed providers.r:rz&' is not an external-process provider.rrRrrrr4rrrNrz(Could not find the Copilot CLI command 'zQ'. Install GitHub Copilot CLI or set HERMES_COPILOT_ACP_COMMAND/COPILOT_CLI_PATH.missing_copilot_clir9rprocess)rr5rrrr)rgrHrrr'rwrrrrrrsrtrlr)rrrrrrrs r/-resolve_external_process_provider_credentialsrs##K00G  g'+=== L L L L #    CJBZbry1266<<>>>`bH .- .3399;;  9' , , 2 2 4 4   y2B77==??H$, F5;x 7I2FD07Av|G,,,T  H$7$7 $E$E  ]w ] ] ] &       OOC((#.w   r.cg}t}|rCtjdz dz }|dt |d|dd|S)a;Scan for credentials from other CLI tools that Hermes can reuse. Returns a list of dicts, each with: - provider: str -- Hermes provider id (e.g. "openai-codex") - path: str -- filesystem path where creds were found - label: str -- human-friendly description for the setup UI rrr2zCodex CLI credentials found (u5) — run `hermes login` to create a separate session)rrxr)r r rvrur)foundr codex_paths r/detect_external_credentialsrst#%E*++J Y[[8+k9  & OOvZvvv     Lr. default_modelct5t}||d<t|dddn #1swxYwYt}|jddi}|rS tj| pi}t|tr|}n#t$ri}YnwxYw| d}t|trt|}nBt|tr+|rd|i}ni}||d<|r-|r|d|d <n|d d|r!| dd } | rd| vr||d<||d<|tj|d |S) aUpdate config.yaml and auth.json to reflect the active provider. When *default_model* is provided the function also writes it as the ``model.default`` value. This prevents a race condition where the gateway (which re-reads config per-message) picks up the new provider before the caller has finished model selection, resulting in a mismatched model/provider (e.g. ``anthropic/claude-opus-4.6`` sent to MiniMax's API). rDNTrrrrrrrFr)r;rJrhrrrr"yaml safe_loadrGrr-rrHrrrpopr% safe_dump) rrrrK config_pathconfigloaded current_model model_cfg cur_defaults r/_update_config_for_providerr sd   %%%'' (3 $%$$$%%%%%%%%%%%%%%% "##KTD999F ^K$9$9$;$;<<BF&$''    FFF JJw''M-&&'' M3 ' 'M,?,?,A,A 3 3 5 56  'Ij(06688( 2 9 9# > > *  j$''' 1mmIr22  1c[00#0Ii F7O4>&EBBBCCC s!#>AA ?C CCct}|s|S tj|pi}n#t $r|cYSwxYwt |ts|S|d}t |trd|d<d|vr t|d<| tj |d|S)z5Reset config.yaml provider back to auto after logout.rrrrFr) rr"rrrGrrr-rHrr%r)rrrs r/_reset_config_providerrKs!##K      5 5 7 788>B  fd # # JJw  E%4"j    3E* 4>&EBBBCCC s(A AArrerc & g}r|vr||D]}||vr||fd d} ddlm} fd|D}|d|d|||ddd d d d }|}|dSt |t |kr||S|t |kr't d} | r| ndSdS#ttf$rYnwxYwt d t|dD]#\} }t d| d |$t |} t d| dzdt d| dzdt  t d| dzd} | sdSt| }d|cxkr| krnn ||dz S|| dzkr't d} | r| ndS|| dzkrdSt d| dzn2#t$rt dYnttf$rYdSwxYw)zeInteractive model selection. Puts current_model first with a marker. Returns chosen model ID or None.c|kr|dS|S)Nu ← currently in user$)rZrs r/_labelz'_prompt_model_selection.._labelms" -  111 1 r.r) TerminalMenuc,g|]}d|S) r$)r3rZrs r/r5z+_prompt_model_selection..xs*999#%s %%999r.z Enter custom model namez Skip (keep current)z-> )fg_greenbold)rTFzSelect default model:) cursor_index menu_cursormenu_cursor_stylemenu_highlight_style cycle_cursor clear_screentitleNzEnter model name: rrz. z. Enter custom model namerNz. Skip (keep current)z Choice [1-z] (default: skip): zPlease enter 1-zPlease enter a number)rusimple_term_menurshowrrinputr ImportErrorNotImplementedError enumeraterrKeyboardInterruptEOFError)rerorderedrZ default_idxrchoicesmenuidxrinchoicers ` @r/_prompt_model_selectionr bsvG&)33}%%%   g   NN3    K 11111199999992333.///| $2!.)    iikk ;4  W  3<  CLL /006688F#-66 -t , -      !"""GQ''''3 %1%%s %%&&&& G A /q1u / / /000 +q1u + + +,,, GGG BABBBCCIIKKF tf++CC}}}}1}}}}}sQw''A344::<<!'1vvT1At +AE++ , , , , + + + ) * * * * *!8,   44 !sOA'D/(D9DD('D(9*I %)I /I ? I I J;JJrgcddlm}m}|}t|dt r ||dd<nd|i|d<||dS)uSave the selected model to config.yaml (single source of truth). The model is stored in config.yaml only — NOT in .env. This avoids conflicts in multi-agent setups where env vars would stomp each other. r) save_config load_configrrN)hermes_cli.configr r rrHr-)rgr r rs r/_save_model_choicersz ;::::::: []]F&**W%%t,,0%-w ""$h/wKr.cztdtdtdtd)z9Deprecated: use 'hermes model' or 'hermes setup' instead.z,The 'hermes login' command has been removed.z2Use 'hermes model' to select a provider and model,z-or 'hermes setup' for full interactive setup.r)r SystemExit)rs r/ login_commandrs; 8999 >??? 9::: Q--r.c t}td td}n#t t f$rd}YnwxYw|dvr[td|dt}ttdtd|d d Sn#t$rYnwxYwt}|rtd td  td }n#t t f$rd}YnwxYw|dvrt|tjdddpt}td|}ttdtdtd|d d Sttdtdtt!}t|d|dtd|dt}ttdddlm} td| dtd|d d S)zNOpenAI Codex login via device code flow. Tokens stored in ~/.hermes/auth.json.z6Existing Codex credentials found in Hermes auth store.z!Use existing credentials? [Y/n]: y)rrrr2rLogin successful! Config updated: z (model.provider=openai-codex)Nz:Found existing Codex CLI credentials at ~/.codex/auth.jsonzOHermes will create its own session to avoid conflicts with Codex CLI / VS Code.zCImport these credentials? (a separate login is recommended) [y/N]: r)rrrrrz=Credentials imported. Note: if Codex CLI refreshes its token,z>DDFFLLNNEE+,   EEE  $ $ $5nhllS]_uFvFvwwK GGG % & & & R{RRR S S S F %      *++J JKKK _``` cddjjllrrttII+,   III   $ $ z * * *y!8"==CCEELLSQQkUkH5nhOOK GGG Q R R R P Q Q Q R{RRR S S S F GGG )*** RSSS GGG $ & &EuX .(A(ABBB-neii Tj>k>kllK GGG <<<<<< -4466 - - -... J{ J J JKKKKKsGC 3AC A*'C )A**A C CC 3EEEc \ ddl}d}t} tjtjd5}||dd|idd i }dddn #1swxYwYn'#t $r}td |d d d}~wwxYw|jdkrtd|jdd d| }| dd}| dd}tdt| dd} |r|stdd dtdtdtd|dtdtd|d td!d"} |} d} tjtjd5}|| z | krz|| ||d#||d$dd i } | jdkr| } n%| jd%vrztd&| jdd d'dddn #1swxYwYn,#t $rtd(t#d)wxYw| td*d d+| d,d}| d-d}|d.}|r|std/d d0 tjtjd5}|t$d,||||d1dd2i3}dddn #1swxYwYn'#t $r}td4|d d5d}~wwxYw|jdkrtd6|jdd d7| }| d8d}| d9d}|std:d d;t'jd|t1jt4jd?d@dAdBdCS)DzBRun the OpenAI device code login flow and return credentials dict.rNzhttps://auth.openai.comr)rz!/api/accounts/deviceauth/usercoderrr)rrzFailed to request device code: r2device_code_request_failedrRrz$Device code request returned status rQdevice_code_request_errorr.rdevice_auth_idr_r15z-Device code response missing required fields.device_code_incompletez!To continue, follow these steps: z# 1. Open this URL in your browser:z z/codex/device z 2. Enter this code:z z/Waiting for sign-in... (press Ctrl+C to cancel)iz/api/accounts/deviceauth/token)r#r.)iiz$Device auth polling returned status device_code_poll_error Login cancelled.z!Login timed out after 15 minutes.device_code_timeoutauthorization_code code_verifierz/deviceauth/callbackzADevice auth response missing authorization_code or code_verifier.device_code_incomplete_exchange)rr redirect_urirr+r)rrzToken exchange failed: token_exchange_failedzToken exchange returned status token_exchange_errorrrz.Token exchange did not return an access_token.token_exchange_no_access_tokenrr)rrrrrz device-code)rrrrr)r'rrrrrrrrrrHr(rr monotonicr4rrrrwrrrrrrSrrTrUr^)_timeissuerrrrr device_datar.r#r;max_waitstart code_resp poll_respr*r+r- token_resprrrrs r/rr s &F%I  \%-"5"5 6 6 6 &;;<<<!9-');<D                    3c 3 3#*F      3 F43C F F F#*E    ))++K R00I __%5r::N3{z3??@@AAM  N  ;#*B     ./// /000 8& 8 8 8999 !""" .) . . ./// ;<<<H OO  EI \%-"5"5 6 6 6 &//##e+h66 M***"KK===,:SS+-?@( (C// ) 0 0I*j88#Wy?TWWW!/6N               &  "###oo /#*?    #';R@@MM/266M222L  ]  O#*K     \%-"5"5 6 6 6 &%"6.$0!*%2 ()LM%  J                    +c + +#*A     $$ Gj.D G G G#*@    __  F::nb11LJJ33M   <#*J     )2..4466==cBB " ! )*   X\22<<>>FFxQTUU   s'A. A" A."A&&A.)A&*A.. B8B  B='J$BJ: JJ  J J J)J;'M?&M3' M?3M77M?:M7;M?? N# NN#, rrrr open_browserrrrrr<c td} |p.tjdptjdp| jd}|ptjdp| jd} |p| j}|p| j}tj |} |rdn|r|nd} trd}td| j d td ||rtd n|rtd |d tj | ddi| 5} t| |||}t|d}t|d}t!|d}t!|d}ttdtd|td||r5t#j|}|rtdntdt'dt)|t*}td|dt-| ||t|d||}d d d n #1swxYwYt/jt2j}t7|dd!}||z}t=|d"p| }|| krtd#|id$|d"|d%|d&|d&p|d'|d'd(d)|d)d*|d*d+|d,t/j |t2j-d|d.| dutC| tr| nd d/d0d d1d d2d d3d d4d d5d }tE|||dd6S)7zMRun the Nous device-code flow and return full OAuth state without persisting.r0rorprrFTzStarting Hermes login via z...zPortal: z'TLS verification: disabled (--insecure)z$TLS verification: custom CA bundle ()rrrW)rrrr r0r.rr1z To continue:z 1. Open: z 2. If prompted, enter code: z# (Opened browser for verification)u= Could not open browser automatically — use the URL above.rz$Waiting for approval (polling every zs)...r-)rrrr-rr;Nrrz%Using portal-provided inference URL: rrr rurvrrrwrrrxr#rzrjrrkrrrr)#rgrwrrrrrr rrrrrrr:rr webbrowserr&r(rArBrHrrSrrTrrHrrrUr}rr)rrrr r<rrrrrrequested_inference_urlrrTrr4verification_urlr.rr1openedeffective_interval token_datarStoken_expires_inrrresolved_inference_urlrs r/_nous_device_code_loginrG s 'G # 9- . . # 9+ , , #  " fSkk   & 9. / / &  % fSkk  .W.I  "W]EmO,,G"*Ri1QTF  8w| 8 8 8999 &_ & &'''C 78888 C AYAAABBB g:L/MV\ ] ] ]# ag*+    {+FGHH K011 \233 {:.//  n .,../// :y::;;;  W_%566F W;<<<<UVVV C2W$X$XYY N5GNNNOOO$+K 677!"    9# # # # # # # # # # # # # # # J ,x| $ $C*:>>,+J+JKK#33J:>>*>??@@ # "!888 N6LNNOOO?4 Y ((1E  jnn\8<<   >2  88 s}} h,ZHLIIISSUU & %#-fc#:#:D   T !" #$ %& D'( )J, )/'    s,D>I66I:=I:c t|ddpd}tt|dd}t|ddp'tjdptjd} t t|d dp|jt|d dp|jt|d dp|jt|d dp|jt|d d |||d }|d}|rdn|r|nd}t5t}t|d|t|} dddn #1swxYwYtd|} ttdtd| td| d |dp|d} t!| t"r| st%dddddlm} | dg} t| rStdt+| dt-| }|r!t/|td |ntd!dSdS#t0$r^}t!|t$rt3|nt#|}ttd"|Yd}~dSd}~wwxYw#t4$rtd#t7d$t0$r&}td%|t7d&d}~wwxYw)'z&Nous Portal device authorization flow.rNrrFrr$r% portal_url inference_urlrr no_browserr:r;rTr0rrrz (model.provider=nous)rjrz,No runtime API key available to fetch modelsrrRr)_PROVIDER_MODELSzShowing u= curated models — use "Enter custom model name" for others.zDefault model set to: z,No curated models available for Nous Portal.z?Login succeeded, but could not fetch available models. Reason: r'r(zLogin failed: r)rrrwrrGrrrr r;rJrnrhrrrHrrrhermes_cli.modelsrLrr rrrrr)rrrrrrrrTrKsaved_tor runtime_keyrLreselected_modelrrs r/ _login_nousrQ s dIt44<OGD*e4455Hk4(( & 9' ( ( & 9_ % % ;,#D,==XAX&t_dCCawGadK66K':K$..?'-$T<???+ &    ((<=&.VUU)5UYYQU    4 4)++J VZ @ @ @' 33H 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 2&:LMM   !""" )x))*** F;FFFGGG _$..55W9W9WKk3// { B#( ; : : : : :(,,VR88I GGG FpYpppqqq!8!C!C!E&~666C>CCDDDDEEEEE _ _ _0:3 0J0JX',,,PSTWPXPXG GGG ]T[]] ^ ^ ^ ^ ^ ^ ^ ^ ^ _  "###oo  $s$$%%%mmsd,B K5 /E; K5E  K5E AK5%C!J K2AK-'K5-K22K551M &!MM ct|dd}|r*|tvr!td|tdt }|p|}|stddS|tvrt|jn|}t |rWttd|dtj drtd dStd dStd |ddS) z Clear auth state for a provider.rNzUnknown provider: rz#No provider is currently logged in.zLogged out of rQrz)Hermes will use OpenRouter for inference.z9Run `hermes model` or configure an API key to use Hermes.zNo auth state found for ) rrgrrr|rrrrwr)rrrr~ provider_names r/logout_commandrTP s-$ D11K{*;;; 0;00111mm " "F  "FF  34446<@Q6Q6Q%f-22W]M6"";    /}///000 9) * * O = > > > > > M N N N N N 9999:::::r.)r5rrhrrirrjr)rjro)rjr)rr rrrjr)rrrrrjr)r)r5rrrrjr)rrrjr)rr rjr)rjr)rrrrrr rjr)rjr )rrr)r<r=rjr")rKr"rjr )rKr"rrrjri)rKr"rrrkr"rjr)rrrjr")rrrtrurjr )rrrjri)rrrjr)rjr)rrrrrrrjr)rr rjr)rr rrrjr)rr rjr)rr rjr)rr rjr")rr rrrjr)rrrjr")rrrrrjr)rrrrrrrjr")rrrrrjr)rjr)r rrrrrrjr")rr rrrrirjr!) rr*rrrrr rrjr")rr*rrrrr-rrrr;rrjr") rr*rrrrrrrjr") rr*rrrrrNrrjr") rrr5rrrrTr!rjrU)rkr"rNrrjr) rrrr rrrrrjr)$rrrrrrrrrrrurr rrwrrrrrjrrkrrrrrrr rrr rrrrjr") rkr"rrrrr rrrrjr") rrrrrr rrrrrjr")rjr")rrrjr")rjru)rrrrrrrjr )r)rerUrrrjr)rgrrjr)rrrjr)rrrrrrr rr<rrrrrrrrrrjr")r+ __future__rrloggingrwrsrr#rrr threadingr'rXr? contextlibr dataclassesrrrrpathlibr typingr r r r rrrrrrr getLoggerr(rr rr!rErr{rr|r!DEFAULT_AGENT_KEY_MIN_TTL_SECONDSrrBrDEFAULT_GITHUB_MODELS_BASE_URLDEFAULT_COPILOT_ACP_BASE_URLrr'CODEX_ACCESS_TOKEN_REFRESH_SKEW_SECONDSrrgr,rmrnrrrrrrrrCrrrrr rrlocalrr;rJrhrlrnrsrwryr|rrrrrrrrrrrrrrr rr)r:rHrMrSrhrlrrrrrrrrrrrrrrr rrrrrGrQrTr$r.r/rbs    #"""""   %%%%%%(((((((('''''''',,,,,,,,,,,, >>>>>>>>000000  8 $ $LLLL EEEMMMM FFF <H%/$+!$'!()%@!@.6=*-'           A0 NN  %/5(    A0NN  "1 A0 ~~  9M !A0.>>  !$7/ /A0< >>  9G'    =A0L>>  7*( MA0\~~  =-+ ]A0l  6\ mA0z~~  (S/- {A0J..  ?0. KA0Z  8., [A0j..  <0. kA0zNN  720 {A0J>>   ;1/   KA0b  <., cA0r>>  =&& sA0AAAAX6    *$   89      B !!!!!P11111 111"4DDDD---- >B[[[[[[++++2222$IO%%.G66666r<<<<<:!!!!H<<<<0000 P P P P P , , , ,9999 ---- #####L % % % %" $W'+'+ WWWWWW|"9999(((( 6 6 6 6CCCCAAAA)-......b % % % % %$" OOOOOOd*2 $ G <<<<<<J $#+/ >6.E.E.E.Ej W W W WFWWWWJ" 6*6*6*6*6*6*rPPPP"## A P%P%P%P%P%P%t#!% $#*.@!##%RRRRRRp A! B A!## vvvvvvz,    &><      !!!!H%%%%X<$(;;;;;|.JJJJJZ"6L6L6L6LrNNNNf&*(,#!#%sssssslEEEEP;;;;;;s$ BBB B%%B/.B/