KrustyPlanet/hermes-agent
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
hermes-agent/tests/hermes_cli
History
Ben a618789dba fix(dashboard-auth): share /api/* public allowlist between legacy and OAuth gates 
Two parallel public-path allowlists drifted: _PUBLIC_API_PATHS in
hermes_cli/web_server.py (legacy _SESSION_TOKEN middleware) and
_GATE_PUBLIC_PREFIXES in hermes_cli/dashboard_auth/middleware.py
(OAuth gate). The legacy list included /api/status (documented as a
non-sensitive read-only liveness target); the OAuth gate's list did not.

Effect: every wildcard-subdomain agent surfaced as STARTING/down to the
portal even though the dashboard was serving correctly. Nous account
service (src/server/agents/fly-provider.ts
getInstanceRuntimeStatus) fetches ``/api/status`` without a cookie
as its sole liveness probe; the OAuth gate's 401 looked identical to
'agent dead' on the portal side.

Fix: lift the allowlist into hermes_cli/dashboard_auth/public_paths.py
and have both middlewares import it. _path_is_public now consults
the shared frozenset first, then falls back to the gate's
auth-bootstrap/static prefix list. Future additions to the public list
hit both gates automatically.

Endpoint inventory (verified safe to remain public):

* /api/status            — version, gateway state, active session count,
                           auth-gate shape. Portal liveness probe target.
* /api/config/defaults   — config-defaults feed for the SPA's Config page
* /api/config/schema     — config schema for the SPA's Config page
* /api/model/info        — model catalogue metadata (context windows)
* /api/dashboard/themes  — theme manifests for the skin engine
* /api/dashboard/plugins — plugin manifests for the dashboard

No user data, no session content, no secrets. Same shape an external
monitoring agent would hit on /healthz.

Tests:

* New: test_gated_status_is_public (regression guard with the NAS
  fly-provider.ts liveness-probe rationale spelled out in the docstring)
* New: test_other_public_api_paths_are_public_under_gate (parametrised
  over the rest of PUBLIC_API_PATHS — proves 401 / 302-to-login is
  never the response)
* New: docker integration check #3 in
  test_dashboard_oauth_gate_engaged_by_default — /api/status
  remains 200 under the gate AND reports auth_required=True so the
  portal can distinguish modes
* Updated: test_full_login_round_trip_unlocks_gated_api now probes
  /api/sessions instead of /api/status (status is public, so it
  can no longer distinguish 'logged in' from 'gate accidentally
  disabled')
* Updated: TestApi401Envelope (the no-cookie / invalid-cookie /
  dead-cookie tests) probes /api/sessions for the same reason
* Updated: docker integration check #2 in
  test_dashboard_oauth_gate_engaged_by_default probes
  /api/sessions to prove the gate is intercepting
* Removed: dead _login() helper in
  test_dashboard_auth_status_endpoint.py (no longer needed since
  /api/status is reachable cold)

Companion to docs/handover/hermes-agent-dashboard-s6-insecure-fix.md
(the --insecure flag fix that shipped earlier).
2026-05-29 12:17:12 +10:00
..
__init__.py
conftest.py fix(update): quarantine hermes.exe vs concurrent Windows instance (#26670) (#26677) 2026-05-19 11:10:51 -07:00
conftest_dashboard_auth.py fix(dashboard-auth): use fixed-length sig suffix in stub token framing 2026-05-27 02:12:27 -07:00
test_anthropic_model_flow_stale_oauth.py fix(cli): show masked feedback for secret prompts 2026-05-25 01:20:33 -07:00
test_anthropic_oauth_flow.py fix(cli): show masked feedback for secret prompts 2026-05-25 01:20:33 -07:00
test_anthropic_provider_persistence.py
test_api_key_providers.py remove Vercel AI Gateway and Vercel Sandbox (#33067) 2026-05-27 00:43:32 -07:00
test_apply_model_switch_result_context.py
test_apply_profile_override.py
test_arcee_provider.py remove Vercel AI Gateway and Vercel Sandbox (#33067) 2026-05-27 00:43:32 -07:00
test_argparse_flag_propagation.py Fix CLI verbose tool progress config fallback 2026-05-23 21:03:51 -07:00
test_at_context_completion_filter.py
test_atomic_json_write.py
test_atomic_yaml_write.py
test_auth_codex_provider.py fix(auth): sync manual:device_code Codex pool entries on re-auth (#33744) 2026-05-28 01:33:10 -07:00
test_auth_commands.py test(auth): align copilot-remove test with borrowed-credential policy (#31416) 2026-05-25 01:23:31 -07:00
test_auth_loopback_ssh_hint.py
test_auth_manual_paste.py fix(xai-oauth): accept bare-code manual paste (state=None) (#26923) (#33880) 2026-05-28 05:47:30 -07:00
test_auth_nous_provider.py feat(auth) normalise the way in which we check whether a user has free/paid access to nous portal so we can expose behaviour and error messages accordingly. 2026-05-28 00:19:31 -07:00
test_auth_profile_fallback.py fix(auth): fall back to global auth.json in _load_provider_state 2026-05-27 09:38:58 -07:00
test_auth_provider_gate.py
test_auth_qwen_provider.py fix(cli): validate runtime token refresh capability in Qwen auth status 2026-05-23 17:47:36 -07:00
test_auth_ssl_macos.py
test_auth_toctou_file_modes.py
test_auth_usable_secret.py security: harden API server key placeholder handling (#30738) 2026-05-24 04:25:32 -07:00
test_auth_xai_oauth_provider.py fix(xai-oauth): pin inference base_url to x.ai origin (#28952) 2026-05-19 14:51:21 -07:00
test_aux_config.py
test_azure_detect.py
test_azure_foundry_entra.py
test_backup.py fix(backup): skip symlinked files in zip archives (#25289) 2026-05-25 05:07:52 -07:00
test_banner.py
test_banner_git_state.py fix(docker): bake build-time git SHA into the image 2026-05-28 15:14:05 +10:00
test_banner_pip_update.py
test_banner_skills.py
test_bedrock_model_picker.py
test_build_info.py fix(docker): bake build-time git SHA into the image 2026-05-28 15:14:05 +10:00
test_bundles.py feat(skills): add skill bundles — alias /<name> loads multiple skills (#28373) 2026-05-18 21:38:05 -07:00
test_chat_skills_flag.py
test_claw.py
test_clear_stale_base_url.py
test_cli_output.py fix(cli): show masked feedback for secret prompts 2026-05-25 01:20:33 -07:00
test_cmd_update.py fix(update): stream + idle-kill npm run build so a stalled webui-build can't soft-brick the install (#33803) 2026-05-28 03:34:47 -07:00
test_cmd_update_docker.py test(docker-update): stub subprocess.run in git-install regression guard 2026-05-28 15:50:25 +10:00
test_coalesce_session_args.py
test_codex_cli_model_picker.py
test_codex_models.py fix(codex): drop dead model slugs that HTTP 400 on ChatGPT Pro (#33424) 2026-05-27 12:16:15 -07:00
test_codex_runtime_plugin_migration.py
test_codex_runtime_switch.py
test_commands.py fix(gateway): prioritize Telegram command menu 2026-05-20 19:14:21 -07:00
test_completion.py
test_config.py fix(dashboard): suffix-allowlist plugin assets + denylist subprocess-influencing env vars (#32277) 2026-05-25 15:07:19 -07:00
test_config_drift.py
test_config_env_expansion.py
test_config_env_refs.py
test_config_validation.py
test_container_aware_cli.py
test_container_boot.py fix(container_boot): publish reconciled service dirs atomically 2026-05-24 18:05:33 -07:00
test_copilot_auth.py
test_copilot_catalog_oauth_fallback.py
test_copilot_context.py
test_copilot_in_model_list.py
test_copilot_token_exchange.py
test_cron.py
test_curator_archive_prune.py
test_curator_recent_run_notice.py
test_curator_run.py
test_curator_status.py
test_curses_color_compat.py fix(cli): clamp curses color 8 for 8-color terminals (Docker) 2026-05-21 23:40:58 -07:00
test_custom_provider_context_length.py
test_custom_provider_model_switch.py fix(model): match custom provider by active base url 2026-05-19 14:50:38 -07:00
test_dashboard_auth_401_reauth.py fix(dashboard-auth): share /api/* public allowlist between legacy and OAuth gates 2026-05-29 12:17:12 +10:00
test_dashboard_auth_audit.py feat(dashboard-auth): json-lines audit log at $HERMES_HOME/logs/dashboard-auth.log 2026-05-27 02:12:27 -07:00
test_dashboard_auth_cookies.py feat(dashboard-auth): honour X-Forwarded-Prefix + __Host-/__Secure- cookies 2026-05-27 02:12:27 -07:00
test_dashboard_auth_gate.py feat(dashboard-auth): Nous plugin always-on; default portal URL; specific error messages 2026-05-27 02:12:27 -07:00
test_dashboard_auth_middleware.py fix(dashboard-auth): share /api/* public allowlist between legacy and OAuth gates 2026-05-29 12:17:12 +10:00
test_dashboard_auth_plugin_hook.py feat(plugins): add register_dashboard_auth_provider hook on PluginContext 2026-05-27 02:12:27 -07:00
test_dashboard_auth_prefix.py feat(dashboard-auth): HERMES_DASHBOARD_PUBLIC_URL / dashboard.public_url override 2026-05-27 02:12:27 -07:00
test_dashboard_auth_provider_base.py test(dashboard-auth): cover registry register/get/list/clear semantics 2026-05-27 02:12:27 -07:00
test_dashboard_auth_status_endpoint.py fix(dashboard-auth): share /api/* public allowlist between legacy and OAuth gates 2026-05-29 12:17:12 +10:00
test_dashboard_auth_stub_provider.py test(dashboard-auth): stub auth provider for E2E gate testing 2026-05-27 02:12:27 -07:00
test_dashboard_auth_ws_auth.py fix(dashboard-auth): bypass loopback WS peer check in gated mode 2026-05-27 02:12:27 -07:00
test_dashboard_auth_ws_tickets.py feat(dashboard-auth): single-use WS tickets + POST /api/auth/ws-ticket 2026-05-27 02:12:27 -07:00
test_dashboard_browser_safe_imports.py
test_dashboard_lifecycle_flags.py
test_dashboard_profiles_nav_label.py
test_debug.py fix(debug): redact BlueBubbles webhook secrets 2026-05-24 15:43:48 -07:00
test_dep_ensure.py
test_deprecated_cwd_warning.py
test_destructive_slash_confirm_gate.py
test_detect_api_mode_for_url.py
test_determine_api_mode_hostname.py
test_dingtalk_auth.py
test_discord_skill_clamp_warning.py
test_doctor.py remove Vercel AI Gateway and Vercel Sandbox (#33067) 2026-05-27 00:43:32 -07:00
test_doctor_command_install.py
test_doctor_dedicated_provider_skip.py
test_dump_git_commit.py fix(docker): bake build-time git SHA into the image 2026-05-28 15:14:05 +10:00
test_env_load_cache.py
test_env_loader.py fix(env): strip null bytes from .env before python-dotenv loads 2026-05-23 17:17:05 -07:00
test_env_sanitize_on_load.py
test_fallback_cmd.py fix(fallback): merge fallback_providers with legacy fallback_model configurations 2026-05-23 05:24:57 -07:00
test_gateway.py fix(gateway): harden Windows gateway install lifecycle 2026-05-19 11:23:15 -07:00
test_gateway_linger.py
test_gateway_platform_gating.py
test_gateway_proc_fallback.py
test_gateway_runtime_health.py
test_gateway_s6_dispatch.py feat(docker): auto-redirect gateway run to supervised mode inside s6 image 2026-05-28 12:42:13 +10:00
test_gateway_service.py ci(tests): add pytest-timeout 60s hard cap to break suite-teardown deadlock (#28861) 2026-05-19 17:27:24 -07:00
test_gateway_service_paths.py
test_gateway_windows.py fix(gateway): drain on Windows hermes gateway stop so sessions survive restart (#33798) 2026-05-28 03:25:32 -07:00
test_gateway_wsl.py ci(tests): add pytest-timeout 60s hard cap to break suite-teardown deadlock (#28861) 2026-05-19 17:27:24 -07:00
test_gemini_free_tier_setup_block.py
test_gemini_provider.py
test_gmi_provider.py remove Vercel AI Gateway and Vercel Sandbox (#33067) 2026-05-27 00:43:32 -07:00
test_goals.py
test_hooks_cli.py
test_ignore_user_config_flags.py
test_image_gen_picker.py fix(auth): refresh Nous entitlement in tool menus 2026-05-28 00:19:31 -07:00
test_install_cua_driver.py fix(cli): pre-check CUA release asset for Intel macOS before install 2026-05-21 19:17:45 -07:00
test_inventory.py fix(model picker): unify /model and hermes model lists, add disk cache (#33867) 2026-05-28 11:33:16 -07:00
test_kanban_blocked_sticky.py test(kanban): cover sticky blocks for worker-initiated kanban_block (#28712) 2026-05-19 17:26:23 -07:00
test_kanban_boards.py
test_kanban_cli.py feat(kanban): configure worktree paths and branches 2026-05-18 21:33:08 -07:00
test_kanban_core_functionality.py test(kanban): update dispatcher tick counter for hoisted zombie reaper 2026-05-27 14:31:55 -07:00
test_kanban_db.py fix(kanban): content-addressed corrupt-DB backup filename 2026-05-28 03:38:09 -07:00
test_kanban_db_init.py
test_kanban_decompose.py
test_kanban_decompose_db.py
test_kanban_default_assignee.py feat(kanban): default_assignee fallback + per-profile concurrency cap (#27145, #21582) (#34244) 2026-05-28 19:02:55 -07:00
test_kanban_diagnostics.py
test_kanban_notify.py fix(tests): allowlist tmp_path for kanban_notify artifact delivery (#30852) 2026-05-23 02:34:34 -07:00
test_kanban_per_profile_cap.py feat(kanban): default_assignee fallback + per-profile concurrency cap (#27145, #21582) (#34244) 2026-05-28 19:02:55 -07:00
test_kanban_promote.py feat(kanban): --ids bulk promote + AUTHOR_MAP entry for #29464 2026-05-23 23:10:36 -07:00
test_kanban_specify.py
test_kanban_specify_db.py
test_kanban_swarm.py
test_kanban_worker_image_extraction.py feat(kanban): attach images referenced in task bodies to worker vision (#34210) 2026-05-28 17:50:42 -07:00
test_launcher.py
test_list_picker_providers.py
test_logs.py
test_managed_installs.py fix(tests): catch up 25 stale tests after recent merges (#28626) 2026-05-19 01:28:32 -07:00
test_mcp_add_command_dest.py
test_mcp_catalog.py feat(mcp): Nous-approved MCP catalog with interactive picker (#30870) 2026-05-26 12:48:14 -07:00
test_mcp_config.py
test_mcp_reload_confirm_gate.py
test_mcp_tools_config.py feat(mcp): Nous-approved MCP catalog with interactive picker (#30870) 2026-05-26 12:48:14 -07:00
test_memory_reset.py
test_migrate_xai.py fix(xai): align migrate retirement map with docs 2026-05-20 09:18:23 -07:00
test_model_catalog.py
test_model_normalize.py
test_model_picker_viewport.py
test_model_provider_persistence.py
test_model_switch_context_display.py
test_model_switch_copilot_api_mode.py
test_model_switch_custom_providers.py fix(model-switch): mark bare custom provider as current 2026-05-19 10:57:35 -07:00
test_model_switch_opencode_anthropic.py
test_model_switch_variant_tags.py
test_model_validation.py feat(opencode-go): route qwen3.7-max via anthropic_messages 2026-05-26 20:44:43 -07:00
test_models.py feat(auth) normalise the way in which we check whether a user has free/paid access to nous portal so we can expose behaviour and error messages accordingly. 2026-05-28 00:19:31 -07:00
test_models_dev_preferred_merge.py
test_non_ascii_credential.py
test_nous_account.py feat(auth) normalise the way in which we check whether a user has free/paid access to nous portal so we can expose behaviour and error messages accordingly. 2026-05-28 00:19:31 -07:00
test_nous_auth_status_cache.py
test_nous_hermes_non_agentic.py
test_nous_inference_url_validation.py fix(security): wire Nous URL allowlist into refresh / mint persistence sites 2026-05-22 14:17:40 -07:00
test_nous_subscription.py fix(auth): refresh Nous entitlement in tool menus 2026-05-28 00:19:31 -07:00
test_ollama_cloud_auth.py
test_ollama_cloud_provider.py
test_openai_codex_model_validation_fallback.py
test_opencode_go_flat_namespace.py
test_opencode_go_in_model_list.py
test_opencode_go_validation_fallback.py
test_overlay_slug_resolution.py
test_path_completion.py
test_pin_kanban_board_env.py
test_pip_install_detection.py
test_placeholder_usage.py
test_plugin_auxiliary_tasks.py feat(plugins): add register_auxiliary_task() to PluginContext API 2026-05-23 17:49:47 -07:00
test_plugin_cli_registration.py
test_plugin_scanner_recursion.py
test_plugins.py
test_plugins_cmd.py fix(cli): show masked feedback for secret prompts 2026-05-25 01:20:33 -07:00
test_plugins_transcription_registration.py feat(stt): add register_transcription_provider() plugin hook 2026-05-25 01:41:19 -07:00
test_plugins_tts_registration.py feat(tts): add register_tts_provider() plugin hook (closes #30398) 2026-05-24 18:04:54 -07:00
test_post_setup_gating.py
test_profile_describer.py
test_profile_distribution.py fix(profile): reject symlinks in distributions (#25292) 2026-05-25 05:07:58 -07:00
test_profile_export_credentials.py
test_profiles.py
test_profiles_s6_hooks.py fix(profiles): short-circuit s6 hooks on host before importing service_manager 2026-05-24 18:07:47 -07:00
test_project_plugin_rce_bypass.py test(plugins): regression coverage for project-plugin RCE chain (#29156) 2026-05-23 01:43:52 -07:00
test_prompt_api_key.py fix(cli): show masked feedback for secret prompts 2026-05-25 01:20:33 -07:00
test_provider_config_validation.py
test_proxy.py test(xai-proxy): regression coverage for #28932 429 handling 2026-05-28 02:36:37 -07:00
test_psutil_android_extract.py fix(android): reject unsafe tar members in psutil compatibility installer 2026-05-28 02:36:09 -07:00
test_pty_bridge.py test: use subprocesses for each test file (#29016) 2026-05-21 16:40:04 +05:30
test_reasoning_effort_menu.py
test_redact_config_bridge.py
test_regression_16767.py
test_relaunch.py
test_resolve_last_session.py
test_run_with_idle_timeout.py fix(update): stream + idle-kill npm run build so a stalled webui-build can't soft-brick the install (#33803) 2026-05-28 03:34:47 -07:00
test_runtime_provider_resolution.py remove Vercel AI Gateway and Vercel Sandbox (#33067) 2026-05-27 00:43:32 -07:00
test_secret_prompt.py fix(cli): show masked feedback for secret prompts 2026-05-25 01:20:33 -07:00
test_security_advisories.py
test_security_audit.py feat(security): on-demand supply-chain audit via OSV.dev (#31460) 2026-05-24 15:15:16 -07:00
test_send_cmd.py
test_service_manager.py fix(docker): align HOME for dashboard and s6 gateway services (#33481) 2026-05-28 13:42:27 +10:00
test_session_browse.py
test_session_handoff.py
test_session_recap.py
test_sessions_delete.py
test_set_config_value.py remove Vercel AI Gateway and Vercel Sandbox (#33067) 2026-05-27 00:43:32 -07:00
test_setup.py remove Vercel AI Gateway and Vercel Sandbox (#33067) 2026-05-27 00:43:32 -07:00
test_setup_agent_settings.py
test_setup_hermes_script.py
test_setup_irc.py
test_setup_matrix_e2ee.py
test_setup_model_provider.py fix(cli): preserve setup config picker writes 2026-05-19 14:23:19 -07:00
test_setup_noninteractive.py
test_setup_ollama_cloud_force_refresh.py
test_setup_openclaw_migration.py fix(tests): catch up 25 stale tests after recent merges (#28626) 2026-05-19 01:28:32 -07:00
test_setup_prompt_menus.py fix(cli): show masked feedback for secret prompts 2026-05-25 01:20:33 -07:00
test_setup_reconfigure.py
test_signal_handler_kanban_worker.py fix(kanban): SIGTERM on worker must terminate the process (#28181) 2026-05-28 11:59:58 -07:00
test_skills_config.py
test_skills_hub.py fix(skills-hub): stop ellipsis-truncating the Identifier column (#33810) 2026-05-28 04:53:13 -07:00
test_skills_install_flags.py
test_skills_skip_confirm.py
test_skills_subparser.py
test_skin_engine.py
test_slack_cli.py
test_spotify_auth.py
test_startup_plugin_gating.py
test_status.py fix(auth): refresh Nous entitlement in tool menus 2026-05-28 00:19:31 -07:00
test_status_model_provider.py feat(auth) normalise the way in which we check whether a user has free/paid access to nous portal so we can expose behaviour and error messages accordingly. 2026-05-28 00:19:31 -07:00
test_subparser_routing_fallback.py
test_subprocess_timeouts.py
test_suppress_eio_on_interrupt.py
test_teams_pipeline_plugin_cli.py
test_tencent_tokenhub_provider.py remove Vercel AI Gateway and Vercel Sandbox (#33067) 2026-05-27 00:43:32 -07:00
test_terminal_menu_fallbacks.py
test_timeouts.py fix(codex): size and propagate timeouts for Responses-API requests; lower stale defaults 2026-05-25 01:47:55 -07:00
test_tips.py
test_tool_token_estimation.py
test_tools_config.py fix: expose context engine tools with saved toolsets 2026-05-28 00:28:42 -07:00
test_tools_disable_enable.py
test_tts_picker.py feat(tts): add register_tts_provider() plugin hook (closes #30398) 2026-05-24 18:04:54 -07:00
test_tui_bundled.py
test_tui_mouse_residue_suppression.py fix(tui): suppress mouse-residue leaks during Python launcher startup (#31213) 2026-05-27 22:03:45 -05:00
test_tui_npm_install.py fix(tui): surface verbose tool details (#30225) 2026-05-22 00:16:52 -05:00
test_tui_resume_flow.py perf(termux): speed up bare cli prompt startup 2026-05-22 14:27:38 -07:00
test_update_autostash.py
test_update_check.py
test_update_concurrent_quarantine.py test+harden(cli): cover parent-chain walk in concurrent-instance detection 2026-05-24 19:51:46 -07:00
test_update_config_clears_custom_fields.py
test_update_hangup_protection.py
test_update_post_pull_syntax_guard.py feat(update): syntax-validate critical files post-pull, auto-rollback on failure (#28669) 2026-05-19 03:01:02 -07:00
test_update_stale_dashboard.py
test_update_yes_flag.py
test_update_zip_symlink_reject.py fix(tests): four pre-existing flakes from the security cluster merge (#32072) 2026-05-25 05:50:29 -07:00
test_user_providers_model_switch.py
test_video_gen_picker.py
test_voice_wrapper.py
test_web_oauth_dispatch.py
test_web_server.py remove Vercel AI Gateway and Vercel Sandbox (#33067) 2026-05-27 00:43:32 -07:00
test_web_server_cron_profiles.py fix(cron): reject id mutation + validate output paths under OUTPUT_DIR 2026-05-25 01:15:24 -07:00
test_web_server_host_header.py fix(dashboard): validate WebSocket Host and Origin 2026-05-24 15:00:44 -07:00
test_web_server_oauth_write.py Protect dashboard OAuth credentials with the same file-safety guarantees as other auth paths 2026-05-24 17:47:24 -07:00
test_web_ui_build.py fix(update): stream + idle-kill npm run build so a stalled webui-build can't soft-brick the install (#33803) 2026-05-28 03:34:47 -07:00
test_webhook_cli.py fix(state): restrict sensitive store file permissions 2026-05-24 04:55:18 -07:00
test_whatsapp_setup_ordering.py
test_xai_oauth_pkce_token_exchange.py
test_xai_provider_labels.py fix(model): include Premium+ in xAI OAuth label 2026-05-24 18:12:16 -07:00
test_xai_retirement.py fix(xai): align migrate retirement map with docs 2026-05-20 09:18:23 -07:00
test_xiaomi_provider.py remove Vercel AI Gateway and Vercel Sandbox (#33067) 2026-05-27 00:43:32 -07:00