Replace the loopback/PKCE-callback server and manual-paste fallback with the RFC 8628 device-code flow as the only xAI Grok OAuth login path. The flow works in headless/SSH/container sessions with no 127.0.0.1 listener, shrinking the local attack surface. - Poll the token endpoint with server-provided interval, honoring slow_down and expires_in; store tokens with auth_mode oauth_device_code. - Adaptive proactive refresh skew for short-lived device-code JWTs; rotated tokens sync back to auth.json, the global root store, and the credential pool (no refresh-token replay). - Clear source suppression on successful re-login (CLI + dashboard) and drop the duplicate dashboard pool entry so exactly one seeded device_code entry exists. - Use the shared device_code source name for consistency with the nous/codex device-code providers. - Desktop: remove the loopback OAuth flow states and dead type variants; pkce providers' sign-in URL selection is unchanged. - Docs (EN + zh-Hans) rewritten for device-code login; drop the deleted --manual-paste flag from documented commands.
62 lines
2.1 KiB
Python
62 lines
2.1 KiB
Python
"""``hermes model`` subcommand parser.
|
|
|
|
Extracted verbatim from ``hermes_cli/main.py:main()`` (god-file Phase 2).
|
|
Handler injected to avoid importing ``main``.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from typing import Callable
|
|
|
|
|
|
def build_model_parser(subparsers, *, cmd_model: Callable) -> None:
|
|
"""Attach the ``model`` subcommand to ``subparsers``."""
|
|
# =========================================================================
|
|
# model command
|
|
# =========================================================================
|
|
model_parser = subparsers.add_parser(
|
|
"model",
|
|
help="Select default model and provider",
|
|
description="Interactively select your inference provider and default model",
|
|
)
|
|
model_parser.add_argument(
|
|
"--refresh",
|
|
action="store_true",
|
|
help="Wipe the model picker disk cache and re-fetch every provider's live /v1/models list.",
|
|
)
|
|
model_parser.add_argument(
|
|
"--portal-url",
|
|
help="Portal base URL for Nous login (default: production portal)",
|
|
)
|
|
model_parser.add_argument(
|
|
"--inference-url",
|
|
help="Inference API base URL for Nous login (default: production inference API)",
|
|
)
|
|
model_parser.add_argument(
|
|
"--client-id",
|
|
default=None,
|
|
help="OAuth client id to use for Nous login (default: hermes-cli)",
|
|
)
|
|
model_parser.add_argument(
|
|
"--scope", default=None, help="OAuth scope to request for Nous login"
|
|
)
|
|
model_parser.add_argument(
|
|
"--no-browser",
|
|
action="store_true",
|
|
help="Do not attempt to open the browser automatically during Nous login",
|
|
)
|
|
model_parser.add_argument(
|
|
"--timeout",
|
|
type=float,
|
|
default=15.0,
|
|
help="HTTP request timeout in seconds for Nous login (default: 15)",
|
|
)
|
|
model_parser.add_argument(
|
|
"--ca-bundle", help="Path to CA bundle PEM file for Nous TLS verification"
|
|
)
|
|
model_parser.add_argument(
|
|
"--insecure",
|
|
action="store_true",
|
|
help="Disable TLS verification for Nous login (testing only)",
|
|
)
|
|
model_parser.set_defaults(func=cmd_model)
|