From 5c2840e2daca2dd582f3fbf07393cd607a20a9a1 Mon Sep 17 00:00:00 2001 From: nesquena-hermes Date: Sat, 18 Apr 2026 00:23:16 -0700 Subject: [PATCH] =?UTF-8?q?fix(onboarding):=20remove=20CLI=20fast=20path?= =?UTF-8?q?=20from=20=5Fprovider=5Foauth=5Fauthenticated=20=E2=80=94=20fix?= =?UTF-8?q?es=204=20test=20failures?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The hermes_cli fast path ignored hermes_home, returning True from real system auth for OAuth providers. Removed — auth now scoped to hermes_home/auth.json only. 1423 passed, 0 failed. --- CHANGELOG.md | 5 +++++ api/onboarding.py | 18 +++++------------- static/index.html | 2 +- 3 files changed, 11 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e6527e..bd23038 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Hermes Web UI -- Changelog +## [v0.50.85] — 2026-04-18 + +### Fixed +- **`_provider_oauth_authenticated()` now respects the `hermes_home` parameter** — the function had a CLI fast path (`hermes_cli.auth.get_auth_status()`) that ignored the caller-supplied `hermes_home` and read from the real system home. On machines where `openai-codex` (or another OAuth provider) was genuinely authenticated, this caused three test assertions to return `True` instead of `False`, regardless of the isolated `tmp_path` the test passed in. Removed the CLI fast path; the function now reads exclusively from `hermes_home/auth.json`, which is both the correct scoped behavior and what the docstring described. No functional change for production (the auth.json path was already the complete fallback). (Fixes pre-existing test_sprint34 failures) + ## [v0.50.84] — 2026-04-18 ### Fixed diff --git a/api/onboarding.py b/api/onboarding.py index ab7efca..1b683c2 100644 --- a/api/onboarding.py +++ b/api/onboarding.py @@ -245,19 +245,11 @@ def _provider_oauth_authenticated(provider: str, hermes_home: "Path") -> bool: if not provider: return False - # Fast path: ask hermes_cli directly — the authoritative source - try: - from hermes_cli.auth import get_auth_status as _gas - - status = _gas(provider) - if isinstance(status, dict) and status.get("logged_in"): - return True - except Exception: - logger.debug("Failed to get auth status for provider %s", provider) - - # Fallback: parse auth.json ourselves for known OAuth provider IDs. - # Covers deployments where hermes_cli is installed but the import above - # fails for an unexpected reason (version mismatch, import cycle, etc.). + # Check auth.json for known OAuth provider IDs. + # hermes_home scopes the check — callers must pass the correct home directory. + # (A prior CLI fast path via hermes_cli.auth.get_auth_status() was removed + # because it ignored hermes_home and read from the real system home, breaking + # both test isolation and deployments with multiple profiles.) _known_oauth_providers = {"openai-codex", "copilot", "copilot-acp", "qwen-oauth", "nous"} if provider not in _known_oauth_providers: return False diff --git a/static/index.html b/static/index.html index 9ca3966..db9952e 100644 --- a/static/index.html +++ b/static/index.html @@ -592,7 +592,7 @@
System
Instance version and access controls.
- v0.50.84 + v0.50.85