ip UdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZmZddlmZmZddlmZddlmZmZmZmZddlZddlZdd l m!Z!m"Z"m#Z#dd l$m%Z%ej&e'Z( ddl)Z)n #e*$rdZ)YnwxYw ddl+Z+n #e*$rdZ+YnwxYwd Z,d Z-d Z.dZ/dZ0dZ1dZ2dZ3d Z4dZ5dZ6dZ7dZ8dZ9dZ:dZ;dZdZ?dZ@dZAeGddZBid eBd d!d"e.e/e0e1#d$eBd$d%d&e5'd(eBd(d)d&e6'd*eBd*d+d&e@'d,eBd,d-d.e7d/d01d2eBd2d3d4e8d56d7eBd7d8d.d9d:d;1d<eBdd?d@1dAeBdAdBd.dCdDdE1dFeBdFdGd.dHdIJdKeBdKdLd.dMdNdO1dPeBdPdQd.dRdSdT1dUeBdUdVd.dWdXJdYeBdYdZd.d[d\d]1d^eBd^d_d.d`dadb1dceBdcddd.dedfdg1dheBdhdid.djdkdl1eBdmdnd.dodpdq1eBdrdsd.dtdudv1eBdwdxd.dydzd{1eBd|d}d.d~dd1eBddd.ddd1eBddd.ddd1eBddd.e9dd1eBdddddd1dZCdeDd<dddZEdZFdedZGhdZHdddfdZIdgdZJdd>dgdfdddgdfddgddfddgddfgZKdhdidZLdedZMGddeNZOdjdÄZPdkdƄZQdldDŽZRddȜdmd̈́ZSdndτZTdndЄZUe jVZWee-fdod҄ZXdpdqdքZYdrd؄ZZdsdڄZ[dtd܄Z\dpdud݄Z]dvdZ^dwdZ_dxdZ`dydZadzdZbd{dZcdpd|dZdd}dZed~dZf dpdddddZgddZhddZiddZjddZkddZlddZmdndZnddZoddZpe?fddZqdddZrdde?ddd Zsdd Ztdd dd Zudd ZvdldZwddddZxddddZydpddZzddddZ{ddZ|ddZ}dde<dddZ~dddddd#Zdd)Zdd,Zdd-Zdd/Zd dd0dd4Zdd5Zd dde3d6dd7Zd8e1dddde2d ddddd9 ddAZe2d dddBddCZe2d ddddDddEZddFZddGZddHZddIZdpdudJZddKZddLZ dpddNZdndOZ dddXZddZZd}d[Zdd\Zdd]Zdddddd ddd^d_ ddaZddbZd}dcZdS(aZ Multi-provider authentication system for Hermes Agent. Supports OAuth device code flows (Nous Portal, future: OpenAI Codex) and traditional API key providers (OpenRouter, custom endpoints). Auth state is persisted in ~/.hermes/auth.json with cross-process file locking. Architecture: - ProviderConfig registry defines known OAuth providers - Auth store (auth.json) holds per-provider credential state - resolve_provider() picks the active provider via priority chain - resolve_*_runtime_credentials() handles token refresh and key minting - logout_command() is the CLI entry point for clearing auth ) annotationsN)contextmanager) dataclassfield)datetimetimezone)Path)AnyDictListOptional)get_hermes_homeget_config_pathread_raw_config)OPENROUTER_BASE_URL.@zhttps://portal.nousresearch.comz)https://inference-api.nousresearch.com/v1 hermes-clizinference:mint_agent_keyixz%https://chatgpt.com/backend-api/codexzhttps://portal.qwen.ai/v1zhttps://api.githubcopilot.comz acp://copilotzhttps://ollama.com/v1app_EMoamEEZ73f0CkXaXp7hrannz#https://auth.openai.com/oauth/token f0304373b74a44d2b584a3fb70ca9e56z(https://chat.qwen.ai/api/v1/oauth2/tokenzcloudcode-pa://google<ceZdZUdZded<ded<ded<dZded<dZded<dZded <dZded <e e Z d ed <dZ ded<dZ ded<dS)ProviderConfigz%Describes a known inference provider.stridname auth_typeportal_base_urlinference_base_url client_idscope)default_factoryDict[str, Any]extratupleapi_key_env_varsbase_url_env_varN)__name__ __module__ __qualname____doc____annotations__r r!r"r#rdictr&r)r*r'7/home/agentuser/.hermes/hermes-agent/hermes_cli/auth.pyrrZs// GGG IIINNNO     IEOOOO!E$777E7777     r1rnousz Nous Portaloauth_device_code)rrrr r!r"r# openai-codexz OpenAI Codexoauth_external)rrrr! qwen-oauthz Qwen OAuthgoogle-gemini-clizGoogle Gemini (OAuth)copilotzGitHub Copilotapi_key)COPILOT_GITHUB_TOKENGH_TOKEN GITHUB_TOKENCOPILOT_API_BASE_URL)rrrr!r)r* copilot-acpzGitHub Copilot ACPexternal_processCOPILOT_ACP_BASE_URL)rrrr!r*geminizGoogle AI Studioz7https://generativelanguage.googleapis.com/v1beta/openai)GOOGLE_API_KEYGEMINI_API_KEYGEMINI_BASE_URLzaiz Z.AI / GLMzhttps://api.z.ai/api/paas/v4) GLM_API_KEY ZAI_API_KEY Z_AI_API_KEY GLM_BASE_URL kimi-codingzKimi / Moonshotzhttps://api.moonshot.ai/v1) KIMI_API_KEY KIMI_BASE_URLkimi-coding-cnzKimi / Moonshot (China)zhttps://api.moonshot.cn/v1)KIMI_CN_API_KEY)rrrr!r)arceezArcee AIzhttps://api.arcee.ai/api/v1)ARCEEAI_API_KEYARCEE_BASE_URLminimaxMiniMaxz https://api.minimax.io/anthropic)MINIMAX_API_KEYMINIMAX_BASE_URL anthropic Anthropiczhttps://api.anthropic.com)ANTHROPIC_API_KEYANTHROPIC_TOKENCLAUDE_CODE_OAUTH_TOKENalibabazAlibaba Cloud (DashScope)z6https://dashscope-intl.aliyuncs.com/compatible-mode/v1)DASHSCOPE_API_KEYDASHSCOPE_BASE_URL minimax-cnzMiniMax (China)z"https://api.minimaxi.com/anthropic)MINIMAX_CN_API_KEYMINIMAX_CN_BASE_URLdeepseekDeepSeekzhttps://api.deepseek.com/v1)DEEPSEEK_API_KEYDEEPSEEK_BASE_URLxaixAIzhttps://api.x.ai/v1) XAI_API_KEY XAI_BASE_URL ai-gatewayzVercel AI Gatewayzhttps://ai-gateway.vercel.sh/v1)AI_GATEWAY_API_KEYAI_GATEWAY_BASE_URL opencode-zenz OpenCode Zenzhttps://opencode.ai/zen/v1)OPENCODE_ZEN_API_KEYOPENCODE_ZEN_BASE_URL opencode-goz OpenCode Gozhttps://opencode.ai/zen/go/v1)OPENCODE_GO_API_KEYOPENCODE_GO_BASE_URLkilocodez Kilo Codezhttps://api.kilo.ai/api/gateway)KILOCODE_API_KEYKILOCODE_BASE_URL huggingfacez Hugging Facez https://router.huggingface.co/v1)HF_TOKEN HF_BASE_URLxiaomiz Xiaomi MiMozhttps://api.xiaomimimo.com/v1)XIAOMI_API_KEYXIAOMI_BASE_URL ollama-cloudz Ollama Cloud)OLLAMA_API_KEYOLLAMA_BASE_URLbedrockz AWS Bedrockaws_sdkz/https://bedrock-runtime.us-east-1.amazonaws.comr'BEDROCK_BASE_URL)rjrmrprsrvryr|rzDict[str, ProviderConfig]PROVIDER_REGISTRYreturnrcddlm}tdjD](}||pt j|d}|r|cS)dS)aQReturn the first usable Anthropic credential, or ``""``. Checks both the ``.env`` file (via ``get_env_value``) and the process environment (``os.getenv``). The fallback order mirrors the ``PROVIDER_REGISTRY["anthropic"].api_key_env_vars`` tuple: ANTHROPIC_API_KEY -> ANTHROPIC_TOKEN -> CLAUDE_CODE_OAUTH_TOKEN r) get_env_valuerWr)hermes_cli.configrrr)osgetenv)rvarvalues r2get_anthropic_keyr7sh0///// -> c""8biR&8&8  LLL  2r1zhttps://api.kimi.com/coding/v1 default_url env_overridecF|r|S|drtS|S)zReturn the correct Kimi base URL based on the API key prefix. If the user has explicitly set KIMI_BASE_URL, that always wins. Otherwise, sk-kimi- prefixed keys route to api.kimi.com/coding/v1. zsk-kimi-) startswithKIMI_CODE_BASE_URL)r:rrs r2_resolve_kimi_base_urlrTs4 *%%"!! r1> ***** your-api-key*nonenulldummyexamplechangeme placeholder your_api_key) min_lengthrr rintboolct|tsdS|}t||krdS|t vrdSdS)zIReturn True when a configured secret looks usable, not empty/placeholder.FT) isinstancerstriplenlower_PLACEHOLDER_SECRET_VALUES)rrcleaneds r2has_usable_secretrqsZ eS ! !ukkmmG 7||j  u}}444u 4r1 provider_idpconfigtuple[str, str]cR|dkrZ ddlm}|\}}|r||fSn=#t$r%}td|Yd}~nd}~wt $rYnwxYwdS|jD]>}tj|d }t|r||fcS?dS)zDResolve an API-key provider's token and indicate where it came from.r9r)resolve_copilot_tokenz#Copilot token validation failed: %sN)rrr) hermes_cli.copilot_authr ValueErrorloggerwarning Exceptionr)rrrr)rrrtokensourceexcenv_varvals r2 _resolve_api_key_provider_secretr}s i  E E E E E E1133ME6 %f}$ % G G G NN@# F F F F F F F F    D v+  i$$**,, S ! ! <     6s" AA  AAglobalzglm-5Globalcnz$https://open.bigmodel.cn/api/paas/v4Chinaz coding-globalz#https://api.z.ai/api/coding/paas/v4)zglm-5.1z glm-5v-turbozglm-4.7zGlobal (Coding Plan)z coding-cnz+https://open.bigmodel.cn/api/coding/paas/v4zChina (Coding Plan) @timeoutfloatOptional[Dict[str, str]]c tD]\}}}}|D]} tj|dd|dd|ddddd gd | }|jd kr(td |||||||dccStd|||j#t $r'}td|||Yd}~d}~wwxYwdS)a+Probe z.ai endpoints to find one that accepts this API key. Returns {"id": ..., "base_url": ..., "model": ..., "label": ...} for the first working endpoint, or None if all fail. For endpoints with multiple candidate models, tries each in order and returns the first that succeeds. z/chat/completionsBearer application/json) Authorization Content-TypeFruserping)rolecontent)modelstream max_tokensmessages)headersjsonrz(Z.AI endpoint probe: %s (%s) model=%s OK)rbase_urlrlabelz,Z.AI endpoint probe: %s model=%s returned %sz+Z.AI endpoint probe: %s model=%s failed: %sN) ZAI_ENDPOINTShttpxpost status_coderdebugr) r:rep_idr probe_modelsrrresprs r2detect_zai_endpointrsn1>__,xu! _ _E _z222)<7)<)<(: "'"'&'.4%H%H$I  $   #s**LL!KUT\^cddd#$,!&!&   KUTY[_[kllll _ _ _ JESXZ]^^^^^^^^ _3 _6 4sAB1"B CCCc|r|St}t|dpi}|d}t|tr|dr|dd}|t j|ddkr)t d|d|dSt|}|r|drt j|dd}|d|d d|d d|d d|d |d<t|d|t d |d |d|dSt d||S)aYReturn the correct Z.AI base URL by probing endpoints. If the user has explicitly set GLM_BASE_URL, that always wins. Otherwise, probe the candidate endpoints to find one that accepts the key. The detected endpoint is cached in provider state (auth.json) keyed on a hash of the API key so subsequent starts skip the probe. rFdetected_endpointrkey_hashrNzZ.AI: using cached endpoint %srrr)r endpoint_idrrrz$Z.AI: auto-detected endpoint %s (%s)z.Z.AI: probe failed, falling back to default %s)_load_auth_store_load_provider_stategetrr0hashlibsha256encode hexdigestrrr_save_provider_stateinfo)r:rr auth_storestatecachedrdetecteds r2_resolve_zai_base_urlrs"##J U 3 3 9rE YY* + +F&$&FJJz$:$:&::j"-- w~gnn&6&677AACCCRCH H H LL96*;M N N N*% %#7++H $HLL,, $>'.."2"233==??D ,#<<b11\\'2..\\'2.. & & !" Z666 :HW'..11 2 2 < < > >ss CCr1c|tjdd}|dvS)NHERMES_OAUTH_TRACEr>1onyestrue)rrrr)raws r2_oauth_trace_enabledr2s8 )(" - - 3 3 5 5 ; ; = =C , ,,r1 sequence_ideventrfieldsrc tsdSd|i}|r||d<||tdt j|dddS)Nrrzoauth_trace %sTF) sort_keys ensure_ascii)rupdaterrrdumps)rrrpayloads r2 _oauth_tracer7sp  ! !&.G-!,  NN6 KK $*WSX"Y"Y"YZZZZZr1r c$tdz S)N auth.json)rr'r1r2_auth_file_pathrEs   { **r1cDtdS)Nz.lock)r with_suffixr'r1r2_auth_lock_pathr!Is    ( ( 1 11r1timeout_secondsc#KttdddkrLtxjdz c_ dVtxjdzc_n#txjdzc_wxYwdSt}|jddt 8t1dt_ dVdt_n#dt_wxYwdStrH|r| j dkr| dd | trd nd 5}tj td |z} t r?t j|t jt jznG|dtj|tjdnX#t,t.t0f$r=tj |krt3d tjdYnwxYwdt_ dVdt_t r3t j|t jntr` |dtj|tjdn#t.t:f$rYnwxYwn#dt_t r2t j|t jwtr` |dtj|tjdw#t.t:f$rYwwxYwwxYwddddS#1swxYwYdS)zCCross-process advisory lock for auth.json reads+writes. Reentrant.depthrrNTparentsexist_ok rencodingzr+za+g?z%Timed out waiting for auth store lockg?)getattr_auth_lock_holderr$r!parentmkdirfcntlmsvcrtexistsstatst_size write_textopentimemaxflockfilenoLOCK_EXLOCK_NBseeklockingLK_NBLCKBlockingIOErrorOSErrorPermissionError TimeoutErrorsleepLOCK_UNLK_UNLCKIOError)r" lock_path lock_filedeadlines r2_auth_store_lockrJOs '1--111$ ) EEE  # #q ( # # #  # #q ( # # # # # #!!I 4$777 }"# ( EEE&'  # #a  # ' ' ' '4y''))4Y^^-=-=-E-J-JS7333 0D 1 1Y9;;S/!:!:: ! !KK 0 0 2 2EMEM4QRRRRNN1%%%N9#3#3#5#5vJJJ#Wo> ! ! !9;;(**&'NOOO 4      ! !#$  EEE&'  #  I,,.. >>>> NN1%%%N9#3#3#5#5vJJJJ)D  '(  #  I,,.. >>>> NN1%%%N9#3#3#5#5vJJJJ)D  -sA A$.B??C ?&O &B G43O 4AIO IO L A O +AK32O 3LO LO  A N9AN! N9!N5 2N94N5 5N99O  O O  auth_fileOptional[Path]r%c|p t}|s tidS tj|}n#t $r tidcYSwxYwt|trht| dts(t| dtr| di|St|trPt| dtr(|d}i}d|vr |d|d<t||rdnddStidS)N)version providersrOcredential_poolsystems nous_portalr3)rNrOactive_provider) rr1AUTH_STORE_VERSIONrloads read_textrrr0r setdefault)rKrrQrOs r2rrs._..I     @-B???@j,,..// @@@-B?????@#t377;''.. cgg/00$ 7 7 {B''' #tBCGGI,>,>!E!EBi. G # # ' 6If -I-6#@66DBB B* ; ;;s&AA.-A.rcBt}|jddt|d<t jt j|d<tj |ddz}| |j dtjd tjj} |d d 5}|||tj|dddn #1swxYwYtj|| tjt1|jtj}n#t4$rd}YnwxYw|C tj|tj|n#tj|wxYw |r|nO#t4$rYnCwxYw# |r|ww#t4$rYwwxYwxYw |t>j t>j!zn#t4$rYnwxYw|S) NTr%rN updated_atindent z.tmp..wrr))"rr-r.rTrnowrutc isoformatrr with_namerrgetpiduuiduuid4hexr5writeflushfsyncr9replacerO_RDONLYr@closer1unlinkchmodr2S_IRUSRS_IWUSR)rrKrtmp_pathhandledir_fds r2_save_auth_storerus!!I 4$777.Jy'|HL99CCEEJ|jA...5G""in#[#[29;;#[#[IY#[#[\\H ]]3] 1 1 &V LL ! ! ! LLNNN HV]]__ % % % & & & & & & & & & & & & & & & 8Y''' WS!122BK@@FF   FFF    !               "!!!    D     "!!!! "    D   t|34444      s H""AD>2 H">EH"EH"1FH" F H"F  H"&G:H"G%%H")(H HH"I$(I I IIII",J JJOptional[Dict[str, Any]]c|d}t|tsdS||}t|trt|ndS)NrO)rrr0)rrrOrs r2rrsZ{++I i & &t MM+ & &E$UD11 ;4;;;t;r1rc|di}t|ts i|d<|d}|||<||d<dS)NrOrS)rWrr0)rrrrOs r2rrsX%%k266I i & &,"$ ;{+ "Ik$/J !!!r1ct}|d}t|tsi}|t|S||}t|trt |ngS)z>+ , ,D dD ! !Dzzxx ,,%/0@$%G%G O4 ! ! !ROr1entriesList[Dict[str, Any]]ct5t}|d}t|tsi}||d<t |||<t |cdddS#1swxYwYdS)z7Persist one provider's credential pool under auth.json.rPN)rJrrrr0rzru)rr~rr{s r2write_credential_poolrs   ,,%'' ~~/00$%% 1D,0J( ) MM[ ++,,,,,,,,,,,,,,,,,,sA A<<BBrct5t}|di}||g}||vr||t |ddddS#1swxYwYdS)z@Mark a credential source as suppressed so it won't be re-seeded.suppressed_sourcesN)rJrrWappendru)rrr suppressed provider_lists r2suppress_credential_sourcers   %%%'' **+?DD "--k2>>  & &   ( ( ($$$ %%%%%%%%%%%%%%%%%%sA#A??BBc t}|di}|||gvS#t$rYdSwxYw)z=Check if a credential source has been suppressed by the user.rF)rrr)rrrrs r2is_source_suppressedrsa%'' ^^$8"==  R8888 uus;> A  A c>t}t||S)z4Return persisted auth state for a provider, or None.)rr)rrs r2get_provider_auth_staters!##J  K 8 88r1cHt}|dS)z8Return the currently active provider ID from auth store.rS)rrrs r2get_active_providerrs !##J >>+ , ,,r1c|pd} t}|dpd}|r||krdSn#t$rYnwxYw ddlm}|}|d}t|trC|dpd}||krdSn#t$rYnwxYwdh}t|} | r?| j d kr4| j D],} | |vrttj| drdS-d S) aReturn True only if the user has explicitly configured this provider. Checks: 1. active_provider in auth.json matches 2. model.provider in config.yaml matches 3. Provider-specific env vars are set (e.g. ANTHROPIC_API_KEY) This is used to gate auto-discovery of external credentials (e.g. Claude Code's ~/.claude/.credentials.json) so they are never used without the user's explicit choice. See PR #4210 for the same pattern applied to the setup wizard gate. rrSTr) load_configrrr[r:F)rrrrrrrrr0rrr)rrr) r normalizedractivercfg model_cfg cfg_provider_IMPLICIT_ENV_VARSrrs r2!is_provider_explicitly_configuredrs#**,,2244J %'' ..!2339r@@BBHHJJ  f **4        111111kmmGGG$$ i & & %MM*55;BBDDJJLLLz))t      44##J//G7$ 11/  G,,, 7B!7!788 tt  5s%AA>> B  B A;D DDc$t5t}|p|d}|s ddddS|di}t|tsi}||d<|d}t|tsi}||d<d}||vr||=d}||vr||=d}|s ddddS|d|krd|d<t |dddn #1swxYwYdS)z Clear auth state for a provider. Used by `hermes logout`. If provider_id is None, clears the active provider. Returns True if something was cleared. rSNFrOrPT)rJrrrr0ru)rrtargetrOr{cleareds r2clear_provider_authrGs   %%%'' A /@ A A  %%%%%%%% NN;33 )T** 0I&/J{ #~~/00$%% 1D,0J( ) Y  &!G T>>V G 3%%%%%%%%4 >>+ , , 6 6,0J( )$$$9%%%%%%%%%%%%%%%: 4s)DA:D -DD  D ct5t}d|d<t|ddddS#1swxYwYdS)z Clear active_provider in auth.json without deleting credentials. Used when the user switches to a non-OAuth provider (OpenRouter, custom) so auto-resolution doesn't keep picking the OAuth provider. NrS)rJrrurs r2deactivate_providerrms   %%%'' (, $%$$$%%%%%%%%%%%%%%%%%%s#?AA provider_namecj ddlm}|}|sdSdg}|D]s}|jdkrdnd}|d|d |j|jr|jdnd}|r|d |td |S#t$rYdSwxYw) zReturn a helpful hint string when provider resolution fails. Checks for common config.yaml mistakes (malformed custom_providers, etc.) and returns a human-readable diagnostic, or empty string if nothing found. r)validate_config_structureruCConfig issue detected — run 'hermes doctor' for full diagnostics:rERRORWARNINGz [z] u → r]) rrseverityrrhint splitlinesjoinr)rrissueslinesciprefix first_hints r2%_get_config_hint_for_unknown_providerr~s ??????**,, 2VW 6 6B " w 6 6WWIF LL5v5555 6 6 646GC++--a00J 6 4 44555yy rrsB$B B$$ B21B2)explicit_api_keyexplicit_base_url requestedrrc Z|pd}iddddddddddd dd dd d d d dd ddddddddddddddidddddddddd d!d d"d d#d d$d%d&d%d'd(d)d(d*d(d+d,d-d,d.d/d0d/id/d/d1d1d2d1d3d1d4d5d6d5d7d5d8d9d:d9d;d<d=d<d>d<d?d<d@dAdBdAdCdDdEdDdDdFdFdFdFdGdFdFdFdFdH }|||}|dIkrdIS|dFkrdFS|tvr|S|dkr6t |}dJ|dK}|r |dL|z }n|dMz }t |dNO|s|rdIS t }|dP}|r/|tvr&t|} | dQr|Sn2#t$r%} t dR| YdS} ~ ndS} ~ wwxYwttj dTs!ttj dUrdIStD]J\} } | jdVkr| d kr| jD]*} ttj | dWr| ccS+K dXdYlm}|rd "openrouter" 3. OPENAI_API_KEY or OPENROUTER_API_KEY env vars -> "openrouter" 4. Provider-specific API keys (GLM, Kimi, MiniMax) -> that provider 5. Fallback: "openrouter" autoglmrFzz-aizz.aizhipugooglerBz google-geminizgoogle-ai-studiozx-airfzx.aigrokkimirKzkimi-for-codingmoonshotzkimi-cnrNz moonshot-cnzarcee-airParceeaiz minimax-chinar_ minimax_cnclauderWz claude-codegithubr9zgithub-copilotz github-modelsz github-modelzgithub-copilot-acpr?zcopilot-acp-agent aigatewayrjvercelzvercel-ai-gatewayopencodermzenz qwen-portalr7qwen-clir8z gemini-cliz gemini-oauthhfrvz hugging-facezhuggingface-hubmimoryz xiaomi-mimoawsrz aws-bedrockzamazon-bedrockamazongorpzopencode-go-subkilorsz kilo-codecustomr|) z kilo-gatewaylmstudioz lm-studio lm_studioollama ollama_cloudvllmllamacppz llama.cppz llama-cpp openrouterzUnknown provider 'z'.z z` Check 'hermes model' for available providers, or run 'hermes doctor' to diagnose config issues.invalid_provider)rrS logged_inz)Could not detect active auth provider: %sNOPENAI_API_KEYOPENROUTER_API_KEYr:rrhas_aws_credentialszNo inference provider configured. Run 'hermes model' to choose a provider and model, or set an API key (OPENROUTER_API_KEY, OPENAI_API_KEY, etc.) in ~/.hermes/.env.no_provider_configured)rrrrrrrget_auth_statusrrrrrritemsrr)agent.bedrock_adapterr ImportError)rrrr_PROVIDER_ALIASES _config_hintmsgrrstatusepidrrrs r2resolve_providerrs %v,,..4466J ue%+U4;U(+X7I8 u'-e   1- BL]  #  &34D  G  '  (4\ + -k ).y %3I m.A- \$,\ |&0@L\\oqDFRTgiwyL m,]=N} ! (!" y#"(#"5Ei#"RZ[d#$ m%$/ %&  '&('&FP8(NhH14#&&z:>>J\!!|Xx&&&V'>??CJJw//00  -- 56625s+AB:: C C  access_tokenc t|}|d}t|ttfsdSt |t jt dt|zkS)NexpFr)rrrrrr6r7)rrrrs r2_codex_access_token_is_expiringr>si  - -F **U  C cC< ( (u ::$)++As>DDFFM   N!-    : C, .!.1 $      /# / /!&     s""}""$$ G'+3#T### 5!&     --//  > > >!,      gt $ $ C NB0O0O0USU,V,V,\,\,^,^  ?!0    \**J) __ )))()GKK;;ArBBHHJJW[[-HHYMZZ``bb'++lFJJ|X4V4VWWc[cddjjllxpxGKK >Sc8d8deeyiyzzAACC49;;-..Q8J1K1Kd1RR I)$$$ sB )A77 BBB C55 D?DDF!! F0/F0FT) force_refreshrefresh_if_expiringrefresh_skew_secondsr1r2r3c t}t|ddpd}t |}|s%|r#t |d|}|rFt |}t|ddpd}|stdddtj dd d pt}d||d |dttd S) Nrrr)z?Qwen OAuth access token missing. Re-run 'qwen auth qwen-oauth'.r7qwen_access_token_missingr HERMES_QWEN_BASE_URLrr)rrr:r expires_at_msrK) rrrrrrr0rrrrDEFAULT_QWEN_BASE_URLr )r1r2r3rrshould_refreshrs r2 resolve_qwen_runtime_credentialsr:sP # $ $Fvzz."55;<<BBDDL-((N i1i7 =8Q8QSghhI)&116::nb99?R@@FFHH   M!,    y/44::<<CCCHHaLaH M22,..//   r1cJt} td}dt||d|d|ddS#t$r*}dt|t|dcYd}~Sd}~wwxYw) NF)r2Trr:r7)rrKrr:r7rrKr)r r:rrr)rcredsrs r2get_qwen_auth_statusr>s#%%I 0UKKKYii))yy++"YY77        YXX         sAA.. B"8BB"B"r1c  ddlm}m}m}m}n(#t $r}t d|dd|d}~wwxYw ||}n2#|$r*}t t|d|j|d}~wwxYw|}t}d||d |r|j ndt||r|j nd pd |r|j nd pd d S) z2Resolve runtime OAuth creds for google-gemini-cli.r)GoogleOAuthError_credentials_pathget_valid_access_tokenload_credentialsz&agent.google_oauth is not importable: r8google_oauth_module_missingr Nr? google-oauthr)rrr:rr7rKemail project_id) agent.google_oauthrArBrCrDrrrr!DEFAULT_GEMINI_CLOUDCODE_BASE_URL expires_msrGrH) r1rArBrCrDrrr=rs r2(resolve_gemini_oauth_runtime_credentialsrLsy               :S : :(.     --MJJJ  HH(         E0H' .3=%****,,--!&.%++B52+08u''b?R   s'  4/4 AA4 %A//A4c ddlm}m}n#t$rdddcYSwxYw|}|}||jsdt |ddSd t |d |j|j|j|jd S) z>Return a status dict for `hermes auth list` / `hermes status`.r)rBrDFzagent.google_oauth unavailable)rrNz not logged inr<TrF)rrKrr:r7rGrH) rIrBrDrrrrKrGrH)rBrDrr=s r2get_gemini_oauth_auth_statusrN#sOJJJJJJJJJ OOO"-MNNNNNO!!##I    E }E.}Y$   ^^ %)&  s  clttjdptjdS)zGDetect if running in an SSH session where webbrowser.open() won't work. SSH_CLIENTSSH_TTY)rrrr'r1r2_is_remote_sessionrRAs)  ,''?29Y+?+? @ @@r1_lockrTc|r5t5t}dddn #1swxYwYnt}t|d}|stdddd|d}t |t stddd d|d }|d }t |tr|std dd dt |tr|stdddd||ddS)zRead Codex OAuth tokens from Hermes auth store (~/.hermes/auth.json). Returns dict with 'tokens' (access_token, refresh_token) and 'last_refresh'. Raises AuthError if no Codex tokens are stored. Nr5z?No Codex credentials stored. Run `hermes auth` to authenticate.codex_auth_missingTrrzICodex auth state is missing tokens. Run `hermes auth` to re-authenticate.codex_auth_invalid_shaperrzICodex auth is missing access_token. Run `hermes auth` to re-authenticate.codex_auth_missing_access_tokenJCodex auth is missing refresh_token. Run `hermes auth` to re-authenticate. codex_auth_missing_refresh_token last_refresh)rr[) rJrrrrrr0rr)rTrrrrrs r2_read_codex_tokensr\Ns  (    , ,)++J , , , , , , , , , , , , , , ,&'' ^ < Refresh Codex OAuth tokens without mutating Hermes auth state.rYr5rZTr@r r)rrrrrr!)rrNrcodex_refresh_failedz'Codex token refresh failed with status r^Frerror_descriptionrzCodex token refresh failed: > invalid_grant invalid_tokeninvalid_requestrefresh_token_reusedzCodex refresh token was already consumed by another client (e.g. Codex CLI or VS Code extension). Run `codex` in your terminal to generate fresh tokens, then run `hermes auth` to re-authenticate.z*Codex token refresh returned invalid JSON.codex_refresh_invalid_jsonrz6Codex token refresh response was missing access_token."codex_refresh_missing_access_tokenrr)rrr[)rrrrrTimeoutr7rClientrCODEX_OAUTH_TOKEN_URLCODEX_OAUTH_CLIENT_IDrrr0rrrr`rrarbrk)rrr"rclientr,rrrerrerr_codeerr_descrefresh_payloadrrefreshed_accessupdated next_refreshs r2refresh_codex_oauth_purers  mS ) ) 1D1D1F1F  X#3!     mCU?%;%;<<==G g:L/M N N N  RX;; !#%HI-!.2                  s""%SH>++D77#677M3779;M;Mh,,P1A1APOX^^=M=MOOG    D  H H H#  ) ) )=  $  #-     "--//  8#-!      '**>:: & , , 4D4J4J4L4L  D#5!     )..00&,,.. X\22<<>>FFxQTUUG #&&77L,$$8););)=)=8#/#5#5#7#7 Ns=)B::B>B>!C%G GG;H H3H..H3c tt|ddpdt|ddpd|}t|}|d|d<|d|d<t |t |d|d|d|S)zzRefresh Codex access token using the refresh token. Saves the new tokens to Hermes auth store automatically. rrrrlr[r])rrrr0rkrf)rr"r/updated_tokenss r2_refresh_codex_auth_tokensrs) FJJ~r * * 0b11 FJJ + + 1r22'I &\\N%.~%>N>"&/&@N?#~&&&.!/"]]>22 r1ctjdd}|s#tt jdz }t |dz }|sdS tj | }| d}t|tsdS| d}| d}|r|sdSt|d rtd |dSt|S#t"$rYdSwxYw) zTry to read tokens from ~/.codex/auth.json (Codex CLI shared file). Returns tokens dict if valid and not expired, None otherwise. Does NOT write to the shared file. r_rr`rNrrrru7Codex CLI tokens at %s are expired — skipping import.)rrrrr rrarbrrUrVrrr0rrrr)rcrrrrrs r2_import_codex_cli_tokensr-sZ <,,2244J 1x/00 Z  ++-- ;I     t*Y002233X&&&$'' 4zz.11  ?33  = 4 +< ; ;  LLI9   4F|| tts%AE.E +E7E EEc\ t}n#t$r}|jdkrt}|retdt dt dt dt|t}nYd}~nd}~wwxYwt|d}t| dd pd  }ttjd d }t|} | s|rt!||} | rt#t%tt&|d z 5td}t|d}t| dd pd  }t|} | s|rt!||} | rGt)||}t| dd pd  }dddn #1swxYwYtjdd  dpt,} d| |d| dddS)z@Resolve runtime credentials from Hermes's own Codex token store.rVz?Migrating Codex credentials from ~/.codex/ to Hermes auth storeu?⚠️ Migrating Codex credentials to Hermes's own auth store.z4 This avoids conflicts with Codex CLI and VS Code.z< Run `hermes auth` to create a fully independent session. Nrrr$HERMES_CODEX_REFRESH_TIMEOUT_SECONDS20rnrlFrSHERMES_CODEX_BASE_URLrr5zhermes-auth-storer[ri)rrr:rr[rj)r\rrrrrprintrkr0rrrrrrrrrJr7AUTH_LOCK_TIMEOUT_SECONDSrrDEFAULT_CODEX_BASE_URL) r1r2r3rorig_err cli_tokensrrrefresh_timeout_secondsr9rs r2!resolve_codex_runtime_credentialsrOs!##  =0 0 0 .//   KKY Z Z Z S T T T H I I I Q R R R z * * *%''DD  DDDD"$x. ! !Fvzz."55;<<BBDDL#BI.TVZ$[$[\\-((N ] 3]8G[\\ Q c%8Q2R2RTknqTq.r.r s s s Q Q%E222D$x.))Fvzz."==CDDJJLLL!-00N" e(; e!@Oc!d!d Q3Fz(_request_device_code..s;;;QQd]]q]]]r1z%Device code response missing fields: z, )rraise_for_statusrrr)r{r r"r#r,required_fieldsmissingrs @r2_request_device_coders{{ 222  #(0b H  ==??DO<;;;/;;;GWU7ASASUUVVV Kr1r poll_intervalc&tjtd|z}tdt|t}tj|kr$||dd||d}|jdkr)|} d| vrtd| S |} n1#t$r$| td wxYw| d d } | d krtj || d kr)t|dzd}tj || dpd} t| d| td)zDPoll the token endpoint until the user approves or the code expires.r/api/oauth/tokenz,urn:ietf:params:oauth:grant-type:device_code)r"r"rrrrz+Token response did not include access_tokenz1Token endpoint returned a non-JSON error responserrauthorization_pending slow_downrpzUnknown authentication errorr z*Timed out waiting for device authorization)r6r7min%DEVICE_AUTH_POLL_INTERVAL_CAP_SECONDSrrrrrr RuntimeErrorrrCrB) r{r r"rrrrIcurrent_intervalr,r error_payload error_code descriptions r2_poll_for_tokenrsy{{SJ///H1c-1VWWXX )++ ;; 0 0 0L&*    3 & &mmooGW,, !NOOON T$MMOOMM T T T  % % ' ' 'RSS S T#&&w33 0 0 0 J' ( ( (   $ $"#3a#7<<  J' ( ( ( #''(;<<^@^ j99K99::: C D DDs 3C.C6c||dd||d}|jdkr-|}d|vrtddd d |S |}n%#t$r}td dd |d}~wwxYwt |dd}t |dpd } |dv} t| d|| )Nrr)r"r"rrrrz%Refresh response missing access_tokenr3rrTrzRefresh token exchange failedrrrrqrprqrr)rrrrrrr) r{r r"rr,rrrrrrelogins r2_refresh_access_tokenr sO{{ ,,,)"*  Hs""--//  ( (C%+/TXZZZ ZI  III7!'$@@@EH II }  /:: ; ;Dm''(;<<_@_``K88G K&tg V V VVsA-- B7B  Bmin_ttl_secondsc ||ddd|idtdt|i}|jdkr,|}d|vrt d d d |S |}n%#t $r}t d d d |d}~wwxYwt|dd }t|dpd } |dv} t | d || )z0Mint (or reuse) a short-lived inference API key.z/api/oauth/agent-keyrrrr)rrrr:zMint response missing api_keyr3 server_errorr zAgent key mint request failedNrrprr) rr7rrrrrrr) r{r rrr,rrrrrrs r2_mint_agent_keyr,sa{{ 000 ":L":":;R_)=)=!>!> ?H s""--// G # #;%+.BBB BG  GGG7!'n>>>CF GG }  .99 : :Dm''(;<<_@_``K88G K&tg V V VVs6B B-B((B-)r"verifyr!r List[str]cxtj|}tj|ddi|5}||dddd|i}d d d n #1swxYwY|jd krd |j} |}t|d p|d p|}n2#t$r%} t d| Yd } ~ nd } ~ wwxYwt|dd|} | d} t| tsgSg} | D]} t| ts| d}t|trT|r@|}d|vr| |dd}| |tt| S)z6Fetch available model IDs from the Nous inference API.r rrrrrz/modelsrr)rNrz#/models request failed with status rprz'Could not parse error response JSON: %sr3models_fetch_failedr rrhermesmidrrr(cj|}d|vrd|fSd|vrd|vrd|fSd|vrd|fSd|fS)NopusrprosonnetrrZ)r)rlows r2_model_priorityz*fetch_nous_models.._model_priorityxsXiikk S==s8O C<N>N]R]^^KK G G G LLBA F F F F F F F F G f;PQQQQmmooG ;;v  D dD ! ! I " "$%%  88D>> h $ $ ")9)9 "..""C399;;&&   S ! ! !NNN'''  i(( ) ))s*3A--A14A1A C D &DD c|d}t|tr|sdSt |d| S)N agent_keyFagent_key_expires_at)rrrrr)rrrs r2_agent_key_is_usablersY ))K C c3  syy{{uEII&<==OO OOr1)r"rrr3ct5t}t|d}|stdddt |dp.t jdpt jdpt d}t|d pt}t||| }|d } |d } t| tr| std ddt|d|s| cdddSt| tr| stdddtj|r|nd} tj| ddi|5} t%| ||| } dddn #1swxYwYt'jt*j}t/| d}| d |d <| d p| |d <| dp|dpd|d<| dp|d|d<||d<||d<t'j||zt*j|d<||d<||d <|dut|tr|ndd|d<t7|d|t9||d cdddS#1swxYwYdS)zKResolve a refresh-aware Nous Portal access token for managed tool gateways.r3&Hermes is not logged into Nous Portal.Trr HERMES_PORTAL_BASE_URLNOUS_PORTAL_BASE_URLrr"rrr,No access token found for Nous Portal login. expires_atN2Session expired and no refresh token is available.rr rrr{r r"rrr&r'r# obtained_attzFrrr)rJrrrrrrrDEFAULT_NOUS_PORTAL_URLrrDEFAULT_NOUS_CLIENT_IDrrrrrwrxrrr`rrarrb fromtimestamprrru)r"rrr3rrr r"rrrrr{r/r` access_ttls r2resolve_nous_access_tokenrsm   H%H%%'' $Z88 8!%  uyy):;; < < 'y122 'y/00 '' &++   +..H2HII  (iTYZZZyy00  /22 ,,, L >!%  EIIl335IJJ =H%H%H%H%H%H%H%H%@--- ] D!%  -? LMM \12   - /#+ I               l8<(((|)D)DEE ). 9n!*!?!?!P=o'mmL99`UYY|=T=T`X`l"w//E599W3E3Eg"}}m(l&4 MMOOj (|    )++ l$3 &k%#-fc#:#:D  e  Z777$$$^$QH%H%H%H%H%H%H%H%H%H%H%H%H%H%H%H%H%H%s>E M0%AM0?G M0G# #M0&G# 'E2 3 L ,x|,,C!-!1!1)!$>E. !,8,<,<\,J,JE( ),8,<,<\,J,JE( )(,\-=-=h-N-N(O(OE$ %-0]]__E) *+L,<,<=Q,R,RSSJ 9.8*+O'9'9'9'9'9'9'9'9'9'9'9'9'9'9'9R Ls'KN  NNrr"r1rc|dpi}t|dd|dd|dd|dt|dt|d d |d t|d |d |d|d|||d|d||S)zRRefresh Nous OAuth from a state dict. Thin wrapper around refresh_nous_oauth_pure.rrrrr"rr r!r&r'r#rrrrrrr)rr rrr)rrr"r1rrs r2refresh_nous_oauth_from_stater 5s ))E   bC " ."%% /2&& +|,, #%<== &(BCC99\844ii!344IIm,,99\**))K(("YY'=>>/'$$''+&&##   r1)rr"rrrc tdt|}tjjddt 5t tdstdddt dp.tj d ptj d ptd }t d ptj d ptd }t! dpt"}dMfd }t%||} t'j|r|nd} t+dt-||t/ dt'j| ddi| 5}  d}  d} t3| t r| stdddt5 dt6rt3| t r| stdddt+d d!t/| "t9| ||| #}t;jt>j }tC| d$}| }|dd<| dp| d<| d%p d%pd&d%<| d'p d'd'<t| d }|r|}|"d(<|d$<t;j#|$|zt>j )"d<d} d} t+d*d!t/|t/| +|d,d-}d}|s%tK|rd}t+d./nz t+d0t/| 1tM| || |2}nE#t$r7}t+d3|j'4 d}|j'd5vrt3|t r|rt+d d6t/|"t9| |||#}t;jt>j }tC| d$}|dd<| dp|d<| d%p d%pd&d%<| d'p d'd'<t| d }|r|}|"d(<|d$<t;j#|$|zt>j )"d<d} d} t+d*d6t/|t/| +|d7tM| || |2}nYd}~nd}~wwxYw|t;jt>j }| d8d9<| d:d;<| dd<<| d$d=<t-| d>d-d?<|"d@<t| d }|r|}t+dAt-| d>d-B|d<|d <|d<| d-ut3| t r| nddCdD<dddn #1swxYwY|dEdddn #1swxYwY d9}t3|t r|stdFddGH d<}tQ|}|1tdIt|tSj)z n!tC d=}d|| d;|||rdJndKdLS)Na Resolve Nous inference credentials for runtime use. Ensures access_token is valid (refreshes if needed) and a short-lived inference key is present with minimum TTL (mints/reuses as needed). Concurrent processes coordinate through the auth store file lock. Returns dict with: provider, base_url, api_key, key_id, expires_at, expires_in, source ("cache" or "portal"). rNrr3rTrr rrrr!NOUS_INFERENCE_BASE_URLr"reasonrrrc d tdtn8#t$r+}td|t |jd}~wwxYwtd|t dt ddS)Nr3nous_state_persist_failed)rr error_typenous_state_persistedrr)rrrefresh_token_fpaccess_token_fp)rrurrtyper+rr)rrrrrs r2_persist_statez8resolve_nous_runtime_credentials.._persist_state~s $Z??? ,,,,   / +!#Cyy1    &'!3EIIo4N4N!O!O 2599^3L3L M M       s $ A&AArrnous_runtime_credentials_startr)rrrrr rrrrrr refresh_startaccess_expiring)rrrrrr&r'r#rrrefresh_success)rrprevious_refresh_token_fpnew_refresh_token_fppost_refresh_access_expiringFagent_key_reuser mint_start)rrr mint_error)rrrmint_retry_after_invalid_tokenpost_refresh_mint_retryr:rrrrrrrr mint_success)rrrr&resolve_nous_runtime_credentials_finalz*Failed to resolve a Nous inference API keyrr rcacheportal)rrr:rrrr)rrrr)*r7rrerfrgrJrrrrrrrrrrrrrrrwrrrrxrrrrrr`rrarrbrrrrrrr6)rr"rrrr r!r"rrrr{rrr/r`rprevious_refresh_tokenrused_cached_keyrrlatest_refresh_tokenrr:rrrrrrs @@@r2 resolve_nous_runtime_credentialsr+Ts $b#&9":":;;*,,"3B3'K   JAJA%'' $Z88 DD%+dDDD D uyy):;; < < 'y122 'y/00 '' &++  uyy)=>> ? ? *y233 *) &++   +..H2HII         (!(iTYZZZ-? LMM ,#J'' 3/ /0J0JKK     \'H>P3QZ` a a aU ek 99^44L!IIo66MlC00 H  H N)/$HHHHEIIl335VWW( ?!-55L]L#$X-3dLLLL# +,%7 %F%F  2!?'} l8<000|1L1LMM )6&(1.(An%)2)G)G)X=o&&/mmL&A&A&hUYY|E\E\&h`hl#!*w!7!7!M599W;M;Mg 29==AU3V3V W W  7)6&'*}}m$&0l#&.&<MMOOj0X\''')++l# %^4 %o 6 % +,.@AW.X.X);M)J)J =>>>$O59LD "6u>Q"R"RD "&.KHHHHH@ $$/(:<(H(H $3%%1CV$$$LL!666 $$/ X ,199_+E+E($FFF&';SAAG0G%+(3#C-?@T-U-U  %:#)?&/?S%%% 'l8<88%8|9T9T%U%U 09.0In-1:1O1O1gSgo..7mmL.I.I.pUYYWcMdMd.phpl+)2w)?)?)U599WCUCUg(:9==I];^;^(_(_ (?1>./2}}m,.8l+.6.DMMOOj8X\///#)++l+(-^'< (-o(> $-(3#C6HI]6^6^1CM1R1R ''@AAA'6#)?)5GZ(((  % c6p'l8<00%1%5%5i%@%@k"(4(8(8(B(Bn%0<0@0@0N0N,-0<0@0@0N0N,-,01A1A(E1R1R,S,S()14-./ 0@0@AU0V0VWW 4)3&" + 0 05 A ABB(7E# $*'>HVVDE%LeU U U U U U U U U U U U U U U n ?@@@UJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAXii $$G gs # #>7>D!'n>>> >122J(44M  $ As=49;;.//000 +A!B!B C C&))N++  ,:''(  sdFa6+Ja2R<:a< [>H-[94a9[>>E a a6a a6a a66a:=a:c N ddlm}|d}|r|r|}|t |ddpt |dd}|rdt |d dpt |d dt |d dpt |d d|t |d dt |d dt t |dddSn#t $rYnwxYwtd}|s dddddddSt |d|d |d |d |d t |ddS)zStatus snapshot for `hermes status` output. Checks the credential pool first (where the dashboard device-code flow and ``hermes auth`` store credentials), then falls back to the legacy auth-store provider state. r load_poolr3Nrruntime_api_keyrTr rr!rrr)rr r!raccess_expires_atrhas_refresh_tokenF)rr r!r0rr1) agent.credential_poolr.has_credentialsselectr+rrrr)r.r{entryrrs r2get_nous_auth_statusr6Q s 333333y    D((** KKMME E>488=u&7<< %)+25:KT+R+R,@&uj$??.5e=QSW.X.X/@&uj$??(4-4UL$-O-O07?UW[0\0\-1'%RV2W2W-X-X          $F + +E  #"&!%$(!&    %))N3344 99%677#ii(<=="YY|44 % *@ A A!%))O"<"<==   sC$C(( C54C5c  ddlm}|d}|r|r|}|wt |ddpt |dd}|rSt |dsCdt tt |d dd d t |d d |dSn#t$rYnwxYw t}dt t| d | d| d| ddS#t$r6}dt tt |dcYd}~Sd}~wwxYw)zStatus snapshot for Codex auth. Checks the credential pool first (where `hermes auth` stores credentials), then falls back to the legacy provider state. rr-r5Nr/rrTr[rizpool:runknown)rrr[rjrr:rjrr:F)rrr) r2r.r3r4r+rrrrrrr)r.r{r5r:r=rs r2get_codex_auth_statusr9 s 333333y((  D((** KKMME E#4d;;:unb99#B7A#N#N%)&)/*;*;&<&<(/~t(L(L%."N'%)*L*L"N"N#*        133o//00!IIn55;//ii))yy++        o//00XX         s1B3B77 CCA;E F+E?9F?Fct|}|r |jdkrddiSd}d}t||\}}d}|jr,t j|jd}|dvrt||j |}n |r|}n|j }t|||j ||t|dS)z>>`bH .-07Av|G,,,T+Px/B/B

rNrOrrrr@rrr)rrrrs r2rr sE  1/11F #%%% $&&& #%%% $$$+--- 3F;;;##F++G37$ 11*6222\7$ 11 \ A A A A A A!4!4!6!6FKK K \ \ \!&FEZ[[ [ [ [ \  s:C C C ct|}|r |jdkrtd|d|dd}d}t ||\}}d}|jr,t j|jd}|dvrt||j |}n<|dkrt||j |}n|r| d }n|j }||| d |pd d S) zwResolve API key and base URL for an API-key provider. Returns dict with: provider, api_key, base_url, source. r: Provider 'z' is not an API-key provider.rr rr<rFrdefault)rr:rr) rrrrrr*rrrrr!rrr>s r2$resolve_api_key_provider_credentialsrT s<  ##K00G  g'944 C C C C #    GJ:;PPGZGB)G4b99??AA777)'73MwWW   ('2LgVV .>>#&&- OOC(()   r1ct|}|r |jdkrtd|d|d|jr,t j|jdnd}|s|j}t jddp(t jddpd }t jd d}|rtj |nd d g}|rtj |nd }|s+| dstd|d|d|d|d|p||ddS)z>Resolve runtime details for local subprocess-backed providers.r@rRz&' is not an external-process provider.rr rrBrCr9rDrErFNrGz(Could not find the Copilot CLI command 'zQ'. Install GitHub Copilot CLI or set HERMES_COPILOT_ACP_COMMAND/COPILOT_CLI_PATH.missing_copilot_clir?rprocess)rr:rrHrIr)rrrrr*rrrr!rKrrLrMrr)rrrrHrNrIrJs r2-resolve_external_process_provider_credentialsrX7 s##K00G  g'+=== L L L L #    CJBZbry1266<<>>>`bH .- .3399;;  9' , , 2 2 4 4   y2B77==??H$, F5;x 7I2FD07Av|G,,,T  H$7$7 $E$E  ]w ] ] ] &       OOC((#.w   r1 default_modelc4t5t}||d<t|dddn #1swxYwYt}|jddt }|d}t|trt|}nBt|tr+| rd| i}ni}||d<|r-| r| d|d <n| d d|r!|dd }|rd|vr||d<||d<|tj|d |S) aUpdate config.yaml and auth.json to reflect the active provider. When *default_model* is provided the function also writes it as the ``model.default`` value. This prevents a race condition where the gateway (which re-reads config per-message) picks up the new provider before the caller has finished model selection, resulting in a mismatched model/provider (e.g. ``anthropic/claude-opus-4.6`` sent to MiniMax's API). rSNTr%rrSrrrrFr)rJrrurr-r.rrrr0rrrpopr4yaml safe_dump) rr!rYr config_pathconfig current_modelr cur_defaults r2_update_config_for_providerrcc s   %%%'' (3 $%$$$%%%%%%%%%%%%%%% "##KTD999   FJJw''M-&&'' M3 ' 'M,?,?,A,A 3 3 5 56  'Ij(06688( 2 9 9# > > *  j$''' 1mmIr22  1c[00#0Ii F7O4>&EBBBCCC s#>AAc>t}|s|St}|s|S|d}t |t rd|d<d|vr t |d<|tj |d|S)z5Reset config.yaml provider back to auto after logout.rrrrFr[) rr1rrrr0rr4r]r^)r_r`rs r2_reset_config_providerre s!##K        F  JJw  E%4"j    3E* 4>&EBBBCCC r1rrrapricing#Optional[Dict[str, Dict[str, str]]]unavailable_modelsOptional[List[str]] portal_urlc F !"#$%&'ddlm}|pg}g}r|vr||D]}||vr||t|t|z} t ot fd| D%%rt d| Dddznd&i"d'd#d$%r| D]}|} | rh|| d d } || d d } | d d } | r || nd }|rd $nd\} } }| | |f"|<t 't| t| 't #t|#؉$rt #d#"#$%&'fd!d}d}%r1d}d|d d&ddd'ddd'}$r |ddd#z }||dzz }d}d} ddl m }!fd|D}|d|d |pt d!}|rwt|t|D]!}t|d!||"tt|d"|d#|td$}n|}|||d%d&d'd d|(}|}dd)lm}||d*St|t|kr||S|t|kr't#d+}|r|nd*Sd*S#t&t(t*t,jf$rYnwxYwt|tt1t|dz}t3|d,D]'\}}td|d|d-!|(t|}td|d,zd|d.td|dzd|d/|rm|pt d!}ttd|d0|d1||D](}tdd d|d|!||)t t#d2|dzd3} | sd*St5| }d,|cxkr|krnn ||d,z S||d,zkr't#d+}|r|nd*S||dzkrd*Std4|dzn2#t6$rtd5Ynt8t:f$rYd*SwxYw)6aInteractive model selection. Puts current_model first with a marker. Returns chosen model ID or None. If *pricing* is provided (``{model_id: {prompt, completion}}``), a compact price indicator is shown next to each model in aligned columns. If *unavailable_models* is provided, those models are shown grayed out and unselectable, with an upgrade link to *portal_url*. r)_format_price_per_mtokc3BK|]}|VdSrr)rmrfs r2 z*_prompt_model_selection.. s-&J&J!w{{1~~&J&J&J&J&J&Jr1c34K|]}t|VdSr)r)rros r2rpz*_prompt_model_selection.. s(//qCFF//////r1)rSrZrFpromptr completioninput_cache_readTrrrc rC|d\}}}d|d d|d } r |d|dz }|d |}n|}|kr|dz }|S)Nrur(> ._label s  *..sLAAOCeCSC9CCCCCyCCCCJ 8757977777 3H333z33DDD -   , ,D r1zSelect default model:z r]rxr(InryOutCachez /Mtokzz) TerminalMenuc,g|]}d|S)ryr')rrrs r2rz+_prompt_model_selection.. s*999#%s %%999r1z Enter custom model namez Skip (keep current)ru ── Upgrade at u for paid models ──zAvailable free models:z-> )fg_greenbold)r) cursor_index menu_cursormenu_cursor_stylemenu_highlight_style cycle_cursor clear_screentitle) flush_stdinNzEnter model name: rz. z. Enter custom model namez. Skip (keep current)u=── Unavailable models (requires paid tier — upgrade at u) ──z Choice [1-z] (default: skip): zPlease enter 1-zPlease enter a number)hermes_cli.modelsrlrrzranyr7rrsimple_term_menurrrrshowhermes_cli.curses_uirinputrrNotImplementedErrorr@ subprocessSubprocessErrorr enumeraterrKeyboardInterruptEOFError)(rrarfrhrjrl _unavailableorderedr all_modelspr{r| cache_readr& default_idx menu_titlepadheader_DIM_RESETrchoices _upgrade_urleffective_titlemenuidxrr num_widthinchoicerrrrrrrs( `` @@@@@@@r2_prompt_model_selectionr s988888%+LG&)33}%%%   g   NN3   gl!3!33JwJ3&J&J&J&Jz&J&J&J#J#JKKKCNUs//J///;;;a??TUH57LIII* 3 3C C  A -,,QUU8R-@-@AA,,QUU<-D-DEEUU#5r:: >HP..z:::b% $I",S%!$c5 1L Is3xxS::IIs5zz22II  *Iq))I           K)J)UcU2UUUUUDU9UUUUUUUUU  2 171Y1111 1Ffy((  D F/ 11111199999992333./// #=&=EEcJJ  ) *    GGG# ; ;99FF3KK999:::: GGG T\\|\\TZ\\ ] ] ] GGG6OO(O| $2!.!    iikk444444 ;4  W  3<  CLL /006688F#-66 -t ,gz7Q R      *CG q())**IGQ''443 212y2222VVC[[223333 G A k>kllK GGG <<<<<< -4466 - - -... J{ J J JKKKKKsOAD3BDB'$D&B''A D D D'&D'3FF$#F$c \ ddl}d}t} tjtjd5}||dd|idd i }dddn #1swxYwYn'#t $r}td |d d d}~wwxYw|jdkrtd|jdd d| }| dd}| dd}tdt| dd} |r|stdd dtdtdtd|dtdtd|d td!d"} |} d} tjtjd5}|| z | krz|| ||d#||d$dd i } | jdkr| } n%| jd%vrztd&| jdd d'dddn #1swxYwYn,#t $rtd(t#d)wxYw| td*d d+| d,d}| d-d}|d.}|r|std/d d0 tjtjd5}|t$d,||||d1dd2i3}dddn #1swxYwYn'#t $r}td4|d d5d}~wwxYw|jdkrtd6|jdd d7| }| d8d}| d9d}|std:d d;t'jd|t1jt4jd?d@dAdBdCS)DzBRun the OpenAI device code login flow and return credentials dict.rNzhttps://auth.openai.comr)rz!/api/accounts/deviceauth/usercoder"rr)rrzFailed to request device code: r5device_code_request_failedr rz$Device code request returned status r^device_code_request_errorrrdevice_auth_idrr5z-Device code response missing required fields.device_code_incompletez!To continue, follow these steps: z# 1. Open this URL in your browser:z z/codex/device z 2. Enter this code:z z/Waiting for sign-in... (press Ctrl+C to cancel)iz/api/accounts/deviceauth/token)rr)iiz$Device auth polling returned status device_code_poll_error Login cancelled.z!Login timed out after 15 minutes.device_code_timeoutauthorization_code code_verifierz/deviceauth/callbackzADevice auth response missing authorization_code or code_verifier.device_code_incomplete_exchange)r"r redirect_urir"rr)rrzToken exchange failed: token_exchange_failedzToken exchange returned status token_exchange_errorrrz.Token exchange did not return an access_token.token_exchange_no_access_tokenrr)rrrrriz device-code)rrr[rjr)r6rzrrxrwrrrrrrr7rr monotonicrCrrryrrrrrrr`rrarbrk)_timeissuerr"r{rr device_datarrrmax_waitstart code_resp poll_resprrr token_resprrrrs r2rr s &F%I  \%-"5"5 6 6 6 &;;<<<!9-');<D                    3c 3 3#*F      3 F43C F F F#*E    ))++K R00I __%5r::N3{z3??@@AAM  N  ;#*B     ./// /000 8& 8 8 8999 !""" .) . . ./// ;<<<H OO  EI \%-"5"5 6 6 6 &//##e+h66 M***"KK===,:SS+-?@( (C// ) 0 0I*j88#Wy?TWWW!/6N               &  "###oo /#*?    #';R@@MM/266M222L  ]  O#*K     \%-"5"5 6 6 6 &%"6.$0!*%2 ()LM%  J                    +c + +#*A     $$ Gj.D G G G#*@    __  F::nb11LJJ33M   <#*J     )2..4466==cBB " ! )*   X\22<<>>FFxQTUU   s'A. A" A."A&&A.)A&*A.. B8B  B='J$BJ: JJ  J J J)J;'M?&M3' M?3M77M?:M7;M?? N# NN#, r r!r"r# open_browserr"rrrrc N td} |p.tjdptjdp| jd}|ptjdp| jd} |p| j}|p| j}tj |} |rdn|r|nd} trd}td| j d td ||rtd n|rtd |d tj | ddi| 5} t| |||}t|d}t|d}t!|d}t!|d}ttdtd|td||r5t#j|}|rtdntdt'dt)|t*}td|dt-| ||t|d||}d d d n #1swxYwYt/jt2j}t7|dd!}||z}t=|d"p| }|| krtd#|id$|d"|d%|d&|d&p|d'|d'd(d)|d)d*|d*d+|d,t/j |t2j-d|d.| dutC| tr| nd d/d0d d1d d2d d3d d4d d5d } tE|||dd6S#tF$r}|j$d7kr|d$tJd}ttd8td9|d:ttd;tMdd }~wwxYw)Your Nous Portal account does not have an active subscription.z Subscribe here: z/billingz>,+J+JKK#33J:>>*>??@@ # "!888 N6LNNOOO?4 Y ((1E  jnn\8<<   >2  88 s}} h,ZHLIIISSUU & %#-fc#:#:D   T !" #$ %& D'( )J,,  3+          8. . .#!#:fSkk  GGG R S S S ;z;;; < < < GGG P Q Q QQ--   s,,D>I66I:=I:+O?? R$ BRR$c \ t|ddpd}tt|dd}t|ddp'tjdptjd} t t|d dt|d dt|d dp|jt|d dp|jt|d d |||d }|d}t5t}| d}dddn #1swxYwYt5t} t| d|t| } dddn #1swxYwYttdtd| d} | dp| d} t| tr| stdddddlm} m}m}m}m}| dg}tg}|r4|d}|||}|}|r|||d\}}| dd}|r4td t-|d!t/||||"} nP|r?|pt0d#}td$td%|d&ntd'nj#t4$r]}t|trt7|nt|}ttd(|Yd}~nd}~wwxYw| st5t} |r|| d<n| ddt| dddn #1swxYwYttd)td*dSt;d|| +}| r!t=| td,| td-|d.dS#t>$rtd/tAd0t4$r&}td1|tAd2d}~wwxYw)3z&Nous Portal device authorization flow.rNrrFrrrrj inference_urlr"r# no_browserrrr!rSr3rrrrz,No runtime API key available to fetch modelsrrr r)_PROVIDER_MODELSget_pricing_for_providerfilter_nous_free_modelscheck_nous_free_tierpartition_nous_models_by_tierT) free_tierr rzShowing u= curated models — use "Enter custom model name" for others.)rfrhrjrz#No free models currently available.z Upgrade at z to access paid models.z,No curated models available for Nous Portal.z?Login succeeded, but could not fetch available models. Reason: z:No provider change. Nous credentials saved for future use.z4 Run `hermes model` again to switch to Nous Portal.)rYzDefault model set to: rz (model.provider=nous)rrzLogin failed: r)!r+rrrrr"r#rJrrrrurrrrrrrrrrrrrrrrr\rcrrr)rIrr"rrrr! _prior_storeprior_active_providerrsaved_toselected_model runtime_keyrrrrrrrhrfr_portal_urlrrr_s r2 _login_nousr s}dIt44<OGD*e4455Hk4(( & 9' ( ( & 9_ % % t,#D,==&t_dCCdK66K':K$..?'-$T<???+ &    ((<=    H H+--L$0$4$45F$G$G ! H H H H H H H H H H H H H H H   4 4)++J VZ @ @ @' 33H 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4  !""" )x))*** * _$..55W9W9WKk3// { B#(               ),,VR88I GGG')  226::33IwGG 0022 4Q4Q!7d5551I1!nn%6;;G FpYpppqqq!8w'9&""" $ F:#:BB3GG;<<<ADAAABBBBDEEE _ _ _0:3 0J0JX',,,PSTWPXPXG GGG ]T[]] ^ ^ ^ ^ ^ ^ ^ ^ _ "## - --// (<4IJ011NN#4d;;; ,,,  - - - - - - - - - - - - - - - GGG N O O O H I I I F1 &n     = ~ . . . ;>;; < < < F;FFFGGGGG  "###oo  $s$$%%%mms,BQ4$D$ Q$D((Q+D(,Q=/E8, Q8E<<Q?E<4Q5ELQ M6AM1,Q1M66Q > > > > M N N N N N 9999:::::r1)rr)r:rrrrrrr)rr rrrr)rrrrrr)r)r:rrrrr)rrrr)rr rr)rr)rrrrrr rr)rr )r"rr)rKrLrr%)rr%rr )rr%rrrrv)rr%rrrr%rr)rrrr%)rrr~rrr )rrrrrr)rrrrrr)rrrrv)rr)rrrr)rrrr)rr)rrrr)rrrrrrrr)rr rr)rr rrrr)rr rr)rr rr)rr rr%)rr rrrr)rr%)rr%rr )rr rrrr)r)rr%r"rrr%)r1rr2rr3rrr%)r1rrr%)rTrrr%)rrrrr[rrr)rrgr[rrr)rrrrr"rrr%)rrgr"rrrg)rr)rrrrrrvrr) r{rr rr"rr#rrr%)r{rr rr"rrrrrrrrr%) r{rr rr"rrrrr%) r{rr rrrrrrr%) r!rr:rr"rrrrr)rr%rrrr) r"rrrrrr3rrr)$rrrrr"rr rr!rr&rr#rrrrrrrrrrrr"rrrrrr1rrrrr%) rr%rrr"rr1rrrrr%) rrr"rrrrrrrrr%)rrrr%)rrr!rrYrrr )rNNr) rrrarrfrgrhrirjrrr)rrrr)rrrr)r rr!rr"rr#rrrr"rrrrrrrrr%)r. __future__rrrrrLrKr2rrr threadingr6rer contextlibr dataclassesrrrrpathlibr typingr r r r rr]rrrrrrrr+rr/rr0rTrrrrr!DEFAULT_AGENT_KEY_MIN_TTL_SECONDSrrrr8DEFAULT_GITHUB_MODELS_BASE_URLDEFAULT_COPILOT_ACP_BASE_URLDEFAULT_OLLAMA_CLOUD_BASE_URLrzry'CODEX_ACCESS_TOKEN_REFRESH_SKEW_SECONDSr+r*&QWEN_ACCESS_TOKEN_REFRESH_SKEW_SECONDSrJ.GEMINI_OAUTH_ACCESS_TOKEN_REFRESH_SKEW_SECONDSrrr/rrrrrrrrrrrrrrrrr!localr,rJrrurrr}rrrrrrrrrrrrrrrrr rrrr0r:r>rLrNrRr\rfrkrrrrrrrrrrrrr r r+r6r9r@rOrrTrXrcrerrrrrrrrr'r1r2rs|   #"""""   %%%%%%(((((((('''''''',,,,,,,,,,,, OOOOOOOOOO000000  8 $ $LLLL EEEMMMM FFF <H%/$+!$'!()%@3!@. 76=*-'9A),&%<!13.           E0 NN  %/5(    E0NN  "1 E0 ..  "0 !E0,  $"< -E08~~  9M/ 9E0H>>  !$7/ IE0V nn  T=* WE0f >>  9G'    gE0v>>  7*( wE0Fnn  &7- GE0T ^^  8-) UE0d~~  =-+ eE0t  6\ uE0B~~  (S/- CE0R..  ?0. SE0b  8., cE0r >>  0)'    sE0B!.  <0. #N  720 ">   ;1/     <., ">  =&& n  :,* #N  8,* ~  L+ {E0E0E0EEEEX46       89      L4gY(S d>d>df|}CEkEkEknCD  #####L&&&&Z11111 111"4DDDD---- >B[[[[[[++++2222$IO%%.G66666r<<<<<:!!!!H<<<<0000 P P P P P , , , ,%%%%9999 ---- 0000f#####L % % % %"4 $l'+'+ llllllf"9999(((( 6 6 6 6CCCC66662MsIIIIIEEEEET $ F @    < ''''''T<AAAA)-......j#' (S(S(S(S(S(SV % % % % %$" WWWWWWt6H $ G <<<<<<J $#+/      N6.E.E.E.Ej W W W WFWWWWJ" 6*6*6*6*6*6*rPPPP"## A P%P%P%P%P%P%t#!% $#*.@!##%RRRRRRp A! B A!## vvvvvvz4444n. . . . b><     6####L%%%%^$(44444n*37.2 mmmmm`">L>L>L>LBNNNNf&*(,#!#%@@@@@@F~~~~B;;;;;;s$BBB"B''B10B1