i$UdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlZddlmZddlmZmZddlmZmZddlmZmZddlmZdd lmZm Z m!Z!m"Z"dd l#m$Z$m%Z%m&Z&ddl'Z'ddl(Z(dd l)m*Z*m+Z+m,Z,dd l-m.Z.dd l/m0Z0m1Z1m2Z2ej3e4Z5 ddl6Z6n #e7$rdZ6YnwxYw ddl8Z8n #e7$rdZ8YnwxYwdZ9dZ:dZ;dZdZ?dZ@dZAdZBdZCdZDdZEdZFdZGdZHdZIdZJdZKd ZLd!ZMd"ZNd#ZOd$ZPd%ZQd&ZRdZSd'ZTd(ZUdZVd)ZWd*ZXd+ZYd,ZZd-Z[dZ\d.]d/Z^d0d1iZ_d2e`d3<d4ZadZbd5ZceGd6d7Zdid8edd8d9d:e;e;d<eddeB?d@edd@dAd>eK?dBeddBdCd>ea?dDeddDdEdFdGdHdIJdKeddKdLdFeLdMdNJdOeddOdPdQeMdRSdTeddTdUdFdVdWdXJdYeddYdZdFd[d\d]Jd^edd^d_dFd`dadbJdceddcdddFdedfgdheddhdidFeOdjdkJdleddldmdFdndodpJdqeddqdrdFdsdtduJdveddvdwdFddxdyJdzeddzd{d|eFeHeCeDd}eGeId~deddddFdddJideddddFdddJdeddddFdddJdeddddFdddJdeddddFdddJdeddddFdddJdeddddFdddJdeddddFdddJdeddddFdddJdeddddFdddJdeddddFdddJdeddddFdddJdeddddFdddJdeddddFdddĬJdeddddFeNddȬJdedddddddάJdeddddFdddӬJZede`d<dd؄ZfdZgdd܄ZhhdݣZiddߜddZjddZkd}d[dgdfdddgdfddgddfddgddfgZldddZmddZnGddeoZpddZqddZrddZsdddd Ztdd Zudd ZvejwZxee:fddZydddZzddZ{ddZ|ddZ}ddddZ~ddZddZddd Zdd#Zdd%Zdd&Zdd'Zdd(Zdd)Zdd*Zddd+Zdd,Zdd.Z dddd/dd3Zd d5Zd d8Zd d:Zd d;Zd d<Zdd>Zdd?Zdd@ZddBZeVfddDZdddFZdGdeVdHddLZddMZdGdNddOZddPZdddSZdddTZ dddVZ dddWZdddXZdddYZddd\Zdd^ZdddZddfZd diZdjdkd!dmZddnd"dsZdEdkd#duZdEdkd$dvZdGde\dHddwZddxZd%dzZdd{Zdd|Zdd}d&dZdd'dZdEdkd(dZd)dZd*dZdGdeSdHddZd+dZddddd,dZd-dZd.dZd/dZd0dZdddd1dZd2dZddde@dd3dZde>dddde?ddddGdGd d4dZe?ddGdGdd5dZdZddd6dZe?ddddGdd7dZÐddZĐddZŐddZƐddZǐd8dZȐd8dZɐdddZʐd8dZːd8dZ dd9dZ͐ddZΐddZϐddZАddZ d:d;dɄZҐd<d˄ZӐdd̄ZԐdGd͜d=dτZՐddЄZ֐d>d҄Zאd?dӄZؐd@d؄ZِdAdلZd}dddڜdBd݄ZddGdޜdCdZeJddDdZݐddZސdEdZdddddddGddd dFdZdEdZddZdS(GaZ Multi-provider authentication system for Hermes Agent. Supports OAuth device code flows (Nous Portal, future: OpenAI Codex) and traditional API key providers (OpenRouter, custom endpoints). Auth state is persisted in ~/.hermes/auth.json with cross-process file locking. Architecture: - ProviderConfig registry defines known OAuth providers - Auth store (auth.json) holds per-provider credential state - resolve_provider() picks the active provider via priority chain - resolve_*_runtime_credentials() handles token refresh and key minting - logout_command() is the CLI entry point for clearing auth ) annotationsN)contextmanager) dataclassfield)datetimetimezone)BaseHTTPRequestHandler HTTPServer)Path)AnyDictListOptional)parse_qs urlencodeurlparse)get_hermes_homeget_config_pathread_raw_config)OPENROUTER_BASE_URL)atomic_replaceatomic_yaml_writeis_truthy_value.@zhttps://portal.nousresearch.comz)https://inference-api.nousresearch.com/v1 hermes-clizinference:mint_agent_keyixz%https://chatgpt.com/backend-api/codexz$78257093-7e40-4613-99e0-527b14b39113z!group_id profile model.completionz*urn:ietf:params:oauth:grant-type:user_codezhttps://api.minimax.iozhttps://api.minimaxi.comz https://api.minimax.io/anthropicz"https://api.minimaxi.com/anthropic<zhttps://portal.qwen.ai/v1zhttps://api.githubcopilot.comz acp://copilotzhttps://ollama.com/v1z#https://api.stepfun.ai/step_plan/v1z$https://api.stepfun.com/step_plan/v1app_EMoamEEZ73f0CkXaXp7hrannz#https://auth.openai.com/oauth/token f0304373b74a44d2b584a3fb70ca9e56z(https://chat.qwen.ai/api/v1/oauth2/tokenzhttps://accounts.spotify.comzhttps://api.spotify.com/v1z'http://127.0.0.1:43827/spotify/callbackzFhttps://hermes-agent.nousresearch.com/docs/user-guide/features/spotifyz'https://developer.spotify.com/dashboard ) zuser-modify-playback-statezuser-read-playback-statezuser-read-currently-playingzuser-read-recently-playedzplaylist-read-privatezplaylist-read-collaborativezplaylist-modify-publiczplaylist-modify-privatezuser-library-readzuser-library-modifyspotifySpotifyDict[str, str]SERVICE_PROVIDER_NAMESzcloudcode-pa://googlezdummy-lm-api-keyceZdZUdZded<ded<ded<dZded<dZded<dZded <dZded <e e Z d ed <dZ ded<dZ ded<dS)ProviderConfigz%Describes a known inference provider.stridname auth_typeportal_base_urlinference_base_url client_idscope)default_factoryDict[str, Any]extratupleapi_key_env_varsbase_url_env_varN)__name__ __module__ __qualname____doc____annotations__r-r.r/r0rdictr3r6r7r44/home/ubuntu/.hermes/hermes-agent/hermes_cli/auth.pyr'r's// GGG IIINNNO     IEOOOO!E$777E7777     r>r'nousz Nous Portaloauth_device_code)r)r*r+r-r.r/r0 openai-codexz OpenAI Codexoauth_external)r)r*r+r. qwen-oauthz Qwen OAuthgoogle-gemini-clizGoogle Gemini (OAuth)lmstudioz LM Studioapi_keyzhttp://127.0.0.1:1234/v1) LM_API_KEY LM_BASE_URL)r)r*r+r.r6r7copilotzGitHub Copilot)COPILOT_GITHUB_TOKENGH_TOKEN GITHUB_TOKENCOPILOT_API_BASE_URL copilot-acpzGitHub Copilot ACPexternal_processCOPILOT_ACP_BASE_URL)r)r*r+r.r7geminizGoogle AI Studioz0https://generativelanguage.googleapis.com/v1beta)GOOGLE_API_KEYGEMINI_API_KEYGEMINI_BASE_URLzaiz Z.AI / GLMzhttps://api.z.ai/api/paas/v4) GLM_API_KEY ZAI_API_KEY Z_AI_API_KEY GLM_BASE_URL kimi-codingzKimi / Moonshotzhttps://api.moonshot.ai/v1) KIMI_API_KEYKIMI_CODING_API_KEY KIMI_BASE_URLkimi-coding-cnzKimi / Moonshot (China)zhttps://api.moonshot.cn/v1)KIMI_CN_API_KEY)r)r*r+r.r6stepfunzStepFun Step Plan)STEPFUN_API_KEYSTEPFUN_BASE_URLarceezArcee AIzhttps://api.arcee.ai/api/v1)ARCEEAI_API_KEYARCEE_BASE_URLgmiz GMI Cloudzhttps://api.gmi-serving.com/v1) GMI_API_KEY GMI_BASE_URLminimaxMiniMax)MINIMAX_API_KEYMINIMAX_BASE_URL minimax-oauthuMiniMax (OAuth · minimax.io) oauth_minimaxglobal)regioncn_portal_base_urlcn_inference_base_url)r)r*r+r-r.r/r0r3 anthropic Anthropiczhttps://api.anthropic.com)ANTHROPIC_API_KEYANTHROPIC_TOKENCLAUDE_CODE_OAUTH_TOKENANTHROPIC_BASE_URLalibabazAlibaba Cloud (DashScope)z6https://dashscope-intl.aliyuncs.com/compatible-mode/v1)DASHSCOPE_API_KEYDASHSCOPE_BASE_URLalibaba-coding-planzAlibaba Cloud (Coding Plan)z-https://coding-intl.dashscope.aliyuncs.com/v1)ALIBABA_CODING_PLAN_API_KEYr{ALIBABA_CODING_PLAN_BASE_URL minimax-cnzMiniMax (China))MINIMAX_CN_API_KEYMINIMAX_CN_BASE_URLdeepseekDeepSeekzhttps://api.deepseek.com/v1)DEEPSEEK_API_KEYDEEPSEEK_BASE_URLxaixAIzhttps://api.x.ai/v1) XAI_API_KEY XAI_BASE_URLnvidiaz NVIDIA NIMz#https://integrate.api.nvidia.com/v1)NVIDIA_API_KEYNVIDIA_BASE_URL ai-gatewayzVercel AI Gatewayzhttps://ai-gateway.vercel.sh/v1)AI_GATEWAY_API_KEYAI_GATEWAY_BASE_URL opencode-zenz OpenCode Zenzhttps://opencode.ai/zen/v1)OPENCODE_ZEN_API_KEYOPENCODE_ZEN_BASE_URL opencode-goz OpenCode Gozhttps://opencode.ai/zen/go/v1)OPENCODE_GO_API_KEYOPENCODE_GO_BASE_URLkilocodez Kilo Codezhttps://api.kilo.ai/api/gateway)KILOCODE_API_KEYKILOCODE_BASE_URL huggingfacez Hugging Facez https://router.huggingface.co/v1)HF_TOKEN HF_BASE_URLxiaomiz Xiaomi MiMozhttps://api.xiaomimimo.com/v1)XIAOMI_API_KEYXIAOMI_BASE_URLtencent-tokenhubzTencent TokenHubz#https://tokenhub.tencentmaas.com/v1)TOKENHUB_API_KEYTOKENHUB_BASE_URL ollama-cloudz Ollama Cloud)OLLAMA_API_KEYOLLAMA_BASE_URLbedrockz AWS Bedrockaws_sdkz/https://bedrock-runtime.us-east-1.amazonaws.comr4BEDROCK_BASE_URLz azure-foundryz Azure Foundryr,)AZURE_FOUNDRY_API_KEYAZURE_FOUNDRY_BASE_URLzDict[str, ProviderConfig]PROVIDER_REGISTRYreturnr(cddlm}tdjD](}||pt j|d}|r|cS)dS)aQReturn the first usable Anthropic credential, or ``""``. Checks both the ``.env`` file (via ``get_env_value``) and the process environment (``os.getenv``). The fallback order mirrors the ``PROVIDER_REGISTRY["anthropic"].api_key_env_vars`` tuple: ANTHROPIC_API_KEY -> ANTHROPIC_TOKEN -> CLAUDE_CODE_OAUTH_TOKEN r get_env_valuertr,)hermes_cli.configrrr6osgetenv)rvarvalues r?get_anthropic_keyrsh0///// -> c""8biR&8&8  LLL  2r>zhttps://api.kimi.com/coding default_url env_overridecN|r|S|s|S|drtS|S)zReturn the correct Kimi base URL based on the API key prefix. If the user has explicitly set KIMI_BASE_URL, that always wins. Otherwise, sk-kimi- prefixed keys route to api.kimi.com/coding/v1. zsk-kimi-) startswithKIMI_CODE_BASE_URL)rGrrs r?_resolve_kimi_base_urlrsB  *%%"!! r>> ***** your-api-key*nonenulldummyexamplechangeme placeholder your_api_key) min_lengthrr rintboolct|tsdS|}t||krdS|t vrdSdS)zIReturn True when a configured secret looks usable, not empty/placeholder.FT) isinstancer(striplenlower_PLACEHOLDER_SECRET_VALUES)rrcleaneds r?has_usable_secretrsZ eS ! !ukkmmG 7||j  u}}444u 4r> provider_idpconfigtuple[str, str]c|dkre ddlm}m}|\}}|r |||fSn=#t$r%}td|Yd}~nd}~wt $rYnwxYwdSddlm}|j D]6}||pd } t| r| |fcS7 dd l m } | |} | r| ro| } | rYt!| d dpt!| d d} t#|  } t| r| d |fSn#t $rYnwxYwdS) zDResolve an API-key provider's token and indicate where it came from.rJr)resolve_copilot_tokenget_copilot_api_tokenz#Copilot token validation failed: %sN)r,r,rr, load_pool access_tokenruntime_api_keyzcredential_pool:)hermes_cli.copilot_authrr ValueErrorloggerwarning Exceptionrrr6rragent.credential_poolrhas_credentialspeekgetattrr()rrrrtokensourceexcrenv_varvalrpoolentrykeys r? _resolve_api_key_provider_secretrs i  \ \ \ \ \ \ \ \1133ME6 <,,U33V;; < G G G NN@# F F F F F F F F    D v//////+  }W%%+2244 S ! ! <      333333y%%  AD((** AIIKKE Ae^R88aGEK\^`__,xu! _ _E _z222)<7)<)<(: "'"'&'.4%H%H$I  $   #s**LL!KUT\^cddd#$,!&!&   KUTY[_[kllll _ _ _ JESXZ]^^^^^^^^ _3 _6 4sAB1"B CCCc|r|S|s|St}t|dpi}|d}t|tr|dr|dd}|t j|ddkr)t d|d|dSt|}|r|drt j|dd}|d|d d|d d|d d|d |d<t|d|t d |d |d|dSt d||S)aYReturn the correct Z.AI base URL by probing endpoints. If the user has explicitly set GLM_BASE_URL, that always wins. Otherwise, probe the candidate endpoints to find one that accepts the key. The detected endpoint is cached in provider state (auth.json) keyed on a hash of the API key so subsequent starts skip the probe. rVdetected_endpointrkey_hashr,NzZ.AI: using cached endpoint %sr)rr)r endpoint_idrrrz$Z.AI: auto-detected endpoint %s (%s)z.Z.AI: probe failed, falling back to default %s)_load_auth_store_load_provider_stategetrr=hashlibsha256encode hexdigestrr r_save_provider_stateinfo)rGrr auth_storestatecachedrdetecteds r?_resolve_zai_base_urlr#Zs "##J U 3 3 9rE YY* + +F&$&FJJz$:$:&::j"-- w~gnn&6&677AACCCRCH H H LL96*;M N N N*% %#7++H $HLL,, $>'.."2"233==??D ,#<<b11\\'2..\\'2.. & & !" Z666 :HWc.eZdZdZdddddfdZxZS) AuthErrorz,Structured auth error with UX mapping hints.r,NFprovidercoderelogin_requiredmessager(r'r( Optional[str]r)rrNonectt|||_||_||_dSN)super__init__r'r(r))selfr*r'r(r) __class__s r?r0zAuthError.__init__s9 !!!   0r>) r*r(r'r(r(r+r)rrr,)r8r9r:r;r0 __classcell__)r2s@r?r%r%sX66 "!& 1 1 1 1 1 1 1 1 1 1 1 1r>r%errorrct|tst|S|jr|dS|jdkr dS|jdkr dS|jdkr|dSt|S)z2Map auth failures to concise user-facing guidance.z' Run `hermes model` to re-authenticate.subscription_requiredzfNo active paid subscription found on Nous Portal. Please purchase/activate a subscription, then retry.insufficient_creditszTSubscription credits are exhausted. Top up/renew credits in Nous Portal, then retry.temporarily_unavailablez Please retry in a few seconds.)rr%r(r)r()r4s r?format_auth_errorr9s eY ' '5zz A@@@@ z,,, C   z+++ ?   z...8888 u::r>rr+ct|tsdS|}|sdStj|dddS)zJReturn a short hash fingerprint for telemetry without leaking token bytes.Nutf-8 )rr(rrrrr)rrs r?_token_fingerprintr=sd eS ! !tkkmmG t >'..11 2 2 < < > >ss CCr>c|tjdd}|dvS)NHERMES_OAUTH_TRACEr,>1onyestrue)rrrr)raws r?_oauth_trace_enabledrEs8 )(" - - 3 3 5 5 ; ; = =C , ,,r> sequence_ideventrGfieldsr,c tsdSd|i}|r||d<||tdt j|dddS)NrHrGzoauth_trace %sTF) sort_keys ensure_ascii)rEupdaterrrdumps)rHrGrIpayloads r? _oauth_tracerPsp  ! !&.G-!,  NN6 KK $*WSX"Y"Y"YZZZZZr>r cFtdz }tjdrpt jdz dz d} |d}n#t$r|}YnwxYw||krtd|d|S)N auth.jsonPYTEST_CURRENT_TESTz.hermesF)strictz8Refusing to touch real user auth store during test run: zq. Set HERMES_HOME to a tmp_path in your test fixture, or run via scripts/run_tests.sh for hermetic CI-parity env.) rrenvironrr homeresolver RuntimeError)pathreal_home_authresolveds r?_auth_file_pathr\s   { *D  z~~+,, )++ 1K?HHPUHVV ||5|11HH   HHH  ~ % %G4GGG  KsA66 BBcDtdS)Nz.lock)r\ with_suffixr4r>r?_auth_lock_pathr_s    ( ( 1 11r>timeout_secondsc#KttdddkrLtxjdz c_ dVtxjdzc_n#txjdzc_wxYwdSt}|jddt 8t1dt_ dVdt_n#dt_wxYwdStrH|r| j dkr| dd | trd nd 5}tj td |z} t r?t j|t jt jznG|dtj|tjdnX#t,t.t0f$r=tj |krt3d tjdYnwxYwdt_ dVdt_t r3t j|t jntr` |dtj|tjdn#t.t:f$rYnwxYwn#dt_t r2t j|t jwtr` |dtj|tjdw#t.t:f$rYwwxYwwxYwddddS#1swxYwYdS)zCCross-process advisory lock for auth.json reads+writes. Reentrant.depthrrNTparentsexist_okr!r;encodingzr+za+?z%Timed out waiting for auth store lockg?)r_auth_lock_holderrbr_parentmkdirfcntlmsvcrtexistsstatst_size write_textopentimemaxflockfilenoLOCK_EXLOCK_NBseeklockingLK_NBLCKBlockingIOErrorOSErrorPermissionError TimeoutErrorsleepLOCK_UNLK_UNLCKIOError)r` lock_path lock_filedeadlines r?_auth_store_lockrs '1--111$ ) EEE  # #q ( # # #  # #q ( # # # # # #!!I 4$777 }"# ( EEE&'  # #a  # ' ' ' '4y''))4Y^^-=-=-E-J-JS7333 0D 1 1Y9;;S/!:!:: ! !KK 0 0 2 2EMEM4QRRRRNN1%%%N9#3#3#5#5vJJJ#Wo> ! ! !9;;(**&'NOOO 4      ! !#$  EEE&'  #  I,,.. >>>> NN1%%%N9#3#3#5#5vJJJJ)D  '(  #  I,,.. >>>> NN1%%%N9#3#3#5#5vJJJJ)D  -sA A$.B??C ?&O &B G43O 4AIO IO L A O +AK32O 3LO LO  A N9AN! N9!N5 2N94N5 5N99O  O O  auth_fileOptional[Path]r2cz|p t}|s tidS tj|}nz#t $rm}|d} ddl}|j ||n#t $rYnwxYwt d|||tidcYd}~Sd}~wwxYwt|trht|dts(t|dtr|di|St|trPt|dtr(|d}i}d|vr |d|d <t||rd ndd StidS) N)version providersz .json.corruptruYauth: failed to parse %s (%s) — starting with empty store. Corrupt file preserved at %srcredential_poolsystems nous_portalr@)rractive_provider)r\rnAUTH_STORE_VERSIONrloads read_textrr^shutilcopy2rrrr=r setdefault)rrDr corrupt_pathrrrs r?rr-s._..I     @-B???@j,,..//  @ @ @ ,,_==   MMM FLL 1 1 1 1    D  + sL   .B???????? @#t377;''.. cgg/00$ 7 7 {B''' #tBCGGI,>,>!E!EBi. G # # ' 6If -I-6#@66DBB B* ; ;;sA&A C!C 7B  C  BC B)C C Crc8t}|jddt|d<t jt j|d<tj |ddz}| |j dtjd tjj} |d d 5}|||tj|dddn #1swxYwYt/|| tjt1|jtj}n#t4$rd}YnwxYw|C tj|tj|n#tj|wxYw |r|nO#t4$rYnCwxYw# |r|ww#t4$rYwwxYwxYw |t>j t>j!zn#t4$rYnwxYw|S) NTrcr updated_at)indent z.tmp..wr;rf)"r\rjrkrrnowrutc isoformatrrN with_namer*rgetpiduuiduuid4hexrrwriteflushfsyncrvrr(O_RDONLYr}closernunlinkchmodroS_IRUSRS_IWUSR)rrrOtmp_pathhandledir_fds r?_save_auth_storerUs!!I 4$777.Jy'|HL99CCEEJ|jA...5G""in#[#[29;;#[#[IY#[#[\\H ]]3] 1 1 &V LL ! ! ! LLNNN HV]]__ % % % & & & & & & & & & & & & & & & x+++ WS!122BK@@FF   FFF    !               "!!!    D     "!!!! "    D   t|34444      s H"AD>2 H>EHEH1F H FHFH!G 5H G  H$(H HHI(I I IIII,J JJOptional[Dict[str, Any]]c|d}t|tsdS||}t|trt|ndS)Nr)rrr=)rrrr s r?rrysZ{++I i & &t MM+ & &E$UD11 ;4;;;t;r>r c|di}t|ts i|d<|d}|||<||d<dSNrrrrr=)rrr rs r?rrsX%%k266I i & &,"$ ;{+ "Ik$/J !!!r>T set_activerc|di}t|ts i|d<|d}|||<|r||d<dSdSrr)rrr rrs r?_store_provider_statersl%%k266I i & &,"$ ;{+ "Ik4(3 $%%%44r>cv|pd}|tvp|tvSNr,)rrrr%r normalizeds r?is_known_auth_providerrs;#**,,2244J * * Rjc|pd}|tvrt|jSt||Sr)rrrr*r%rrs r?get_auth_provider_display_namersT#**,,2244J&&& ,11 ! % %j+ > >>r>ct}|d}t|tsi}|t|S||}t|trt |ngS)z>+ , ,D dD ! !Dzzxx ,,%/0@$%G%G O4 ! ! !ROr>entriesList[Dict[str, Any]]ct5t}|d}t|tsi}||d<t |||<t |cdddS#1swxYwYdS)z7Persist one provider's credential pool under auth.json.rN)rrrrr=rr)rrrrs r?write_credential_poolrs   ,,%'' ~~/00$%% 1D,0J( ) MM[ ++,,,,,,,,,,,,,,,,,,sA A<<BBrct5t}|di}||g}||vr||t |ddddS#1swxYwYdS)z@Mark a credential source as suppressed so it won't be re-seeded.suppressed_sourcesN)rrrappendrrrr suppressed provider_lists r?suppress_credential_sourcers   %%%'' **+?DD "--k2>>  & &   ( ( ($$$ %%%%%%%%%%%%%%%%%%sA#A??BBc t}|di}|||gvS#t$rYdSwxYw)z=Check if a credential source has been suppressed by the user.rF)rrr)rrrrs r?is_source_suppressedrsa%'' ^^$8"==  R8888 uus;> A  A ct5t}|d}t|ts ddddS||}t|t r||vr ddddS|||s||d|s|ddt| ddddS#1swxYwYdS)zClear a suppression marker so the source will be re-seeded on the next load. Returns True if a marker was cleared, False if no marker existed. rNFT) rrrrr=rremovepoprrs r?unsuppress_credential_sourcers   %'' ^^$899 *d++   #{33 -.. & 2M2M V$$$ . NN; - - - 7 NN/ 6 6 6$$$s:C4/C4AC44C8;C8c>t}t||S)z4Return persisted auth state for a provider, or None.)rr)rrs r?get_provider_auth_staters!##J  K 8 88r>cHt}|dS)z8Return the currently active provider ID from auth store.r)rrrs r?get_active_providerrs !##J >>+ , ,,r>c|pd} t}|dpd}|r||krdSn#t$rYnwxYw ddlm}|}|d}t|trC|dpd}||krdSn#t$rYnwxYwdh}t|} | r?| j d kr4| j D],} | |vrttj| drdS-d S) aReturn True only if the user has explicitly configured this provider. Checks: 1. active_provider in auth.json matches 2. model.provider in config.yaml matches 3. Provider-specific env vars are set (e.g. ANTHROPIC_API_KEY) This is used to gate auto-discovery of external credentials (e.g. Claude Code's ~/.claude/.credentials.json) so they are never used without the user's explicit choice. See PR #4210 for the same pattern applied to the setup wizard gate. r,rTr) load_configrr'rxrGF)rrrrrrrrr=rr+r6rrr) rrractivercfg model_cfg cfg_provider_IMPLICIT_ENV_VARSrrs r?!is_provider_explicitly_configuredrs#**,,2244J %'' ..!2339r@@BBHHJJ  f **4        111111kmmGGG$$ i & & %MM*55;BBDDJJLLLz))t      44##J//G7$ 11/  G,,, 7B!7!788 tt  5s%AA>> B  B A;D DDc(t5t}|p|d}|s ddddS|di}t|tsi}||d<|d}t|tsi}||d<d}||vr||=d}||vr||=d}|d|krd|d<d}|s ddddSt |dddn #1swxYwYdS)z Clear auth state for a provider. Used by `hermes logout`. If provider_id is None, clears the active provider. Returns True if something was cleared. rNFrrT)rrrrr=r)rrtargetrrcleareds r?clear_provider_authr(s   %%%'' A /@ A A  %%%%%%%% NN;33 )T** 0I&/J{ #~~/00$%% 1D,0J( ) Y  &!G T>>V G >>+ , , 6 6,0J( )G ;%%%%%%%%< $$$=%%%%%%%%%%%%%%%> 4s)DBD,DD D ct5t}d|d<t|ddddS#1swxYwYdS)z Clear active_provider in auth.json without deleting credentials. Used when the user switches to a non-OAuth provider (OpenRouter, custom) so auto-resolution doesn't keep picking the OAuth provider. Nr)rrrrs r?deactivate_providerrPs   %%%'' (, $%$$$%%%%%%%%%%%%%%%%%%s#?AA provider_namecj ddlm}|}|sdSdg}|D]s}|jdkrdnd}|d|d |j|jr|jdnd}|r|d |td |S#t$rYdSwxYw) zReturn a helpful hint string when provider resolution fails. Checks for common config.yaml mistakes (malformed custom_providers, etc.) and returns a human-readable diagnostic, or empty string if nothing found. r)validate_config_structurer,uCConfig issue detected — run 'hermes doctor' for full diagnostics:r4ERRORWARNINGz [z] u → r) rrseverityrr*hint splitlinesjoinr)rrissueslinesciprefix first_hints r?%_get_config_hint_for_unknown_providerras ??????**,, 2VW 6 6B " w 6 6WWIF LL5v5555 6 6 646GC++--a00J 6 4 44555yy rrsB$B B$$ B21B2)explicit_api_keyexplicit_base_url requestedrrc |pd}iddddddddddd dd dd d d d dd ddddddddddddddidddddddddd d!d d"d#d$d#d%d#d&d'd(d'd)d'd*d+d,d+d-d.d/d.d0d.id1d.d2d3d4d3d5d6d7d6d8d6d9d:d;d:dd=d=d=d?d?d@d?dAd?dBdCdDdCdEdCidFdGdHdGdIdJdKdJdLdJdMdJdNdOdPdOdQdOdRdOdSdTdUdTdVdWdXdWdYdWdZdZd[dZdZd\d]d\d\d\d\d^}|||}|d_krd_S|d\krd\S|tvr|S|dkr6t |}d`|da}|r |db|z }n|dcz }t |dde|s|rd_S t }|df}|r/|tvr&t|} | dgr|Sn2#t$r%} t dh| Ydi} ~ ndi} ~ wwxYwttj djs!ttj dkrd_StD]H\} } | jdlkr| dmvr| jD]*} ttj | dnr| ccS+I dodplm}|rdOSn#t&$rYnwxYwt dqdre)sa~ Determine which inference provider to use. Priority (when requested="auto" or None): 1. active_provider in auth.json with valid credentials 2. Explicit CLI api_key/base_url -> "openrouter" 3. OPENAI_API_KEY or OPENROUTER_API_KEY env vars -> "openrouter" 4. Provider-specific API keys (GLM, Kimi, MiniMax) -> that provider 5. Fallback: "openrouter" autoglmrVzz-aizz.aizhipugooglerRz google-geminizgoogle-ai-studiozx-airzx.aigrokkimir[zkimi-for-codingmoonshotzkimi-cnr_z moonshot-cnsteprazstepfun-coding-planzarcee-airdarceeaiz gmi-cloudrggmicloudz minimax-chinar minimax_cnzminimax-portalrnzminimax-global minimax_oauthalibaba_codingr}zalibaba-codingalibaba_coding_planclaudertz claude-codegithubrJzgithub-copilotz github-modelsz github-modelzgithub-copilot-acprOzcopilot-acp-agent aigatewayrvercelzvercel-ai-gatewayopencoderzenz qwen-portalrDqwen-clirEz gemini-cliz gemini-oauthhfrz hugging-facezhuggingface-hubmimorz xiaomi-mimotencentrtokenhubz tencent-cloud tencentmaasawsrz aws-bedrockzamazon-bedrockamazongorzopencode-go-subkilorz kilo-codez kilo-gatewayrFz lm-studiocustomr) lm_studioollama ollama_cloudvllmllamacppz llama.cppz llama-cpp openrouterzUnknown provider 'z'.z z` Check 'hermes model' for available providers, or run 'hermes doctor' to diagnose config issues.invalid_provider)r(r logged_inz)Could not detect active auth provider: %sNOPENAI_API_KEYOPENROUTER_API_KEYrG)rJrFr,rhas_aws_credentialszNo inference provider configured. Run 'hermes model' to choose a provider and model, or set an API key (OPENROUTER_API_KEY, OPENAI_API_KEY, etc.) in ~/.hermes/.env.no_provider_configured)rrrrrr%rget_auth_statusrrr rrritemsr+r6agent.bedrock_adapterr) ImportError)rrrr_PROVIDER_ALIASES _config_hintmsgrrstatusepidrrr)s r?resolve_providerr5zsf %v,,..4466J  u e %+U 4;U ( +X 7I8   u '-e    1- BL]  #  &34D    1)   G '  U '   (4\  / ,<_ O^_n  / 2BCX  4  +  -k  ) .y     %3I  m!  .A-! " \# "$,\# "% & |' &&0' &@L\' &\oqD' &FRTg' &iwyL' ( m) (,]) (=N})   * + *(+ , %- ,(23E- . +/ ..;>J\!!|Xx&&&V expires_inch t|}n#t$rd}YnwxYwtd|S)Nr)rrrt)rHttls r?_coerce_ttl_secondsrKsF*oo  q#;;s  !!ct|tsdS|d}|r|ndS)N/)rr(rrstrip)rrs r?_optional_base_urlrOsC eS ! !tkkmm""3''G '774'r>ct|tr|ddkriS|dd}|ddt |dzz dzzz } t j|d}tj | d}n#t$ricYSwxYwt|tr|niS)Nrrr=rr;) rr(countsplitrbase64urlsafe_b64decoderrrdecoderr=)rrOrDclaimss r?_decode_jwt_claimsrXs eS ! !U[[%5%5%:%: kk#q!G sq3w<'>??CJJw//00  -- 56625s+AB:: C C rc t|}|d}t|ttfsdSt |t jt dt|zkS)NexpFr)rXrrrrrsrt)rrDrWrZs r?_codex_access_token_is_expiringr[+si  - -F **U  C cC< ( (u ::$)++Asc4tjdz dz S)Nz.qwenzoauth_creds.json)r rVr4r>r?_qwen_cli_auth_pathr]3s 9;; #5 55r>cnt}|stddd tj|d}n+#t $r}td|d|dd |d}~wwxYwt|tstd |d dd |S) NzAQwen CLI credentials not found. Run 'qwen auth qwen-oauth' first.rDqwen_auth_missingr'r(r;rfz)Failed to read Qwen CLI credentials from : qwen_auth_read_failedz Invalid Qwen CLI credentials in rqwen_auth_invalid) r]rnr%rrrrrr=) auth_pathdatars r?_read_qwen_cli_tokensrf7s#%%I       O!$    z)--w-??@@  J J JS J J!(      dD ! !  ;y ; ; ;!$    Ks(A B)BBtokenscdt}|jdd|d}|t j|dddzdtj|tj tj z| ||S) NTrcz.tmpr)rrKrr;rf) r]rjrkr^rqrrNrrrorrr>)rgrdrs r?_save_qwen_cli_tokensriPs#%%I 4$777$$V,,H  6!tDDDtKV]^^^HXt|dl2333 Y r>expiry_date_msc t|}n#t$rYdSwxYwtjtdt|zdz|kS)NTr)rrrsrt)rjrD expiry_mss r?_qwen_access_token_is_expiringrnZse'' tt IKK#a\!2!233 3t ;y HHs   4@c t|ddpd}|stddd t jt ddd d|td | }n(#t$r}td |dd |d}~wwxYw|j dkr5|j }td|rd|ndzdd  | }n(#t$r}td|dd|d}~wwxYwt|tr7t|ddpdstddd|d} t|}n#t$rd}YnwxYwt|ddpdt|d|p|t|d|ddpdpdt|d|ddpdttjdzt!d|dzzd} t#| | S)N refresh_tokenr,z@Qwen OAuth refresh token missing. Re-run 'qwen auth qwen-oauth'.rDqwen_refresh_token_missingr`!application/x-www-form-urlencodedrrAccept grant_typerqr/rrerzQwen OAuth refresh failed: qwen_refresh_failedz9Qwen OAuth refresh failed. Re-run 'qwen auth qwen-oauth'. Response: z*Qwen OAuth refresh returned invalid JSON: qwen_refresh_invalid_jsonrz1Qwen OAuth refresh response missing access_token.qwen_refresh_invalid_responserHi`T token_typeBearer resource_urlzportal.qwen.airlr)rrqr~r expiry_date)r(rrr%r r QWEN_OAUTH_TOKEN_URLQWEN_OAUTH_CLIENT_IDrr r@rrr=rrsrtri) rgr`rqresponserbodyrOrHexpires_in_seconds refresheds r?_refresh_qwen_cli_tokensrbs ?B77=2>>DDFFM   N!-    : C, .!.1 $      /# / /!&     s""}""$$ G'+3#T### 5!&     --//  > > >!,      gt $ $ C NB0O0O0USU,V,V,\,\,^,^  ?!0    \**J) __ )))()GKK;;ArBBHHJJW[[-HHYMZZ``bb'++lFJJ|X4V4VWWc[cddjjllxpxGKK >Sc8d8deeyiyzzAACC49;;-..Q8J1K1Kd1RR I)$$$ sB )A77 BBB C55 D?DDF!! F0/F0F) force_refreshrefresh_if_expiringrefresh_skew_secondsrrrc t}t|ddpd}t |}|s%|r#t |d|}|rFt |}t|ddpd}|stdddtj dd d pt}d||d |dttd S) Nrr,rz?Qwen OAuth access token missing. Re-run 'qwen auth qwen-oauth'.rDqwen_access_token_missingr`HERMES_QWEN_BASE_URLrMr)r'rrGr expires_at_msr) rfr(rrrrnrr%rrrNDEFAULT_QWEN_BASE_URLr])rrrrgrshould_refreshrs r? resolve_qwen_runtime_credentialsrsP # $ $Fvzz."55;<<BBDDL-((N i1i7 =8Q8QSghhI)&116::nb99?R@@FFHH   M!,    y/44::<<CCCHHaLaH M22,..//   r>cJt} td}dt||d|d|ddS#t$r*}dt|t|dcYd}~Sd}~wwxYw) NF)rTrrGr)r%rrrGrr%rr4)r]rr(rr%)rdcredsrs r?get_qwen_auth_statusrs#%%I 0UKKKYii))yy++"YY77        YXX         sAA.. B"8BB"B"rc  ddlm}m}m}m}n(#t $r}t d|dd|d}~wwxYw ||}n2#|$r*}t t|d|j|d}~wwxYw|}t}d||d |r|j ndt||r|j nd pd |r|j nd pd d S) z2Resolve runtime OAuth creds for google-gemini-cli.r)GoogleOAuthError_credentials_pathget_valid_access_tokenload_credentialsz&agent.google_oauth is not importable: rEgoogle_oauth_module_missingr`Nr google-oauthr,)r'rrGrrremail project_id) agent.google_oauthrrrrr.r%r(r(!DEFAULT_GEMINI_CLOUDCODE_BASE_URL expires_msrr) rrrrrrrrrs r?(resolve_gemini_oauth_runtime_credentialsrsy               :S : :(.     --MJJJ  HH(         E0H' .3=%****,,--!&.%++B52+08u''b?R   s'  4/4 AA4 %A//A4c ddlm}m}n#t$rdddcYSwxYw|}|}||jsdt |ddSd t |d |j|j|j|jd S) z>Return a status dict for `hermes auth list` / `hermes status`.r)rrFzagent.google_oauth unavailable)r%r4Nz not logged inrTr)r%rrrGrrr) rrrr.rr(rrr)rrrdrs r?get_gemini_oauth_auth_statusrsOJJJJJJJJJ OOO"-MNNNNNO!!##I    E }E.}Y$   ^^ %)&  s   raw_scope List[str]c|pt}d|D}t}g}|D]0}||vr*||||1|S)Ncg|]}||Sr4r4).0parts r? z'_spotify_scope_list..-s : : :tT :d : : :r>)DEFAULT_SPOTIFY_SCOPErrSsetaddr)r scope_textscopesseenorderedr0s r?_spotify_scope_listr+s44;;==J : :z//11 : : :FUUDG""    HHUOOO NN5 ! ! ! Nr>cFdt|S)Nr!)rr)rs r?_spotify_scope_stringr7s 88' 22 3 33r>explicitcddlm}||d|dt|tr|dndf}|D]+}t |pd}|r|cS,tddd ) NrrHERMES_SPOTIFY_CLIENT_IDSPOTIFY_CLIENT_IDr/r,zPSpotify client_id is required. Set HERMES_SPOTIFY_CLIENT_ID or pass --client-id.r"spotify_client_id_missingr`)rrrr=rr(rr%rr r candidates candidaters r?_spotify_client_idr;s0/////  011 )**",UD"9"9C +t J   io2&&,,..  NNN  Z (   r>cddlm}||d|dt|tr|dndt f}|D]+}t |pd}|r|cS,t S)NrrHERMES_SPOTIFY_REDIRECT_URISPOTIFY_REDIRECT_URI redirect_urir,)rrrr=rDEFAULT_SPOTIFY_REDIRECT_URIr(rrs r?_spotify_redirect_urirRs0/////  344 ,--%/t%<%<F .!!!$$ J  io2&&,,..  NNN  ''r>cddlm}|dt|tr|dndt f}|D]>}t |pdd}|r|cS?t S)NrrHERMES_SPOTIFY_API_BASE_URL api_base_urlr,rM) rrrr=rDEFAULT_SPOTIFY_API_BASE_URLr(rrNr rrrrs r?_spotify_api_base_urlrfs//////  344%/t%<%<F .!!!$$J   io2&&,,..55c::  NNN  ''r>cddlm}|dt|tr|dndt f}|D]>}t |pdd}|r|cS?t S)Nrr HERMES_SPOTIFY_ACCOUNTS_BASE_URLaccounts_base_urlr,rM) rrrr=r!DEFAULT_SPOTIFY_ACCOUNTS_BASE_URLr(rrNrs r?_spotify_accounts_base_urlrus//////  899*4UD*A*AK %&&&t)J   io2&&,,..55c::  NNN  ,,r>@lengthctjtj|d}|dddS)NasciirQ)rTurlsafe_b64encoderurandomrVrN)rrDs r?_spotify_code_verifierrsC  "2:f#5#5 6 6 = =g F FC ::c??4C4  r> code_verifierctj|d}t j|ddS)Nr;rrQ)rrrdigestrTrrVrN)rrs r?_spotify_code_challengersX ^M0099 : : A A C CF  #F + + 2 27 ; ; B B3 G GGr>r/rr0code_challengerc >t|d|||d|d}|d|S)Nr(S256)r/ response_typerr0r code_challenge_methodrz /authorize?)r)r/rr0r rrquerys r?_spotify_build_authorize_urlrsH $!'(  E 3 3E 3 33r>tuple[str, int, str]ct|}|jdkrtddd|jpd}|dvrtddd|jstd dd||j|jpd fS) NhttpzHSpotify PKCE redirect_uri must use http://localhost or http://127.0.0.1.r"spotify_redirect_invalidr`r,> 127.0.0.1 localhostz?Spotify PKCE redirect_uri must point to localhost or 127.0.0.1.zBSpotify PKCE redirect_uri must include an explicit localhost port.rM)rschemer%hostnameportrY)rrAhosts r?_spotify_validate_redirect_urirs l # #F } V+    ? bD --- M+    ;  P+    fk0S 00r> expected_path3tuple[type[BaseHTTPRequestHandler], dict[str, Any]]cHdddddGfddt}|fS)N)r(r r4error_descriptionc&eZdZd fd Zd dZd S) ?_make_spotify_callback_handler.._SpotifyCallbackHandlerrr,ct|j}|jkrE|d||jddSt |j}|ddgdd<|ddgdd<|ddgdd<|ddgdd<|d| d d |drd }nd }|j| d dS)Ns Not found.r(rr r4rrrztext/html; charset=utf-8zW

Spotify authorization failed.

You can close this tab.zY

Spotify authorization received.

You can close this tab.r;) rrY send_response end_headerswfilerrrr send_headerr)r1rAparamsrrresults r?do_GETzF_make_spotify_callback_handler.._SpotifyCallbackHandler.do_GETsidi((F{m++""3'''  """   ///fl++F#ZZ77:F6N$jj4&99!formatr(argsr cdSr.r4)r1rrs r? log_messagezK_make_spotify_callback_handler.._SpotifyCallbackHandler.log_messages Fr>Nrr,)rr(rr rr,)r8r9r:rr)rrsr?_SpotifyCallbackHandlerrsL 3 3 3 3 3 3 3.      r>r)r )rrrs` @r?_make_spotify_callback_handlerrsc! F"86 #F **r>f@r`dict[str, Any]c t|\}}}t|\}}Gddt} |||f|}n.#t$r!} t d|d|d| dd| d} ~ wwxYwt j|jd d id } | tj td |z} tj | kr{|ds|dr@|| | | dStjd tj | k{| | | dnC#| | | dwxYwt ddd)NceZdZdZdS)4_spotify_wait_for_callback.._ReuseHTTPServerTN)r8r9r:allow_reuse_addressr4r>r?_ReuseHTTPServerr s"r>r z*Could not bind Spotify callback server on :rar"spotify_callback_bind_failedr` poll_intervalg?T)rkwargsdaemon@r(r4rhrz?Spotify authorization timed out waiting for the local callback.spotify_callback_timeout)rrr r}r% threadingThread serve_foreverstartrsrtshutdown server_closerr) rr`rrrY handler_clsrr serverrthreadrs r?_spotify_wait_for_callbackrs> 6lCCD$8>>K#####:###!!4, <<  M M M M M M M/      V%9?TWBXae f f fF LLNNNy{{So666H!ikkH$$f~    C     JsOOOikkH$$  C       C     I '   s*A A4A//A4(F5+FAG)previous_state token_payloadrequested_scoperr cttjtj}t |dd}tj||ztj} t|pi} | |||||t|dp| t|ddpd pdt|ddpd t|d p| d pd | | |d d | S) NrHrtzr0r~rrr,rq oauth_pkce) r/rrrr0 granted_scoper~rrq obtained_at expires_atrHr+) rrrrrKr fromtimestampr?r=rMr(rr) r!r/rr"rrr rrHr)r s r?_spotify_token_payload_to_stater+s ,x| $ $C$]%6%6|Q%G%GHHJ' *(DVVVJ %2 & &E LL$.$ ]..w77J?KKQQSS-++L(CCOxPPVVXXd\dM--nbAAGRHHNNPP   o . . yy))    %''}} **,, !#& Lr>r(c  tj|dddi|d|||d|}n(#t$r}td|dd |d}~wwxYw|jd kr5|j}td |rd |ndzdd |} t| tr7t| ddpdstddd | S)N /api/tokenrrsauthorization_code)r/rwr(rrrxzSpotify token exchange failed: r"spotify_token_exchange_failedr`rzzSpotify token exchange failed.r{r,rz7Spotify token response did not include an access_token.spotify_token_exchange_invalid) r r rr%r r@rrrr=r(r) r/r(rrrr`rrdetailrOs r?!_spotify_exchange_code_for_tokensr2,su: , , ,#%HI&2 ,!. $      3c 3 30     s""$$&& ,)/7%V%%%R 90     mmooG gt $ $ C NB0O0O0USU,V,V,\,\,^,^  E1    Ns#& A AA c t|ddpd}|stddddt |}t |} t j|d d d id||d | }n(#t$r}td|dd|d}~wwxYw|j dkr6|j }td|rd|ndzddd| }t|tr7t|ddpdstddddt||t|t|dpt |t#||S)Nrqr,z?Spotify refresh token missing. Run `hermes auth spotify` again.r"spotify_refresh_token_missingTr&r r-rrsrvrxzSpotify token refresh failed: spotify_refresh_failedr`rzz>Spotify token refresh failed. Run `hermes auth spotify` again.r{rz9Spotify refresh response did not include an access_token.spotify_refresh_invalidr0)r/rr"rrr )r(rrr%rrr r rr r@rrr=r+rrr) r r`rqr/rrrr1rOs r?_refresh_spotify_oauth_stater8[sB  /266<"==CCEEM   M0!     #///I2599: , , ,#%HI-!.& $      2S 2 2)     s""$$&& L)/7%V%%%R 9)!     mmooG gt $ $ C NB0O0O0USU,V,V,\,\,^,^  G*!      +*777EIIg..G2GHH+*511   s-!B B4B//B4ct5t}t|d}|stddddt |}|s%|r#t |d|}|r1t|}t|d|dt|dddn #1swxYwYt|d d pd  }|std dd dd||t|d dpdt|t|dp|dpd  t|t||dt|dd pd  d S)Nr"z>Spotify is not authenticated. Run `hermes auth spotify` first.spotify_auth_missingTr&r)Frrr,z>Spotify access token missing. Run `hermes auth spotify` again.spotify_access_token_missingr~rr'r0r5rq) r'rrGr~rr0r/rr)rq)rrrr%rrGrr8rrr(rrrr)rrrrr rrs r?#resolve_spotify_runtime_credentialsr<sK   ))%'' $Z;; P"+!%  m,, Y"5 Y)%))L*A*ACWXXN  )077E !*i5 Q Q Q Q Z ( ( (#)))))))))))))))&uyy44:;;AACCL   L/!     $%))L(;;GxHH)%00UYY//K599W3E3EKLLRRTT'e444-E:::ii --UYY;;ArBBHHJJ   sBB88B<?B<c td}|sddiS|d}t|ddpd}t |pt |d |dd |d |d |d p|d ||dt |dS)Nr"r%Fr)rqr,rr+r&r/rr'r0r)r%r+r/rr0r)rhas_refresh_token)rrr(rrrG)r r)rqs r?get_spotify_auth_statusr?s #I . .E $U##<((J /266<"==CCEEM-J|J/J/J+JKKYY{L99YY{++ .11?++Auyy/A/A  .11!-00   r>redirect_uri_hintcddlm}ttdtdtdttdtdtdttdtttd td td td td tdtd|tdtdtdtdtt s+ t jtn#t$rYnwxYw td }n2#ttf$rttdwxYw|s5ttdtdtd|d||r|tkr |d|ttdt|S)zWalk the user through creating a Spotify developer app, persist the resulting client_id to ~/.hermes/.env, and return it. Raises SystemExit if the user aborts or submits an empty value. r)save_env_valuezF======================================================================zSpotify first-time setupz=Spotify requires every user to register their own lightweightz>developer app. This takes about two minutes and only has to bezdone once per machine.z Full guide: zSteps:z 1. Opening z in your browser...z$ 2. Click 'Create app' and fill in:z1 App name: anything (e.g. hermes-agent)z Description: anythingz Redirect URI: z API/SDK: Web APIz$ 3. Agree to the terms, click Save.z9 4. Open the app's Settings page and copy the Client ID.z 5. Paste it below.zSpotify Client ID: zSpotify setup cancelled.zNo Client ID entered. See z for the full guide.z)Spotify setup cancelled: empty Client ID.rrz0Saved HERMES_SPOTIFY_CLIENT_ID to ~/.hermes/.env)rrBprintSPOTIFY_DOCS_URLSPOTIFY_DASHBOARD_URL_is_remote_session webbrowserrrrinputrEOFErrorKeyboardInterrupt SystemExitr)r@rBrDs r?_spotify_interactive_setuprLs 100000 GGG (OOO $%%% (OOO GGG IJJJ JKKK "### GGG +) + +,,, GGG (OOO D/ D D DEEE 0111 =>>> )*** 5"3 5 5666 ())) 0111 EFFF !!! GGG     O1 2 2 2 2    D 5)**0022 ' (555 34445 F  Q+;QQQRRRDEEEN-s333I.2NNN46GHHH GGG <=== GGG Js/F FF!F<JJ    3 # #'B B B .%dNDAAaEa    )~t)L)Ln]]L !'$">">"].BTBTU\B]B] ^ ^E2>BB(88Lt\5999L*,,M,];;N*,,"K0!%+ M *+++ # # #$$$ )< ) )*** UVVV GGG ./// - GGG 1/ 1 1222 GGGR.00R _]33FF   FFF   R = > > > > P Q Q Q)gdIt<<EFFH||GD122Ghw6GB&BBCCC||G ++HIII5 f%%+ , ,!#+gdIt<<DEE M4!+! M   00%'' j)]uUUUU#J//000000000000000  %&&& %8 % %&&& :;;; '% ' '(((((s85 Br?rFrF{s)  ,''?29Y+?+? @ @@r>_lockr^c|r5t5t}dddn #1swxYwYnt}t|d}|stdddd|d}t |t stddd d|d }|d }t |tr|std dd dt |tr|stdddd||ddS)zRead Codex OAuth tokens from Hermes auth store (~/.hermes/auth.json). Returns dict with 'tokens' (access_token, refresh_token) and 'last_refresh'. Raises AuthError if no Codex tokens are stored. NrBz?No Codex credentials stored. Run `hermes auth` to authenticate.codex_auth_missingTr&rgzICodex auth state is missing tokens. Run `hermes auth` to re-authenticate.codex_auth_invalid_shaperrqzICodex auth is missing access_token. Run `hermes auth` to re-authenticate.codex_auth_missing_access_tokenJCodex auth is missing refresh_token. Run `hermes auth` to re-authenticate. codex_auth_missing_refresh_token last_refresh)rgre) rrrr%rrr=r(r)r^rr rgrrqs r?_read_codex_tokensrfs  (    , ,)++J , , , , , , , , , , , , , , ,&'' ^ < rrrrr)rgrerr s r?_save_codex_tokensrjs|HL11;;==EEhPSTT   %%%'' $Z@@FB h ,n&kZ???$$$%%%%%%%%%%%%%%%%%%sAB22B69B6rqc T~t|tr|stddddt jt dt|}t j|ddi 5}| td d id |td }dddn #1swxYwY|j dkr d}d|j d}d} | } t| tr| d} t| tr| dp| d} t| tr(| r| }| d} t| tr+| rd| }nt| tr| r~| }| dp| d} t| tr+| rd| }n#t $rYnwxYw|dvrd}|dkrd}d}|j dvr|sd}t|d|| | }n&#t $r}tddd d|d}~wwxYw|d!}t|tr|std"dd#d||t#jt&jd$d%d&}|d }t|tr+|r||d <|S)'z>Refresh Codex OAuth tokens without mutating Hermes auth state.rcrBrdTr&rrurrrrrsrqrv)rreNrcodex_refresh_failedz'Codex token refresh failed with status rFr4r(typer*zCodex token refresh failed: r> invalid_grant invalid_tokeninvalid_requestrefresh_token_reusedzCodex refresh token was already consumed by another client (e.g. Codex CLI or VS Code extension). Run `codex` in your terminal to generate fresh tokens, then run `hermes auth` to re-authenticate.)iz*Codex token refresh returned invalid JSON.codex_refresh_invalid_jsonrz6Codex token refresh response was missing access_token."codex_refresh_missing_access_tokenr:r8)rrqre)rr(rr%r TimeoutrtrClientr CODEX_OAUTH_TOKEN_URLCODEX_OAUTH_CLIENT_IDr rr=rrrrrrrr>)rrqr`rclientrr(r*r)errerr_obj nested_code nested_msgerr_descrefresh_payloadrrefreshed_accessupdated next_refreshs r?refresh_codex_oauth_purers  mS ) ) 1D1D1F1F  X#3!     mCU?%;%;<<==G g:L/M N N N  RX;; !#%HI-!.2                  s""%SH:: & , , 4D4J4J4L4L  D#5!     )..00&,,.. X\22<<>>FFxQTUUG #&&77L,$$8););)=)=8#/#5#5#7#7 Ns=)B::B>B>!F8J J'&J'K00 L:LLc tt|ddpdt|ddpd|}t|}|d|d<|d|d<t ||S)zzRefresh Codex access token using the refresh token. Saves the new tokens to Hermes auth store automatically. rr,rqr)rr(rr=rj)rgr`rupdated_tokenss r?_refresh_codex_auth_tokensr/ s) FJJ~r * * 0b11 FJJ + + 1r22'I &\\N%.~%>N>"&/&@N?#~&&& r>ctjdd}|s#tt jdz }t |dz }|sdS tj | }| d}t|tsdS| d}| d}|r|sdSt|d rtd |dSt|S#t"$rYdSwxYw) zTry to read tokens from ~/.codex/auth.json (Codex CLI shared file). Returns tokens dict if valid and not expired, None otherwise. Does NOT write to the shared file. CODEX_HOMEr,z.codexrRNrgrrqru7Codex CLI tokens at %s are expired — skipping import.)rrrr(r rV expanduseris_filerrrrrr=r[rr r) codex_homerdrOrgrrqs r?_import_codex_cli_tokensrD sZ <,,2244J 1x/00 Z  ++-- ;I     t*Y002233X&&&$'' 4zz.11  ?33  = 4 +< ; ;  LLI9   4F|| tts%AE.E +E7E EEc&t}t|d}t|ddpd}t t jdd}t|}|s|rt||}|rttt t|dz5td }t|d}t|ddpd}t|}|s|rt||}|rGt||}t|ddpd}d d d n #1swxYwYt jd dd pt}d ||d|dddS)z@Resolve runtime credentials from Hermes's own Codex token store.rgrr,$HERMES_CODEX_REFRESH_TIMEOUT_SECONDS20rrFr]NHERMES_CODEX_BASE_URLrMrBzhermes-auth-storererh)r'rrGrreri)rfr=r(rrrrrrr[rrtAUTH_LOCK_TIMEOUT_SECONDSrrNDEFAULT_CODEX_BASE_URL) rrrrergrrefresh_timeout_secondsrrs r?!resolve_codex_runtime_credentialsrf sZ   D $x. ! !Fvzz."55;<<BBDDL#BI.TVZ$[$[\\-((N ] 3]8G[\\ Q c%8Q2R2RTknqTq.r.r s s s Q Q%E222D$x.))Fvzz."==CDDJJLLL!-00N" e(; e!@Oc!d!d Q3Frz httpx.Clientr-c||dd|i|rd|ini}||gd}fd|D}|r%tdd|S) zFPOST to the device code endpoint. Returns device_code, user_code, etc.z/api/oauth/device/coder/r0re) device_code user_codeverification_uriverification_uri_completerHintervalcg|]}|v| Sr4r4)rfres r?rz(_request_device_code.. s;;;QQd]]q]]]r>z%Device code response missing fields: z, )r raise_for_statusrrr)rzr-r/r0rrequired_fieldsmissingres @r?_request_device_coder s{{ 222  #(0b H  ==??DO<;;;/;;;GWU7ASASUUVVV Kr>rrc&tjtd|z}tdt|t}tj|kr$||dd||d}|jdkr)|} d| vrtd| S |} n1#t$r$| td wxYw| d d } | d krtj || d kr)t|dzd}tj || dpd} t| d| td)zDPoll the token endpoint until the user approves or the code expires.r/api/oauth/tokenz,urn:ietf:params:oauth:grant-type:device_code)rwr/rrrrz+Token response did not include access_tokenz1Token endpoint returned a non-JSON error responser4r,authorization_pending slow_downrzUnknown authentication errorraz*Timed out waiting for device authorization)rsrtmin%DEVICE_AUTH_POLL_INTERVAL_CAP_SECONDSr r rrrrrXrrr) rzr-r/rrHrrcurrent_intervalrrO error_payload error_code descriptions r?_poll_for_tokenr sy{{SJ///H1c-1VWWXX )++ ;; 0 0 0L&*    3 & &mmooGW,, !NOOON T$MMOOMM T T T  % % ' ' 'RSS S T#&&w33 0 0 0 J' ( ( (   $ $"#3a#7<<  J' ( ( ( #''(;<<^@^ j99K99::: C D DDs 3C.C6c||dd||d}|jdkr-|}d|vrtddd d |S |}n%#t$r}td dd |d}~wwxYwt |dd}t |dpd } |dv} | } d| vsd| vrd} t| d|| )Nrrqrwr/rqrrrz%Refresh response missing access_tokenr@rpTr&zRefresh token exchange failedr'r)r4rorrorpreusezreuse detecteduNous Portal detected refresh-token reuse and revoked this session. This usually means an external process (monitoring script, custom self-heal hook, or another Hermes install sharing ~/.hermes/auth.json) called POST /api/oauth/token with Hermes's refresh token without persisting the rotated token back. Nous refresh tokens are single-use — only Hermes may call the refresh endpoint. For health checks, use `hermes auth status` instead. Re-authenticate with: hermes auth add nous)r r rr%rr(rr) rzr-r/rqrrOrrr(rreloginlowereds r?_refresh_access_tokenr s{{ ,,,)"*  Hs""--//  ( (C%+/TXZZZ ZI  III7!'$@@@EH II }  /:: ; ;Dm''(;<<_@_``K88G!!G'-88 9  K&tg V V VVsA-- B7B  Bmin_ttl_secondsc ||ddd|idtdt|i}|jdkr,|}d|vrt d d d |S |}n%#t $r}t d d d |d}~wwxYwt|dd }t|dpd } |dv} t | d || )z0Mint (or reuse) a short-lived inference API key.z/api/oauth/agent-keyrrrr)rrrrGzMint response missing api_keyr@ server_errorr`zAgent key mint request failedNr4rrr&) r rtrr rr%rr(r) rzr-rrrrOrrr(rrs r?_mint_agent_keyrY sa{{ 000 ":L":":;R_)=)=!>!> ?H s""--// G # #;%+.BBB BG  GGG7!'n>>>CF GG }  .99 : :Dm''(;<<_@_``K88G K&tg V V VVs6B B-B((B-)r`verifyr.r bool | strcxtj|}tj|ddi|5}||dddd|i}d d d n #1swxYwY|jd krd |j} |}t|d p|d p|}n2#t$r%} t d| Yd } ~ nd } ~ wwxYwt|dd|} | d} t| tsgSg} | D]} t| ts| d}t|trT|r@|}d|vr| |dd}| |tt| S)z6Fetch available model IDs from the Nous inference API.rurrrrrMz/modelsrr)rNrz#/models request failed with status rr4z'Could not parse error response JSON: %sr@models_fetch_failedr`rer)hermesmidr(rr5cj|}d|vrd|fSd|vrd|vrd|fSd|vrd|fSd|fS)Nopusrprosonnetrr)r)rlows r?_model_priorityz*fetch_nous_models.._model_priority sXiikk S==s8O C<r)rr(rr5)r rvrwrrNr rr(rrr r%rrr=rrrsortfromkeys)r.rGr`rrrzrrr{r3rOre model_idsitemmodel_idrrs r?fetch_nous_modelsrz smO,,G g:L/MV\ ] ] ] ag::!((-- 6 6 6$&9&9&9:                 s""RHN>N]R]^^KK G G G LLBA F F F F F F F F G f;PQQQQmmooG ;;v  D dD ! ! I " "$%%  88D>> h $ $ ")9)9 "..""C399;;&&   S ! ! !NNN'''  i(( ) ))s*3A--A14A1A C D &DD c|d}t|tr|sdSt |d| S)N agent_keyFagent_key_expires_at)rrr(rrG)r rrs r?_agent_key_is_usabler sY ))K C c3  syy{{uEII&<==OO OOr>)r`rrrct5t}t|d}|stdddt |dp.t jdpt jdpt d}t|d pt}t||| }|d } |d } t| tr| std ddt|d|s| cdddSt| tr| stdddtj|r|nd} tj| ddi|5} t%| ||| } dddn #1swxYwYt'jt*j}t/| d}| d |d <| d p| |d <| dp|dpd|d<| dp|d|d<||d<||d<t'j||zt*j|d<||d<||d <|dut|tr|ndd|d<t7|d|t9||d cdddS#1swxYwYdS)zKResolve a refresh-aware Nous Portal access token for managed tool gateways.r@&Hermes is not logged into Nous Portal.Trr-HERMES_PORTAL_BASE_URLNOUS_PORTAL_BASE_URLrMr/rrrq,No access token found for Nous Portal login.r)N2Session expired and no refresh token is available.rrurrrzr-r/rqrHr~rr0r(r$Frrr)rrrr%rOrrrDEFAULT_NOUS_PORTAL_URLrNr(DEFAULT_NOUS_CLIENT_IDrrrGr rvrwrrrrrrKrr*r?rr)r`rrrrr r-r/rrrqrrzrr access_ttls r?resolve_nous_access_tokenr sm   H%H%%'' $Z88 8!%  uyy):;; < < 'y122 'y/00 '' &++   +..H2HII  (iTYZZZyy00  /22 ,,, L >!%  EIIl335IJJ =H%H%H%H%H%H%H%H%@--- ] D!%  -? LMM \12   - /#+ I               l8<(((|)D)DEE ). 9n!*!?!?!P=o'mmL99`UYY|=T=T`X`l"w//E599W3E3Eg"}}m(l&4 MMOOj (|    )++ l$3 &k%#-fc#:#:D  e  Z777$$$^$QH%H%H%H%H%H%H%H%H%H%H%H%H%H%H%H%H%H%s>E M0%AM0?G M0G# #M0&G# 'E2 3 L ,x|,,C!-!1!1)!$>E. !,8,<,<\,J,JE( ),8,<,<\,J,JE( )(,\-=-=h-N-N(O(OE$ %-0]]__E) *+L,<,<=Q,R,RSSJ 9.8*+O'9'9'9'9'9'9'9'9'9'9'9'9'9'9'9R Ls'KN  NNrr`rrc|dpi}t|dd|dd|dd|dt|dt|d d |d t|d |d |d|d|||d|d||S)zRRefresh Nous OAuth from a state dict. Thin wrapper around refresh_nous_oauth_pure.rrr,rqr/rr-r.r~rr0r(r)rrrrr)rrrr r )r rr`rrrs r?refresh_nous_oauth_from_staterb s ))E   bC " ."%% /2&& +|,, #%<== &(BCC99\844ii!344IIm,,99\**))K(("YY'=>>/'$$''+&&##   r>)rrrcddlm}t|}|rEt|r$t||d<t 5t }t|d|t|dddn #1swxYwY|d}td| DdS)u4Persist minted Nous OAuth credentials as the singleton provider state and ensure the credential pool is in sync. Nous credentials are read at runtime from two independent locations: - ``providers.nous``: singleton state read by ``resolve_nous_runtime_credentials()`` during 401 recovery and by ``_seed_from_singletons()`` during pool load. - ``credential_pool.nous``: used by the runtime ``pool.select()`` path. Historically ``hermes auth add nous`` wrote a ``manual:device_code`` pool entry only, skipping ``providers.nous``. When the 24h agent_key TTL expired, the recovery path read the empty singleton state and raised ``AuthError`` silently (``logger.debug`` at INFO level). This helper writes ``providers.nous`` then calls ``load_pool("nous")`` so ``_seed_from_singletons`` materialises the canonical ``device_code`` pool entry from the singleton. Re-running login upserts the same entry in place; the pool never accumulates duplicate device_code rows. ``label`` is an optional user-chosen display name (from ``hermes auth add nous --label ``). It gets embedded in the singleton state so that ``_seed_from_singletons`` uses it as the pool entry's label on every subsequent ``load_pool("nous")`` instead of the auto-derived token fingerprint. When ``None``, the auto-derived label via ``label_from_token`` is used (unchanged default behaviour). Returns the upserted :class:`PooledCredential` entry (or ``None`` if seeding somehow produced no match — shouldn't happen). rrrr@Nc3:K|]}|jtk|VdSr.)rNOUS_DEVICE_CODE_SOURCE)rr3s r? z+persist_nous_credentials.. s/JJqah2I&I&I&I&I&I&IJJr>) rrr=r(rrrrrnextr)rrrr rrs r?persist_nous_credentialsr s)F0///// KKE ,U!!##,U))++g   %%%'' Z777$$$%%%%%%%%%%%%%%% 9V  D JJDLLNNJJJ   s+/B&&B*-B*)rr`rrrc tdt|}tjjddt 5t tdstdddt dp.tj d ptj d ptd }t d ptj d ptd }t! dpt"}dMfd }t%||} t'j|r|nd} t+dt-||t/ dt'j| ddi| 5}  d}  d} t3| t r| stdddt5 dt6rt3| t r| stdddt+d d!t/| "t9| ||| #}t;jt>j }tC| d$}| }|dd<| dp| d<| d%p d%pd&d%<| d'p d'd'<t| d }|r|}|"d(<|d$<t;j#|$|zt>j )"d<d} d} t+d*d!t/|t/| +|d,d-}d}|s%tK|rd}t+d./nz t+d0t/| 1tM| || |2}nE#t$r7}t+d3|j'4 d}|j'd5vrt3|t r|rt+d d6t/|"t9| |||#}t;jt>j }tC| d$}|dd<| dp|d<| d%p d%pd&d%<| d'p d'd'<t| d }|r|}|"d(<|d$<t;j#|$|zt>j )"d<d} d} t+d*d6t/|t/| +|d7tM| || |2}nYd}~nd}~wwxYw|t;jt>j }| d8d9<| d:d;<| dd<<| d$d=<t-| d>d-d?<|"d@<t| d }|r|}t+dAt-| d>d-B|d<|d <|d<| d-ut3| t r| nddCdD<dddn #1swxYwY|dEdddn #1swxYwY d9}t3|t r|stdFddGH d<}tQ|}|1tdIt|tSj)z n!tC d=}d|| d;|||rdJndKdLS)Na Resolve Nous inference credentials for runtime use. Ensures access_token is valid (refreshes if needed) and a short-lived inference key is present with minimum TTL (mints/reuses as needed). Concurrent processes coordinate through the auth store file lock. Returns dict with: provider, base_url, api_key, key_id, expires_at, expires_in, source ("cache" or "portal"). rNr<r@rTrr-rrrMr.NOUS_INFERENCE_BASE_URLr/reasonr(rr,c d tdtn8#t$r+}td|t |jd}~wwxYwtd|t dt ddS)Nr@nous_state_persist_failed)rGr error_typenous_state_persistedrqr)rGrrefresh_token_fpaccess_token_fp)rrrrPrnr8r=r)rrrrGr s r?_persist_statez8resolve_nous_runtime_credentials.._persist_state s $Z??? ,,,,   / +!#Cyy1    &'!3EIIo4N4N!O!O 2599^3L3L M M       s $ A&AArrnous_runtime_credentials_startrq)rGrrr!rurrrrr)r refresh_startaccess_expiring)rGrr!rrHr~rr0r(r$refresh_success)rGrprevious_refresh_token_fpnew_refresh_token_fppost_refresh_access_expiringFagent_key_reuserF mint_start)rGr"r mint_error)rGr(rmint_retry_after_invalid_tokenpost_refresh_mint_retryrGrrrrrrrr  mint_success)rGrrr&resolve_nous_runtime_credentials_finalz*Failed to resolve a Nous inference API keyrr`rcacheportal)r'rrGrr)rHr)rr(rr,)*rtrrrrrrrr%rOrrrrrNr r(rrr rvrPrr=rwrrGr rrrrrrKrr*r?rrr(rBrs)rr`rrrr-r.r/r#rrrzrrqrrrprevious_refresh_tokenr used_cached_keyrrlatest_refresh_tokenrrGr)rFrHrrGr s @@@r? resolve_nous_runtime_credentialsr7 s $b#&9":":;;*,,"3B3'K   JAJA%'' $Z88 DD%+dDDD D uyy):;; < < 'y122 'y/00 '' &++  uyy)=>> ? ? *y233 *) &++   +..H2HII         (!(iTYZZZ-? LMM ,#J'' 3/ /0J0JKK     \'H>P3QZ` a a aU ek 99^44L!IIo66MlC00 H  H N)/$HHHHEIIl335VWW( ?!-55L]L#$X-3dLLLL# +,%7 %F%F  2!?'} l8<000|1L1LMM )6&(1.(An%)2)G)G)X=o&&/mmL&A&A&hUYY|E\E\&h`hl#!*w!7!7!M599W;M;Mg 29==AU3V3V W W  7)6&'*}}m$&0l#&.&<MMOOj0X\''')++l# %^4 %o 6 % +,.@AW.X.X);M)J)J =>>>$O59LD "6u>Q"R"RD "&.KHHHHH@ $$/(:<(H(H $3%%1CV$$$LL!666 $$/ X ,199_+E+E($FFF&';SAAG0G%+(3#C-?@T-U-U  %:#)?&/?S%%% 'l8<88%8|9T9T%U%U 09.0In-1:1O1O1gSgo..7mmL.I.I.pUYYWcMdMd.phpl+)2w)?)?)U599WCUCUg(:9==I];^;^(_(_ (?1>./2}}m,.8l+.6.DMMOOj8X\///#)++l+(-^'< (-o(> $-(3#C6HI]6^6^1CM1R1R ''@AAA'6#)?)5GZ(((  % c6p'l8<00%1%5%5i%@%@k"(4(8(8(B(Bn%0<0@0@0N0N,-0<0@0@0N0N,-,01A1A(E1R1R,S,S()14-./ 0@0@AU0V0VWW 4)3&" + 0 05 A ABB(7E# $*'>HVVDE%LeU U U U U U U U U U U U U U U n ?@@@UJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAXii $$G gs # #>7>D!'n>>> >122J(44M  $ As=49;;.//000 +A!B!B C C&))N++  ,:''(  sdFa6+Ja2R<:a< [>H-[94a9[>>E a a6a a6a a66a:=a:cdddddddS)NF)r%r-r.access_expires_atrr>r4r4r>r?_empty_nous_auth_statusr: s#"! $"   r>c  ddlm}|d}|r|stSt |}|stSdd}t || }t|d d pt|d d }|stSdt|dd pt|dd t|dd pt|dd |t|dd t|dd tt|dd dt|dddS#t$rtcYSwxYw)zBest-effort status from the credential pool. This is a fallback only. The auth-store provider state is the runtime source of truth because it is what ``resolve_nous_runtime_credentials()`` refreshes and mints against. rrr@rr rtuple[float, float, int]ctt|ddpd}tt|ddpd}tt|ddpd}||| fS)Nrr)priorityr)rBrr)r agent_exp access_expr?s r?_entry_sort_keyz3_snapshot_nous_pool_status.._entry_sort_key so,WU>HzH95 5r>rrNrr,Tr-rr.r)rrqpool:runknown)r%r-r.rr9rr>r)rr rr<) rrrr:rrrtrrr)rrrrBrrs r?_snapshot_nous_pool_statusrE s&)333333y   -4//11 -*,, ,t||~~&& -*,, , 6 6 6 6 G111 E>4 0 0 5u/44  -*,, ,&u.?FF 0uj$//")%1Et"L"L#0uj$//(!( d!C!C$+E3I4$P$P!%ge_d&K&K!L!LBgeWi@@BB    )))&((((()s$4E0E(AE/BEE! E!c td}|rkt|d|d|d|d|dt|d|ddd } td }tdp|}|d |dp|d|d p)|dp|d|dp|d|dp)|dp|dt|dd|dd|dd|S#t $r^}|dt |tt|ddt|ddd|cYd}~Sd}~wwxYwtS)aStatus snapshot for Nous auth. Prefer the auth-store provider state, because that is the live source of truth for refresh + mint operations. When provider state exists, validate it by resolving runtime credentials so revoked refresh sessions do not show up as a healthy login. If provider state is absent, fall back to the credential pool for the just-logged-in / not-yet-promoted case. r@rr-r.r)rrqr)r%r-r.r9rr>rrr)rTrr9zruntime:rr3r)r%r-r.r9rr>rrFr)r(N)r%r4r)r) rrrr7rMr%r(rrE)r  base_statusrrefreshed_staters r?get_nous_auth_statusrI s $F + +E &eii7788$yy):;;"')),@"A"A!&>)-o.A.A/.R.R)S)SH8X)F)FHH#ii11             "S$(6H%)P)P$Q$Q%c6488               & ' ''s >EH I;AI60I;6I;c  ddlm}|d}|r|r|}|wt |ddpt |dd}|rSt |dsCdt tt |d dd d t |d d |dSn#t$rYnwxYw t}dt t| d | d| d| ddS#t$r6}dt tt |dcYd}~Sd}~wwxYw)zStatus snapshot for Codex auth. Checks the credential pool first (where `hermes auth` stores credentials), then falls back to the legacy provider state. rrrBNrrr,TrerhrCrrD)r%rrerirrGrirrGF)r%rr4) rrrselectrr[r(r\rrrr%)rrrrGrrs r?get_codex_auth_statusrL& s 333333y((  D((** KKMME E#4d;;:unb99#B7A#N#N%)&)/*;*;&<&<(/~t(L(L%."N'%)*L*L"N"N#*        133o//00!IIn55;//ii))yy++        o//00XX         s1B3B77 CCA;E F+E?9F?Fct|}|r |jdkrddiSd}d}t||\}}d}|jr,t j|jd}|dvrt||j |}n |r|}n|j }t|||j ||t|dS)zc t|}|r |jdkrddiStjddp(tjddpd}tjdd}|rt j|nd d g}|jr,tj|jdnd}|s|j }|rtj |nd }t|p| d ||j||||t|p| d d S)z:Status snapshot for providers that run a local subprocess.rPrNFHERMES_COPILOT_ACP_COMMANDr,COPILOT_CLI_PATHrJHERMES_COPILOT_ACP_ARGS--acp--stdioN acp+tcp://)rNr'r*commandrresolved_commandrr%)rrr+rrrshlexrSr7r.rwhichrrr*)rrr[raw_argsrrr\s r?$get_external_process_provider_statusr`v sy##K00G %g'+===e$$ .3399;;  9' , , 2 2 4 4   y2B77==??H$, F5;x 7I2FDBIBZbry1266<<>>>`bH .-07Av|G,,,T+Px/B/B

c|p t}|dkrtS|dkrtS|dkrtS|dkrt S|dkrt S|dkrt |St|}|r|j dkrt|S|r5|j dkr* d d l m }||d S#t$r d |d dcYSwxYwdd iS)zGeneric auth status dispatcher.r"r@rBrDrErOrGrrr(r%r'Fzboto3 not installed)r%r'r4r%)rr?rIrLrrr`rrr+rSr-r)r.)rrrr)s r?r+r+ s\  1/11F &((( #%%% $&&& #%%% $$$+--- 3F;;;##F++G37$ 11*6222\7$ 11 \ A A A A A A!4!4!6!6FKK K \ \ \!&FEZ[[ [ [ [ \  sC!!C43C4c t|}|r |jdkrtd|d|dd}d}t ||\}}|s|dkr t }|pd}d}|jr,tj|jd }|d vrt||j |}n<|d krt||j |}n|r| d }n|j }||| d |pdd S) zwResolve API key and base URL for an API-key provider. Returns dict with: provider, api_key, base_url, source. rG Provider 'z' is not an API-key provider.r$r`r,rFrrOrVrMr'rGrr)rrr+r%rLMSTUDIO_NOAUTH_PLACEHOLDERr7rrrrr.r#rNrQs r?$resolve_api_key_provider_credentialsrg s_  ##K00G  g'944 C C C C #    GJ:;PPGZ -{j00-,9 GB)G4b99??AA777)'73MwWW   ('2LgVV .>>#&&- OOC(()   r>ct|}|r |jdkrtd|d|d|jr,t j|jdnd}|s|j}t jddp(t jddpd }t jd d}|rtj |nd d g}|rtj |nd }|s+| dstd|d|d|d|d|p||ddS)z>Resolve runtime details for local subprocess-backed providers.rPrdz&' is not an external-process provider.r$r`r,rUrVrJrWrXrYNrZz(Could not find the Copilot CLI command 'zQ'. Install GitHub Copilot CLI or set HERMES_COPILOT_ACP_COMMAND/COPILOT_CLI_PATH.missing_copilot_clirOrMprocess)r'rGrr[rr)rrr+r%r7rrrr.r]rSrr^rrN)rrrr[r_rr\s r?-resolve_external_process_provider_credentialsrk s##K00G  g'+=== L L L L #    CJBZbry1266<<>>>`bH .- .3399;;  9' , , 2 2 4 4   y2B77==??H$, F5;x 7I2FD07Av|G,,,T  H$7$7 $E$E  ]w ] ] ] &       OOC((#.w   r> default_modelc^t5t}||d<t|dddn #1swxYwYt}|jddt }|d}t|trt|}nBt|tr+| rd| i}ni}||d<|r-| r| d|d <n| d d| d d| d d|r!|dd }|rd|vr||d<||d<t||d |S)aUpdate config.yaml and auth.json to reflect the active provider. When *default_model* is provided the function also writes it as the ``model.default`` value. This prevents a race condition where the gateway (which re-reads config per-message) picks up the new provider before the caller has finished model selection, resulting in a mismatched model/provider (e.g. ``anthropic/claude-opus-4.6`` sent to MiniMax's API). rNTrcrrr'rMrrGapi_moder,FrK)rrrrrjrkrrrr=r(rrNrr) rr.rlr config_pathconfig current_modelr cur_defaults r?_update_config_for_providerrt s   %%%'' (3 $%$$$%%%%%%%%%%%%%%% "##KTD999   FJJw''M-&&'' M3 ' 'M,?,?,A,A 3 3 5 56  'Ij(06688( 2 9 9# > > *  j$'''MM)T""" MM*d### 1mmIr22  1c[00#0Ii F7Ok6U;;;; s#>AAcP t}n#t$rYdSwxYw|sdS|d}t|tsdS|d}t|t sdS|}|pdS)z?Return model.provider from config.yaml, normalized, if present.Nrr')rrrrr=r(rr)rqrr's r?_get_config_providerrvLs "" tt t JJw  E eT " "tyy$$H h $ $t~~%%''H  ts  cv|sdSt|kS)z=Return True when config.yaml currently selects *provider_id*.F)rvrr)rs r?_config_provider_matchesrx^s8 u  ! ![%6%6%8%8%>%>%@%@ @@r>c.t}|dvr|SdS)aFallback logout target when auth.json has no active provider. `hermes logout` historically keyed off auth.json.active_provider only. That left users stuck when auth state had already been cleared but config.yaml still selected an OAuth provider such as openai-codex for the agent model: there was no active auth provider to target, so logout printed "No provider is currently logged in" and never reset model.provider. >r@rBN)rv)r's r?$_logout_default_provider_from_configrzes%$%%H+++ 4r>ct}|s|St}|s|S|d}t |t rd|d<d|vr t |d<t||d|S)z5Reset config.yaml provider back to auto after logout.rrr'rFro)rrnrrrr=rr)rprqrs r?_reset_config_providerr|ts!##K        F  JJw  E%4"j    3E* k6U;;;; r>rrrpricing#Optional[Dict[str, Dict[str, str]]]unavailable_modelsOptional[List[str]] portal_urlc F !"#$%&'ddlm}|pg}g}r|vr||D]}||vr||t|t|z} t ot fd| D%%rt d| Dddznd&i"d'd#d$%r| D]}|} | rh|| d d } || d d } | d d } | r || nd }|rd $nd\} } }| | |f"|<t 't| t| 't #t|#؉$rt #d#"#$%&'fd!d}d}%r1d}d|d d&ddd'ddd'}$r |ddd#z }||dzz }d}d} ddl m }!fd|D}|d|d |pt d!}|rwt|t|D]!}t|d!||"tt|d"|d#|td$}n|}|||d%d&d'd d|(}|}dd)lm}||d*St|t|kr||S|t|kr't#d+}|r|nd*Sd*S#t&t(t*t,jf$rYnwxYwt|tt1t|dz}t3|d,D]'\}}td|d|d-!|(t|}td|d,zd|d.td|dzd|d/|rm|pt d!}ttd|d0|d1||D](}tdd d|d|!||)t t#d2|dzd3} | sd*St5| }d,|cxkr|krnn ||d,z S||d,zkr't#d+}|r|nd*S||dzkrd*Std4|dzn2#t6$rtd5Ynt8t:f$rYd*SwxYw)6aInteractive model selection. Puts current_model first with a marker. Returns chosen model ID or None. If *pricing* is provided (``{model_id: {prompt, completion}}``), a compact price indicator is shown next to each model in aligned columns. If *unavailable_models* is provided, those models are shown grayed out and unselectable, with an upgrade link to *portal_url*. r)_format_price_per_mtokc3BK|]}|VdSr.r)rmr}s r?rz*_prompt_model_selection..s-&J&J!w{{1~~&J&J&J&J&J&Jr>c34K|]}t|VdSr.)r)rrs r?rz*_prompt_model_selection..s(//qCFF//////r>rrrFpromptr, completioninput_cache_readTr,r,r,c rC|d\}}}d|d d|d } r |d|dz }|d |}n|}|kr|dz }|S)Nrr!> ._labels  *..sLAAOCeCSC9CCCCCyCCCCJ 8757977777 3H333z33DDD -   , ,D r>zSelect default model:z rrr!InrOutCachez /Mtokzz) TerminalMenuc,g|]}d|S)rr4)rrrs r?rz+_prompt_model_selection..s*999#%s %%999r>z Enter custom model namez Skip (keep current)rMu ── Upgrade at u for paid models ──zAvailable free models:z-> )fg_greenbold)r) cursor_index menu_cursormenu_cursor_stylemenu_highlight_style cycle_cursor clear_screentitle) flush_stdinNzEnter model name: rz. z. Enter custom model namez. Skip (keep current)u=── Unavailable models (requires paid tier — upgrade at u) ──z Choice [1-z] (default: skip): zPlease enter 1-zPlease enter a number)hermes_cli.modelsrrrranyrtrrsimple_term_menurrrNrCshowhermes_cli.curses_uirrHrr.NotImplementedErrorr} subprocessSubprocessErrorr( enumeraterrrJrI)(rrrr}rrr _unavailablerr all_modelsprr cache_readr2 default_idx menu_titlepadheader_DIM_RESETrchoices _upgrade_urleffective_titlemenuidxrr num_widthinchoicerrrrrrrs( `` @@@@@@@r?_prompt_model_selectionrs988888%+LG&)33}%%%   g   NN3   gl!3!33JwJ3&J&J&J&Jz&J&J&J#J#JKKKCNUs//J///;;;a??TUH57LIII* 3 3C C  A -,,QUU8R-@-@AA,,QUU<-D-DEEUU#5r:: >HP..z:::b% $I",S%!$c5 1L Is3xxS::IIs5zz22II  *Iq))I           K)J)UcU2UUUUUDU9UUUUUUUUU  2 171Y1111 1Ffy((  D F/ 11111199999992333./// #=&=EEcJJ  ) *    GGG# ; ;99FF3KK999:::: GGG T\\|\\TZ\\ ] ] ] GGG6OO(O| $2!.!    iikk444444 ;4  W  3<  CLL /006688F#-66 -t ,gz7Q R      *CG q())**IGQ''443 212y2222VVC[[223333 G A cztdtdtdtd)z9Deprecated: use 'hermes model' or 'hermes setup' instead.z,The 'hermes login' command has been removed.z(Use 'hermes auth' to manage credentials,zF'hermes model' to select a provider, or 'hermes setup' for full setup.r)rCrK)rs r? login_commandrHs; 8999 4555 RSSS Q--r>)force_new_loginrc~~|s) t}|dd}t|tr|rt |dst d t d}n#ttf$rd}YnwxYw|dvr[td|d t}t t d t d |d d Snt dn#t$rYnwxYw|s"t}|rt dt d t d}n#ttf$rd}YnwxYw|dvrt|t!jdddpt} td| }t t dt dt d |d d St t dt dt t'} t| d| dtd| d t}t t d ddlm} t d| dt d |d d S) zNOpenAI Codex login via device code flow. Tokens stored in ~/.hermes/auth.json.rGr,rz6Existing Codex credentials found in Hermes auth store.z!Use existing credentials? [Y/n]: y)r,rrBrBrLogin successful! Config updated: z (model.provider=openai-codex)Nz?Existing Codex credentials are expired. Starting fresh login...z:Found existing Codex CLI credentials at ~/.codex/auth.jsonzOHermes will create its own session to avoid conflicts with Codex CLI / VS Code.zCImport these credentials? (a separate login is recommended) [y/N]: r)rrBrrMz=Credentials imported. Note: if Codex CLI refreshes its token,zk>kllK GGG <<<<<< -4466 - - -... J{ J J JKKKKKsOAD"3BDB,)D+B,,A DD D,+D,"3FF,+F,c \ ddl}d}t} tjtjd5}||dd|idd i }dddn #1swxYwYn'#t $r}td |d d d}~wwxYw|jdkrtd|jdd d| }| dd}| dd}tdt| dd} |r|stdd dtdtdtd|dtdtd|d td!d"} |} d} tjtjd5}|| z | krz|| ||d#||d$dd i } | jdkr| } n%| jd%vrztd&| jdd d'dddn #1swxYwYn,#t $rtd(t#d)wxYw| td*d d+| d,d}| d-d}|d.}|r|std/d d0 tjtjd5}|t$d,||||d1dd2i3}dddn #1swxYwYn'#t $r}td4|d d5d}~wwxYw|jdkrtd6|jdd d7| }| d8d}| d9d}|std:d d;t'jd|t1jt4jd?d@dAdBdCS)DzBRun the OpenAI device code login flow and return credentials dict.rNzhttps://auth.openai.comrrz!/api/accounts/deviceauth/usercoder/rr)rrzFailed to request device code: rBdevice_code_request_failedr`rz$Device code request returned status rdevice_code_request_errorrr,device_auth_idrr5z-Device code response missing required fields.device_code_incompletez!To continue, follow these steps: z# 1. Open this URL in your browser:z z/codex/device z 2. Enter this code:z z/Waiting for sign-in... (press Ctrl+C to cancel)iz/api/accounts/deviceauth/token)rr)rsrz$Device auth polling returned status device_code_poll_error Login cancelled.z!Login timed out after 15 minutes.device_code_timeoutr.rz/deviceauth/callbackzADevice auth response missing authorization_code or code_verifier.device_code_incomplete_exchange)rwr(rr/rrsrerzToken exchange failed: token_exchange_failedzToken exchange returned status token_exchange_errorrrqz.Token exchange did not return an access_token.token_exchange_no_access_tokenrrM)rrqr:r8rhz device-code)rgrrerir)rsryr rwrvr rr%r rrrtrrC monotonicrrJrKrxrrrrNrrrrrrr>)_timeissuerr/rzrr device_datarrrmax_waitr code_resp poll_respr.rr token_resprgrrqrs r?rrs &F%I  \%-"5"5 6 6 6 &;;<<<!9-');<D                    3c 3 3#*F      3 F43C F F F#*E    ))++K R00I __%5r::N3{z3??@@AAM  N  ;#*B     ./// /000 8& 8 8 8999 !""" .) . . ./// ;<<<H OO  EI \%-"5"5 6 6 6 &//##e+h66 M***"KK===,:SS+-?@( (C// ) 0 0I*j88#Wy?TWWW!/6N               &  "###oo /#*?    #';R@@MM/266M222L  ]  O#*K     \%-"5"5 6 6 6 &%"6.$0!*%2 ()LM%  J                    +c + +#*A     $$ Gj.D G G G#*@    __  F::nb11LJJ33M   <#*J     )2..4466==cBB " ! )*   X\22<<>>FFxQTUU   s'A. A" A."A&&A.)A&*A.. B8B  B='J$BJ: JJ  J J J)J;'M?&M3' M?3M77M?:M7;M?? N# NN#r5cVddl}|ddd}tjt j| d}|d}|||fS)zGGenerate (code_verifier, code_challenge_S256, state) for MiniMax OAuth.rNr`rQr) secrets token_urlsaferTrrrrrrVrN)rverifier challenger s r?_minimax_pkce_pairr-sNNN$$R(("-H(x(())0022 fhhvvc{{  ! !" % %E Y %%r>c ||dd|t|d|dddttjd}|jd kr!t d |jp|jd d | }dD]}||vrt d|d d | d|krt dd d |S)Nz /oauth/coder(r)rr/r0rrr rsr)rruz x-request-idrrz$MiniMax OAuth authorization failed: rnauthorization_failedr`)rr expired_inz&MiniMax OAuth response missing field: authorization_incompleter z-MiniMax OAuth state mismatch (possible CSRF).state_mismatch) r MINIMAX_OAUTH_SCOPEr(rrr r%r@ reason_phraserr)rzr-r/rr rrOrs r?_minimax_request_user_coder8s@{{ '''#"(,%+   @( --  H s"" \8=3ZHDZ \ \$+A    mmooG@   @@@(/I  {{7u$$ ;$+;     Nr>rr interval_ms Optional[int]cddl}t|dz}||dzkr|dz } n%|td|z} td|pddz } || kr=||dt|||d d d d  } | jr| nin#t$riYnwxYw| jdkrI dipi dp| j} td| pddd d} | dkrtddd| dkr/tfddDstdddS| | || k=tddd )!Nrrlrg@@rg@i /oauth/token)rwr/rrrsrrtrr base_resp status_msgzMiniMax OAuth error: rDrnrr`r2r4z8MiniMax OAuth reported an error. Please try again later.authorization_deniedsuccessc3BK|]}|VdSr.r)rkrOs r?rz&_minimax_poll_token..s-__!w{{1~~______r>)rrqrzhmmoooBGG   GGG   3 & &;;{B//52::<HHYHMC:(8y::(/F  X&& W  J(/E  Y  ____/^_____ R,3EN HQ **,, ! !T A y   s5C C"!C"ct5t}t|d|t|ddddS#1swxYwYdS)zGPersist MiniMax OAuth state to Hermes auth store (~/.hermes/auth.json).rnN)rrrr)rrs r?_minimax_save_auth_staters   %%%'' Z*EEE$$$%%%%%%%%%%%%%%%%%%s/A  AArqrRr`rqrRc td}|dkr|jd}|jd}n|j}|j}t \}}}t rd}t d|dt d|tjtj |d d i 5} t| ||j || } t| d } t| d} t t dt d| t d| |r3tj| rt dnt d| d} | t!| nd}t dt#| ||j | |t!| d|}dddn #1swxYwYt%jt(j}t!|d}||z}d||||j t.|dd|d|d|d|t%j|t(j|d }t5|t d |d!x}rt d"||S)#z?Run MiniMax OAuth flow, persist tokens, return auth state dict.rnrrrrsFz#Starting Hermes login via MiniMax (z ) OAuth...Portal: rurrl)r-r/rr rr To continue: 1. Open:  2. If prompted, enter code: # (Opened browser for verification)z< Could not open browser automatically -- use the URL above.rNzWaiting for approval...r)r-r/rrrrr~rrrqrr$) r'rqr-r.r/r0r~rrqrr(r)rHu#✓ MiniMax OAuth login successful.notification_messagezNote from MiniMax: )rr3r-r.rrFrCr rwrvrr/r(rGrrrrrrrrrr?rrr*r)rqrRr`rr-r.rrr rz code_dataverification_urlr interval_rawr token_datar expires_in_sr)rr1s r?_minimax_oauth_loginrsi  0G ~~!-(<=$]+BC!1$7!3!5!5Hi  B B B BCCC &_ & &''' emO<<');< > > > AG. O'$E   y);<== +.//   n .,../// :y::;;;  V/00 V;<<<<TUUU }}Z00 +7+Cc,'''  '(((( O'x9\233#    1               @ ,x| $ $Cz,/00L</J$*0&$ nn\8<<">2#O4"~66}},ZHLIIISSUU"J Z((( 2333nn3444s+ )C))*** s.DGG G)r`forcer c 0 |dstdddd tj|dd}n#t $rd }YnwxYwt j}|s||z tkr|S|d }tj tj | 5}| |d d|d |ddddd}dddn #1swxYwY|j dkrV|j  t fddD}td|j p|jdd||} | ddkrtddddtjt&j} t+| d} t-|} | | d| d|d| tj| | zt&j| dt5| | S) zBRefresh MiniMax OAuth access token if close to expiry (or forced).rqz:MiniMax OAuth state has no refresh_token; please re-login.rnno_refresh_tokenTr&r)r,r>r-rrr/rrsrrtrNrc3 K|]}|vV dSr.r4)rrrs r?rz/_refresh_minimax_oauth_state..s?ZZAa4iZZZZZZr>)rorrinvalid_refresh_tokenzMiniMax OAuth refresh failed: refresh_failedr2rz-MiniMax OAuth refresh did not return success.rrr$)rrqr(r)rH)rr%rr=r?rrs"MINIMAX_OAUTH_REFRESH_SKEW_SECONDSr rwrvr r r@rrrrrrrrr=rMrr*r)r r`r r)rr-rzrrrOnow_dtr new_staters @r?_refresh_minimax_oauth_stater)s4 99_ % %  H$+=PT    +EIIlB,G,GHHRRTT   )++C j3&*LLL -.O emO<< = = =  ;; , , ,-";/!&!7 !D,                   s""}""$$ZZZZXZZZZZ VX]-Th>T V V$+;$    mmooG{{8 )) ;$+;!    \(, ' 'Fw|,--LU I / _eO6LMM'')),V-=-=-?-?,-N08 >>>>Gikk" Y''' s#:A&& A54A5 /DD D )min_token_ttl_secondsr*ctd}|r|dstddddt|}d|d|ddd d S) z?Return {provider, api_key, base_url, source} for minimax-oauth.rnrzMNot logged into MiniMax OAuth. Run `hermes model` and select MiniMax (OAuth). not_logged_inTr&r.rMoauthre)rrr%r)rN)r*r s r?)resolve_minimax_oauth_runtime_credentialsr.7s $O 4 4E   .11  $?T    ) / /E#(./66s;;   r>ctd}|r|dsdddS tj|dd}|t jz dk}n2#t $r%t|d}YnwxYw|d|dd |dd S) z3Return auth status dict for MiniMax OAuth provider.rnrFrbr)r,rrqrp)r%r'rqr))rrrr=r?rsrr)r r) token_valids r?get_minimax_oauth_auth_statusr1Ks #O 4 4E A .11A"@@@6+EIIlB,G,GHHRRTT !DIKK/14 666599^4455 6!#))Hh//ii --   sAB,B10B1ct|ddpd}t|dd }t|ddpd} t|||dS#t$r0}tt |t d d}~wwxYw) z"CLI entry for MiniMax OAuth login.rqNrprNFrrrr)rrr%rCr9rK)rrrqrRrrs r?_login_minimax_oauthr3]s T8T * * 6hFt\5999LdIt,,4G g        $$%%%mmsA B+BB, r-r.r/r0rRr`rrrc N td} |p.tjdptjdp| jd}|ptjdp| jd} |p| j}|p| j}tj |} |rdn|r|nd} trd}td| j d td ||rtd n|rtd |d tj | ddi| 5} t| |||}t|d}t|d}t!|d}t!|d}ttdtd|td||r5t#j|}|rtdntdt'dt)|t*}td|dt-| ||t|d||}d d d n #1swxYwYt/jt2j}t7|dd!}||z}t=|d"p| }|| krtd#|id$|d"|d%|d&|d&p|d'|d'd(d)|d)d*|d*d+|d,t/j |t2j-d|d.| dutC| tr| nd d/d0d d1d d2d d3d d4d d5d } tE|||dd6S#tF$r}|j$d7kr|d$tJd}ttd8td9|d:ttd;tMdd }~wwxYw)Your Nous Portal account does not have an active subscription.z Subscribe here: z/billingz>,+J+JKK#33J:>>*>??@@ # "!888 N6LNNOOO?4 Y ((1E  jnn\8<<   >2  88 s}} h,ZHLIIISSUU & %#-fc#:#:D   T !" #$ %& D'( )J,,  3+          8. . .#!#:fSkk  GGG R S S S ;z;;; < < < GGG P Q Q QQ--   s,,D>I66I:=I:+O?? R$ BRR$c ( t|ddpd}tt|dd}t|ddp'tjdptjd} t t|d dt|d dt|d dp|jt|d dp|jt|d d |||d }|d}t5t}| d}dddn #1swxYwYt5t} t| d|t| } dddn #1swxYwYttdtd| d} | dp| d} t| tr| stdddddlm} m}m}m}| }tg}|r(|d}|}|r|||d\}}| dd}|r4td t+|d!t-||||"} nP|r?|pt.d#}td$td%|d&ntd'nj#t2$r]}t|trt5|nt|}ttd(|Yd}~nd}~wwxYw| st5t} |r|| d<n| ddt| dddn #1swxYwYttd)td*dSt9d|| +}| r!t;| td,| td-|d.dS#t<$rtd/t?d0t2$r&}td1|t?d2d}~wwxYw)3z&Nous Portal device authorization flow.rNrrFrrrr inference_urlr/r0rNr4r5r.rr@rrOrrz,No runtime API key available to fetch modelsrpr`r)get_curated_nous_model_idsget_pricing_for_providercheck_nous_free_tierpartition_nous_models_by_tierT) free_tierr-r,zShowing u= curated models — use "Enter custom model name" for others.)r}rrrMz#No free models currently available.z Upgrade at z to access paid models.z,No curated models available for Nous Portal.z?Login succeeded, but could not fetch available models. Reason: z:No provider change. Nous credentials saved for future use.z4 Run `hermes model` again to switch to Nous Portal.)rlzDefault model set to: rz (model.provider=nous)rrzLogin failed: r) rrrrr<r/r0rrrrrrCrr(r%rr?r@rArBrrrrNrr9rrtrrJrK)rrr`rrrr. _prior_storeprior_active_providerrrXselected_model runtime_keyr?r@rArBrrr}rC_portal_urlrr*rps r? _login_nousrJsZdIt44<OGD*e4455Hk4(( & 9' ( ( & 9_ % % s,#D,==&t_dCCdK66K':K$..?'-$T<???+ &    ((<=    H H+--L$0$4$45F$G$G ! H H H H H H H H H H H H H H H   4 4)++J VZ @ @ @' 33H 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4  !""" )x))*** ) _$..55W9W9WKk3// { B#(             3244I GGG')  226::0022 4Q4Q!7d5551I1!nn%6;;G FpYpppqqq!8w'9&""" $ F:#:BB3GG;<<<ADAAABBBBDEEE _ _ _0:3 0J0JX',,,PSTWPXPXG GGG ]T[]] ^ ^ ^ ^ ^ ^ ^ ^ _ "## - --// (<4IJ011NN#4d;;; ,,,  - - - - - - - - - - - - - - - GGG N O O O H I I I F1 &n     = ~ . . . ;>;; < < < F;FFFGGGGG  "###oo  $s$$%%%mms,BP:4$D$ P:$D((P:+D(,P:=/E8, P:8E<<P:?E<4P:5D?K54P:5 M?AMP:MP:/N;?/P:0AP::1R+!R  Rc$t|dd}|r0t|s!td|tdt }|p|p t }|stddSt |}t|}t|s|rWttd|dtj drtd dStd dStd |ddS) z Clear auth state for a provider.r'NzUnknown provider: rz#No provider is currently logged in.zLogged out of rr'z)Hermes will use OpenRouter for inference.z9Run `hermes model` or configure an API key to use Hermes.zNo auth state found for ) rrrCrKrrzrxrrr|rr)rrrrconfig_matchesrs r?logout_commandrMns@$ D11K1+>> 0;00111mm " "F  LF L&J&L&LF  3444-f55N26::M6"";n;    /}///000 9) * * O = > > > > > M N N N N N 9999:::::r>)rr()rGr(rr(rr(rr()rr rrrr)rr(rr'rr)r)rGr(rrrr)r4rrr()rr rr+)rr)rHr(rGr+rIr rr,)rr )r`rr.)rrrr2)rr2rr )rr2rr(rr)rr2rr(r r2rr,) rr2rr(r r2rrrr,)rr(rr)rr(rr()rr+rr2)rr(rrrr )rr(rr(rr,)rr(rr(rr)rr(rr)rr+)rr+rrr)rr(rr()rr+rr+rr+rr()rr rr6)rCr rDrrr)rHr rr)rr rr+)rr rr2)rr rDrrr)rr2)rgr2rr )rjr rDrrr)ro)rgr2r`rrr2)rrrrrrrr2)rrrr2)rr+rr)rr+rr()NN)rr+r rrr()r rrr()r)rrrr()rr(rr()r/r(rr(r0r(r r(rr(rr(rr()rr(rr)rr(rr)rr(r`rrr)r!r2r/r(rr(r"r(rr(rr(r rrr2)r/r(r(r(rr(rr(rr(r`rrr2)r r2r`rrr2)r@r(rr()r^rrr2)rgr$rer(rr,)rr(rqr(r`rrr2)rgr$r`rrr$)rr)rr)rrrr+rrrr) rzrr-r(r/r(r0r+rr2)rzrr-r(r/r(rr(rHrrrrr2) rzrr-r(r/r(rqr(rr2) rzrr-r(rr(rrrr2) r.r(rGr(r`rrrrr)r r2rrrr) r`rrrrr+rrrr()$rr(rqr(r/r(r-r(r.r(r~r(r0r(r(r+r)r+rr+rr+rrr`rrrrr+rrrrrr2) r r2rrr`rrrrrrr2)rr2rr+) rrr`rrrrr+rrrr2)rr(rr2)rr(r.r(rlr+rr )r,NNr,) rrrrr(r}r~rrrr(rr+)rr(rr,)rr'rrrr,)rr5) rzrr-r(r/r(rr(r r(rr2)rzrr-r(r/r(rr(rr(rrrrrr2)rr2rr,)rqr(rRrr`rrr2)r r2r`rr rrr2)r*rrr2)rr'rr,)r-r+r.r+r/r+r0r+rRrr`rrrrr+rrrr2)r; __future__rrloggingrrr]rrorrTrrrrsrrG contextlibr dataclassesrrrr http.serverr r pathlibr typingr r rr urllib.parserrrr yamlrrrrrrutilsrrr getLoggerr8rrlrrmrrrr rr !DEFAULT_AGENT_KEY_MIN_TTL_SECONDSr rrMINIMAX_OAUTH_CLIENT_IDrr MINIMAX_OAUTH_GLOBAL_BASEMINIMAX_OAUTH_CN_BASEMINIMAX_OAUTH_GLOBAL_INFERENCEMINIMAX_OAUTH_CN_INFERENCEr&rDEFAULT_GITHUB_MODELS_BASE_URLDEFAULT_COPILOT_ACP_BASE_URLDEFAULT_OLLAMA_CLOUD_BASE_URLSTEPFUN_STEP_PLAN_INTL_BASE_URLSTEPFUN_STEP_PLAN_CN_BASE_URLryrx'CODEX_ACCESS_TOKEN_REFRESH_SKEW_SECONDSrr&QWEN_ACCESS_TOKEN_REFRESH_SKEW_SECONDSrrrrDrE)SPOTIFY_ACCESS_TOKEN_REFRESH_SKEW_SECONDSrrr%r<r.GEMINI_OAUTH_ACCESS_TOKEN_REFRESH_SKEW_SECONDSrfr'rrrrrrrrrr#rXr%r9r=rErPr\r_localrirrrrrrrrrrrrrrrrrrrr5rBrGrKrOrXr[r]rfrirnrrrrrrrrrrrrrrrrrr+r2r8r<r?rLrYrFrfrjrrrrrrrrrrrrrrrrrr7r:rErIrLrSr`r+rgrkrtrvrxrzr|rrrrrrrrrrr)r.r1r3r<rJrMr4r>r?risy   #"""""   %%%%%%((((((((''''''''::::::::,,,,,,,,,,,,6666666666 OOOOOOOOOO000000DDDDDDDDDD  8 $ $LLLL EEEMMMM FFF <H%/$+!$'!()%@@9G42!CA%'"3!@. 7"G F6=*-'9A),&$B!;H[A,/) "  y* %<!13. 1           L0 NN  %/5(    L0NN  "1 L0 ..  "0 !L0,  $"< -L08  5(& 9L0H~~  9M/ IL0X>>  !$7/ YL0f nn  M=* gL0v >>  9G'    wL0F>>  8@(   GL0\nn  &7- ]L0j~~  :-+ kL0z ^^  8-) {L0J >>  ;)'    KL0Z~~  =-+ [L0j^^  0!19)!!9N(BDD   kL0@  6\- AL0L0P~~  (S/- QL0`>> *JM7 aL0p..  ?0. qL0@  8., AL0P >>  0)'    QL0` nn  @,* aL0p..  <0. qL0@NN  720 AL0P>>   ;1/   QL0h  <., iL0x>>  =&& yL0H nn  :,* IL0X  @., YL0hNN  8,* iL0x~~  L+ yL0H^^  31 IL0L0LLLLf@3    "   89      &&&&l4gY(S d>d>df|}CEkEkEknCD  #####L....j11111 111"4DDDD---- >B[[[[[[,2222$IO%%.G66666r%<%<%<%<%(  222222n A!## vvvvvvz-)-)-)-)`2(2(2(2(j. . . . b><     :****Z%%%%^$(?????D$AAAA    *37.2 mmmmm`"" GLGLGLGLGLGLTNNNNf&&&&%%%%P====@%%%%D!MMMMMMb8<<<<<<<@%G($     &*(,#!#%@@@@@@F}}}}@;;;;;;s$3B88CCC CC