Files
wehub-resource-sync b4fbd6fe9f
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 11:56:03 +08:00

105 lines
4.5 KiB
Python

"""Tests for get_nous_session_validity — the /api/status classifier NAS reads
to decide whether to re-mint a hosted-agent bootstrap session.
The anti-flap contract is the load-bearing property: only a *terminal* auth
failure may report "terminal" (a spurious "terminal" triggers an unnecessary
NAS re-mint + machine restart on a healthy box). A mid-rotation blip, a
transient error, or a merely-expiring token must NOT report "terminal".
"""
import hermes_cli.auth as auth
from hermes_cli.auth import (
NOUS_SESSION_TERMINAL,
NOUS_SESSION_UNKNOWN,
NOUS_SESSION_VALID,
get_nous_session_validity,
)
def _clear_cache():
auth.invalidate_nous_auth_status_cache()
def test_valid_when_logged_in(monkeypatch):
"""A healthy login → 'valid'."""
monkeypatch.setattr(auth, "get_provider_auth_state", lambda p: {
"access_token": "at", "refresh_token": "rt",
})
monkeypatch.setattr(auth, "get_nous_auth_status", lambda: {"logged_in": True})
assert get_nous_session_validity() == NOUS_SESSION_VALID
def test_terminal_on_persisted_quarantine_marker(monkeypatch):
"""A persisted last_auth_error.relogin_required with tokens cleared →
'terminal'. This is the exact on-disk state the incident produced."""
monkeypatch.setattr(auth, "get_provider_auth_state", lambda p: {
# tokens cleared by the quarantine path
"last_auth_error": {"relogin_required": True, "code": "invalid_grant"},
})
# status would also say not-logged-in, but the marker short-circuits first
monkeypatch.setattr(auth, "get_nous_auth_status", lambda: {"logged_in": False})
assert get_nous_session_validity() == NOUS_SESSION_TERMINAL
def test_terminal_on_relogin_required_status(monkeypatch):
"""Not logged in + relogin_required from the live status → 'terminal'."""
monkeypatch.setattr(auth, "get_provider_auth_state", lambda p: {
"refresh_token": "rt", # present, but status resolution fails terminally
})
monkeypatch.setattr(auth, "get_nous_auth_status", lambda: {
"logged_in": False, "relogin_required": True, "error_code": "invalid_grant",
})
assert get_nous_session_validity() == NOUS_SESSION_TERMINAL
def test_unknown_when_no_provider_state(monkeypatch):
"""No Nous provider state at all → 'unknown' (never terminal)."""
monkeypatch.setattr(auth, "get_provider_auth_state", lambda p: None)
monkeypatch.setattr(auth, "get_nous_auth_status", lambda: {"logged_in": False})
assert get_nous_session_validity() == NOUS_SESSION_UNKNOWN
def test_anti_flap_transient_not_logged_in_is_unknown(monkeypatch):
"""ANTI-FLAP: not-logged-in WITHOUT relogin_required (a transient/network
blip) must be 'unknown', NOT 'terminal' — otherwise a healthy box mid-blip
triggers a spurious re-mint."""
monkeypatch.setattr(auth, "get_provider_auth_state", lambda p: {
"access_token": "at", "refresh_token": "rt",
})
monkeypatch.setattr(auth, "get_nous_auth_status", lambda: {
"logged_in": False, "error": "connection reset", # no relogin_required
})
assert get_nous_session_validity() == NOUS_SESSION_UNKNOWN
def test_stale_quarantine_marker_ignored_after_relogin(monkeypatch):
"""ANTI-FLAP: a leftover last_auth_error marker must NOT report 'terminal'
once a subsequent login has repopulated tokens."""
monkeypatch.setattr(auth, "get_provider_auth_state", lambda p: {
"access_token": "new-at", "refresh_token": "new-rt",
"last_auth_error": {"relogin_required": True, "code": "invalid_grant"},
})
monkeypatch.setattr(auth, "get_nous_auth_status", lambda: {"logged_in": True})
assert get_nous_session_validity() == NOUS_SESSION_VALID
def test_status_exception_is_unknown_not_terminal(monkeypatch):
"""If status computation itself throws, that's indeterminate → 'unknown'."""
monkeypatch.setattr(auth, "get_provider_auth_state", lambda p: {"refresh_token": "rt"})
def _boom():
raise RuntimeError("boom")
monkeypatch.setattr(auth, "get_nous_auth_status", _boom)
assert get_nous_session_validity() == NOUS_SESSION_UNKNOWN
def test_provider_state_exception_falls_through_to_status(monkeypatch):
"""If reading provider state throws, fall through to status (don't crash)."""
def _boom(p):
raise RuntimeError("disk error")
monkeypatch.setattr(auth, "get_provider_auth_state", _boom)
monkeypatch.setattr(auth, "get_nous_auth_status", lambda: {"logged_in": True})
assert get_nous_session_validity() == NOUS_SESSION_VALID