refactor(auth): transition Codex OAuth tokens to Hermes auth store

Updated the authentication mechanism to store Codex OAuth tokens in the Hermes auth store located at ~/.hermes/auth.json instead of the previous ~/.codex/auth.json. This change includes refactoring related functions for reading and saving tokens, ensuring better management of authentication states and preventing conflicts between different applications. Adjusted tests to reflect the new storage structure and improved error handling for missing or malformed tokens.
2026-03-01 19:59:24 -08:00 · 2026-03-01 19:59:24 -08:00 · 5e598a588f
commit 5e598a588f
parent 8bc2de4ab6
7 changed files with 295 additions and 380 deletions
--- a/tests/test_external_credential_detection.py
+++ b/tests/test_external_credential_detection.py
@ -10,42 +10,41 @@ from hermes_cli.auth import detect_external_credentials


 class TestDetectCodexCLI:
-    def test_detects_valid_codex_auth(self, tmp_path):
+    def test_detects_valid_codex_auth(self, tmp_path, monkeypatch):
        codex_dir = tmp_path / ".codex"
        codex_dir.mkdir()
        auth = codex_dir / "auth.json"
        auth.write_text(json.dumps({
            "tokens": {"access_token": "tok-123", "refresh_token": "ref-456"}
        }))
-        with patch("hermes_cli.auth.resolve_codex_home_path", return_value=codex_dir):
-            result = detect_external_credentials()
+        monkeypatch.setenv("CODEX_HOME", str(codex_dir))
+        result = detect_external_credentials()
        codex_hits = [c for c in result if c["provider"] == "openai-codex"]
        assert len(codex_hits) == 1
        assert "Codex CLI" in codex_hits[0]["label"]
-        assert str(auth) == codex_hits[0]["path"]

-    def test_skips_codex_without_access_token(self, tmp_path):
+    def test_skips_codex_without_access_token(self, tmp_path, monkeypatch):
        codex_dir = tmp_path / ".codex"
        codex_dir.mkdir()
        (codex_dir / "auth.json").write_text(json.dumps({"tokens": {}}))
-        with patch("hermes_cli.auth.resolve_codex_home_path", return_value=codex_dir):
-            result = detect_external_credentials()
+        monkeypatch.setenv("CODEX_HOME", str(codex_dir))
+        result = detect_external_credentials()
        assert not any(c["provider"] == "openai-codex" for c in result)

-    def test_skips_missing_codex_dir(self, tmp_path):
-        with patch("hermes_cli.auth.resolve_codex_home_path", return_value=tmp_path / "nonexistent"):
-            result = detect_external_credentials()
+    def test_skips_missing_codex_dir(self, tmp_path, monkeypatch):
+        monkeypatch.setenv("CODEX_HOME", str(tmp_path / "nonexistent"))
+        result = detect_external_credentials()
        assert not any(c["provider"] == "openai-codex" for c in result)

-    def test_skips_malformed_codex_auth(self, tmp_path):
+    def test_skips_malformed_codex_auth(self, tmp_path, monkeypatch):
        codex_dir = tmp_path / ".codex"
        codex_dir.mkdir()
        (codex_dir / "auth.json").write_text("{bad json")
-        with patch("hermes_cli.auth.resolve_codex_home_path", return_value=codex_dir):
-            result = detect_external_credentials()
+        monkeypatch.setenv("CODEX_HOME", str(codex_dir))
+        result = detect_external_credentials()
        assert not any(c["provider"] == "openai-codex" for c in result)

-    def test_returns_empty_when_nothing_found(self, tmp_path):
-        with patch("hermes_cli.auth.resolve_codex_home_path", return_value=tmp_path / ".codex"):
-            result = detect_external_credentials()
+    def test_returns_empty_when_nothing_found(self, tmp_path, monkeypatch):
+        monkeypatch.setenv("CODEX_HOME", str(tmp_path / "nonexistent"))
+        result = detect_external_credentials()
        assert result == []