fix(tools): add debug logging for token refresh and tighten domain check

- Add logger + debug log to read_nous_access_token() catch-all so token
  refresh failures are observable instead of silently swallowed
- Tighten _is_nous_auxiliary_client() domain check to use proper URL
  hostname parsing instead of substring match, preventing false-positives
  on domains like not-nousresearch.com or nousresearch.com.evil.com

tools/managed_tool_gateway.py

@@ -3,11 +3,14 @@
 from __future__ import annotations
 
 import json
+import logging
 import os
 from datetime import datetime, timezone
 from dataclasses import dataclass
 from typing import Callable, Optional
 
+logger = logging.getLogger(__name__)
+
 from hermes_constants import get_hermes_home
 from tools.tool_backend_helpers import managed_nous_tools_enabled
 
@@ -93,8 +96,8 @@ def read_nous_access_token() -> Optional[str]:
         )
         if isinstance(refreshed_token, str) and refreshed_token.strip():
             return refreshed_token.strip()
-    except Exception:
-        pass
+    except Exception as exc:
+        logger.debug("Nous access token refresh failed: %s", exc)
 
     return cached_token
 

tools/web_tools.py

@@ -445,8 +445,11 @@ DEFAULT_MIN_LENGTH_FOR_SUMMARIZATION = 5000
 
 def _is_nous_auxiliary_client(client: Any) -> bool:
     """Return True when the resolved auxiliary backend is Nous Portal."""
-    base_url = str(getattr(client, "base_url", "") or "").lower()
-    return "nousresearch.com" in base_url
+    from urllib.parse import urlparse
+
+    base_url = str(getattr(client, "base_url", "") or "")
+    host = (urlparse(base_url).hostname or "").lower()
+    return host == "nousresearch.com" or host.endswith(".nousresearch.com")
 
 
 def _resolve_web_extract_auxiliary(model: Optional[str] = None) -> tuple[Optional[Any], Optional[str], Dict[str, Any]]: