"""Tests for provider env var blocklist in LocalEnvironment. Verifies that Hermes-internal provider env vars (OPENAI_BASE_URL, etc.) are stripped from subprocess environments so external CLIs are not silently misrouted. See: https://github.com/NousResearch/hermes-agent/issues/1002 """ import os import threading from unittest.mock import MagicMock, patch from tools.environments.local import ( LocalEnvironment, _HERMES_PROVIDER_ENV_BLOCKLIST, _HERMES_PROVIDER_ENV_FORCE_PREFIX, ) def _make_fake_popen(captured: dict): """Return a fake Popen constructor that records the env kwarg.""" def fake_popen(cmd, **kwargs): captured["env"] = kwargs.get("env", {}) proc = MagicMock() proc.poll.return_value = 0 proc.returncode = 0 proc.stdout = iter([]) proc.stdout.close = lambda: None proc.stdin = MagicMock() return proc return fake_popen def _run_with_env(extra_os_env=None, self_env=None): """Execute a command via LocalEnvironment with mocked Popen and return the env dict passed to the subprocess.""" captured = {} fake_interrupt = threading.Event() test_environ = { "PATH": "/usr/bin:/bin", "HOME": "/home/user", "USER": "testuser", } if extra_os_env: test_environ.update(extra_os_env) env = LocalEnvironment(cwd="/tmp", timeout=10, env=self_env) with patch("tools.environments.local._find_bash", return_value="/bin/bash"), \ patch("subprocess.Popen", side_effect=_make_fake_popen(captured)), \ patch("tools.terminal_tool._interrupt_event", fake_interrupt), \ patch.dict(os.environ, test_environ, clear=True): env.execute("echo hello") return captured.get("env", {}) class TestProviderEnvBlocklist: """Provider env vars loaded from ~/.hermes/.env must not leak.""" def test_blocked_vars_are_stripped(self): """OPENAI_BASE_URL and other provider vars must not appear in subprocess env.""" leaked_vars = { "OPENAI_BASE_URL": "http://localhost:8000/v1", "OPENAI_API_KEY": "sk-fake-key", "OPENROUTER_API_KEY": "or-fake-key", "ANTHROPIC_API_KEY": "ant-fake-key", "LLM_MODEL": "anthropic/claude-opus-4-6", } result_env = _run_with_env(extra_os_env=leaked_vars) for var in leaked_vars: assert var not in result_env, f"{var} leaked into subprocess env" def test_registry_derived_vars_are_stripped(self): """Vars from the provider registry (ANTHROPIC_TOKEN, ZAI_API_KEY, etc.) must also be blocked — not just the hand-written extras.""" registry_vars = { "ANTHROPIC_TOKEN": "ant-tok", "CLAUDE_CODE_OAUTH_TOKEN": "cc-tok", "ZAI_API_KEY": "zai-key", "Z_AI_API_KEY": "z-ai-key", "GLM_API_KEY": "glm-key", "KIMI_API_KEY": "kimi-key", "MINIMAX_API_KEY": "mm-key", "MINIMAX_CN_API_KEY": "mmcn-key", } result_env = _run_with_env(extra_os_env=registry_vars) for var in registry_vars: assert var not in result_env, f"{var} leaked into subprocess env" def test_safe_vars_are_preserved(self): """Standard env vars (PATH, HOME, USER) must still be passed through.""" result_env = _run_with_env() assert "HOME" in result_env assert result_env["HOME"] == "/home/user" assert "USER" in result_env assert "PATH" in result_env def test_self_env_blocked_vars_also_stripped(self): """Blocked vars in self.env are stripped; non-blocked vars pass through.""" result_env = _run_with_env(self_env={ "OPENAI_BASE_URL": "http://custom:9999/v1", "MY_CUSTOM_VAR": "keep-this", }) assert "OPENAI_BASE_URL" not in result_env assert "MY_CUSTOM_VAR" in result_env assert result_env["MY_CUSTOM_VAR"] == "keep-this" class TestForceEnvOptIn: """Callers can opt in to passing a blocked var via _HERMES_FORCE_ prefix.""" def test_force_prefix_passes_blocked_var(self): """_HERMES_FORCE_OPENAI_API_KEY in self.env should inject OPENAI_API_KEY.""" result_env = _run_with_env(self_env={ f"{_HERMES_PROVIDER_ENV_FORCE_PREFIX}OPENAI_API_KEY": "sk-explicit", }) assert "OPENAI_API_KEY" in result_env assert result_env["OPENAI_API_KEY"] == "sk-explicit" # The force-prefixed key itself must not appear assert f"{_HERMES_PROVIDER_ENV_FORCE_PREFIX}OPENAI_API_KEY" not in result_env def test_force_prefix_overrides_os_environ_block(self): """Force-prefix in self.env wins even when os.environ has the blocked var.""" result_env = _run_with_env( extra_os_env={"OPENAI_BASE_URL": "http://leaked/v1"}, self_env={f"{_HERMES_PROVIDER_ENV_FORCE_PREFIX}OPENAI_BASE_URL": "http://intended/v1"}, ) assert result_env["OPENAI_BASE_URL"] == "http://intended/v1" class TestBlocklistCoverage: """Sanity checks that the blocklist covers all known providers.""" def test_issue_1002_offenders(self): """Blocklist includes the main offenders from issue #1002.""" must_block = { "OPENAI_BASE_URL", "OPENAI_API_KEY", "OPENROUTER_API_KEY", "ANTHROPIC_API_KEY", "LLM_MODEL", } assert must_block.issubset(_HERMES_PROVIDER_ENV_BLOCKLIST) def test_registry_vars_are_in_blocklist(self): """Every api_key_env_var and base_url_env_var from PROVIDER_REGISTRY must appear in the blocklist — ensures no drift.""" from hermes_cli.auth import PROVIDER_REGISTRY for pconfig in PROVIDER_REGISTRY.values(): for var in pconfig.api_key_env_vars: assert var in _HERMES_PROVIDER_ENV_BLOCKLIST, ( f"Registry var {var} (provider={pconfig.id}) missing from blocklist" ) if pconfig.base_url_env_var: assert pconfig.base_url_env_var in _HERMES_PROVIDER_ENV_BLOCKLIST, ( f"Registry base_url_env_var {pconfig.base_url_env_var} " f"(provider={pconfig.id}) missing from blocklist" ) def test_extra_auth_vars_covered(self): """Non-registry auth vars (ANTHROPIC_TOKEN, CLAUDE_CODE_OAUTH_TOKEN) must also be in the blocklist.""" extras = {"ANTHROPIC_TOKEN", "CLAUDE_CODE_OAUTH_TOKEN"} assert extras.issubset(_HERMES_PROVIDER_ENV_BLOCKLIST)