6jyoUdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddlmZmZddlmZddlmZejeZejdz dz Zd Zd Zed Zed Zed ZedZedZdZ dZ!hdZ"hdZ#hdZ$dZ%dZ&dZ'iZ(de)d<ej*Z+dZ,d]dZ-dZ.d^d Z/d_d"Z0d`dad&Z1d'Z2d`dbd)Z3dcd*Z4ddd-Z5d.Z6ded0Z7dfd1Z8dfd2Z9dgd5Z:dgd6Z;dhd7Zd:d;did@Z?djdAZ@dkdDZAdldGZBdgdHZCdgdIZDdgdJZEdgdKZFdmdLZGd`dndOZHdhdPZIdodTZJdhdUZKdpdVZLdqdXZMdrdYZNdqdZZOd[ZPdsd\ZQdS)ta/In-app OAuth flow implementations for onboarding. The browser receives only WebUI-local flow metadata (flow_id, user_code, verification_uri, high-level status). Provider device/auth codes and OAuth tokens stay server-side and are persisted to the active Hermes profile's ``auth.json`` credential_pool. ) annotationsN)datetimetimezone)Path)Any.hermes auth.jsonzhttps://auth.openai.comapp_EMoamEEZ73f0CkXaXp7hrannz /codex/devicez!/api/accounts/deviceauth/usercodez/api/accounts/deviceauth/tokenz /oauth/tokenz/deviceauth/callbackz%https://chatgpt.com/backend-api/codexi>claude anthropic claude-code openai-codex>r r r > gemini-cli qwen-oauth copilot-acp minimax-oauthgoogle-gemini-clinouscopilotminimaxz9Claude Code credential linking failed. Check server logs.zdict[str, dict[str, Any]] _OAUTH_FLOWS)ANTHROPIC_TOKENANTHROPIC_API_KEYreturnNonecddlm}|5tD]"}tj|d# ddddS#1swxYwYdS)zCClear Anthropic process env fallbacks under the streaming env lock.r _ENV_LOCKN) api.streamingr_ANTHROPIC_ENV_KEYSosenvironpop)rkeys /root/hermes-webui/api/oauth.py#_clear_process_anthropic_env_valuesr'>s'''''' &&& & &C JNN3 % % % % &&&&&&&&&&&&&&&&&&&s+AA AcVddlm}|5||i|cdddS#1swxYwYdS)avResolve runtime credentials under the Anthropic onboarding env lock. Request paths must resolve Anthropic env fallbacks per outbound request, not cache ANTHROPIC_TOKEN or ANTHROPIC_API_KEY across onboarding. Sharing the process-env lock prevents a chat stream from observing one stale Anthropic env value while onboarding has already cleared the other. rrN)r r)resolverargskwargsrs r&0resolve_runtime_provider_with_anthropic_env_lockr,Gs(''''' ))x((())))))))))))))))))s ""providerstrct|pd}|tvrdS|pdS)Nr r)r.striplower_ANTHROPIC_PROVIDER_ALIASES)r-s r&$_normalize_onboarding_oauth_providerr4UsG8>r""((**0022H...{  %~%rc ddlm}t|S#t$r;}td|tjdz cYd}~Sd}~wwxYw)Nr)get_active_hermes_homez\Falling back to ~/.hermes for OAuth credential storage: active-profile resolution failed: %sr) api.profilesr7r Exceptionloggerwarninghome)r7excs r&_get_active_hermes_homer>\s '777777**,,---  ' ' '  3    y{{Y&&&&&&& 's A$0AA$A$ auth_path Path | Nonedict[str, Any]c8|pt}|r| tj|d}t |t r|niS#tj$r(}t d||icYd}~Sd}~wwxYwiS)zDRead auth.json and return parsed dict, or an empty compatible store.utf-8encodingzFailed to parse %s: %sN) AUTH_JSON_PATHexistsjsonloads read_text isinstancedictJSONDecodeErrorr:r;)r?pathloadedr=s r&_read_auth_jsonrPos  &D {{}} Z @ @AAF'55=662 =#    NN3T3 ? ? ?IIIIII  IsAA B/B BBctS)z7Public wrapper for streaming credential self-heal code.)rPr5r&read_auth_jsonrS|s   r5datacn|pt}|jdd||jdt jdtjj } | tj |dddzd  | d n3#t$r&}td ||Yd }~nd }~wwxYw|| | t$jt$jzn#t$rYnwxYw| |r|SS#t$rYSwxYw# |r|ww#t$rYwwxYwxYw)zAtomically write auth.json with owner-only permissions. OAuth access/refresh tokens live in this file. The temp file is chmod 0600 before rename so the final path never inherits a permissive process umask. T)parentsexist_okz.tmp..F)indent ensure_ascii rCrDizFailed to chmod 0600 on %s: %sN)rFparentmkdir with_namenamer"getpiduuiduuid4hex write_textrHdumpschmodOSErrorr:r;replacestatS_IRUSRS_IWUSRrGunlink)rTr?rNtmpr=s r&_write_auth_jsonros  &DKdT222 ..DILLBIKKLL$*,,:JLL M MC tz$quEEELW^___ G IIe     G G G NN;S# F F F F F F F F G D  JJt|dl2 3 3 3 3    D  zz||       D  zz||       D s0/E8 B65E86 C&C!E8!C&&E8?,D,+E8, D96E88D99E8>(E(( E54E58F4:(F$"F4$ F1.F40F11F4ctjtjddS)Nz+00:00Z)rnowrutc isoformatrirRr5r&_now_isorus0 < % % / / 1 1 9 9(C H HHr5 hermes_home token_datac Ht|dpd}t|dpd}|stdt |dz }t |}|dd|di}t|tsi}||d<|d g}t|tsg}||d <t}d } d d h} |D]2} t| tr| d | vr| } n3| Fdtj j d dzdddd t|d} |d| | dddd ||t||d ||d<t#||} ddlm} | d n,#t($rt*ddYnwxYw| S)z>DDFFM RPQQQ[!!K/I 9 % %DOOIq!!! ??,b 1 1D dD ! !'"& oonb11G gt $ $'&^ **C E ,^)rws r&_save_codex_credentialsrs %&=&?&? L LLr5dict[str, Any] | Nonec ddlm}m}|}|r/||s"t|dr|Sn2#t $r%}t d|Yd}~nd}~wwxYwdS)zRead Claude Code OAuth credentials from the host without exposing them. Delegates to the agent adapter which knows about ~/.claude/.credentials.json and macOS Keychain. Returns the credential dict or None. r)is_claude_code_token_validread_claude_code_credentials refreshTokenz*Could not read Claude Code credentials: %sN)agent.anthropic_adapterrrboolrr9r:r)rrcredsr=s r&_read_claude_code_credentialsrs H        -,..   & &u - - 15eii6O6O1P1P L HHH A3GGGGGGGGH 4sAA A5A00A5c ddlm}|t|dz dtDn2#t$r%}t d|Yd}~nd}~wwxYwtdS)a)Clear Anthropic API/setup-token env values in the active profile only. The .env write path already clears os.environ while holding the streaming env lock. Keep a locked process-env clear here too so import/write failures cannot leave or partially clear stale Anthropic fallbacks. r)_write_env_filez.envci|]}|dSrrR).0r%s r& z/_clear_anthropic_env_values..s 6 6 63S$ 6 6 6r5z(Failed to clear Anthropic env values: %sN) api.providersrrr!r9r:r;r')rvrr=s r&_clear_anthropic_env_valuesrsH111111    & 6 6"5 6 6 6     HHHA3GGGGGGGGH')))))s14 A#AA#cJt|t|dz }t|}|dd|di}t |t si}||d<|dg}t |t sg}||d<t}d}|D]4}t |t r|ddkr|}n5|@d tj j dd zd d d d|d}| d || d d d d|d||d<t|| d dlm}|ddS#t"$r t$ddYdSwxYw)uLink Hermes to use Claude Code's credential store. Clears ANTHROPIC_TOKEN and ANTHROPIC_API_KEY from the Hermes .env so that resolve_anthropic_token() falls through to reading Claude Code's ~/.claude/.credentials.json directly — the same thing the CLI's ``use_anthropic_claude_code_credentials()`` does. Also writes a marker entry in auth.json credential_pool so that ``_provider_oauth_authenticated("anthropic", ...)`` can detect the linked state without touching the actual credential files. r r{r|r}r Nrclaude_code_linkedzanthropic-claude-code-rzClaude Code (linked)rr)rrrrrr)rrrrrrr/Failed to invalidate anthropic credential cacheTr)rrrPrrKrLrrurrbrcrdrrrorrr9r:r) rvr?rrrrrrrrs r&_link_anthropic_credentialsrs  ,,,[!!K/I 9 % %DOOIq!!! ??,b 1 1D dD ! !'"& ook2..G gt $ $$#[ **C E i & & 9==+B+BFZ+Z+ZE E }*TZ\\-=crc-BB+ *    q%    LL'& DT9%%%W??????((55555 WWW FQU VVVVVVWs%E88&F"!F"flow_idflowcdd||dd|dtd}|ddkrd|d<|d r |d |d <|S) NTr statuspendingpoll_interval_seconds)okr-rrruClaude Code credentials were not found on this server. Please run 'claude login' or 'claude setup-token' in a terminal on the host, then return here — this page will detect the credentials automatically.action_required expires_at)r!ANTHROPIC_CREDENTIAL_POLL_SECONDSrrpayloads r&_anthropic_public_start_payloadrTs((8Y//!%*ACd!e!e G xxY&& e !"  xx 3 $\ 2  Nr5cdd||ddd}|ddkr|dr t|d<|S)NTr rerrorrr-rr)rANTHROPIC_PUBLIC_LINK_ERRORrs r& _anthropic_public_status_payloadrgsa((8W-- G  xxW$$'):):$6 Nr5chtjt|fd}|dSNT)targetr*daemon) threadingThread _run_anthropic_credential_workerstartrworkers r&"_spawn_anthropic_credential_workerrss5  /wjF LLNNNNNr5c  t5tt|pi}dddn #1swxYwY|sdS|ddkrdSt |dpdt jkrt |ddSt jtdt|d ptt5t|}|r|ddkr ddddS dddn #1swxYwY t}|rt5t|}|r|ddkr ddddS dddn #1swxYwYt|d }t|t5t|}|r|ddkr)t|o|dd k}n,d |d<t j|d <t|d}dddn #1swxYwY|rt!|dS#t"$r}t$d|t5t|}|rU|ddkr??dCdeeffggg  ##G,,D 488H--::        :                " 133E}#  &**733'++h"7"79"D"D        "D                tM233K ' 4 4 4" & &&**733&'++h"7"79"D"D $W%UX1F1F+1U V VII(1GH%,0IKKGL)/888 %I & & & & & & & & & & & & & & & ;-k::: F    NNDc J J J" 9 9&**7339w{{844 AA(/GH%,0IKKGL)'*3xxGG$/888  9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 FFFFF s*?AA7EEE!J63J6:7G 1 J6? J6 GJ6G.J6B J J6JJ6J J66 M6"M1"A2M  M1 M$ $M1'M$ (M11M6cPt|dz }t|}|d}t|tsdS|d}t|t sdSd|D}t |t |krdS|r||d<n|ddt|d<t|| ddl m }|ddS#t$r td d YdSwxYw) zHRemove the secret-free Claude Code linked marker after a cancelled race.r r}Nr cng|]2}t|tr|ddk0|3S)rr)rKrLr)rrs r& z1_remove_anthropic_link_marker..s? x x xez%/F/F x599U]K^K^bvKvKvEKvKvKvr5rrrrTr)rrPrrKrLrlenr$rurorrr9r:r)rvr?rrrkeptrs r&rrsW[!!K/I 9 % %D 88% & &D dD ! !hh{##G gt $ $ x xw x x xD 4yyCLL   $ [ d###!DT9%%%W??????((55555 WWW FQU VVVVVVWs(C;;&D%$D%Fformurlrrrc|r5tj|d}d}n)t j|d}d}tj||d|dd}tj|d5}t j | dcdddS#1swxYwYdS) NrCz!application/x-www-form-urlencodedzapplication/jsonPOST)z Content-TypeAccept)rTmethodheaders)timeout) urllibparse urlencodeencoderHrfrequestRequesturlopenrIreaddecode)rrrrT content_typereqresps r& _json_requestrs( *|%%g..55g>>: z'""))'22) .  !-9KLL !  C   R  0 07Dz$))++,,W5566777777777777777777s(9C..C25C2c:ttdtiS)N client_id)rCODEX_USER_CODE_URLCODEX_CLIENT_IDrRr5r&_request_codex_user_coders ,{O.L M MMr5device_auth_id user_codec tt||dS#tjj$r}|jdvrYd}~dSd}~wwxYw)N)rr)ii)rCODEX_DEVICE_TOKEN_URLrr HTTPErrorcode)rrr=s r&_poll_codex_authorizationrsj "-I F F    < ! 8z ! !44444 sA >>Aauthorization_code code_verifierc Pttd|tt|ddS)Nr ) grant_typer redirect_urirr Tr)rCODEX_TOKEN_URLCODEX_REDIRECT_URIr)r r s r&_exchange_codex_authorizationrs: .&.(*       r5c dd||ddt|dd|d|dd d S) NTrrrrr0rrr)rr-rrverification_urirrr)rCODEX_VERIFICATION_URI)rrs r&_codex_public_start_payloadrs`"((8Y//2XXk2..hh|,,!%*A1!E!E   r5cdd||ddd}|ddkrB|dr-t|ddd|d<|S)NTrrrr)rr.rs r&_codex_public_status_payloadr s~"((8W-- G  xxW$$'):):$txx0011$3$7 Nr5cz|dd}|dkrt||St||SNr-rr )rrrrrr-s r&_public_start_payloadrs@xx N33H;.w=== &w 5 55r5cz|dd}|dkrt||St||Sr)rrrrs r&_public_status_payloadrs@xx N33H;/>>> ' 6 66r5c<dD]}||ddS)N)rr r ryrzrw)r$)rr%s r&rr&s6 dr5rr float | Nonec|ptj}|dz }t5ttD]\}}|d}|dkrrrrrr) rrrritemsrrrr$)rrcutofffidrrs r&_cleanup_oauth_flowsr$2sS C 3YF ,,l002233 , ,ICXXh''F""uTXXl-C-C-Hq'I'IS'P'P!*X+D111EEE%PTPXPXYePfPfPkjkJlJlouJuJu  d+++  ,,,,,,,,,,,,,,,,,,,sC C;;C?C?chtjt|fd}|dSr)rr_run_codex_oauth_workerrrs r&_spawn_codex_oauth_workerr'?s.  %rrrr)rrrrrr)rrr(rs r&rrDs ..((  ........ X!Y[[\ F A A A ' - - -..................sBABB Bc ^ t5tt|pi}dddn #1swxYwY|sdS|d}|dkrdSt |dpdt jkrt |ddSt jtdt|dpd t5tt|pi}dddn #1swxYwY|ddkrdS tt|d pd t|d pd }|t|d pd  }t|dpd  }|r|stdt||}t5t|}|r|ddkr ddddS dddn #1swxYwYtt!|d|t |ddS#t"$rE} t$d| t |dt| Yd} ~ dSd} ~ wwxYw)NTrrrrrr|rrrr0rr r z@Device auth response missing authorization_code or code_verifierrvrz&Codex OAuth onboarding flow failed: %sr)r)rrLrrrrrrrrrr.r1rrrrr9r:r;) rrrr code_respr r tokensrr=s r&r&r&Ps+  9 9 ((117R88D 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9  F(## Y   F ,'',1 - - < < Wi 0 0 0 F 3q#dhh'>??D1EEFFGGG  9 9 ((117R88D 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 88H   * * F 1DHH-..4"55DHH[))/R00I !$Y]]3G%H%H%NB!O!O!U!U!W!W  o > > D"EEKKMMM% g] g"#efff23E}UUF#  &**733'++h"7"79"D"D        "D                'tD,?'@'@& I I I Wi 0 0 0 F    NNCS I I I WgSXX > > > > FFFFF sk*?AA*D77D;>D;AK6BK 7J K KJ!!K$J!%6K L,':L''L,ct}tjj}|rt |ddt |t jt jd}t5|t|<dddn #1swxYwYt||St jtz}dd|tt |t jt jd}t5|t|<dddn #1swxYwYt|t||S)zDStart or immediately complete the Anthropic credential-linking flow.r r)r-rrvrrNr)r-rrrrvrr) rrbrcrdrr.rrrrANTHROPIC_FLOW_MAX_WAIT_SECONDSrr)rvrrrrs r&_start_anthropic_flowr/s ) + +EjllG 4#K000#{++)++)++    ) )$(L ! ) ) ) ) ) ) ) ) ) ) ) ) ) ) )$Wd333>>J !B;''ikkikk  D %% $ W%%%%%%%%%%%%%%%&w/// $ / //s$6 B  BB DD#&D#bodyc <tt|pidpd}|t vr)|t vs|rtdtd|tvrttSt} t}n%#t$r}td||d}~wwxYwt|dpd}t|dpd}|r|std td t|d pd }t|d pt }t#jt%t|dt z} t'jj} dd||| |t|t#jt#jd } t,5| t.| <dddn #1swxYwYt1| t3| | S)zStart the supported onboarding OAuth flow. Supports OpenAI Codex (device-code flow) and Anthropic/Claude Code (credential-linking flow). Other providers are rejected. r-r0zXOnly OpenAI Codex and Anthropic/Claude OAuth are supported in WebUI onboarding right nowzprovider is requiredzFailed to start Codex OAuth: Nrrz,Device code response missing required fieldsintervalr expires_in<rr) r-rrrrrrvrr)r$r.rr1r2#_ALLOWED_ONBOARDING_OAUTH_PROVIDERS$_REJECTED_ONBOARDING_OAUTH_PROVIDERS ValueErrorr3r/r>rr9rrrCODEX_FLOW_MAX_WAIT_SECONDSrminrbrcrdrrr'r) r0r-rvdevicer=rrr3r4rrrs r&start_onboarding_oauth_flowr<s DJB##J//5266<<>>DDFFH::: ; ; ;x ;0 /000...$%<%>%>???*++KK)++ KKK@3@@AAsJKFJJ{++1r2288::I$455;<<BBDDN KNKIJJJ1c&**Z005A6677HVZZ --L1LMMJs3z2#6#68STTTJjllG"( !);''ikkikk  D %% $ W%%%%%%%%%%%%%%%g&&& $ / //s*>C C/C**C/ I44I8;I8cPtt|pd}|stdt5t |}|std|ddkrct|dpdtj kr*d|d<tj |d <t|t|t|cdddS#1swxYwYdS) Nr0flow_id is requiredzOAuth flow not foundrrrrrr) r$r.r1r8rrrKeyErrorrrrrrL)rr#rs r&poll_onboarding_oauth_flowr@sT gm   " " $ $C 0./// 77$$ 3122 2 88H   * *uTXXl5K5K5Pq/Q/QUYU^U`U`/`/`&DN!%D  ' - - -%c4::66777777777777777777s CDD"Dcft|pidpd}|stdt t|pidpd}|dvrd}t 5t |}|sd||dd cdddS|d d kr*d|d <tj|d <t|t|t|}dddn #1swxYwY|S) Nrr0r>r->r rrTrrrrr) r.rr1r8r4rrrrrrL)r0r#requested_providerrresults r&cancel_onboarding_oauth_flowrDs tzry))/R 0 0 6 6 8 8C 0.///=c4:2BRBRS]B^B^Bdbd>e>eff!>>>+ 99$$ g,>3Zeff99999999 88H   * *(DN!%D  ' - - -'T$ZZ88999999999999999 Ms #D&:A D&&D*-D*c$tddiS)Nr-r)r<rRr5r&start_codex_device_coderFs & N'C D DDr5c#KdddVdS)Nrz+Use /api/onboarding/oauth/poll with flow_id)rrrR) device_coder3s r&poll_codex_tokenrIs!'T U UUUUUUr5)rr)r-r.rr.)rrr)r?r@rrA)rTrAr?r@rr)rr.)rvrrwrArr)rr)rvrrr)rr.rrArrA)rr.rr)rr.rrArrrrA)rrA)rr.rr.rr)r r.r r.rrA)rrArr)rrrrr)rr.rr.r(rrr)rvrrrA)r0rrrA)rr.rrA)r)R__doc__ __future__rrHloggingr"rjrrrb urllib.errorr urllib.parseurllib.requestrrpathlibrtypingr getLogger__name__r:r<rF CODEX_ISSUERrrrrrrrr9r6r3r7rr.rr__annotations__Lockrr!r'r,r4r>rPrSrorurrrrrrrrrrrrrrrrrrrr$r'rr&r/r<r@rDrFrIrRr5r&rWs#"""""   ''''''''  8 $ $y(;6( 0(777%HHH(HHH!///$:::8%&\&\&\#DDD ( ( ($%&!")Y*, ,,,,"IN$$>&&&& ) ) )&&&&''''&      :IIIIBBBBLMMM ,****&:W:W:W:Wz&    7777tWWWW8FK777777"NNNN                66667777     , , , , , . . . .,,,,^!0!0!0!0H20202020j 7 7 7 7 *EEEVVVVVVr5