Fix nous refresh token rotation failure in case where api key mint/retrieval fails#269
Merged
teknium1 merged 1 commit into main on Mar 5, 2026
Conversation
Contributor
Reviewed and merged to main via What was fixed:
Bonus improvements merged:
All 3 regression tests pass. Clean code, no issues found.
angelburgosrosado pushed a commit to angelburgosrosado/hermes-agent that referenced this pull request, Apr 27, 2026
… key mint failure

Fixes a bug where the refresh token was not persisted when the API key mint failed (e.g., 402 insufficient credits, timeout). The rotated refresh token was lost, causing subsequent auth attempts to fail with a stale token.

Changes:
- Persist auth state immediately after each successful token refresh, before attempting the mint
- Use latest in-memory refresh token on mint-retry paths (was using the stale original)
- Atomic durable writes for auth.json (temp file + fsync + replace)
- Opt-in OAuth trace logging (HERMES_OAUTH_TRACE=1, fingerprint-only)
- 3 regression tests covering refresh+402, refresh+timeout, and invalid-token retry behavior

Author: Robin Fernandes <rewbs>
olympus-terminal pushed a commit to olympus-terminal/hermes-agent that referenced this pull request, May 16, 2026
This was referenced May 22, 2026
rafe-walker added a commit to rafe-walker/kora that referenced this pull request, May 22, 2026
Phase 2 Feature 3 frontend. Pairs with CC#1 KR-FEAT-EMAIL (outbound-only after Option-D descope).
- Backend /api/email/recent stub (4 messages spanning inbound/outbound/filtered/attachment).
- EmailPanel.tsx — stats + filter pills + spoofing chip + HTML-metadata chip + attachment chip + 400-char body preview.
- Dashboard card #10 (Mail icon).

4-layer security contract with email-specific guards: no raw addresses (per-field + walk-payload) + message_id stub shape + plain-text rendering (with dangerouslySetInnerHTML ban) + walk-payload sweep for Purelymail-token-hints / HMAC-secret-shapes / bearer-token-shapes.

Layout: 10 cards = 3+3+3+1 wrapping to 3+3+4 in lg:grid-cols-3.

241/241 admin-panel tests pass across 21 suites; tsc --noEmit + vite build clean.

Flagged pre-existing: 4 tsc -b errors in HeartbeatPanel.tsx + DashboardPage.tsx from HeartbeatStatus enum drift (unknown added) and nullable last_check_at not propagated — confirmed on bare base, NOT introduced by this PR. Recommended cleanup alongside task NousResearch#269.
This was referenced May 22, 2026
rafe-walker added a commit to rafe-walker/kora that referenced this pull request, May 23, 2026
Closes BOTH task NousResearch#265 (slowapi placement) AND task NousResearch#269 (mcp_clients test failures — confirmed downstream of same import-chain issue per CC#2 investigation in PR #125).
- pyproject.toml: slowapi==0.1.9 moves from [web] optional-deps to runtime deps (next to aiosmtplib pin that set the precedent in PR #124).
- uv.lock regenerated.
- Exact-equals pin per the security policy in the dependencies-block header (2026-05-12 Mini Shai-Hulud response).

Base-install verification (uv sync --frozen --extra dev, NO --extra web): mcp_clients 19/19 pass (was 13 fail + 5 err); full admin-panel regression 271/271 across 23 suites.
Egavasyug pushed a commit to Egavasyug/hermes-agent that referenced this pull request, Jun 10, 2026
We observed that many users were hitting failures because the Nous refresh token was being re-used. Most of these users had also run out of subscription credits.
The root cause is that hermes-agent was not correctly persisting the new refresh token when the call to get a new API key failed (for example due to insufficient funds).
With this change, resolve_nous_runtime_credentials now persists auth state immediately after each successful refresh (including retry refreshes), uses the latest in-memory refresh token on mint-retry paths, and _save_auth_store now does atomic durable writes (temp file + fsync + replace). Added safe optional OAuth trace logging (HERMES_OAUTH_TRACE=1, fingerprint-only token IDs + sequence IDs) and regression tests covering refresh+402, refresh+timeout, and invalid-token retry behavior across retries/restarts.
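The failure mode the commit message and PR description above describe, as an added example that is not hermes-agent code: a constructed auth server that rotates the refresh token on every use (the old one stops working), a "before" resolver that only persists state after the API-key mint succeeds, and an "after" resolver that writes auth.json right after each refresh (temp file + fsync + os.replace) and retries with the latest in-memory token. All names here (FakeAuthServer, resolve_credentials_buggy, resolve_credentials_fixed, save_auth_store_atomic, run_scenario, fingerprint) are invented for illustration and do not correspond to the project's real functions.

```python
# Toy model of refresh-token rotation plus API-key mint. Not hermes-agent code: every
# name here is invented for illustration. The fake server invalidates a refresh token
# the moment it is used, so a rotated token never written to disk is gone for good.
import hashlib
import json
import os
import tempfile
from pathlib import Path

class MintFailed(Exception):
    """API-key mint failed, e.g. HTTP 402 insufficient credits or a timeout."""

class InvalidRefreshToken(Exception):
    """Refresh attempted with a token the server has already rotated away."""

def fingerprint(token: str) -> str:
    """Log-safe token identifier for trace output: short hash, never the secret."""
    return hashlib.sha256(token.encode()).hexdigest()[:8]

class FakeAuthServer:
    """Constructed stand-in for the auth backend: refresh rotates, mint needs credits."""

    def __init__(self, initial_refresh_token: str):
        self.valid_refresh_token = initial_refresh_token
        self.seq = 0
        self.credits = 0

    def refresh(self, refresh_token: str) -> dict:
        if refresh_token != self.valid_refresh_token:
            raise InvalidRefreshToken(fingerprint(refresh_token))
        self.seq += 1
        self.valid_refresh_token = f"rt-{self.seq}"  # the token just presented is now dead
        return {"access_token": f"at-{self.seq}", "refresh_token": self.valid_refresh_token}

    def mint_api_key(self, access_token: str) -> str:
        if self.credits <= 0:
            raise MintFailed("402 insufficient credits")
        return f"key-for-{access_token}"

def save_auth_store_atomic(path: Path, state: dict) -> None:
    """Durable write: temp file in the target directory, fsync, then rename over the target."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".", suffix=".tmp")
    with os.fdopen(fd, "w") as f:
        json.dump(state, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)  # atomic rename: readers see the old or the new file, never a torn one

def load_auth_store(path: Path) -> dict:
    return json.loads(path.read_text())

def resolve_credentials_buggy(server: FakeAuthServer, path: Path) -> str:
    """Before the fix: state reaches disk only after a successful mint."""
    state = load_auth_store(path)
    tokens = server.refresh(state["refresh_token"])
    api_key = server.mint_api_key(tokens["access_token"])  # on 402 the rotated token is never saved
    state.update(tokens, api_key=api_key)
    save_auth_store_atomic(path, state)
    return api_key

def resolve_credentials_fixed(server: FakeAuthServer, path: Path, retries: int = 1) -> str:
    """After the fix: persist right after each refresh; a retry uses the in-memory latest token."""
    state = load_auth_store(path)
    last_error = None
    for _ in range(retries + 1):
        tokens = server.refresh(state["refresh_token"])  # on retry this is the rotated token
        state.update(tokens)
        save_auth_store_atomic(path, state)  # durable before the mint gets a chance to fail
        try:
            api_key = server.mint_api_key(tokens["access_token"])
        except MintFailed as err:
            last_error = err
            continue
        state["api_key"] = api_key
        save_auth_store_atomic(path, state)
        return api_key
    raise last_error

def run_scenario(resolver) -> dict:
    """Mint fails with 402, the user buys credits, the agent restarts and tries again."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "auth.json"
        save_auth_store_atomic(path, {"refresh_token": "rt-0"})  # constructed initial state
        server = FakeAuthServer("rt-0")
        result = {}
        try:
            resolver(server, path)
        except MintFailed as err:
            result["first_attempt"] = str(err)
        server.credits = 10  # credits topped up; a fresh process reloads auth.json from disk
        try:
            result["second_attempt"] = resolver(server, path)
        except InvalidRefreshToken:
            result["second_attempt"] = "stale refresh token rejected"
        result["on_disk_refresh_token"] = load_auth_store(path)["refresh_token"]
        return result
```

Running `run_scenario(resolve_credentials_buggy)` leaves "rt-0" on disk after the 402 even though the server has already moved on, so the post-top-up attempt is rejected as a stale token; `run_scenario(resolve_credentials_fixed)` has the rotated token on disk before the mint can fail, and the restarted process mints a key on its first try. The temp-file + fsync + os.replace write matters for the same reason: a crash mid-write of auth.json would otherwise leave a torn file and, with a rotating token, no way to recover.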