refactor(auth): drop weak JWT-shape fallback in auxiliary _nous_api_key

The import-failure fallback returned any 3-segment token without scope/ expiry validation, a divergent reimplementation of the canonical _nous_invoke_jwt_is_usable check. The import is from the same module that provides resolve_nous_runtime_credentials, so a failure means the whole auxiliary Nous path is unavailable anyway; return "" instead so the caller falls through to the clear 'run: hermes auth add nous' guidance rather than handing back an unvalidated token.
2026-05-29 14:19:06 +05:30
parent 4e4984a11a
commit 95cf8f9842
1 changed files with 1 additions and 8 deletions
--- a/agent/auxiliary_client.py
+++ b/agent/auxiliary_client.py
@ -1244,10 +1244,7 @@ def _read_nous_auth() -> Optional[dict]:

 def _nous_api_key(provider: dict) -> str:
    """Extract a usable Nous inference JWT from stored auth state."""
-    try:
-        from hermes_cli.auth import _nous_invoke_jwt_is_usable
-    except Exception:
-        _nous_invoke_jwt_is_usable = None
+    from hermes_cli.auth import _nous_invoke_jwt_is_usable

    for token_key, expiry_key in (
        ("agent_key", "agent_key_expires_at"),
@ -1256,10 +1253,6 @@ def _nous_api_key(provider: dict) -> str:
        token = provider.get(token_key)
        if not isinstance(token, str) or not token.strip():
            continue
-        if _nous_invoke_jwt_is_usable is None:
-            if token.count(".") == 2:
-                return token
-            continue
        if _nous_invoke_jwt_is_usable(
            token,
            scope=provider.get("scope"),