From 95cf8f9842d7a368afe183dd5ae0ec138d36d172 Mon Sep 17 00:00:00 2001
From: kshitijk4poor <82637225+kshitijk4poor@users.noreply.github.com>
Date: Fri, 29 May 2026 14:19:06 +0530
Subject: [PATCH] refactor(auth): drop weak JWT-shape fallback in auxiliary _nous_api_key

The import-failure fallback returned any 3-segment token without scope/ expiry validation, a divergent reimplementation of the canonical _nous_invoke_jwt_is_usable check. The import is from the same module that provides resolve_nous_runtime_credentials, so a failure means the whole auxiliary Nous path is unavailable anyway; return "" instead so the caller falls through to the clear 'run: hermes auth add nous' guidance rather than handing back an unvalidated token.
---
 agent/auxiliary_client.py | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/agent/auxiliary_client.py b/agent/auxiliary_client.py
index 13b3a222c..9224ea263 100644
--- a/agent/auxiliary_client.py
+++ b/agent/auxiliary_client.py
@@ -1244,10 +1244,7 @@ def _read_nous_auth() -> Optional[dict]:
 
 def _nous_api_key(provider: dict) -> str:
 """Extract a usable Nous inference JWT from stored auth state."""
- try:
- from hermes_cli.auth import _nous_invoke_jwt_is_usable
- except Exception:
- _nous_invoke_jwt_is_usable = None
+ from hermes_cli.auth import _nous_invoke_jwt_is_usable
 
 for token_key, expiry_key in (
 ("agent_key", "agent_key_expires_at"),
@@ -1256,10 +1253,6 @@ def _nous_api_key(provider: dict) -> str:
 token = provider.get(token_key)
 if not isinstance(token, str) or not token.strip():
 continue
- if _nous_invoke_jwt_is_usable is None:
- if token.count(".") == 2:
- return token
- continue
 if _nous_invoke_jwt_is_usable(
 token,
 scope=provider.get("scope"),
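Review bot: The now-unconditional `from hermes_cli.auth import _nous_invoke_jwt_is_usable` at the top of `_nous_api_key` raises on import failure rather than returning `""`, which is the behaviour the commit description promises; neither hunk adds a `return ""`. Unless the caller (not visible here) catches that exception, the user gets a traceback instead of the 'run: hermes auth add nous' guidance. Dropping the unvalidated 3-segment fallback is the right call, but the fail-closed path should be explicit: keep the `try:` around the import and replace the old handler with `except ImportError:` followed by `return ""`. Narrowing from the previous `except Exception` also stops unrelated errors in `hermes_cli.auth` from being silently swallowed. The function body continues past the end of the second hunk, so the final return path could not be checked.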