From bc736ff5437bf73c9a762bd06a771408dbce711c Mon Sep 17 00:00:00 2001
From: teknium1 <127238744+teknium1@users.noreply.github.com>
Date: Fri, 29 May 2026 00:10:59 -0700
Subject: [PATCH] test(model-catalog): use exact URL equality in fallback tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CodeQL flagged 'hermes-agent.nousresearch.com' in url and similar substring checks as py/incomplete-url-substring-sanitization. The rule is about URL allowlist checks in production code, not test routing — there's no security boundary here. Switch to url == self.PRIMARY / self.FALLBACK, which is the same semantic and silences the rule.
---
 tests/hermes_cli/test_model_catalog.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/hermes_cli/test_model_catalog.py b/tests/hermes_cli/test_model_catalog.py
index fecd880e0..43ad6e42c 100644
--- a/tests/hermes_cli/test_model_catalog.py
+++ b/tests/hermes_cli/test_model_catalog.py
@@ -206,7 +206,7 @@ class TestFallbackChain:
 def fake_fetch(url, timeout):
 calls.append(url)
- if "hermes-agent.nousresearch.com" in url:
+ if url == self.PRIMARY:
 return None # simulate Vercel 403
 return _valid_manifest()
@@ -245,7 +245,7 @@ class TestFallbackChain:
 def fake_fetch(url, timeout):
 calls.append(url)
- if "hermes-agent.nousresearch.com" in url:
+ if url == self.PRIMARY:
 return None
 return manifest
@@ -253,7 +253,7 @@ class TestFallbackChain:
 result = model_catalog.get_catalog(force_refresh=True)
 assert result == manifest
- assert any("raw.githubusercontent.com" in c for c in calls)
+ assert self.FALLBACK in calls
 class TestCuratedAccessors:
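Review bot: In both `fake_fetch` stubs (first and second hunk) every URL other than `self.PRIMARY` now falls through to the manifest return, so a request to an unexpected address, or a primary URL that has drifted from the constant, is served as if it were the fallback. Making the stub strict would surface that: add `assert url == self.FALLBACK, url` before `return _valid_manifest()` and before `return manifest`. If `get_catalog` swallows exceptions raised by the fetcher, assert on `calls` after the call instead, as the third hunk does with `assert self.FALLBACK in calls`. `PRIMARY` and `FALLBACK` are defined outside these hunks and the enclosing test methods start above them, so whether the first test already pins the call list cannot be seen from here.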