From 2bf73fbe2c2a3b85315345b89090062ab3f83622 Mon Sep 17 00:00:00 2001
From: johnncenae
Date: Thu, 30 Apr 2026 11:04:50 +0300
Subject: [PATCH] fix(cli): coerce tls insecure flag safely in auth state
---
 hermes_cli/auth.py | 6 +++---
 tests/hermes_cli/test_auth_nous_provider.py | 12 ++++++++++++
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/hermes_cli/auth.py b/hermes_cli/auth.py
index 7885e99d..586962d1 100644
--- a/hermes_cli/auth.py
+++ b/hermes_cli/auth.py
@@ -43,7 +43,7 @@ import yaml
 from hermes_cli.config import get_hermes_home, get_config_path, read_raw_config
 from hermes_constants import OPENROUTER_BASE_URL
-from utils import atomic_replace
+from utils import atomic_replace, is_truthy_value
 logger = logging.getLogger(__name__)
@@ -2480,8 +2480,8 @@ def _resolve_verify(
 tls_state = tls_state if isinstance(tls_state, dict) else {}
 effective_insecure = (
- bool(insecure) if insecure is not None
- else bool(tls_state.get("insecure", False))
+ is_truthy_value(insecure, default=False) if insecure is not None
+ else is_truthy_value(tls_state.get("insecure", False), default=False)
 )
 effective_ca = (
 ca_bundle
diff --git a/tests/hermes_cli/test_auth_nous_provider.py b/tests/hermes_cli/test_auth_nous_provider.py
index 75221b16..12931108 100644
--- a/tests/hermes_cli/test_auth_nous_provider.py
+++ b/tests/hermes_cli/test_auth_nous_provider.py
@@ -76,6 +76,18 @@ class TestResolveVerifyFallback:
 )
 assert result is False
+ def test_string_false_in_auth_state_does_not_disable_tls_verify(self):
+ from hermes_cli.auth import _resolve_verify
+
+ result = _resolve_verify(auth_state={"tls": {"insecure": "false"}})
+ assert result is True
+
+ def test_string_true_in_auth_state_disables_tls_verify(self):
+ from hermes_cli.auth import _resolve_verify
+
+ result = _resolve_verify(auth_state={"tls": {"insecure": "true"}})
+ assert result is False
+
 def test_no_ca_bundle_returns_true(self, monkeypatch):
 from hermes_cli.auth import _resolve_verify
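Review bot: Whether `effective_insecure` fails closed now depends entirely on `is_truthy_value`, which is imported from `utils` and not shown in this patch: any value it does not recognise (a misspelt string, a list, an unexpected number) has to come back as `False` so that certificate verification stays on. That contract deserves a comment next to the expression, for example `# Fail closed: anything not explicitly truthy keeps TLS verification enabled.` A hand-edited or tampered auth state can still switch verification off with `"true"`, so a `logger.warning(...)` when `effective_insecure` is true would make that visible, unless the part of `_resolve_verify` outside this hunk already logs it. The function starts and ends outside the hunk.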
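Review bot: Both new tests go through `auth_state` only, so the other branch this commit changes (the explicit `insecure` value, when it is not `None`) has no string case, and neither does a value that is neither `"true"` nor `"false"`. A case with a made-up value, such as `assert _resolve_verify(auth_state={"tls": {"insecure": "maybe"}}) is True`, would pin that unrecognised input keeps verification enabled. The `is True` assertion in `test_string_false_in_auth_state_does_not_disable_tls_verify` may also depend on the environment: the neighbouring `test_no_ca_bundle_returns_true` takes `monkeypatch`, which suggests a CA-bundle setting can change the return value, so the new test should probably clear the same settings. `TestResolveVerifyFallback` and `test_no_ca_bundle_returns_true` continue outside the hunk.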