Cradicle Explorer
hermes-agent
/ tests / hermes_cli / test_profile_export_credentials.py
test_profile_export_credentials.py
 1  """Tests for credential exclusion during profile export.
 2  
 3  Profile exports should NEVER include auth.json or .env — these contain
 4  API keys, OAuth tokens, and credential pool data. Users share exported
 5  profiles; leaking credentials in the archive is a security issue.
 6  """
 7  
 8  import tarfile
 9  from pathlib import Path
10  
11  from hermes_cli.profiles import export_profile, _DEFAULT_EXPORT_EXCLUDE_ROOT
12  
13  
14  class TestCredentialExclusion:
15  
16      def test_auth_json_in_default_exclude_set(self):
17          """auth.json must be in the default export exclusion set."""
18          assert "auth.json" in _DEFAULT_EXPORT_EXCLUDE_ROOT
19  
20      def test_dotenv_in_default_exclude_set(self):
21          """.env must be in the default export exclusion set."""
22          assert ".env" in _DEFAULT_EXPORT_EXCLUDE_ROOT
23  
24      def test_named_profile_export_excludes_auth(self, tmp_path, monkeypatch):
25          """Named profile export must not contain auth.json or .env."""
26          profiles_root = tmp_path / "profiles"
27          profile_dir = profiles_root / "testprofile"
28          profile_dir.mkdir(parents=True)
29  
30          # Create a profile with credentials
31          (profile_dir / "config.yaml").write_text("model: gpt-4\n")
32          (profile_dir / "auth.json").write_text('{"tokens": {"access": "sk-secret"}}')
33          (profile_dir / ".env").write_text("OPENROUTER_API_KEY=sk-secret-key\n")
34          (profile_dir / "SOUL.md").write_text("I am helpful.\n")
35          (profile_dir / "memories").mkdir()
36          (profile_dir / "memories" / "MEMORY.md").write_text("# Memories\n")
37  
38          monkeypatch.setattr("hermes_cli.profiles._get_profiles_root", lambda: profiles_root)
39          monkeypatch.setattr("hermes_cli.profiles.get_profile_dir", lambda n: profile_dir)
40          monkeypatch.setattr("hermes_cli.profiles.validate_profile_name", lambda n: None)
41  
42          output = tmp_path / "export.tar.gz"
43          result = export_profile("testprofile", str(output))
44  
45          # Check archive contents
46          with tarfile.open(result, "r:gz") as tf:
47              names = tf.getnames()
48  
49          assert any("config.yaml" in n for n in names), "config.yaml should be in export"
50          assert any("SOUL.md" in n for n in names), "SOUL.md should be in export"
51          assert not any("auth.json" in n for n in names), "auth.json must NOT be in export"
52          assert not any(".env" in n for n in names), ".env must NOT be in export"