Fj^FUdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl ZddlZddlZddlmZmZddlmZddlmZmZmZmZejeZdZdeZd ed Z d Z!d Z"ee#e#e#fZ$iZ%d e&d<dZ'dVdWdZ(dXdZ) dVdYdZ* dVdZd Z+eGd!d"Z,eGd#d$Z-d[d%Z.d&d'd\d*Z/d]d+Z0d]d,Z1d&d-d^d/Z2d_d2Z3d`d5Z4dad7Z5dbd;Z6dcd=Z7dd>d?d@ddAdddIZ8 dedfdKZ9dgdMZ:dNd@d&d>d?d@ddOdhdTZ;dVdidUZ/bin/bws`` on first use. Hermes pins one version (``_BWS_VERSION``) and downloads the matching asset from the official GitHub Releases page, verifying the SHA-256 against the release's published checksum file. * The access token is stored in ``~/.hermes/.env`` as ``BWS_ACCESS_TOKEN`` (or whatever name the user picked in ``secrets.bitwarden.access_token_env``). This is the one bootstrap secret — every other provider key can live in Bitwarden. * Pulling secrets is a single ``bws secret list --output json`` call. We cache the result in-process for ``cache_ttl_seconds`` so back-to-back ``hermes`` invocations don't hammer the API. * Failures NEVER block Hermes startup. Missing binary, no network, expired token, etc. all emit a one-line warning and continue with whatever credentials ``.env`` already had. The module is intentionally subprocess-driven rather than going through the ``bitwarden-sdk-secrets`` Python package: one cross-platform binary is easier to lazy-install than a wheels-with-Rust-extension dependency. ) annotationsN) dataclassfield)Path)DictListOptionalTuplez2.0.0z;https://github.com/bitwarden/sdk-sm/releases/download/bws-vzbws-sha256-checksums-z.txt<zDict[_CacheKey, '_CachedFetch']_CACHEzbws_cache.json home_pathOptional[Path]returnrc|6ttjdtjdz }|dz tz S)zReturn the disk cache path under hermes_home/cache/. `home_path` is what `load_hermes_dotenv()` already resolved; falling back to `$HERMES_HOME` / `~/.hermes` keeps direct callers working too. N HERMES_HOMEz.hermescache)rosgetenvhome_DISK_CACHE_BASENAMErs =/usr/local/lib/hermes-agent/agent/secret_sources/bitwarden.py_disk_cache_pathrXs? =$)++ 2IJJKK w !5 55 cache_key _CacheKeystrc"|\}}}|d|d|S)z:Serialize a cache key to a stable string for JSON storage.|)rtoken_fp project_id server_urls r_cache_key_strr%cs*'0$Hj* 2 2 2 2j 2 22r ttl_secondsfloatOptional['_CachedFetch']c|dkrdSt|} t|dd5}tj|}dddn #1swxYwYn#ttjf$rYdSwxYwt |tsdS|dt|krdS|d}|d}t |trt |ttfsdSd | D}t|t| } | |sdS| S) zReturn a cached entry from disk if fresh, else None. Best-effort: any I/O or parse error returns None and we re-fetch. rNrutf-8encodingkeysecrets fetched_atcni|]2\}}t|tt|t/||3Sr!) isinstancer).0kvs r z$_read_disk_cache..sP%%%AJq#,>,>%CMaQTCUCU% 1%%%rr/r0)ropenjsonloadOSErrorJSONDecodeErrorr2dictgetr%intr'items _CachedFetchis_fresh) rr&rpathfpayloadr/r0 typed_secretsentrys r_read_disk_cacherHis at I & &D $g . . . #!illG # # # # # # # # # # # # # # # T) *tt gt $ $t{{5^I6666tkk)$$G\**J gt $ $JzC<,P,Pt%% %%%M 5;L;L M M ME >>+ & &t Ls4AA  A AAAAA21A2rG'_CachedFetch'NonecZt|} |jddt||j|jd}t jddt|j\}} tj |dd 5}tj ||d d d n #1swxYwYtj |d tj||d S#t$r( tj|n#t"$rYnwxYwwxYw#t"$rYd SwxYw) zPersist a cache entry to disk atomically with mode 0600. Best-effort: any I/O error is swallowed (the next invocation will just re-fetch). We never want disk cache failures to break startup. Tparentsexist_ok)r.r/r0z .bws_cache_z.tmp)prefixsuffixdirwr+r,Ni)rparentmkdirr%r/r0tempfilemkstemprrfdopenr9dumpchmodreplace BaseExceptionunlinkr;)rrGrrCrEfdtmprDs r_write_disk_cacher_s I & &D  $666!),,}*  " S5E5E   C 2sW555 & '1%%% & & & & & & & & & & & & & & & HS% JsD ! ! ! ! !     #             slA%D7C'B0$ C'0B44C'7B48-C'' D2DD DDDDD D*)D*c,eZdZUded<ded<d dZd S) rADict[str, str]r/r'r0r&rboolcP|dkrdStj|jz |kS)NrF)timer0)selfr&s rrBz_CachedFetch.is_freshs* !  5 do-</bin/bws`` (our managed copy — preferred) 2. ``shutil.which("bws")`` (system PATH) When ``install_if_missing`` is True and neither resolves, this calls :func:`install_bws` to download and verify the pinned version. bwszbws auto-install failed: %sN) r}_platform_binary_nameexistsraccessX_OKshutilwhichr install_bws Exceptionloggerwarning)rmanagedsystemexcs rfind_bwsrs"7"9"99G~~BIgrw77 \% F F|| ==     NN8# > > >44444  4s; B B9B44B9c8tjdkrdndS)NWindowszbws.exer)platformrr!rrrrs ))Y6699EArctj}tj}|dkr dtdS|dkr|dvrdnd}d|d tdS|d krx|dvrdnd}d } t jd d gddd}d|j|jzvrd}n#tt j f$rYnwxYwd|d|dtdStd|d|)uMap (uname, arch, libc) → the upstream asset filename. Asset names follow Rust's target triple convention. Linux defaults to gnu (glibc); we switch to musl only if ldd --version says so. Darwinzbws-macos-universal-z.zipr)arm64aarch64rx86_64zbws-z-pc-windows-msvc-Linuxgnulddz --versionT)capture_outputtexttimeoutmuslz-unknown-linux--z+Unsupported platform for bws auto-install:  ) rrmachinelower _BWS_VERSION subprocessrunstdoutstderrr;TimeoutExpired RuntimeError)rrarchlibcress r_platform_asset_namersg _  F  &&((G 9l8888 #';;;yy?d??\???? #';;;yy . $# C #*sz188::::23    D DdDD4DD,DDDD HfHHwHH  s7?B77CC)forcerc pt}|dd|tz }|r|s|St }t d|}t dt }tjd5}t|}||z }|t z } t d|t||t|| t| |} t|} | | krt!d|d| d | t#j|5} t'| t} | | ||| z }d d d n #1swxYwYtjt-|d \}}t/j|t3j||t/j|t8jt8jzt8jzt8j zt8j!zt8j"zt8j#zt/j$||d d d n #1swxYwYt d tJ||S)uZDownload, verify, and install the pinned ``bws`` binary. Returns the path to the installed executable. Raises on any failure (network, checksum, extraction) — callers in the auto-install path catch these; the user-facing ``hermes secrets bitwarden setup`` surface lets them propagate so the wizard can show a clear error. TrL/z hermes-bws-)rOzDownloading %szChecksum mismatch for z : expected z, got Nz.bws_)rQrOzInstalled bws %s at %s)&r}rTrrr_BWS_RELEASE_BASE_BWS_CHECKSUM_NAMErUTemporaryDirectoryrrinfo_http_download_expected_sha256 _sha256_filerrzipfileZipFile_pick_zip_memberextractrVrrclosercopy2rYstatS_IRUSRS_IWUSRS_IXUSRS_IRGRPS_IXGRPS_IROTHS_IXOTHrZr)rbin_dirtarget asset_name asset_url checksum_urltmpdirr^zip_path checksum_pathexpectedactualzfmember extractedr]stageds rrr!sG MM$M... ,.. .F }}u %''J$33z33I'>>*<>>L  $M : : :!#f6ll#00  $i000y(+++|]333#M:>>h'' >>  v||~~ - -555$55,255  _X & & %"%b*?*A*ABBF JJvs # # #f I % % % % % % % % % % % % % % %%#g,,wGGG F   Y'''   L4< '$, 6l !\ *l !\ *   66"""C!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#F KK(,??? Ms8CJ 8F" J "F& &J )F& *CJ  JJurldestctj|ddi} tj|t5}t |d5}t j||dddn #1swxYwYddddS#1swxYwYdS#tjj $r}td|d||d}~wwxYw)Nz User-Agentz hermes-agent)headers)rwbzFailed to download : ) urllibrequestRequesturlopen_BWS_DOWNLOAD_TIMEOUTr8r copyfileobjrpURLErrorr)rrreqresprDrs rrr[sd . |^.L M MCH ^ # #C1F # G G ,4dD!! ,Q"4+++ , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , < HHH=====>>CGHs_&B# BA>2 B>B BB B B#BB#BB##C7C  C checksum_filerc0|dd}|D]Q}|}t |dkr|d|kr |dcSRt d|d|j) zParse the upstream ``bws-sha256-checksums-X.Y.Z.txt`` file. Format is the standard ``sha256sum`` output: `` ``, one per line. r+rZ)r-errorsrrzNo checksum entry for z in ) read_text splitlinesstripsplitlenrname)rrrlinepartss rrres  " "GI " F FD!! ""$$ u::??uRyJ668OOO EEE1CEE  rrCctj}t|d5tfddD]}|| dddn #1swxYwY|S)Nrbc.dS)Ni)read)rDsrz_sha256_file..xs!&&--rr)hashlibsha256r8iterupdate hexdigest)rChchunkrDs @rrrusA dD  Q////55  E HHUOOOO  ;;==s,AA"%A"rzipfile.ZipFile binary_namecfd|D}|s0tdd|ddd|t|dS) zFind the binary inside the upstream zip. Historically the archive has been flat (``bws`` at the root) but we tolerate a top-level directory just in case upstream changes. cRg|]#}|ddk!|$S)rr)r)r3nrs r z$_pick_zip_member..s2NNNaggcll2.>+.M.M!.M.M.MrzCould not find z% inside downloaded archive (members: Nz...))r.r)namelistrsortr)rr candidatess ` rrr}s ONNNR[[]]NNNJ   1k 1 1rr* 1 1 1   OOO a=rtokenctj|dddS)uESHA-256 prefix used as a cache key — never logged, never displayed.r+N)rrencoder)rs r_token_fingerprintr s3 >%,,w// 0 0 : : < /cache/bws_cache.json`` (for back-to-back CLI invocations). Both share the same TTL. Pass ``home_path`` so disk cache lookups find the right directory in tests / non-standard installs; otherwise we fall back to ``$HERMES_HOME`` / ``~/.hermes``. Raises :class:`RuntimeError` for fatal conditions (missing binary, auth failure, unparseable output). Callers in the env_loader path catch this and emit a single warning; callers in the user-facing setup wizard let it propagate. zBitwarden access token is emptyzBitwarden project_id is emptyr NTr~ubws binary not available — auto-install failed and `bws` is not on PATH. Install manually from https://github.com/bitwarden/sdk-sm/releases or re-run `hermes secrets bitwarden setup`.r7) rr r r>rBr/rHr _run_bws_listrArdr_)rr#r r rr$rrcached disk_cachedrr/rorGs rfetch_bitwarden_secretsrsR@ ><=== <:;;;#L11:z?ORPI +I&&  &foo&788 &>2% %&y2CYOO  "!,F9 &* *  5H555C { 0   &c<ZPPGX TY[[ A A AEF97)UI666 H rrct|dd|ddg}tj}||d<|dd|r||d< t j||d d t }nP#t j$r}td td |d}~wt$r}td ||d}~wwxYw|j dkrX|j p|j pddd}td|j d|dd|j } | sidgfS t!j| } n*#t j$r}td||d}~wwxYwt'| t(s$tdt+| ji} g} | D]} t'| t.s| d}| d}t'|trt'|tsmt3|s| d|d|| |<| | fS)Nsecretrvz--outputr9BWS_ACCESS_TOKENNO_COLOR1BWS_SERVER_URLT)envrrrzbws timed out after zs fetching secretszfailed to invoke bws: rr z bws exited rz'bws returned no output (empty project?)zbws returned non-JSON output: zbws returned unexpected shape: r.valuezSkipping secret z: not a valid env-var name)rrenvironcopy setdefaultrr_BWS_RUN_TIMEOUTrrr; returncoderrrrZr9loadsr<r2rvtyperfr=r>_is_valid_env_nameappend)rrr#r$cmdrprocrerrrawrEr/roitemr.rs rrrs s88Xvz:v FC *//  C*CNN:s### + *  D~ $      $ G#3 G G G    DDD9C99::CD !{/dk/R6688@@LL 8$/ 8 8S#Y 8 8    +    C ?=>>>L*S//  LLLACAABBKL gt $ $  Fd7mm.D F F   !GH  $%%  hhuoo!!#s## :eS+A+A  !#&&  OOD3DDD     H s<A66CB C+B>>C EF.FFrc|sdS|ds|ddksdStd|DS)NFr_c3JK|]}|p|dkVdS)r/N)isalnum)r3cs r z%_is_valid_env_name..'s3551qyy{{&a3h555555r)isalphaall)rs rr'r'"sS u GOO  aCu 55555 5 55rr)access_token_envr#override_existingr  auto_installr$renabledr6r7r8ct}|s|Stj|d} | s d|d|_|S|s d|_|St |} | |_| d|_|S t| || |||\} } n-#t$r } t| |_|cYd} ~ Sd} ~ wwxYw| |_ |j | | D]\}}||kr|j|&|s:tj|r|j|b|tj|<|j||S) u8Pull secrets from BSM and set them on ``os.environ``. This is the function ``load_hermes_dotenv()`` calls after the .env files have loaded. It is intentionally defensive — any failure returns a :class:`FetchResult` with ``error`` set; it never raises. ``server_url`` selects the Bitwarden region or self-hosted endpoint (e.g. ``https://vault.bitwarden.eu`` for EU Cloud). Empty string means use ``bws``'s default (US Cloud). Parameters mirror the ``secrets.bitwarden.*`` config keys so the caller can just splat the dict in. r z&secrets.bitwarden.enabled is true but z3 is not set. Run `hermes secrets bitwarden setup`.zMsecrets.bitwarden.project_id is empty. Run `hermes secrets bitwarden setup`.r~Nzhbws binary not available and auto-install is disabled. Run `hermes secrets bitwarden setup` to install.)rr#r r r$r)rkrr r>rrprrqrrrr/roextendr@rnr(rm)r9r6r#r7r r8r$rresultrr r/rorr.rs rapply_bitwarden_secretsr=/s0]]F  :>>"2B77==??L  >5E > > >    4    6 6 6FF ~ ?    3%!/!     3xx  FN O8$$$mmoo # # U " " " N ! !# & & &   RZ^^C%8%8  N ! !# & & &  3c"""" MsB C%C:CCct t|dS#tt f$rYdSwxYw)zClear in-process AND disk caches. Tests can pass ``home_path`` to scope the disk cleanup to a tmpdir. Without it we fall back to the same default resolution as the cache writer itself. N)r clearrr\FileNotFoundErrorr;rs r_reset_cache_for_testsrAs] LLNNN ##**,,,,, w '     s!>AArs)rrrr)rrrr)rrr&r'rrrr()rrrGrIrrrrJ)rr)rrbrr)rr)rrbrr)rrrrrrJ)rrrrrr)rCrrr)rrrrrr)rrrr)rrr#rr rr r'rrbr$rrrrr)r ) rrrrr#rr$rrr)rrrrb)r9rbr6rr#rr7rbr r'r8rbr$rrrrrk)rrrrJ)=ru __future__rrr9loggingrrrrrrUrd urllib.errorrurllib.requestr dataclassesrrpathlibrtypingrrr r getLoggerrfrrrrrr#rrr rirrr%rHr_rArkr}rrrrrrrrr rrr'r=rAr!rrrJs:#"""""    ((((((((............  8 $ $ Q,PP@\??? #sC- *,,,,,(66666333326B37      F ======= =  " " " " " " "  "(%%%%,16BBBB''''T"'777777tHHHH     ,BBBB"" $@@@@@@HFHDDDDDN6666 /#" $RRRRRRt        r