hermes - ✅(Solved) Fix ACP authenticate() accepts unadvertised method_id values [1 pull requests, 2 comments, 3 participants]

GitHub stats

NousResearch/hermes-agent#13452 (fetched 2026-04-22 08:06:27)
Comments: 2, participants: 3, timeline events: 6, reactions: 0
Timeline: labeled ×3, commented ×2, cross-referenced ×1

HermesACPAgent.initialize() advertises a single runtime auth method based on detect_provider(), but authenticate(method_id=...) ignores the requested method id and returns success whenever has_provider() is true.


PR fix notes

PR #13533: fix(acp): reject unadvertised auth methods

Description (problem / solution / changelog)

Summary

  • validate method_id against the runtime provider advertised during ACP initialization
  • keep authentication behavior unchanged when the requested method matches the configured provider
  • add a regression test covering a mismatched method_id

Fixes #13452

Root Cause

HermesACPAgent.initialize() advertises a single auth method derived from detect_provider(), but authenticate() previously ignored the requested method_id and returned success whenever any provider was configured. That allowed clients to authenticate with method ids the server never advertised.

Validation

  • PYTHONPATH=/Users/zzl/.hermes/hermes-agent-pr-13452 /Users/zzl/.hermes/hermes-agent-update-20260421/venv/bin/python -m pytest -o addopts= tests/acp/test_server.py -q
  • PYTHONPATH=/Users/zzl/.hermes/hermes-agent-pr-13452 /Users/zzl/.hermes/hermes-agent-update-20260421/venv/bin/python -m py_compile acp_adapter/server.py tests/acp/test_server.py
  • git diff --check

Changed files

  • acp_adapter/server.py (modified, +2/-1)
  • tests/acp/test_server.py (modified, +13/-4)

Original issue body

Summary

HermesACPAgent.initialize() advertises a single runtime auth method based on detect_provider(), but authenticate(method_id=...) ignores the requested method id and returns success whenever has_provider() is true.

Affected files / lines

  • acp_adapter/server.py:227-236
  • acp_adapter/server.py:259-262

Why this is a bug

Initialization exposes an explicit auth contract:

provider = detect_provider()
auth_methods = [AuthMethodAgent(id=provider, ...)]

But authentication does not validate against that contract:

async def authenticate(self, method_id: str, **kwargs):
    if has_provider():
        return AuthenticateResponse()

So a client can ask for an auth method the server never advertised and still get success.

Minimal reproduction

import asyncio
from unittest.mock import patch
from acp_adapter.server import HermesACPAgent

async def repro():
    with patch('acp_adapter.server.detect_provider', return_value='openai'), \
         patch('acp_adapter.server.has_provider', return_value=True):
        agent = HermesACPAgent()
        init = await agent.initialize()
        auth = await agent.authenticate(method_id='anthropic')
        print([m.id for m in init.auth_methods])
        print(type(auth).__name__)

asyncio.run(repro())

Observed locally:

['openai']
AuthenticateResponse

Expected behavior

If the client requests a method id other than the advertised runtime auth method, authentication should fail (e.g. return None / reject the method).

Actual behavior

Any method id succeeds as long as some provider is configured.

Suggested investigation

Validate method_id against the detected/advertised provider before returning AuthenticateResponse, and add a regression test for a mismatched method id.

Extent analysis

TL;DR

Validate the method_id parameter against the detected provider in the authenticate method to ensure it matches the advertised auth method.

Guidance

  • Modify the authenticate method to check if the provided method_id matches the detected provider before returning AuthenticateResponse.
  • Add a regression test to cover the scenario where the client requests a method id that does not match the advertised runtime auth method.
  • Review the detect_provider and has_provider functions to ensure they are correctly determining the available authentication methods.
  • Consider adding error handling to return a meaningful error message when the requested method id does not match the advertised method.

Example

async def authenticate(self, method_id: str, **kwargs):
    provider = detect_provider()
    if method_id != provider or not has_provider():
        return None  # or raise an exception
    return AuthenticateResponse()
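To make the contract mismatch described under "Why this is a bug" and the fix sketched in the example above concrete, here is an added, self-contained model of the initialize()/authenticate() pair. It is not code from hermes-agent: the classes AuthMethod, InitializeResponse, AuthenticateResponse and the two agent classes are local stand-ins that mirror the names on the page, detect_provider()/has_provider() read a constructed CONFIGURED_KEYS dict instead of real environment variables, and the "anthropic"/"openai" ids are the ones from the issue's reproduction. The unchecked agent reproduces the observed behaviour; the validated agent rejects any method id that initialize() did not advertise, and run_mismatch()/run_match() are the regression checks the PR summary calls for.

```python
"""
Added example (not hermes-agent code): an ACP-style agent whose initialize()
advertises one auth method and whose authenticate() either ignores or
validates the requested method_id. Names are stand-ins for the ones on the page.
"""
import asyncio
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the process environment (no real keys are read).
CONFIGURED_KEYS = {"OPENAI_API_KEY": "sk-constructed-example"}


def detect_provider() -> Optional[str]:
    """Stand-in for detect_provider(): first configured provider wins."""
    if "OPENAI_API_KEY" in CONFIGURED_KEYS:
        return "openai"
    if "ANTHROPIC_API_KEY" in CONFIGURED_KEYS:
        return "anthropic"
    return None


def has_provider() -> bool:
    """Stand-in for has_provider(): true when any provider is configured."""
    return detect_provider() is not None


@dataclass
class AuthMethod:
    id: str
    name: str


@dataclass
class InitializeResponse:
    auth_methods: list = field(default_factory=list)


@dataclass
class AuthenticateResponse:
    method_id: str


class UncheckedAgent:
    """Before the fix: method_id is accepted but never compared to the contract."""

    def __init__(self) -> None:
        self.advertised: set = set()

    async def initialize(self) -> InitializeResponse:
        provider = detect_provider()
        methods = [AuthMethod(id=provider, name=f"{provider} API key")] if provider else []
        self.advertised = {m.id for m in methods}  # what the client was told
        return InitializeResponse(auth_methods=methods)

    async def authenticate(self, method_id: str, **kwargs) -> Optional[AuthenticateResponse]:
        if has_provider():  # method_id is ignored: any id succeeds
            return AuthenticateResponse(method_id=method_id)
        return None


class ValidatedAgent(UncheckedAgent):
    """After the fix: only an id advertised by initialize() is accepted."""

    async def authenticate(self, method_id: str, **kwargs) -> Optional[AuthenticateResponse]:
        if not has_provider():
            return None
        if method_id not in self.advertised:  # unadvertised (or pre-initialize) -> reject
            return None
        return AuthenticateResponse(method_id=method_id)


def run_mismatch(agent_cls) -> tuple:
    """Replay the issue's repro: advertise 'openai', then request 'anthropic'."""
    async def _go():
        agent = agent_cls()
        init = await agent.initialize()
        auth = await agent.authenticate(method_id="anthropic")
        return [m.id for m in init.auth_methods], type(auth).__name__
    return asyncio.run(_go())


def run_match(agent_cls) -> str:
    """Control case: request the id that was actually advertised."""
    async def _go():
        agent = agent_cls()
        await agent.initialize()
        auth = await agent.authenticate(method_id="openai")
        return type(auth).__name__
    return asyncio.run(_go())


if __name__ == "__main__":
    print("unchecked, mismatched id:", run_mismatch(UncheckedAgent))  # (['openai'], 'AuthenticateResponse')
    print("validated, mismatched id:", run_mismatch(ValidatedAgent))  # (['openai'], 'NoneType')
    print("validated, matching id:", run_match(ValidatedAgent))       # AuthenticateResponse
```

One design choice differs from the page's example: ValidatedAgent compares against the set it actually sent in the initialize response rather than calling detect_provider() again, so the check enforces exactly the contract the client saw even if provider detection could change between the two calls; a side effect is that authenticate() before initialize() is rejected, which is the safer default for a handshake protocol.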

Notes

This fix assumes that the detect_provider function correctly determines the available authentication method. If this function is not reliable, additional debugging may be necessary.

Recommendation

Apply the workaround by modifying the authenticate method to validate the method_id parameter, as this will ensure that the authentication method matches the advertised method and prevent potential security vulnerabilities.

