PR #24902: fix(cli): hide deprecated hermes login from --help (#24756)

• Repository: NousResearch/hermes-agent
• Author: briandevans
• State: open | merged: False
• Link: https://github.com/NousResearch/hermes-agent/pull/24902

Description (problem / solution / changelog)

Summary

• Hide the deprecated hermes login subparser from hermes --help via help=argparse.SUPPRESS so users don't discover a command that no longer works.
• Keep the subparser registered so existing scripts/aliases that invoke hermes login [--flags] still receive the actionable deprecation message rather than an argparse invalid choice: 'login' error.
• Rewrite the parser description to match the runtime's deprecation message (visible if a user runs hermes login --help).

The bug

#24756 reports a confusing UX during fresh macOS setup:

hermes login --provider openai-codex is shown in help, but running it says the command was removed and to use hermes auth instead.

hermes login was deprecated in favor of hermes auth by #5670, but that PR only updated documentation and error-message references — it left the actual subparser registration in hermes_cli/main.py intact, with a help string "Authenticate with an inference provider" that still surfaces in hermes --help. When a user follows that lead, the runtime in hermes_cli/auth.py::login_command just prints "The 'hermes login' command has been removed" and exits.

The fix

1. subparsers.add_parser("login", help=argparse.SUPPRESS, description=…) — the misleading row in hermes --help is gone, but the parser keeps accepting the old flags so scripted callers don't break.
2. Description rewrites to mirror the runtime deprecation hint (hermes auth / hermes model / hermes setup), visible on hermes login --help.
3. Symmetric logout is intentionally left alone — logout_command is still fully functional (clears auth state, resets active provider config).

Same hiding pattern is already used in hermes_cli/kanban.py for an undocumented escape hatch flag, so this is consistent with project precedent.

Test plan

• Focused regression tests (tests/hermes_cli/test_startup_plugin_gating.py):
  • test_login_subparser_hidden_from_help_description — runs hermes --help in-process, asserts the misleading description row is gone, asserts the auth subcommand is still listed.
  • test_login_command_still_responds_with_deprecation_message — invokes login_command directly with a stub args, asserts SystemExit(0) and the "command has been removed" + "hermes auth" message contract is preserved for scripted callers.
• Adjacent suite: full tests/hermes_cli/test_startup_plugin_gating.py — 38 passed, 1 failed (test_builtin_set_covers_every_registered_subcommand is the unrelated pre-existing lsp baseline failure on origin/main; addressed by my open PR #24738).
• Regression guard: with the SUPPRESS change reverted, test_login_subparser_hidden_from_help_description fails with "Authenticate with an inference provider" still in --help. With the deprecation message gutted, test_login_command_still_responds_with_deprecation_message fails.

Scope note

#24756 bundles six independent setup issues (DMG install error -36, desktop installer stuck, default provider/model states, Codex device-authorization blocker, this login discoverability issue, and ~/.codex/auth.json not auto-imported). This PR fixes only the discoverability issue (item 5). The remaining items are out of scope and need separate triage — happy to follow up on ~/.codex/auth.json auto-import in a separate PR if useful.

Sibling code paths that may need the same fix: none — logout, auth, model, setup are all live functional commands. Only login is the deprecation shim.

Related

• Refs #24756 (one of six issues bundled in that report)
• Builds on #5670 (replaced stale docs/error references but left the visible subparser)

Changed files

• hermes_cli/main.py (modified, +11/-2)
• tests/hermes_cli/test_startup_plugin_gating.py (modified, +75/-0)