fix(auth): tighten except to OSError, add type hints, fix test imports

api/auth.py

@@ -191,14 +191,14 @@ def _load_key(filename: str) -> bytes:
             raw = key_file.read_bytes()
             if len(raw) >= 32:
                 return raw[:32]
-    except Exception:
+    except OSError:
         logger.debug("Failed to read key %s", filename)
     key = secrets.token_bytes(32)
     try:
         STATE_DIR.mkdir(parents=True, exist_ok=True)
         key_file.write_bytes(key)
         key_file.chmod(0o600)
-    except Exception:
+    except OSError:
         logger.debug("Failed to persist key %s", filename)
     return key
 
@@ -293,7 +293,7 @@ def is_auth_enabled() -> bool:
     return get_password_hash() is not None
 
 
-def verify_password(plain) -> bool:
+def verify_password(plain: str) -> bool:
     """Verify a plaintext password against the stored hash.
 
     Supports transparent migration of password hashes that were computed

tests/test_auth_password_hash_cache.py

@@ -17,6 +17,7 @@ the cached result.
 import importlib
 import os
 import sys
+import tempfile
 import threading
 import time
 import unittest
@@ -27,7 +28,6 @@ from pathlib import Path
 # sibling test files that need a fresh config import).  Deleting api.config
 # would change its module-level STATE_DIR global and leak into all
 # subsequently collected tests (breaking test_pytest_state_isolation.py).
-import tempfile
 _TEST_STATE = Path(tempfile.mkdtemp())
 os.environ["HERMES_WEBUI_STATE_DIR"] = str(_TEST_STATE)
 
@@ -64,7 +64,6 @@ class TestPasswordHashCache(unittest.TestCase):
         h = auth.get_password_hash()
         self.assertIsNotNone(h)
         self.assertIsInstance(h, str)
-        assert h is not None  # narrow type for type checker
         self.assertGreater(len(h), 10)
 
     def test_cache_flag_set_after_first_call(self):