From 8ca29618fea7dea575c48da30ea61e0150260d28 Mon Sep 17 00:00:00 2001
From: Lucas Coutinho <lrclucas@gmail.com>
Date: Wed, 13 May 2026 12:27:27 -0300
Subject: [PATCH] fix(auth): tighten except to OSError, add type hints, fix
 test imports

---
 api/auth.py                            | 6 +++---
 tests/test_auth_password_hash_cache.py | 3 +--
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/api/auth.py b/api/auth.py
index 30c785c0..b725724f 100644
--- a/api/auth.py
+++ b/api/auth.py
@@ -191,14 +191,14 @@ def _load_key(filename: str) -> bytes:
             raw = key_file.read_bytes()
             if len(raw) >= 32:
                 return raw[:32]
-    except Exception:
+    except OSError:
         logger.debug("Failed to read key %s", filename)
     key = secrets.token_bytes(32)
     try:
         STATE_DIR.mkdir(parents=True, exist_ok=True)
         key_file.write_bytes(key)
         key_file.chmod(0o600)
-    except Exception:
+    except OSError:
         logger.debug("Failed to persist key %s", filename)
     return key
 
@@ -293,7 +293,7 @@ def is_auth_enabled() -> bool:
     return get_password_hash() is not None
 
 
-def verify_password(plain) -> bool:
+def verify_password(plain: str) -> bool:
     """Verify a plaintext password against the stored hash.
 
     Supports transparent migration of password hashes that were computed
diff --git a/tests/test_auth_password_hash_cache.py b/tests/test_auth_password_hash_cache.py
index 00b5be16..a74ebbd4 100644
--- a/tests/test_auth_password_hash_cache.py
+++ b/tests/test_auth_password_hash_cache.py
@@ -17,6 +17,7 @@ the cached result.
 import importlib
 import os
 import sys
+import tempfile
 import threading
 import time
 import unittest
@@ -27,7 +28,6 @@ from pathlib import Path
 # sibling test files that need a fresh config import).  Deleting api.config
 # would change its module-level STATE_DIR global and leak into all
 # subsequently collected tests (breaking test_pytest_state_isolation.py).
-import tempfile
 _TEST_STATE = Path(tempfile.mkdtemp())
 os.environ["HERMES_WEBUI_STATE_DIR"] = str(_TEST_STATE)
 
@@ -64,7 +64,6 @@ class TestPasswordHashCache(unittest.TestCase):
         h = auth.get_password_hash()
         self.assertIsNotNone(h)
         self.assertIsInstance(h, str)
-        assert h is not None  # narrow type for type checker
         self.assertGreater(len(h), 10)
 
     def test_cache_flag_set_after_first_call(self):