Address cursor review: raise on unsupported endpoint, refresh session token per-request

fede-kamel · fede-kamel · commit 27abc5cd9449 · 2026-04-02T19:25:43.000-04:00
- transform_request_to_oci now raises ValueError for endpoints other than
  'embed' and 'chat' instead of silently returning the untransformed body
- Session token auth uses a refreshing wrapper that re-reads the token file
  before each signing call, so OCI CLI token refreshes are picked up without
  restarting the client
- Add test_unsupported_endpoint_raises to cover the new explicit error
- Update test_session_auth_prefers_security_token_signer to expect multi-call
  behaviour from the refreshing signer
diff --git a/src/cohere/oci_client.py b/src/cohere/oci_client.py
@@ -399,24 +399,46 @@ def map_request_to_oci(
     if "signer" in oci_config:
         signer = oci_config["signer"]  # Instance/resource principal
     elif "security_token_file" in oci_config:
-        # Session-based authentication with security token (fallback if no user field)
-        token_file_path = os.path.expanduser(oci_config["security_token_file"])
-        with open(token_file_path, "r") as f:
-            security_token = f.read().strip()
-
-        # Load private key using OCI's utility function
+        # Session-based authentication with security token.
+        # The token file is re-read on every request so that OCI CLI token refreshes
+        # (e.g. `oci session refresh`) are picked up without restarting the client.
         key_file = oci_config.get("key_file")
         if not key_file:
             raise ValueError(
                 "OCI config profile is missing 'key_file'. "
                 "Session-based auth requires a key_file entry in your OCI config profile."
             )
+        token_file_path = os.path.expanduser(oci_config["security_token_file"])
         private_key = oci.signer.load_private_key_from_file(os.path.expanduser(key_file))
 
-        signer = oci.auth.signers.SecurityTokenSigner(
-            token=security_token,
-            private_key=private_key,
-        )
+        class _RefreshingSecurityTokenSigner:
+            """Wraps SecurityTokenSigner and re-reads the token file before each signing call."""
+
+            def __init__(self) -> None:
+                self._token_file = token_file_path
+                self._private_key = private_key
+                self._refresh()
+
+            def _refresh(self) -> None:
+                with open(self._token_file, "r") as _f:
+                    _token = _f.read().strip()
+                self._signer = oci.auth.signers.SecurityTokenSigner(
+                    token=_token,
+                    private_key=self._private_key,
+                )
+
+            # Delegate all attribute access to the inner signer, refreshing first.
+            def __call__(self, *args: typing.Any, **kwargs: typing.Any) -> typing.Any:
+                self._refresh()
+                return self._signer(*args, **kwargs)
+
+            def __getattr__(self, name: str) -> typing.Any:
+                if name.startswith("_"):
+                    raise AttributeError(name)
+                self._refresh()
+                return getattr(self._signer, name)
+
+        signer = _RefreshingSecurityTokenSigner()
     elif "user" in oci_config:
         signer = oci.signer.Signer(
             tenancy=oci_config["tenancy"],
@@ -814,7 +836,10 @@ def transform_request_to_oci(
 
         return oci_body
 
-    return cohere_body
+    raise ValueError(
+        f"Endpoint '{endpoint}' is not supported by OCI Generative AI on-demand inference. "
+        "Supported endpoints: ['embed', 'chat']"
+    )
 
 
 def transform_oci_response_to_cohere(
diff --git a/tests/test_oci_client.py b/tests/test_oci_client.py
@@ -737,6 +737,15 @@ def test_v1_client_rejects_v2_request(self):
             )
         self.assertIn("OciClient ", str(ctx.exception))
 
+    def test_unsupported_endpoint_raises(self):
+        """Test that transform_request_to_oci raises for unsupported endpoints."""
+        from cohere.oci_client import transform_request_to_oci
+
+        with self.assertRaises(ValueError) as ctx:
+            transform_request_to_oci("rerank", {"model": "rerank-v3.5"}, "compartment-123")
+        self.assertIn("rerank", str(ctx.exception))
+        self.assertIn("not supported", str(ctx.exception))
+
     def test_v1_chat_request_optional_params(self):
         """Test V1 chat request forwards supported optional params."""
         from cohere.oci_client import transform_request_to_oci
@@ -930,10 +939,13 @@ def test_session_auth_prefers_security_token_signer(self):
 
             hook(request)
 
-        mock_oci.auth.signers.SecurityTokenSigner.assert_called_once_with(
+        # SecurityTokenSigner is called at least once (init) and again per request
+        # (token file is re-read on each signing call to pick up refreshed tokens).
+        mock_oci.auth.signers.SecurityTokenSigner.assert_called_with(
             token="session-token",
             private_key="private-key",
         )
+        self.assertGreaterEqual(mock_oci.auth.signers.SecurityTokenSigner.call_count, 1)
         mock_oci.signer.Signer.assert_not_called()
 
     def test_embed_response_lowercases_embedding_keys(self):
