fix spaces config and ci and hf oauth

.github/scripts/deploy_to_hf_space.py

@@ -3,6 +3,7 @@
 import os
 import shutil
 import subprocess
+import tempfile
 from pathlib import Path
 from typing import Set
 
@@ -48,7 +49,6 @@ def get_excluded_files() -> Set[str]:
         "mkdocs.yml",
         "uv.lock",
         "AGENTS.txt",
-        "CONTRIBUTING.md",
         ".env",
         ".env.local",
         "*.local",
@@ -147,8 +147,36 @@ def deploy_to_hf_space() -> None:
         )
         print(f"✅ Created new Space: {repo_id}")
     
+    # Configure Git credential helper for authentication
+    # This is needed for Git LFS to work properly with fine-grained tokens
+    print("🔐 Configuring Git credentials...")
+    
+    # Use Git credential store to store the token
+    # This allows Git LFS to authenticate properly
+    temp_dir = Path(tempfile.gettempdir())
+    credential_store = temp_dir / ".git-credentials-hf"
+    
+    # Write credentials in the format: https://username:token@huggingface.co
+    credential_store.write_text(f"https://{hf_username}:{hf_token}@huggingface.co\n", encoding="utf-8")
+    try:
+        credential_store.chmod(0o600)  # Secure permissions (Unix only)
+    except OSError:
+        # Windows doesn't support chmod, skip
+        pass
+    
+    # Configure Git to use the credential store
+    subprocess.run(
+        ["git", "config", "--global", "credential.helper", f"store --file={credential_store}"],
+        check=True,
+        capture_output=True,
+    )
+    
+    # Also set environment variable for Git LFS
+    os.environ["GIT_CREDENTIAL_HELPER"] = f"store --file={credential_store}"
+    
     # Clone repository using git
-    space_url = f"https://{hf_token}@huggingface.co/spaces/{repo_id}"
+    # Use the token in the URL for initial clone, but LFS will use credential store
+    space_url = f"https://{hf_username}:{hf_token}@huggingface.co/spaces/{repo_id}"
     
     if Path(local_dir).exists():
         print(f"🧹 Removing existing {local_dir} directory...")
@@ -163,10 +191,58 @@ def deploy_to_hf_space() -> None:
             text=True,
         )
         print(f"✅ Cloned Space repository")
+        
+        # After clone, configure the remote to use credential helper
+        # This ensures future operations (like push) use the credential store
+        os.chdir(local_dir)
+        subprocess.run(
+            ["git", "remote", "set-url", "origin", f"https://huggingface.co/spaces/{repo_id}"],
+            check=True,
+            capture_output=True,
+        )
+        os.chdir("..")
+        
     except subprocess.CalledProcessError as e:
         error_msg = e.stderr if e.stderr else e.stdout if e.stdout else "Unknown error"
         print(f"❌ Failed to clone Space repository: {error_msg}")
-        raise RuntimeError(f"Git clone failed: {error_msg}") from e
+        
+        # Try alternative: clone with LFS skip, then fetch LFS files separately
+        print("🔄 Trying alternative clone method (skip LFS during clone)...")
+        try:
+            env = os.environ.copy()
+            env["GIT_LFS_SKIP_SMUDGE"] = "1"  # Skip LFS during clone
+            
+            subprocess.run(
+                ["git", "clone", space_url, local_dir],
+                check=True,
+                capture_output=True,
+                text=True,
+                env=env,
+            )
+            print(f"✅ Cloned Space repository (LFS skipped)")
+            
+            # Configure remote
+            os.chdir(local_dir)
+            subprocess.run(
+                ["git", "remote", "set-url", "origin", f"https://huggingface.co/spaces/{repo_id}"],
+                check=True,
+                capture_output=True,
+            )
+            
+            # Try to fetch LFS files with proper authentication
+            print("📥 Fetching LFS files...")
+            subprocess.run(
+                ["git", "lfs", "pull"],
+                check=False,  # Don't fail if LFS pull fails - we'll continue without LFS files
+                capture_output=True,
+                text=True,
+            )
+            os.chdir("..")
+            print(f"✅ Repository cloned (LFS files may be incomplete, but deployment can continue)")
+        except subprocess.CalledProcessError as e2:
+            error_msg2 = e2.stderr if e2.stderr else e2.stdout if e2.stdout else "Unknown error"
+            print(f"❌ Alternative clone method also failed: {error_msg2}")
+            raise RuntimeError(f"Git clone failed: {error_msg}") from e
     
     # Get exclusion sets
     excluded_dirs = get_excluded_dirs()
@@ -266,6 +342,12 @@ def deploy_to_hf_space() -> None:
                 capture_output=True,
             )
             print("📤 Pushing to Hugging Face Space...")
+            # Ensure remote URL uses credential helper (not token in URL)
+            subprocess.run(
+                ["git", "remote", "set-url", "origin", f"https://huggingface.co/spaces/{repo_id}"],
+                check=True,
+                capture_output=True,
+            )
             subprocess.run(
                 ["git", "push"],
                 check=True,
@@ -286,6 +368,14 @@ def deploy_to_hf_space() -> None:
     finally:
         # Return to original directory
         os.chdir(original_cwd)
+        
+        # Clean up credential store for security
+        try:
+            if credential_store.exists():
+                credential_store.unlink()
+        except Exception:
+            # Ignore cleanup errors
+            pass
     
     print(f"🎉 Successfully deployed to: https://huggingface.co/spaces/{repo_id}")
 

README.md

@@ -10,7 +10,14 @@ app_file: src/app.py
 hf_oauth: true
 hf_oauth_expiration_minutes: 480
 hf_oauth_scopes:
- - inference-api
+  # Required for HuggingFace Inference API (includes all third-party providers)
+  # This scope grants access to:
+  # - HuggingFace's own Inference API
+  # - Third-party inference providers (nebius, together, scaleway, hyperbolic, novita, nscale, sambanova, ovh, fireworks, etc.)
+  # - All models available through the Inference Providers API
+  - inference-api
+  # Optional: Uncomment if you need to access user's billing information
+  # - read-billing
 pinned: true
 license: mit
 tags:

dev/__init__.py

@@ -7,3 +7,4 @@
 
 
 
+

docs/LICENSE.md

@@ -26,3 +26,6 @@ SOFTWARE.
 
 
 
+
+
+

src/app.py

@@ -110,11 +110,29 @@ def configure_orchestrator(
     # 2. API Key (OAuth or Env) - HuggingFace only (OAuth provides HF token)
     # Priority: oauth_token > env vars
     # On HuggingFace Spaces, OAuth token is available via request.oauth_token
+    # 
+    # OAuth Scope Requirements:
+    # - 'inference-api': Required for HuggingFace Inference API access
+    #   This scope grants access to:
+    #   * HuggingFace's own Inference API
+    #   * All third-party inference providers (nebius, together, scaleway, hyperbolic, novita, nscale, sambanova, ovh, fireworks, etc.)
+    #   * All models available through the Inference Providers API
+    #   See: https://huggingface.co/docs/hub/oauth#currently-supported-scopes
+    # 
+    # Note: The hf_provider parameter is accepted but not used here because HuggingFaceProvider
+    # from pydantic-ai doesn't support provider selection. Provider selection happens at the
+    # InferenceClient level (used in HuggingFaceChatClient for advanced mode).
     effective_api_key = oauth_token or os.getenv("HF_TOKEN") or os.getenv("HUGGINGFACE_API_KEY")
+    
+    # Log which authentication source is being used
+    if effective_api_key:
+        auth_source = "OAuth token" if oauth_token else ("HF_TOKEN env var" if os.getenv("HF_TOKEN") else "HUGGINGFACE_API_KEY env var")
+        logger.info("Using HuggingFace authentication", source=auth_source, has_token=bool(effective_api_key))
 
     if effective_api_key:
         # We have an API key (OAuth or env) - use pydantic-ai with JudgeHandler
-        # This uses HuggingFace's own inference API, not third-party providers
+        # This uses HuggingFace Inference API, which includes access to all third-party providers
+        # via the Inference Providers API (router.huggingface.co)
         model: Any | None = None
         # Use selected model or fall back to env var/settings
         model_name = (
@@ -132,6 +150,7 @@ def configure_orchestrator(
         # Per https://ai.pydantic.dev/models/huggingface/#configure-the-provider
         # HuggingFaceProvider accepts api_key parameter directly
         # This is consistent with usage in src/utils/llm_factory.py and src/agent_factory/judges.py
+        # The OAuth token with 'inference-api' scope provides access to all inference providers
         provider = HuggingFaceProvider(api_key=effective_api_key)  # type: ignore[misc]
         model = HuggingFaceModel(model_name, provider=provider)  # type: ignore[misc]
         backend_info = "API (HuggingFace OAuth)" if oauth_token else "API (Env Config)"
@@ -599,11 +618,14 @@ async def research_agent(
         # OAuthToken has a .token attribute containing the access token
         if hasattr(oauth_token, "token"):
             token_value = oauth_token.token
+            logger.debug("OAuth token extracted from oauth_token.token attribute")
         elif isinstance(oauth_token, str):
             # Handle case where oauth_token is already a string (shouldn't happen but defensive)
             token_value = oauth_token
+            logger.debug("OAuth token extracted as string")
         else:
             token_value = None
+            logger.warning("OAuth token object present but token extraction failed", oauth_token_type=type(oauth_token).__name__)
 
     if oauth_profile is not None:
         # OAuthProfile has .username, .name, .profile_image attributes
@@ -616,6 +638,8 @@ async def research_agent(
                 else None
             )
         )
+        if username:
+            logger.info("OAuth user authenticated", username=username)
 
     # Check if user is logged in (OAuth token or env var)
     # Fallback to env vars for local development or Spaces with HF_TOKEN secret
@@ -695,10 +719,21 @@ async def research_agent(
         model_id = hf_model if hf_model and hf_model.strip() else None
         provider_name = hf_provider if hf_provider and hf_provider.strip() else None
 
+        # Log authentication source for debugging
+        auth_source = "OAuth" if token_value else ("Env (HF_TOKEN)" if os.getenv("HF_TOKEN") else ("Env (HUGGINGFACE_API_KEY)" if os.getenv("HUGGINGFACE_API_KEY") else "None"))
+        logger.info(
+            "Configuring orchestrator",
+            mode=effective_mode,
+            auth_source=auth_source,
+            has_oauth_token=bool(token_value),
+            model=model_id or "default",
+            provider=provider_name or "auto",
+        )
+
         orchestrator, backend_name = configure_orchestrator(
             use_mock=False,  # Never use mock in production - HF Inference is the free fallback
             mode=effective_mode,
-            oauth_token=token_value,  # Use extracted token value
+            oauth_token=token_value,  # Use extracted token value - passed to all agents and services
             hf_model=model_id,  # None will use defaults in configure_orchestrator
             hf_provider=provider_name,  # None will use defaults in configure_orchestrator
             graph_mode=graph_mode if graph_mode else None,

src/tools/searchxng_web_search.py

@@ -126,3 +126,4 @@ class SearchXNGWebSearchTool:
 
 
 
+

src/tools/serper_web_search.py

@@ -126,3 +126,4 @@ class SerperWebSearchTool:
 
 
 
+

src/tools/vendored/crawl_website.py

@@ -138,3 +138,4 @@ async def crawl_website(starting_url: str) -> list[ScrapeResult] | str:
 
 
 
+

src/tools/vendored/searchxng_client.py

@@ -107,3 +107,4 @@ class SearchXNGClient:
 
 
 
+

src/tools/vendored/serper_client.py

@@ -103,3 +103,4 @@ class SerperClient:
 
 
 
+

src/tools/vendored/web_search_core.py

@@ -212,3 +212,4 @@ def is_valid_url(url: str) -> bool:
 
 
 
+

src/tools/web_search_factory.py

@@ -79,3 +79,4 @@ def create_web_search_tool() -> SearchTool | None:
 
 
 
+

src/utils/markdown.css

@@ -17,3 +17,4 @@ body {
 
 
 
+

src/utils/md_to_pdf.py

@@ -77,3 +77,4 @@ def md_to_pdf(md_text: str, pdf_file_path: str) -> None:
 
 
 
+

src/utils/message_history.py

@@ -170,3 +170,4 @@ def create_relevance_processor(min_length: int = 10):
 
 
 
+

src/utils/report_generator.py

@@ -180,3 +180,4 @@ def generate_report_from_evidence(
 
 
 
+

tests/unit/middleware/test_budget_tracker_phase7.py

@@ -163,3 +163,4 @@ class TestIterationTokenTracking:
 
 
 
+

tests/unit/middleware/test_workflow_manager.py

@@ -289,3 +289,4 @@ class TestWorkflowManager:
 
 
 
+