fix(oracle): honor explicit wallet_password="" for auto-login wallets (closes #289)

[fede-kamel]

Summary

Fixes #289. In Pydantic v2 SecretStr("") is falsy, so the truthy guard

if cfg.wallet_password:
    params["wallet_password"] = cfg.wallet_password.get_secret_value()

silently dropped an explicit wallet_password="" before it reached
oracledb.create_pool_async. But "" is python-oracledb's documented idiom for an
auto-login (cwallet.sso) wallet. With it dropped, the thin driver falls through to
the encrypted ewallet.pem path and fails at connect time with DPY-6005 /
OSError: [Errno 22] (and prompts for a PEM passphrase on a TTY).

Change

Switch the guard to is not None at all seven Oracle pool builders, so an omitted
password (None) is still skipped while an explicit "" is forwarded:

• memory/backends/oracle.py
• memory/backends/oracle_versioned.py
• memory/store_backends/oracle.py
• rag/embeddings/oracle_indb.py
• rag/chunkers/oracle_indb.py
• rag/stores/oracle.py
• rag/loaders/oracle.py

Root-cause confirmation

from pydantic import SecretStr           # Pydantic 2.12
assert bool(SecretStr("")) is False        # truthy guard drops it
assert (SecretStr("") is not None) is True # `is not None` keeps it

Tests added

tests/unit/test_oracle_wallet_password_empty.py — 7 backends × 3 cases = 21 tests,
stubbing oracledb to capture the kwargs each _get_pool() sends to
create_pool_async:

• empty-string "" → kwarg forwarded as ""
• omitted (None) → kwarg absent
• real value → forwarded unchanged

Testing performed

1. Unit

• 21 new tests pass.
• Existing Oracle unit suites pass alongside them (test_oracle_store,
  test_oracle_adb_loader, test_oracle_versioned_checkpointer,
  test_oracle_indb_embeddings, test_oracle_indb_chunker) — 143 tests total, no
  regressions.
• Mutation check: temporarily restoring the truthy guard makes the matching test
  fail with AssertionError: empty-string wallet_password was dropped (truthy-guard regression), then passes again once the fix is restored — confirming the test
  actually pins the behavior.

2. No-database probe

Stubbing create_pool_async on the unpatched code shows the kwarg is dropped:

wallet_password forwarded? False
kwargs: ['config_dir', 'dsn', 'max', 'min', 'password', 'user', 'wallet_location']

With the fix, wallet_password is present.

3. Live Oracle Autonomous DB (auto-login wallet, wallet_password="")

Direct vs. Locus, same wallet + credentials:

Scenario	path	result
A — direct oracledb.create_pool_async(..., wallet_password="")	kwarg forwarded	connected, select 1 -> 1
B — Locus backend, wallet_password="" (unpatched)	kwarg dropped	DPY-6005 / OSError: [Errno 22] (after the driver prompted for a PEM passphrase, falling through to ewallet.pem)
C — Locus backend, wallet_password="" (patched)	kwarg forwarded	connected, select 1 -> 1

4. Integration suite — tests/integration/test_oracle_rag.py

Run against a live ADB with an auto-login wallet and ORACLE_WALLET_PASSWORD="" (the
default, i.e. the #289 trigger), exercising OracleVectorStore:

• 6 passed, 1 skipped (the skip is test_oracle_cohere_embeddings — needs an OCI
  GenAI profile that wasn't configured in this run; unrelated to this change).
• The 6 passing tests (connection, add/get, vector search, …) all connect with
  wallet_password="".
• Causation proof: restoring the truthy guard in rag/stores/oracle.py and re-running
  test_oracle_connection reproduces the failure end-to-end —
  OSError: [Errno 22] → DPY-6005 — and re-applying the fix returns it to green. This
  ties the integration pass directly to the fix.

Note: tests/integration/rag/test_oracle_adb_store.py was reviewed but is not relevant
here — its fixture defaults wallet_password to the DB password (never ""), so it does
not exercise the auto-login path.

A self-contained reproduction probe (no database required) is posted on #289.