2026-02-19 23:23:43 -08:00
#!/usr/bin/env python3
"""
Code Execution Tool - - Programmatic Tool Calling ( PTC )
Lets the LLM write a Python script that calls Hermes tools via RPC ,
collapsing multi - step tool chains into a single inference turn .
2026-04-04 12:57:49 -07:00
Architecture ( two transports ) :
* * Local backend ( UDS ) : * *
1. Parent generates a ` hermes_tools . py ` stub module with UDS RPC functions
2026-02-19 23:23:43 -08:00
2. Parent opens a Unix domain socket and starts an RPC listener thread
3. Parent spawns a child process that runs the LLM ' s script
2026-04-04 12:57:49 -07:00
4. Tool calls travel over the UDS back to the parent for dispatch
* * Remote backends ( file - based RPC ) : * *
1. Parent generates ` hermes_tools . py ` with file - based RPC stubs
2. Parent ships both files to the remote environment
3. Script runs inside the terminal backend ( Docker / SSH / Modal / Daytona / etc . )
4. Tool calls are written as request files ; a polling thread on the parent
feat(environments): unified spawn-per-call execution layer
Replace dual execution model (PersistentShellMixin + per-backend oneshot)
with spawn-per-call + session snapshot for all backends except ManagedModal.
Core changes:
- Every command spawns a fresh bash process; session snapshot (env vars,
functions, aliases) captured at init and re-sourced before each command
- CWD persists via file-based read (local) or in-band stdout markers (remote)
- ProcessHandle protocol + _ThreadedProcessHandle adapter for SDK backends
- cancel_fn wired for Modal (sandbox.terminate) and Daytona (sandbox.stop)
- Shared utilities extracted: _pipe_stdin, _popen_bash, _load_json_store,
_save_json_store, _file_mtime_key, _SYNC_INTERVAL_SECONDS
- Rate-limited file sync unified in base _before_execute() with _sync_files() hook
- execute_oneshot() removed; all 11 call sites in code_execution_tool.py
migrated to execute()
- Daytona timeout wrapper replaced with SDK-native timeout parameter
- persistent_shell.py deleted (291 lines)
Backend-specific:
- Local: process-group kill via os.killpg, file-based CWD read
- Docker: -e env flags only on init_session, not per-command
- SSH: shlex.quote transport, ControlMaster connection reuse
- Singularity: apptainer exec with instance://, no forced --pwd
- Modal: _AsyncWorker + _ThreadedProcessHandle, cancel_fn -> sandbox.terminate
- Daytona: SDK-level timeout (not shell wrapper), cancel_fn -> sandbox.stop
- ManagedModal: unchanged (gateway owns execution); docstring added explaining why
2026-04-08 13:38:04 -07:00
reads them via env . execute ( ) , dispatches , and writes response files
2026-04-04 12:57:49 -07:00
5. The script polls for response files and continues
In both cases , only the script ' s stdout is returned to the LLM; intermediate
tool results never enter the context window .
2026-02-19 23:23:43 -08:00
2026-04-04 12:57:49 -07:00
Platform : Linux / macOS only ( Unix domain sockets for local ) . Disabled on Windows .
Remote execution additionally requires Python 3 in the terminal backend .
2026-02-19 23:23:43 -08:00
"""
2026-04-04 12:57:49 -07:00
import base64
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
import functools
2026-02-19 23:23:43 -08:00
import json
import logging
import os
2026-03-01 01:54:27 +03:00
import platform
2026-04-09 13:46:08 +02:00
import shlex
2026-02-19 23:23:43 -08:00
import socket
import subprocess
import sys
import tempfile
import threading
import time
import uuid
2026-03-01 01:54:27 +03:00
_IS_WINDOWS = platform . system ( ) == " Windows "
2026-02-19 23:23:43 -08:00
from typing import Any , Dict , List , Optional
2026-05-28 17:47:09 -04:00
from tools . thread_context import propagate_context_to_thread
2026-05-07 18:17:31 -07:00
# Availability gate. On Windows we fall back to loopback TCP for the
# sandbox RPC transport (AF_UNIX is unreliable on Windows Python) — see
# ``_use_tcp_rpc`` in ``_execute_local`` below. That makes execute_code
# available on every platform Hermes itself runs on.
2026-02-21 03:32:11 -08:00
logger = logging . getLogger ( __name__ )
2026-05-07 18:17:31 -07:00
SANDBOX_AVAILABLE = True
2026-02-19 23:23:43 -08:00
# The 7 tools allowed inside the sandbox. The intersection of this list
# and the session's enabled tools determines which stubs are generated.
SANDBOX_ALLOWED_TOOLS = frozenset ( [
" web_search " ,
" web_extract " ,
" read_file " ,
" write_file " ,
2026-02-20 02:43:57 -08:00
" search_files " ,
2026-02-19 23:23:43 -08:00
" patch " ,
" terminal " ,
] )
# Resource limit defaults (overridable via config.yaml → code_execution.*)
2026-02-20 01:29:53 -08:00
DEFAULT_TIMEOUT = 300 # 5 minutes
2026-02-19 23:23:43 -08:00
DEFAULT_MAX_TOOL_CALLS = 50
MAX_STDOUT_BYTES = 50_000 # 50 KB
MAX_STDERR_BYTES = 10_000 # 10 KB
2026-05-07 18:39:38 -07:00
# Environment variable scrubbing rules (shared between the local + remote
# backends). Secret-substring block is applied first; anything left must
2026-05-28 17:47:09 -04:00
# match a safe prefix, the operational HERMES_ allowlist, or (on Windows) an
# OS-essential name.
#
# NB: the broad "HERMES_" prefix was deliberately removed (#27303) — it leaked
# HERMES_*-named config that lacks a secret substring (e.g. HERMES_BASE_URL,
# HERMES_KANBAN_DB, HERMES_*_WEBHOOK). The child only needs the few
# location/profile vars in _HERMES_CHILD_ALLOWED below; HERMES_RPC_SOCKET /
# HERMES_RPC_DIR / TZ / HOME are injected explicitly after scrubbing.
2026-05-07 18:39:38 -07:00
_SAFE_ENV_PREFIXES = ( " PATH " , " HOME " , " USER " , " LANG " , " LC_ " , " TERM " ,
" TMPDIR " , " TMP " , " TEMP " , " SHELL " , " LOGNAME " ,
2026-05-28 17:47:09 -04:00
" XDG_ " , " PYTHONPATH " , " VIRTUAL_ENV " , " CONDA " )
2026-05-07 18:39:38 -07:00
_SECRET_SUBSTRINGS = ( " KEY " , " TOKEN " , " SECRET " , " PASSWORD " , " CREDENTIAL " ,
2026-05-28 17:47:09 -04:00
" PASSWD " , " AUTH " , " DSN " , " WEBHOOK " )
# Operational HERMES_* vars the child legitimately needs by exact name — these
# are non-secret runtime-location flags (the same set hermes_cli treats as the
# runtime location) that repo-root modules a sandbox script imports may read at
# import time. None match _SECRET_SUBSTRINGS.
_HERMES_CHILD_ALLOWED = frozenset ( {
" HERMES_HOME " ,
" HERMES_PROFILE " ,
" HERMES_CONFIG " ,
" HERMES_ENV " ,
} )
2026-05-07 18:39:38 -07:00
# Windows-only: a handful of variables are required by the OS/CRT itself.
# Without them, even stdlib calls like ``socket.socket()`` fail with
# WinError 10106 (Winsock can't locate mswsock.dll) and ``subprocess``
# can't resolve cmd.exe. These are well-known OS paths, not secrets, so
# we allow them through by exact name. The _SECRET_SUBSTRINGS block
# still runs as a safety net (none of these names match those substrings).
_WINDOWS_ESSENTIAL_ENV_VARS = frozenset ( {
" SYSTEMROOT " , # %SYSTEMROOT%\System32 — Winsock needs this
" SYSTEMDRIVE " , # C: (or wherever Windows lives)
" WINDIR " , # usually same as SYSTEMROOT
" COMSPEC " , # cmd.exe path — subprocess shell=True needs it
" PATHEXT " , # .COM;.EXE;.BAT;... — shell lookup
" OS " , # "Windows_NT" — some tools gate on this
" PROCESSOR_ARCHITECTURE " ,
" NUMBER_OF_PROCESSORS " ,
" PUBLIC " , # C:\Users\Public
" ALLUSERSPROFILE " , # C:\ProgramData — some stdlib paths use it
" PROGRAMDATA " , # C:\ProgramData
" PROGRAMFILES " ,
" PROGRAMFILES(X86) " ,
" PROGRAMW6432 " ,
" APPDATA " , # %USERPROFILE%\AppData\Roaming — Python uses it
" LOCALAPPDATA " , # %USERPROFILE%\AppData\Local
" USERPROFILE " , # C:\Users\<name> — Python's expanduser uses it
" USERDOMAIN " ,
" USERNAME " ,
" HOMEDRIVE " , # C:
" HOMEPATH " , # \Users\<name>
" COMPUTERNAME " ,
} )
def _scrub_child_env ( source_env , is_passthrough = None , is_windows = None ) :
""" Produce the scrubbed child-process env for execute_code.
Rules ( order matters ) :
1. Passthrough vars ( skill - or config - declared ) always pass .
2026-05-28 17:47:09 -04:00
2. Secret - substring names ( KEY / TOKEN / DSN / WEBHOOK / etc . ) are blocked .
2026-05-07 18:39:38 -07:00
3. Names matching a safe prefix pass .
2026-05-28 17:47:09 -04:00
4. Operational HERMES_ * vars ( _HERMES_CHILD_ALLOWED ) pass by exact name .
5. On Windows , a small OS - essential allowlist passes by exact name
2026-05-07 18:39:38 -07:00
— without these the child can ' t even create a socket or spawn a
subprocess .
Extracted into a helper so tests can exercise the logic without
spawning a subprocess .
"""
if is_passthrough is None :
try :
from tools . env_passthrough import is_env_passthrough as _ep
except Exception :
_ep = lambda _ : False # noqa: E731
is_passthrough = _ep
if is_windows is None :
is_windows = _IS_WINDOWS
scrubbed = { }
2026-05-29 01:28:37 -07:00
# Non-secret HERMES_* vars dropped by the tightened allowlist (#27303). The
# broad "HERMES_" prefix used to pass these through; now only the
# operational set does. The drop is intentional (those vars can carry
# config like HERMES_KANBAN_DB / HERMES_BASE_URL), but a sandbox script
# that imports a repo module reading one at import time would otherwise see
# it silently unset. Surface the drop once so the behavior change is
# diagnosable and points at the env_passthrough opt-in escape hatch.
_dropped_hermes = [ ]
2026-05-07 18:39:38 -07:00
for k , v in source_env . items ( ) :
if is_passthrough ( k ) :
scrubbed [ k ] = v
continue
if any ( s in k . upper ( ) for s in _SECRET_SUBSTRINGS ) :
continue
if any ( k . startswith ( p ) for p in _SAFE_ENV_PREFIXES ) :
scrubbed [ k ] = v
continue
2026-05-28 17:47:09 -04:00
if k in _HERMES_CHILD_ALLOWED :
scrubbed [ k ] = v
continue
2026-05-07 18:39:38 -07:00
if is_windows and k . upper ( ) in _WINDOWS_ESSENTIAL_ENV_VARS :
scrubbed [ k ] = v
2026-05-29 01:28:37 -07:00
continue
if k . startswith ( " HERMES_ " ) :
# Non-secret (secrets were already dropped above) and not in any
# allowlist — a deliberately-dropped HERMES_* var.
_dropped_hermes . append ( k )
if _dropped_hermes :
logger . debug (
" execute_code: dropped %d non-allowlisted HERMES_* var(s) from the "
" sandbox child env ( %s ). This is intentional hardening (#27303); if "
" a sandbox script legitimately needs one, declare it via "
" env_passthrough in the skill/config so it passes by explicit opt-in. " ,
len ( _dropped_hermes ) ,
" , " . join ( sorted ( _dropped_hermes ) ) ,
)
2026-05-07 18:39:38 -07:00
return scrubbed
2026-02-19 23:23:43 -08:00
def check_sandbox_requirements ( ) - > bool :
""" Code execution sandbox requires a POSIX OS for Unix domain sockets. """
2026-04-29 18:20:53 +05:30
if not SANDBOX_AVAILABLE :
return False
return True
2026-02-19 23:23:43 -08:00
# ---------------------------------------------------------------------------
# hermes_tools.py code generator
# ---------------------------------------------------------------------------
# Per-tool stub templates: (function_name, signature, docstring, args_dict_expr)
# The args_dict_expr builds the JSON payload sent over the RPC socket.
_TOOL_STUBS = {
" web_search " : (
" web_search " ,
" query: str, limit: int = 5 " ,
2026-02-19 23:30:01 -08:00
' " " " Search the web. Returns dict with data.web list of { url, title, description}. " " " ' ,
2026-02-19 23:23:43 -08:00
' { " query " : query, " limit " : limit} ' ,
) ,
" web_extract " : (
" web_extract " ,
" urls: list " ,
fix: improve read-loop detection — consecutive-only, correct thresholds, fix bugs
Follow-up to PR #705 (merged from 0xbyt4). Addresses several issues:
1. CONSECUTIVE-ONLY TRACKING: Redesigned the read/search tracker to only
warn/block on truly consecutive identical calls. Any other tool call
in between (write, patch, terminal, etc.) resets the counter via
notify_other_tool_call(), called from handle_function_call() in
model_tools.py. This prevents false blocks in read→edit→verify flows.
2. THRESHOLD ADJUSTMENT: Warn on 3rd consecutive (was 2nd), block on
4th+ consecutive (was 3rd+). Gives the model more room before
intervening.
3. TUPLE UNPACKING BUG: Fixed get_read_files_summary() which crashed on
search keys (5-tuple) when trying to unpack as 3-tuple. Now uses a
separate read_history set that only tracks file reads.
4. WEB_EXTRACT DOCSTRING: Reverted incorrect removal of 'title' from
web_extract return docs in code_execution_tool.py — the field IS
returned by web_tools.py.
5. TESTS: Rewrote test_read_loop_detection.py (35 tests) to cover
consecutive-only behavior, notify_other_tool_call, interleaved
read/search, and summary-unaffected-by-searches.
2026-03-10 16:25:41 -07:00
' " " " Extract content from URLs. Returns dict with results list of { url, title, content, error}. " " " ' ,
2026-02-19 23:23:43 -08:00
' { " urls " : urls} ' ,
) ,
" read_file " : (
" read_file " ,
" path: str, offset: int = 1, limit: int = 500 " ,
' " " " Read a file (1-indexed lines). Returns dict with " content " and " total_lines " . " " " ' ,
' { " path " : path, " offset " : offset, " limit " : limit} ' ,
) ,
" write_file " : (
" write_file " ,
fix(profiles): cross-profile soft guard on file-write tools + system-prompt hint (#31290)
* fix(profiles): cross-profile soft guard on file-write tools + system-prompt hint
Adds a soft guard so an agent running under one Hermes profile cannot
silently edit a different profile's skills/plugins/cron/memories.
Three layers:
A. agent/file_safety.classify_cross_profile_target
Classifies a write target against the active HERMES_HOME. Returns
a {active_profile, target_profile, area, target_path} dict when the
path lands in another profile's scoped area. PROFILE_SCOPED_AREAS =
(skills, plugins, cron, memories). get_cross_profile_warning()
wraps it into a model-facing error string that names both profiles,
names the area, and points at the cross_profile=True bypass.
Defense-in-depth, NOT a security boundary — the terminal tool runs
as the same OS user and can write any of these paths directly. The
guard exists to prevent confused-agent corruption, not to stop a
determined attacker. SECURITY.md §3.2 (terminal-bypass posture)
still applies.
Wired into tools/file_tools.write_file_tool and patch_tool with a
cross_profile=False kwarg. WRITE_FILE_SCHEMA and PATCH_SCHEMA both
advertise cross_profile so the model can pass it after explicit
user direction. patch_tool extracts target paths from V4A patch
bodies before checking (same shape as the existing sensitive-path
check).
skill_manage is already scoped to the active profile's SKILLS_DIR
by construction, so no extra guard wiring is needed there. The
D-side error message (below) still names other profiles when the
skill exists elsewhere.
B. agent/system_prompt
One deterministic line near the environment-hints block names the
active profile and tells the model not to modify another profile's
skills/plugins/cron/memories without explicit direction. Profile
name is stable for the lifetime of the AIAgent, so the line is
prompt-cache-safe.
D. tools/skill_manager_tool._skill_not_found_error
Replaces the bare "Skill 'X' not found." with a message that:
- names the active profile,
- searches OTHER profiles' skills dirs for the same name,
- names the profile(s) where the skill exists and the path,
- suggests `hermes -p <name>` to switch profiles, or
cross_profile=True for an explicit edit.
All 5 "not found" sites in skill_manager_tool (edit, patch, delete,
write_file, remove_file) now go through the helper.
Reference incident (May 2026): a hermes-security profile session
edited skills under both ~/.hermes/profiles/hermes-security/skills/
AND ~/.hermes/skills/ (the default profile's skills) without
realizing the second path belonged to a different profile. Three of
the four skill files needed manual restoration afterward.
What this PR does NOT do:
* No hard block. The terminal tool can still touch any of these
paths with no guard — same posture as the dangerous-command
approval flow. SECURITY.md §3.2 applies.
* No regex sweep on terminal commands for cross-profile paths.
That direction is a Skills-Guard-style arms race (cd + relative
paths, base64, etc.) and would false-positive on legitimate
cross-profile reads. Filed as a follow-up.
* No on-disk path migration. ~/.hermes/skills/ remains the
default profile's skills dir; this PR is about telling the
agent about that boundary, not changing the layout.
Tests:
tests/agent/test_file_safety_cross_profile.py (16 tests)
- _resolve_active_profile_name covers default/named/failure paths
- classify_cross_profile_target covers all four scoped areas,
both directions (default → named, named → default, named → named),
non-Hermes paths, and root-level config files
- get_cross_profile_warning covers in-profile no-op, cross-profile
message shape, and the defense-in-depth self-documentation
tests/tools/test_cross_profile_guard.py (12 tests)
- write_file: in-profile allow, cross-profile block, cross_profile=True
bypass, non-Hermes pass-through
- patch: replace-mode block, cross_profile=True bypass, V4A patch
path extraction
- skill_manage: error names the other profile (single + multiple),
missing-everywhere falls back to skills_list hint
- system prompt: contract-level checks (both branches present,
cross_profile=True mentioned, ~/.hermes/profiles/ referenced)
All 207 existing tests in file_safety/file_operations/skill_manager
still pass. 10 system-prompt tests still pass.
E2E verified: the exact incident scenario (security profile editing
default's hermes-agent-dev skill) is now blocked with the warning
message; cross_profile=True unblocks.
* fix(code_execution): add cross_profile to write_file/patch stubs
The cross_profile kwarg added to write_file_tool/patch_tool needs to
flow through the execute_code sandbox stubs in _TOOL_STUBS so the
test_stubs_cover_all_schema_params drift test passes. Without this,
scripts running inside execute_code couldn't pass cross_profile=True
through hermes_tools.write_file().
Caught by CI on PR #31290.
2026-05-24 00:38:17 -07:00
" path: str, content: str, cross_profile: bool = False " ,
' " " " Write content to a file (always overwrites). Returns dict with status. cross_profile=True opts out of the cross-Hermes-profile soft guard. " " " ' ,
' { " path " : path, " content " : content, " cross_profile " : cross_profile} ' ,
2026-02-19 23:23:43 -08:00
) ,
2026-02-20 02:43:57 -08:00
" search_files " : (
" search_files " ,
2026-03-06 03:40:06 -08:00
' pattern: str, target: str = " content " , path: str = " . " , file_glob: str = None, limit: int = 50, offset: int = 0, output_mode: str = " content " , context: int = 0 ' ,
' " " " Search file contents (target= " content " ) or find files by name (target= " files " ). Returns dict with " matches " . " " " ' ,
' { " pattern " : pattern, " target " : target, " path " : path, " file_glob " : file_glob, " limit " : limit, " offset " : offset, " output_mode " : output_mode, " context " : context} ' ,
2026-02-19 23:23:43 -08:00
) ,
" patch " : (
" patch " ,
fix(profiles): cross-profile soft guard on file-write tools + system-prompt hint (#31290)
* fix(profiles): cross-profile soft guard on file-write tools + system-prompt hint
Adds a soft guard so an agent running under one Hermes profile cannot
silently edit a different profile's skills/plugins/cron/memories.
Three layers:
A. agent/file_safety.classify_cross_profile_target
Classifies a write target against the active HERMES_HOME. Returns
a {active_profile, target_profile, area, target_path} dict when the
path lands in another profile's scoped area. PROFILE_SCOPED_AREAS =
(skills, plugins, cron, memories). get_cross_profile_warning()
wraps it into a model-facing error string that names both profiles,
names the area, and points at the cross_profile=True bypass.
Defense-in-depth, NOT a security boundary — the terminal tool runs
as the same OS user and can write any of these paths directly. The
guard exists to prevent confused-agent corruption, not to stop a
determined attacker. SECURITY.md §3.2 (terminal-bypass posture)
still applies.
Wired into tools/file_tools.write_file_tool and patch_tool with a
cross_profile=False kwarg. WRITE_FILE_SCHEMA and PATCH_SCHEMA both
advertise cross_profile so the model can pass it after explicit
user direction. patch_tool extracts target paths from V4A patch
bodies before checking (same shape as the existing sensitive-path
check).
skill_manage is already scoped to the active profile's SKILLS_DIR
by construction, so no extra guard wiring is needed there. The
D-side error message (below) still names other profiles when the
skill exists elsewhere.
B. agent/system_prompt
One deterministic line near the environment-hints block names the
active profile and tells the model not to modify another profile's
skills/plugins/cron/memories without explicit direction. Profile
name is stable for the lifetime of the AIAgent, so the line is
prompt-cache-safe.
D. tools/skill_manager_tool._skill_not_found_error
Replaces the bare "Skill 'X' not found." with a message that:
- names the active profile,
- searches OTHER profiles' skills dirs for the same name,
- names the profile(s) where the skill exists and the path,
- suggests `hermes -p <name>` to switch profiles, or
cross_profile=True for an explicit edit.
All 5 "not found" sites in skill_manager_tool (edit, patch, delete,
write_file, remove_file) now go through the helper.
Reference incident (May 2026): a hermes-security profile session
edited skills under both ~/.hermes/profiles/hermes-security/skills/
AND ~/.hermes/skills/ (the default profile's skills) without
realizing the second path belonged to a different profile. Three of
the four skill files needed manual restoration afterward.
What this PR does NOT do:
* No hard block. The terminal tool can still touch any of these
paths with no guard — same posture as the dangerous-command
approval flow. SECURITY.md §3.2 applies.
* No regex sweep on terminal commands for cross-profile paths.
That direction is a Skills-Guard-style arms race (cd + relative
paths, base64, etc.) and would false-positive on legitimate
cross-profile reads. Filed as a follow-up.
* No on-disk path migration. ~/.hermes/skills/ remains the
default profile's skills dir; this PR is about telling the
agent about that boundary, not changing the layout.
Tests:
tests/agent/test_file_safety_cross_profile.py (16 tests)
- _resolve_active_profile_name covers default/named/failure paths
- classify_cross_profile_target covers all four scoped areas,
both directions (default → named, named → default, named → named),
non-Hermes paths, and root-level config files
- get_cross_profile_warning covers in-profile no-op, cross-profile
message shape, and the defense-in-depth self-documentation
tests/tools/test_cross_profile_guard.py (12 tests)
- write_file: in-profile allow, cross-profile block, cross_profile=True
bypass, non-Hermes pass-through
- patch: replace-mode block, cross_profile=True bypass, V4A patch
path extraction
- skill_manage: error names the other profile (single + multiple),
missing-everywhere falls back to skills_list hint
- system prompt: contract-level checks (both branches present,
cross_profile=True mentioned, ~/.hermes/profiles/ referenced)
All 207 existing tests in file_safety/file_operations/skill_manager
still pass. 10 system-prompt tests still pass.
E2E verified: the exact incident scenario (security profile editing
default's hermes-agent-dev skill) is now blocked with the warning
message; cross_profile=True unblocks.
* fix(code_execution): add cross_profile to write_file/patch stubs
The cross_profile kwarg added to write_file_tool/patch_tool needs to
flow through the execute_code sandbox stubs in _TOOL_STUBS so the
test_stubs_cover_all_schema_params drift test passes. Without this,
scripts running inside execute_code couldn't pass cross_profile=True
through hermes_tools.write_file().
Caught by CI on PR #31290.
2026-05-24 00:38:17 -07:00
' path: str = None, old_string: str = None, new_string: str = None, replace_all: bool = False, mode: str = " replace " , patch: str = None, cross_profile: bool = False ' ,
' " " " Targeted find-and-replace (mode= " replace " ) or V4A multi-file patches (mode= " patch " ). Returns dict with status. cross_profile=True opts out of the cross-Hermes-profile soft guard. " " " ' ,
' { " path " : path, " old_string " : old_string, " new_string " : new_string, " replace_all " : replace_all, " mode " : mode, " patch " : patch, " cross_profile " : cross_profile} ' ,
2026-02-19 23:23:43 -08:00
) ,
" terminal " : (
" terminal " ,
" command: str, timeout: int = None, workdir: str = None " ,
' " " " Run a shell command (foreground only). Returns dict with " output " and " exit_code " . " " " ' ,
' { " command " : command, " timeout " : timeout, " workdir " : workdir} ' ,
) ,
}
2026-04-04 12:57:49 -07:00
def generate_hermes_tools_module ( enabled_tools : List [ str ] ,
transport : str = " uds " ) - > str :
2026-02-19 23:23:43 -08:00
"""
Build the source code for the hermes_tools . py stub module .
Only tools in both SANDBOX_ALLOWED_TOOLS and enabled_tools get stubs .
2026-04-04 12:57:49 -07:00
Args :
enabled_tools : Tool names enabled in the current session .
transport : ` ` " uds " ` ` for Unix domain socket ( local backend ) or
` ` " file " ` ` for file - based RPC ( remote backends ) .
2026-02-19 23:23:43 -08:00
"""
tools_to_generate = sorted ( SANDBOX_ALLOWED_TOOLS & set ( enabled_tools ) )
stub_functions = [ ]
export_names = [ ]
for tool_name in tools_to_generate :
if tool_name not in _TOOL_STUBS :
continue
func_name , sig , doc , args_expr = _TOOL_STUBS [ tool_name ]
stub_functions . append (
f " def { func_name } ( { sig } ): \n "
f " { doc } \n "
f " return _call( { func_name !r} , { args_expr } ) \n "
)
export_names . append ( func_name )
2026-04-04 12:57:49 -07:00
if transport == " file " :
header = _FILE_TRANSPORT_HEADER
else :
header = _UDS_TRANSPORT_HEADER
2026-02-19 23:23:43 -08:00
2026-04-04 12:57:49 -07:00
return header + " \n " . join ( stub_functions )
2026-02-19 23:23:43 -08:00
2026-03-06 01:52:46 -08:00
2026-04-04 12:57:49 -07:00
# ---- Shared helpers section (embedded in both transport headers) ----------
_COMMON_HELPERS = ''' \
2026-03-06 01:52:46 -08:00
# ---------------------------------------------------------------------------
# Convenience helpers (avoid common scripting pitfalls)
# ---------------------------------------------------------------------------
def json_parse ( text : str ) :
""" Parse JSON tolerant of control characters (strict=False).
Use this instead of json . loads ( ) when parsing output from terminal ( )
or web_extract ( ) that may contain raw tabs / newlines in strings . """
return json . loads ( text , strict = False )
def shell_quote ( s : str ) - > str :
""" Shell-escape a string for safe interpolation into commands.
Use this when inserting dynamic content into terminal ( ) commands :
terminal ( f " echo { shell_quote ( user_input ) } " )
"""
return shlex . quote ( s )
def retry ( fn , max_attempts = 3 , delay = 2 ) :
""" Retry a function up to max_attempts times with exponential backoff.
Use for transient failures ( network errors , API rate limits ) :
result = retry ( lambda : terminal ( " gh issue list ... " ) )
"""
last_err = None
for attempt in range ( max_attempts ) :
try :
return fn ( )
except Exception as e :
last_err = e
if attempt < max_attempts - 1 :
time . sleep ( delay * ( 2 * * attempt ) )
raise last_err
2026-04-04 12:57:49 -07:00
'''
# ---- UDS transport (local backend) ---------------------------------------
_UDS_TRANSPORT_HEADER = ''' \
""" Auto-generated Hermes tools RPC stubs. """
2026-04-30 13:20:05 +08:00
import json , os , socket , shlex , threading , time
2026-04-04 12:57:49 -07:00
_sock = None
2026-04-30 13:20:05 +08:00
# The RPC server handles a single client connection serially and has no
# request-id in the protocol, so concurrent _call() invocations from multiple
# threads (e.g. ThreadPoolExecutor) would race on the shared socket and get
# each other's responses. Serialize the entire send+recv round-trip.
_call_lock = threading . Lock ( )
2026-04-04 12:57:49 -07:00
''' + _COMMON_HELPERS + ''' \
2026-02-19 23:23:43 -08:00
def _connect ( ) :
feat(windows): close remaining POSIX-only landmines — TUI crash, kanban waitpid, AF_UNIX sandbox, /bin/bash, npm .cmd shims, cwd tracking, detach flags
Second pass on native Windows support, driven by a systematic audit across
five areas: POSIX-only primitives (signal.SIGKILL/SIGHUP/SIGPIPE, os.WNOHANG,
os.setsid), path translation bugs (/c/Users → C:\Users), subprocess patterns
(npm.cmd batch shims, start_new_session no-op on Windows), subsystem health
(cron, gateway daemon, update flow), and module-level import guards.
Every change is platform-gated — POSIX (Linux/macOS) behaviour is preserved
bit-identical. Explicit "do no harm" test: test_posix_path_preserved_on_linux,
test_posix_noop, test_windows_detach_popen_kwargs_is_posix_equivalent_on_posix.
## New module
- hermes_cli/_subprocess_compat.py — shared helpers (resolve_node_command,
windows_detach_flags, windows_hide_flags, windows_detach_popen_kwargs).
All no-ops on non-Windows.
## CRITICAL fixes (would crash or silently break on Windows)
- tui_gateway/entry.py: SIGPIPE/SIGHUP referenced at module top level would
AttributeError on import on Windows, breaking `hermes --tui` entirely (it
spawns this module as a subprocess). Guard each signal.signal() call with
hasattr() and add SIGBREAK as Windows' SIGHUP equivalent.
- hermes_cli/kanban_db.py: os.waitpid(-1, os.WNOHANG) in dispatcher tick was
unguarded. os.WNOHANG doesn't exist on Windows. Gate the whole reap loop
behind `os.name != "nt"` — Windows has no zombies anyway.
- tools/code_execution_tool.py: AF_UNIX socket for execute_code RPC fails on
most Windows builds. Fall back to loopback TCP (AF_INET on 127.0.0.1:0
ephemeral port) when _IS_WINDOWS. HERMES_RPC_SOCKET env var now accepts
either a filesystem path (POSIX) or `tcp://127.0.0.1:<port>` (Windows).
Generated sandbox client parses both.
- cron/scheduler.py: `argv = ["/bin/bash", str(path)]` hardcoded. Use
shutil.which("bash") so Windows (Git Bash via MinGit) works, with a
readable error when bash is genuinely absent.
- 6 bare npm/npx spawn sites: tools_config.py x2, doctor.py, whatsapp.py
(npm install + node version probe), browser_tool.py x2. On Windows npm
is npm.cmd / npx is npx.cmd (batch shims); subprocess.Popen(["npm", ...])
fails with WinError 193. shutil.which(...) returns the absolute .cmd
path which CreateProcessW accepts because the extension routes through
cmd.exe /c. POSIX behaviour unchanged (shutil.which still returns the
same path subprocess would resolve itself).
## HIGH fixes (silent misbehaviour on Windows)
- tools/environments/local.py get_temp_dir: hardcoded /tmp returned on
Windows meant `_cwd_file = "/tmp/hermes-cwd-*.txt"`, which bash wrote
via MSYS2's virtual /tmp but native Python couldn't open. Result: cwd
tracking silently broken — `cd` in terminal tool did nothing. Windows
branch now returns `%HERMES_HOME%/cache/terminal` with forward slashes
(works in both bash and Python, guaranteed no spaces).
- tools/environments/local.py _make_run_env PATH injection: `/usr/bin not
in split(":")` heuristic mangles Windows PATH (";" separator). Gate
the injection behind `not _IS_WINDOWS`.
- hermes_cli/gateway.py launch_detached_profile_gateway_restart: outer
Popen + watcher-script Popen both used start_new_session=True, which
Windows silently ignores. Watcher stayed attached to CLI's console,
died when user closed terminal after `hermes update`, left gateway
stale. Now branches through windows_detach_popen_kwargs() helper
(CREATE_NEW_PROCESS_GROUP | DETACHED_PROCESS | CREATE_NO_WINDOW on
Windows, start_new_session=True on POSIX — identical to main).
## MEDIUM fixes
- gateway/run.py /restart and /update handlers: hardcoded bash/setsid
chain crashes on Windows when user triggers /update in-gateway. Now
has sys.platform=="win32" branch using sys.executable + a tiny
Python watcher with proper detach flags. POSIX path is unchanged.
- cli.py _git_repo_root: Git on Windows sometimes returns /c/Users/...
style paths that break subprocess.Popen(cwd=...) and Path().resolve().
Added _normalize_git_bash_path() helper that translates /c/Users,
/cygdrive/c, /mnt/c variants to native C:\Users form. POSIX no-op.
_git_repo_root() now routes every result through it.
- cli.py worktree .worktreeinclude: os.symlink on directories failed
hard on Windows (requires admin or Developer Mode). Falls back to
shutil.copytree with a warning log.
## Tests
- 29 new tests in tests/tools/test_windows_native_support.py covering:
subprocess_compat helpers, TUI entry signal guards, kanban waitpid
guard, code_execution TCP fallback source-level invariants, cron bash
resolution, npm/npx bare-spawn lint per-file, local env Windows temp
dir, PATH injection gating, git bash path normalization, symlink
fallback, gateway detached watcher flags.
- One existing test assertion adjusted in test_browser_homebrew_paths:
it compared captured Popen argv to the BARE `"npx"` literal; after the
shutil.which() change argv[0] is the absolute path. New assertion
checks the shape (two items, second is `agent-browser`) rather than
the exact first-item string. Behaviour unchanged; test was too strict.
All 56 tests pass on Linux (30 from previous commits + 26 new).
267 tests from the affected files/dirs (browser, code_exec, local_env,
process_registry, kanban_db, windows_compat) all pass — zero regressions.
tests/hermes_cli/ (3909 pass) and tests/gateway/ (5021 pass) unchanged;
all pre-existing test failures confirmed unrelated via `git stash` re-run.
## What's still deferred (LOW priority)
- Visible cmd-window flashes on short-lived console apps (~14 sites) —
cosmetic, needs a follow-up pass once we have user reports.
- agent/file_safety.py POSIX-only security deny patterns — separate
hardening task.
- tools/process_registry.py returning "/tmp" as fallback — theoretical;
reachable only when all env-var candidates fail.
2026-05-07 17:29:31 -07:00
""" Connect to the parent ' s RPC server via the transport it picked.
HERMES_RPC_SOCKET can be either :
- a filesystem path ( POSIX Unix domain socket — the default on
Linux and macOS )
- a string of the form ` ` tcp : / / 127.0 .0 .1 : < port > ` ` ( Windows , where
AF_UNIX is unreliable — the parent falls back to loopback TCP )
"""
2026-02-19 23:23:43 -08:00
global _sock
if _sock is None :
feat(windows): close remaining POSIX-only landmines — TUI crash, kanban waitpid, AF_UNIX sandbox, /bin/bash, npm .cmd shims, cwd tracking, detach flags
Second pass on native Windows support, driven by a systematic audit across
five areas: POSIX-only primitives (signal.SIGKILL/SIGHUP/SIGPIPE, os.WNOHANG,
os.setsid), path translation bugs (/c/Users → C:\Users), subprocess patterns
(npm.cmd batch shims, start_new_session no-op on Windows), subsystem health
(cron, gateway daemon, update flow), and module-level import guards.
Every change is platform-gated — POSIX (Linux/macOS) behaviour is preserved
bit-identical. Explicit "do no harm" test: test_posix_path_preserved_on_linux,
test_posix_noop, test_windows_detach_popen_kwargs_is_posix_equivalent_on_posix.
## New module
- hermes_cli/_subprocess_compat.py — shared helpers (resolve_node_command,
windows_detach_flags, windows_hide_flags, windows_detach_popen_kwargs).
All no-ops on non-Windows.
## CRITICAL fixes (would crash or silently break on Windows)
- tui_gateway/entry.py: SIGPIPE/SIGHUP referenced at module top level would
AttributeError on import on Windows, breaking `hermes --tui` entirely (it
spawns this module as a subprocess). Guard each signal.signal() call with
hasattr() and add SIGBREAK as Windows' SIGHUP equivalent.
- hermes_cli/kanban_db.py: os.waitpid(-1, os.WNOHANG) in dispatcher tick was
unguarded. os.WNOHANG doesn't exist on Windows. Gate the whole reap loop
behind `os.name != "nt"` — Windows has no zombies anyway.
- tools/code_execution_tool.py: AF_UNIX socket for execute_code RPC fails on
most Windows builds. Fall back to loopback TCP (AF_INET on 127.0.0.1:0
ephemeral port) when _IS_WINDOWS. HERMES_RPC_SOCKET env var now accepts
either a filesystem path (POSIX) or `tcp://127.0.0.1:<port>` (Windows).
Generated sandbox client parses both.
- cron/scheduler.py: `argv = ["/bin/bash", str(path)]` hardcoded. Use
shutil.which("bash") so Windows (Git Bash via MinGit) works, with a
readable error when bash is genuinely absent.
- 6 bare npm/npx spawn sites: tools_config.py x2, doctor.py, whatsapp.py
(npm install + node version probe), browser_tool.py x2. On Windows npm
is npm.cmd / npx is npx.cmd (batch shims); subprocess.Popen(["npm", ...])
fails with WinError 193. shutil.which(...) returns the absolute .cmd
path which CreateProcessW accepts because the extension routes through
cmd.exe /c. POSIX behaviour unchanged (shutil.which still returns the
same path subprocess would resolve itself).
## HIGH fixes (silent misbehaviour on Windows)
- tools/environments/local.py get_temp_dir: hardcoded /tmp returned on
Windows meant `_cwd_file = "/tmp/hermes-cwd-*.txt"`, which bash wrote
via MSYS2's virtual /tmp but native Python couldn't open. Result: cwd
tracking silently broken — `cd` in terminal tool did nothing. Windows
branch now returns `%HERMES_HOME%/cache/terminal` with forward slashes
(works in both bash and Python, guaranteed no spaces).
- tools/environments/local.py _make_run_env PATH injection: `/usr/bin not
in split(":")` heuristic mangles Windows PATH (";" separator). Gate
the injection behind `not _IS_WINDOWS`.
- hermes_cli/gateway.py launch_detached_profile_gateway_restart: outer
Popen + watcher-script Popen both used start_new_session=True, which
Windows silently ignores. Watcher stayed attached to CLI's console,
died when user closed terminal after `hermes update`, left gateway
stale. Now branches through windows_detach_popen_kwargs() helper
(CREATE_NEW_PROCESS_GROUP | DETACHED_PROCESS | CREATE_NO_WINDOW on
Windows, start_new_session=True on POSIX — identical to main).
## MEDIUM fixes
- gateway/run.py /restart and /update handlers: hardcoded bash/setsid
chain crashes on Windows when user triggers /update in-gateway. Now
has sys.platform=="win32" branch using sys.executable + a tiny
Python watcher with proper detach flags. POSIX path is unchanged.
- cli.py _git_repo_root: Git on Windows sometimes returns /c/Users/...
style paths that break subprocess.Popen(cwd=...) and Path().resolve().
Added _normalize_git_bash_path() helper that translates /c/Users,
/cygdrive/c, /mnt/c variants to native C:\Users form. POSIX no-op.
_git_repo_root() now routes every result through it.
- cli.py worktree .worktreeinclude: os.symlink on directories failed
hard on Windows (requires admin or Developer Mode). Falls back to
shutil.copytree with a warning log.
## Tests
- 29 new tests in tests/tools/test_windows_native_support.py covering:
subprocess_compat helpers, TUI entry signal guards, kanban waitpid
guard, code_execution TCP fallback source-level invariants, cron bash
resolution, npm/npx bare-spawn lint per-file, local env Windows temp
dir, PATH injection gating, git bash path normalization, symlink
fallback, gateway detached watcher flags.
- One existing test assertion adjusted in test_browser_homebrew_paths:
it compared captured Popen argv to the BARE `"npx"` literal; after the
shutil.which() change argv[0] is the absolute path. New assertion
checks the shape (two items, second is `agent-browser`) rather than
the exact first-item string. Behaviour unchanged; test was too strict.
All 56 tests pass on Linux (30 from previous commits + 26 new).
267 tests from the affected files/dirs (browser, code_exec, local_env,
process_registry, kanban_db, windows_compat) all pass — zero regressions.
tests/hermes_cli/ (3909 pass) and tests/gateway/ (5021 pass) unchanged;
all pre-existing test failures confirmed unrelated via `git stash` re-run.
## What's still deferred (LOW priority)
- Visible cmd-window flashes on short-lived console apps (~14 sites) —
cosmetic, needs a follow-up pass once we have user reports.
- agent/file_safety.py POSIX-only security deny patterns — separate
hardening task.
- tools/process_registry.py returning "/tmp" as fallback — theoretical;
reachable only when all env-var candidates fail.
2026-05-07 17:29:31 -07:00
endpoint = os . environ [ " HERMES_RPC_SOCKET " ]
if endpoint . startswith ( " tcp:// " ) :
# tcp://host:port (host is always 127.0.0.1 in practice — we
# only bind loopback server-side)
_host_port = endpoint [ len ( " tcp:// " ) : ]
_host , _ , _port = _host_port . rpartition ( " : " )
_sock = socket . socket ( socket . AF_INET , socket . SOCK_STREAM )
_sock . connect ( ( _host or " 127.0.0.1 " , int ( _port ) ) )
else :
_sock = socket . socket ( socket . AF_UNIX , socket . SOCK_STREAM )
_sock . connect ( endpoint )
2026-02-19 23:23:43 -08:00
_sock . settimeout ( 300 )
return _sock
def _call ( tool_name , args ) :
""" Send a tool call to the parent process and return the parsed result. """
request = json . dumps ( { " tool " : tool_name , " args " : args } ) + " \\ n "
2026-04-30 13:20:05 +08:00
with _call_lock :
conn = _connect ( )
conn . sendall ( request . encode ( ) )
buf = b " "
while True :
chunk = conn . recv ( 65536 )
if not chunk :
raise RuntimeError ( " Agent process disconnected " )
buf + = chunk
if buf . endswith ( b " \\ n " ) :
break
2026-02-19 23:23:43 -08:00
raw = buf . decode ( ) . strip ( )
result = json . loads ( raw )
if isinstance ( result , str ) :
try :
return json . loads ( result )
except ( json . JSONDecodeError , TypeError ) :
return result
return result
'''
2026-04-04 12:57:49 -07:00
# ---- File-based transport (remote backends) -------------------------------
_FILE_TRANSPORT_HEADER = ''' \
""" Auto-generated Hermes tools RPC stubs (file-based transport). """
2026-04-30 13:20:05 +08:00
import json , os , shlex , tempfile , threading , time
2026-04-04 12:57:49 -07:00
2026-04-09 13:46:08 +02:00
_RPC_DIR = os . environ . get ( " HERMES_RPC_DIR " ) or os . path . join ( tempfile . gettempdir ( ) , " hermes_rpc " )
2026-04-04 12:57:49 -07:00
_seq = 0
2026-04-30 13:20:05 +08:00
# `_seq += 1` is not atomic (read-modify-write), so concurrent _call()
# invocations from multiple threads could allocate the same sequence number
# and clobber each other's request files. Guard seq allocation with a lock.
_seq_lock = threading . Lock ( )
2026-04-04 12:57:49 -07:00
''' + _COMMON_HELPERS + ''' \
def _call ( tool_name , args ) :
""" Send a tool call request via file-based RPC and wait for response. """
global _seq
2026-04-30 13:20:05 +08:00
with _seq_lock :
_seq + = 1
seq = _seq
seq_str = f " { seq : 06d } "
2026-04-04 12:57:49 -07:00
req_file = os . path . join ( _RPC_DIR , f " req_ { seq_str } " )
res_file = os . path . join ( _RPC_DIR , f " res_ { seq_str } " )
2026-05-07 18:52:59 -07:00
# Write request atomically (write to .tmp, then rename).
# encoding="utf-8" is critical: on Windows-hosted remote backends
# (or any non-UTF-8 locale) the default open() mode would mangle
# non-ASCII chars in tool args when encoding them as JSON.
2026-04-04 12:57:49 -07:00
tmp = req_file + " .tmp "
2026-05-07 18:52:59 -07:00
with open ( tmp , " w " , encoding = " utf-8 " ) as f :
2026-04-30 13:20:05 +08:00
json . dump ( { " tool " : tool_name , " args " : args , " seq " : seq } , f )
2026-04-04 12:57:49 -07:00
os . rename ( tmp , req_file )
# Wait for response with adaptive polling
deadline = time . monotonic ( ) + 300 # 5-minute timeout per tool call
poll_interval = 0.05 # Start at 50ms
while not os . path . exists ( res_file ) :
if time . monotonic ( ) > deadline :
raise RuntimeError ( f " RPC timeout: no response for { tool_name } after 300s " )
time . sleep ( poll_interval )
poll_interval = min ( poll_interval * 1.2 , 0.25 ) # Back off to 250ms
2026-05-07 18:52:59 -07:00
with open ( res_file , encoding = " utf-8 " ) as f :
2026-04-04 12:57:49 -07:00
raw = f . read ( )
# Clean up response file
try :
os . unlink ( res_file )
except OSError :
pass
result = json . loads ( raw )
if isinstance ( result , str ) :
try :
return json . loads ( result )
except ( json . JSONDecodeError , TypeError ) :
return result
return result
'''
2026-02-19 23:23:43 -08:00
# ---------------------------------------------------------------------------
# RPC server (runs in a thread inside the parent process)
# ---------------------------------------------------------------------------
# Terminal parameters that must not be used from ephemeral sandbox scripts
2026-04-11 17:16:11 -07:00
_TERMINAL_BLOCKED_PARAMS = { " background " , " pty " , " notify_on_complete " , " watch_patterns " }
2026-02-19 23:23:43 -08:00
def _rpc_server_loop (
server_sock : socket . socket ,
task_id : str ,
tool_call_log : list ,
tool_call_counter : list , # mutable [int] so the thread can increment
max_tool_calls : int ,
allowed_tools : frozenset ,
) :
"""
Accept one client connection and dispatch tool - call requests until
the client disconnects or the call limit is reached .
"""
from model_tools import handle_function_call
conn = None
try :
server_sock . settimeout ( 5 )
conn , _ = server_sock . accept ( )
conn . settimeout ( 300 )
buf = b " "
while True :
try :
chunk = conn . recv ( 65536 )
except socket . timeout :
break
if not chunk :
break
buf + = chunk
# Process all complete newline-delimited messages in the buffer
while b " \n " in buf :
line , buf = buf . split ( b " \n " , 1 )
line = line . strip ( )
if not line :
continue
call_start = time . monotonic ( )
try :
request = json . loads ( line . decode ( ) )
except ( json . JSONDecodeError , UnicodeDecodeError ) as exc :
refactor: add tool_error/tool_result helpers + read_raw_config, migrate 129 callsites
Add three reusable helpers to eliminate pervasive boilerplate:
tools/registry.py — tool_error() and tool_result():
Every tool handler returns JSON strings. The pattern
json.dumps({"error": msg}, ensure_ascii=False) appeared 106 times,
and json.dumps({"success": False, "error": msg}, ...) another 23.
Now: tool_error(msg) or tool_error(msg, success=False).
tool_result() handles arbitrary result dicts:
tool_result(success=True, data=payload) or tool_result(some_dict).
hermes_cli/config.py — read_raw_config():
Lightweight YAML reader that returns the raw config dict without
load_config()'s deep-merge + migration overhead. Available for
callsites that just need a single config value.
Migration (129 callsites across 32 files):
- tools/: browser_camofox (18), file_tools (10), homeassistant (8),
web_tools (7), skill_manager (7), cronjob (11), code_execution (4),
delegate (5), send_message (4), tts (4), memory (7), session_search (3),
mcp (2), clarify (2), skills_tool (3), todo (1), vision (1),
browser (1), process_registry (2), image_gen (1)
- plugins/memory/: honcho (9), supermemory (9), hindsight (8),
holographic (7), openviking (7), mem0 (7), byterover (6), retaindb (2)
- agent/: memory_manager (2), builtin_memory_provider (1)
2026-04-07 13:36:20 -07:00
resp = tool_error ( f " Invalid RPC request: { exc } " )
2026-02-19 23:23:43 -08:00
conn . sendall ( ( resp + " \n " ) . encode ( ) )
continue
tool_name = request . get ( " tool " , " " )
tool_args = request . get ( " args " , { } )
# Enforce the allow-list
if tool_name not in allowed_tools :
available = " , " . join ( sorted ( allowed_tools ) )
resp = json . dumps ( {
" error " : (
f " Tool ' { tool_name } ' is not available in execute_code. "
f " Available: { available } "
)
} )
conn . sendall ( ( resp + " \n " ) . encode ( ) )
continue
# Enforce tool call limit
if tool_call_counter [ 0 ] > = max_tool_calls :
resp = json . dumps ( {
" error " : (
f " Tool call limit reached ( { max_tool_calls } ). "
" No more tool calls allowed in this execution. "
)
} )
conn . sendall ( ( resp + " \n " ) . encode ( ) )
continue
# Strip forbidden terminal parameters
if tool_name == " terminal " and isinstance ( tool_args , dict ) :
for param in _TERMINAL_BLOCKED_PARAMS :
tool_args . pop ( param , None )
2026-02-20 01:29:53 -08:00
# Dispatch through the standard tool handler.
# Suppress stdout/stderr from internal tool handlers so
# their status prints don't leak into the CLI spinner.
2026-02-19 23:23:43 -08:00
try :
2026-02-20 01:29:53 -08:00
_real_stdout , _real_stderr = sys . stdout , sys . stderr
codebase: add encoding='utf-8' to all bare open() calls (PLW1514)
Closes the last Python-on-Windows UTF-8 exposure by making every
text-mode open() call explicit about its encoding.
Before: on Windows, bare open(path, 'r') defaults to the system
locale encoding (cp1252 on US-locale installs). That means reading
any config/yaml/markdown/json file with non-ASCII content either
crashes with UnicodeDecodeError or silently mis-decodes bytes.
After: all 89 affected call sites in production code now pass
encoding='utf-8' explicitly. Works identically on every platform
and every locale, no surprise behavior.
Mechanical sweep via:
ruff check --preview --extend-select PLW1514 --unsafe-fixes --fix --exclude 'tests,venv,.venv,node_modules,website,optional-skills, skills,tinker-atropos,plugins' .
All 89 fixes have the same shape: open(x) or open(x, mode) became
open(x, encoding='utf-8') or open(x, mode, encoding='utf-8'). Nothing
else changed. Every modified file still parses and the Windows/sandbox
test suite is still green (85 passed, 14 skipped, 0 failed across
tests/tools/test_code_execution_windows_env.py +
tests/tools/test_code_execution_modes.py + tests/tools/test_env_passthrough.py +
tests/test_hermes_bootstrap.py).
Scope notes:
- tests/ excluded: test fixtures can use locale encoding intentionally
(exercising edge cases). If we want to tighten tests later that's
a separate PR.
- plugins/ excluded: plugin-specific conventions may differ; plugin
authors own their code.
- optional-skills/ and skills/ excluded: skill scripts are user-authored
and we don't want to mass-edit them.
- website/ and tinker-atropos/ excluded: vendored / generated content.
46 files touched, 89 +/- lines (symmetric replacement). No behavior
change on POSIX or on Windows when the file is ASCII; bug fix on
Windows when the file contains non-ASCII.
2026-05-07 19:24:45 -07:00
devnull = open ( os . devnull , " w " , encoding = " utf-8 " )
2026-02-20 01:29:53 -08:00
try :
2026-03-21 15:55:25 -07:00
sys . stdout = devnull
sys . stderr = devnull
2026-02-20 01:29:53 -08:00
result = handle_function_call (
tool_name , tool_args , task_id = task_id
)
finally :
sys . stdout , sys . stderr = _real_stdout , _real_stderr
2026-03-21 15:55:25 -07:00
devnull . close ( )
2026-02-19 23:23:43 -08:00
except Exception as exc :
2026-03-08 14:50:23 +03:00
logger . error ( " Tool call failed in sandbox: %s " , exc , exc_info = True )
refactor: add tool_error/tool_result helpers + read_raw_config, migrate 129 callsites
Add three reusable helpers to eliminate pervasive boilerplate:
tools/registry.py — tool_error() and tool_result():
Every tool handler returns JSON strings. The pattern
json.dumps({"error": msg}, ensure_ascii=False) appeared 106 times,
and json.dumps({"success": False, "error": msg}, ...) another 23.
Now: tool_error(msg) or tool_error(msg, success=False).
tool_result() handles arbitrary result dicts:
tool_result(success=True, data=payload) or tool_result(some_dict).
hermes_cli/config.py — read_raw_config():
Lightweight YAML reader that returns the raw config dict without
load_config()'s deep-merge + migration overhead. Available for
callsites that just need a single config value.
Migration (129 callsites across 32 files):
- tools/: browser_camofox (18), file_tools (10), homeassistant (8),
web_tools (7), skill_manager (7), cronjob (11), code_execution (4),
delegate (5), send_message (4), tts (4), memory (7), session_search (3),
mcp (2), clarify (2), skills_tool (3), todo (1), vision (1),
browser (1), process_registry (2), image_gen (1)
- plugins/memory/: honcho (9), supermemory (9), hindsight (8),
holographic (7), openviking (7), mem0 (7), byterover (6), retaindb (2)
- agent/: memory_manager (2), builtin_memory_provider (1)
2026-04-07 13:36:20 -07:00
result = tool_error ( str ( exc ) )
2026-02-19 23:23:43 -08:00
tool_call_counter [ 0 ] + = 1
call_duration = time . monotonic ( ) - call_start
# Log for observability
args_preview = str ( tool_args ) [ : 80 ]
tool_call_log . append ( {
" tool " : tool_name ,
" args_preview " : args_preview ,
" duration " : round ( call_duration , 2 ) ,
} )
conn . sendall ( ( result + " \n " ) . encode ( ) )
except socket . timeout :
2026-03-08 14:50:23 +03:00
logger . debug ( " RPC listener socket timeout " )
except OSError as e :
logger . debug ( " RPC listener socket error: %s " , e , exc_info = True )
2026-02-19 23:23:43 -08:00
finally :
if conn :
try :
conn . close ( )
2026-03-10 06:59:20 -07:00
except OSError as e :
logger . debug ( " RPC conn close error: %s " , e )
2026-02-19 23:23:43 -08:00
2026-04-04 12:57:49 -07:00
# ---------------------------------------------------------------------------
# Remote execution support (file-based RPC via terminal backend)
# ---------------------------------------------------------------------------
def _get_or_create_env ( task_id : str ) :
""" Get or create the terminal environment for *task_id*.
Reuses the same environment ( container / sandbox / SSH session ) that the
terminal and file tools use , creating one if it doesn ' t exist yet.
Returns ` ` ( env , env_type ) ` ` tuple .
"""
from tools . terminal_tool import (
_active_environments , _env_lock , _create_environment ,
_get_env_config , _last_activity , _start_cleanup_thread ,
_creation_locks , _creation_locks_lock , _task_env_overrides ,
feat(terminal): collapse subagent task_ids to shared container (#16177)
Before: delegate_task children each allocated their own terminal
sandbox keyed by child task_id. Starting extra containers (or Modal
sandboxes / Daytona workspaces) is expensive, and the subagent's work
is invisible to the parent — files written by the child in its
container don't exist in the parent's when the subagent returns.
After: a single `_resolve_container_task_id` helper maps any
tool-call task_id to "default" UNLESS an env override is registered
for it. The parent agent and all delegate_task children therefore
share one long-lived sandbox — installed packages, cwd, /workspace
files, and /tmp scratch carry over freely between them.
RL and benchmark environments (TerminalBench2, HermesSweEnv, ...)
opt in to isolation via `register_task_env_overrides(task_id, {...})`;
those task_ids survive the collapse and get their own sandbox,
preserving the per-task Docker image behavior these benchmarks rely on.
file_state / active-subagents registry / TUI events still key off the
original child task_id, so the 'subagent wrote a file the parent read'
warning and UI per-subagent panels keep working.
Tradeoff: parallel delegate_task children (tasks=[...]) now share one
bash/container. Concurrent cd, env-var mutations, and writes to the
same path will collide. If that bites a specific workflow, the
subagent can opt back into isolation via register_task_env_overrides.
Applied at four lookup sites:
- tools/terminal_tool.py terminal_tool() and get_active_env()
- tools/file_tools.py _get_file_ops() and _get_live_tracking_cwd()
- tools/code_execution_tool.py _get_or_create_environment()
Docs: website/docs/user-guide/configuration.md updated to reflect the
shared-container reality and document the RL/benchmark carve-out.
Tests: tests/tools/test_shared_container_task_id.py (9 cases).
2026-04-26 11:55:02 -07:00
_resolve_container_task_id ,
2026-04-04 12:57:49 -07:00
)
feat(terminal): collapse subagent task_ids to shared container (#16177)
Before: delegate_task children each allocated their own terminal
sandbox keyed by child task_id. Starting extra containers (or Modal
sandboxes / Daytona workspaces) is expensive, and the subagent's work
is invisible to the parent — files written by the child in its
container don't exist in the parent's when the subagent returns.
After: a single `_resolve_container_task_id` helper maps any
tool-call task_id to "default" UNLESS an env override is registered
for it. The parent agent and all delegate_task children therefore
share one long-lived sandbox — installed packages, cwd, /workspace
files, and /tmp scratch carry over freely between them.
RL and benchmark environments (TerminalBench2, HermesSweEnv, ...)
opt in to isolation via `register_task_env_overrides(task_id, {...})`;
those task_ids survive the collapse and get their own sandbox,
preserving the per-task Docker image behavior these benchmarks rely on.
file_state / active-subagents registry / TUI events still key off the
original child task_id, so the 'subagent wrote a file the parent read'
warning and UI per-subagent panels keep working.
Tradeoff: parallel delegate_task children (tasks=[...]) now share one
bash/container. Concurrent cd, env-var mutations, and writes to the
same path will collide. If that bites a specific workflow, the
subagent can opt back into isolation via register_task_env_overrides.
Applied at four lookup sites:
- tools/terminal_tool.py terminal_tool() and get_active_env()
- tools/file_tools.py _get_file_ops() and _get_live_tracking_cwd()
- tools/code_execution_tool.py _get_or_create_environment()
Docs: website/docs/user-guide/configuration.md updated to reflect the
shared-container reality and document the RL/benchmark carve-out.
Tests: tests/tools/test_shared_container_task_id.py (9 cases).
2026-04-26 11:55:02 -07:00
effective_task_id = _resolve_container_task_id ( task_id )
2026-04-04 12:57:49 -07:00
# Fast path: environment already exists
with _env_lock :
if effective_task_id in _active_environments :
_last_activity [ effective_task_id ] = time . time ( )
return _active_environments [ effective_task_id ] , _get_env_config ( ) [ " env_type " ]
# Slow path: create environment (same pattern as file_tools._get_file_ops)
with _creation_locks_lock :
if effective_task_id not in _creation_locks :
_creation_locks [ effective_task_id ] = threading . Lock ( )
task_lock = _creation_locks [ effective_task_id ]
with task_lock :
with _env_lock :
if effective_task_id in _active_environments :
_last_activity [ effective_task_id ] = time . time ( )
return _active_environments [ effective_task_id ] , _get_env_config ( ) [ " env_type " ]
config = _get_env_config ( )
env_type = config [ " env_type " ]
overrides = _task_env_overrides . get ( effective_task_id , { } )
if env_type == " docker " :
image = overrides . get ( " docker_image " ) or config [ " docker_image " ]
elif env_type == " singularity " :
image = overrides . get ( " singularity_image " ) or config [ " singularity_image " ]
elif env_type == " modal " :
image = overrides . get ( " modal_image " ) or config [ " modal_image " ]
elif env_type == " daytona " :
image = overrides . get ( " daytona_image " ) or config [ " daytona_image " ]
else :
image = " "
cwd = overrides . get ( " cwd " ) or config [ " cwd " ]
container_config = None
remove Vercel AI Gateway and Vercel Sandbox (#33067)
* remove Vercel AI Gateway provider and Vercel Sandbox terminal backend
Both Vercel-hosted integrations are removed end-to-end. Users on the AI
Gateway should switch to OpenRouter or one of the other aggregators
(Nous Portal, Kilo Code). Users on the Vercel Sandbox backend should
switch to Docker, Modal, Daytona, or SSH.
What's removed:
- `plugins/model-providers/ai-gateway/` provider plugin
- `hermes_cli/vercel_auth.py` Vercel-Sandbox auth helper
- `tools/environments/vercel_sandbox.py` terminal backend
- `ai-gateway` provider wiring across auth, doctor, setup, models,
config, status, providers, main, web_server, model_normalize, dump
- `vercel_sandbox` backend wiring across terminal_tool, file_tools,
code_execution_tool, file_operations, approval, skills_tool,
environments/local, credential_files, lazy_deps, prompt_builder,
cli, gateway/run
- `AI_GATEWAY_BASE_URL` constant, `_AI_GATEWAY_HEADERS` auxiliary-client
header set, run_agent base-URL header/reasoning special-cases
- `[vercel]` pyproject extra and `vercel`/`vercel-workers` from uv.lock
- env vars: `AI_GATEWAY_API_KEY`, `AI_GATEWAY_BASE_URL`, `VERCEL_TOKEN`,
`VERCEL_PROJECT_ID`, `VERCEL_TEAM_ID`, `VERCEL_OIDC_TOKEN`,
`TERMINAL_VERCEL_RUNTIME`
- Tests: deletes test_ai_gateway_models.py and
test_vercel_sandbox_environment.py; scrubs references across 23
surviving test files (no entire tests deleted unless they were
dedicated to AI Gateway / Sandbox)
- Docs: provider tables, env-var reference, setup guides, security
notes, tool config, terminal-backend tables — English plus zh-Hans
i18n parity
- `hermes-agent` skill: provider table entry and remote-backend list
What stays (intentional):
- `popular-web-designs/templates/vercel.md` — CSS design reference,
unrelated to Vercel-the-AI-product
- `x-vercel-id` in `stream_diag.py` headers — generic Vercel CDN
response header, useful diag signal on any Vercel-hosted endpoint
- `vercel-labs/agent-browser` URL in browser config — lightpanda
browser project, different OSS effort
- `userStories.json` historical contributor entry mentioning Vercel
Sandbox — archive, not active docs
Validation:
- 1153 tests in the 22 targeted files pass (`scripts/run_tests.sh`)
- Full repo `py_compile` clean
- Live import of every touched module + invariant check (no
`ai-gateway` in `PROVIDER_REGISTRY`, no `_AI_GATEWAY_HEADERS`, no
`vercel_sandbox` in `_REMOTE_TERMINAL_BACKENDS`)
* test: convert profile-count check from change-detector to invariant
The hardcoded "== 34" assertion broke when ai-gateway was removed.
Per AGENTS.md change-detector-test guidance, assert the relationship
(registry count >= number of plugin dirs) instead of a literal count.
Counts shift when providers are added/removed; that's expected.
2026-05-27 00:43:32 -07:00
if env_type in { " docker " , " singularity " , " modal " , " daytona " } :
2026-04-04 12:57:49 -07:00
container_config = {
" container_cpu " : config . get ( " container_cpu " , 1 ) ,
" container_memory " : config . get ( " container_memory " , 5120 ) ,
" container_disk " : config . get ( " container_disk " , 51200 ) ,
" container_persistent " : config . get ( " container_persistent " , True ) ,
" docker_volumes " : config . get ( " docker_volumes " , [ ] ) ,
2026-04-29 16:16:43 +10:00
" docker_run_as_host_user " : config . get ( " docker_run_as_host_user " , False ) ,
2026-04-04 12:57:49 -07:00
}
ssh_config = None
if env_type == " ssh " :
ssh_config = {
" host " : config . get ( " ssh_host " , " " ) ,
" user " : config . get ( " ssh_user " , " " ) ,
" port " : config . get ( " ssh_port " , 22 ) ,
" key " : config . get ( " ssh_key " , " " ) ,
" persistent " : config . get ( " ssh_persistent " , False ) ,
}
local_config = None
if env_type == " local " :
local_config = {
" persistent " : config . get ( " local_persistent " , False ) ,
}
logger . info ( " Creating new %s environment for execute_code task %s ... " ,
env_type , effective_task_id [ : 8 ] )
env = _create_environment (
env_type = env_type ,
image = image ,
cwd = cwd ,
timeout = config [ " timeout " ] ,
ssh_config = ssh_config ,
container_config = container_config ,
local_config = local_config ,
task_id = effective_task_id ,
host_cwd = config . get ( " host_cwd " ) ,
)
with _env_lock :
_active_environments [ effective_task_id ] = env
_last_activity [ effective_task_id ] = time . time ( )
_start_cleanup_thread ( )
logger . info ( " %s environment ready for execute_code task %s " ,
env_type , effective_task_id [ : 8 ] )
return env , env_type
def _ship_file_to_remote ( env , remote_path : str , content : str ) - > None :
""" Write *content* to *remote_path* on the remote environment.
Uses ` ` echo … | base64 - d ` ` rather than stdin piping because some
backends ( Modal ) don ' t reliably deliver stdin_data to chained
commands . Base64 output is shell - safe ( [ A - Za - z0 - 9 + / = ] ) so single
quotes are fine .
"""
encoded = base64 . b64encode ( content . encode ( " utf-8 " ) ) . decode ( " ascii " )
2026-04-09 13:46:08 +02:00
quoted_remote_path = shlex . quote ( remote_path )
feat(environments): unified spawn-per-call execution layer
Replace dual execution model (PersistentShellMixin + per-backend oneshot)
with spawn-per-call + session snapshot for all backends except ManagedModal.
Core changes:
- Every command spawns a fresh bash process; session snapshot (env vars,
functions, aliases) captured at init and re-sourced before each command
- CWD persists via file-based read (local) or in-band stdout markers (remote)
- ProcessHandle protocol + _ThreadedProcessHandle adapter for SDK backends
- cancel_fn wired for Modal (sandbox.terminate) and Daytona (sandbox.stop)
- Shared utilities extracted: _pipe_stdin, _popen_bash, _load_json_store,
_save_json_store, _file_mtime_key, _SYNC_INTERVAL_SECONDS
- Rate-limited file sync unified in base _before_execute() with _sync_files() hook
- execute_oneshot() removed; all 11 call sites in code_execution_tool.py
migrated to execute()
- Daytona timeout wrapper replaced with SDK-native timeout parameter
- persistent_shell.py deleted (291 lines)
Backend-specific:
- Local: process-group kill via os.killpg, file-based CWD read
- Docker: -e env flags only on init_session, not per-command
- SSH: shlex.quote transport, ControlMaster connection reuse
- Singularity: apptainer exec with instance://, no forced --pwd
- Modal: _AsyncWorker + _ThreadedProcessHandle, cancel_fn -> sandbox.terminate
- Daytona: SDK-level timeout (not shell wrapper), cancel_fn -> sandbox.stop
- ManagedModal: unchanged (gateway owns execution); docstring added explaining why
2026-04-08 13:38:04 -07:00
env . execute (
2026-04-09 13:46:08 +02:00
f " echo ' { encoded } ' | base64 -d > { quoted_remote_path } " ,
2026-04-04 12:57:49 -07:00
cwd = " / " ,
timeout = 30 ,
)
2026-04-09 13:46:08 +02:00
def _env_temp_dir ( env : Any ) - > str :
""" Return a writable temp dir for env-backed execute_code sandboxes. """
get_temp_dir = getattr ( env , " get_temp_dir " , None )
if callable ( get_temp_dir ) :
try :
temp_dir = get_temp_dir ( )
if isinstance ( temp_dir , str ) and temp_dir . startswith ( " / " ) :
return temp_dir . rstrip ( " / " ) or " / "
except Exception as exc :
logger . debug ( " Could not resolve execute_code env temp dir: %s " , exc )
candidate = tempfile . gettempdir ( )
if isinstance ( candidate , str ) and candidate . startswith ( " / " ) :
return candidate . rstrip ( " / " ) or " / "
return " /tmp "
2026-04-04 12:57:49 -07:00
def _rpc_poll_loop (
env ,
rpc_dir : str ,
task_id : str ,
tool_call_log : list ,
tool_call_counter : list ,
max_tool_calls : int ,
allowed_tools : frozenset ,
stop_event : threading . Event ,
) :
""" Poll the remote filesystem for tool call requests and dispatch them.
feat(environments): unified spawn-per-call execution layer
Replace dual execution model (PersistentShellMixin + per-backend oneshot)
with spawn-per-call + session snapshot for all backends except ManagedModal.
Core changes:
- Every command spawns a fresh bash process; session snapshot (env vars,
functions, aliases) captured at init and re-sourced before each command
- CWD persists via file-based read (local) or in-band stdout markers (remote)
- ProcessHandle protocol + _ThreadedProcessHandle adapter for SDK backends
- cancel_fn wired for Modal (sandbox.terminate) and Daytona (sandbox.stop)
- Shared utilities extracted: _pipe_stdin, _popen_bash, _load_json_store,
_save_json_store, _file_mtime_key, _SYNC_INTERVAL_SECONDS
- Rate-limited file sync unified in base _before_execute() with _sync_files() hook
- execute_oneshot() removed; all 11 call sites in code_execution_tool.py
migrated to execute()
- Daytona timeout wrapper replaced with SDK-native timeout parameter
- persistent_shell.py deleted (291 lines)
Backend-specific:
- Local: process-group kill via os.killpg, file-based CWD read
- Docker: -e env flags only on init_session, not per-command
- SSH: shlex.quote transport, ControlMaster connection reuse
- Singularity: apptainer exec with instance://, no forced --pwd
- Modal: _AsyncWorker + _ThreadedProcessHandle, cancel_fn -> sandbox.terminate
- Daytona: SDK-level timeout (not shell wrapper), cancel_fn -> sandbox.stop
- ManagedModal: unchanged (gateway owns execution); docstring added explaining why
2026-04-08 13:38:04 -07:00
Runs in a background thread . Each ` ` env . execute ( ) ` ` spawns an
independent process , so these calls run safely concurrent with the
script - execution thread .
2026-04-04 12:57:49 -07:00
"""
from model_tools import handle_function_call
poll_interval = 0.1 # 100 ms
2026-04-09 13:46:08 +02:00
quoted_rpc_dir = shlex . quote ( rpc_dir )
2026-04-04 12:57:49 -07:00
while not stop_event . is_set ( ) :
try :
# List pending request files (skip .tmp partials)
feat(environments): unified spawn-per-call execution layer
Replace dual execution model (PersistentShellMixin + per-backend oneshot)
with spawn-per-call + session snapshot for all backends except ManagedModal.
Core changes:
- Every command spawns a fresh bash process; session snapshot (env vars,
functions, aliases) captured at init and re-sourced before each command
- CWD persists via file-based read (local) or in-band stdout markers (remote)
- ProcessHandle protocol + _ThreadedProcessHandle adapter for SDK backends
- cancel_fn wired for Modal (sandbox.terminate) and Daytona (sandbox.stop)
- Shared utilities extracted: _pipe_stdin, _popen_bash, _load_json_store,
_save_json_store, _file_mtime_key, _SYNC_INTERVAL_SECONDS
- Rate-limited file sync unified in base _before_execute() with _sync_files() hook
- execute_oneshot() removed; all 11 call sites in code_execution_tool.py
migrated to execute()
- Daytona timeout wrapper replaced with SDK-native timeout parameter
- persistent_shell.py deleted (291 lines)
Backend-specific:
- Local: process-group kill via os.killpg, file-based CWD read
- Docker: -e env flags only on init_session, not per-command
- SSH: shlex.quote transport, ControlMaster connection reuse
- Singularity: apptainer exec with instance://, no forced --pwd
- Modal: _AsyncWorker + _ThreadedProcessHandle, cancel_fn -> sandbox.terminate
- Daytona: SDK-level timeout (not shell wrapper), cancel_fn -> sandbox.stop
- ManagedModal: unchanged (gateway owns execution); docstring added explaining why
2026-04-08 13:38:04 -07:00
ls_result = env . execute (
2026-04-09 13:46:08 +02:00
f " ls -1 { quoted_rpc_dir } /req_* 2>/dev/null || true " ,
2026-04-04 12:57:49 -07:00
cwd = " / " ,
timeout = 10 ,
)
output = ls_result . get ( " output " , " " ) . strip ( )
if not output :
stop_event . wait ( poll_interval )
continue
req_files = sorted ( [
f . strip ( ) for f in output . split ( " \n " )
if f . strip ( )
and not f . strip ( ) . endswith ( " .tmp " )
and " /req_ " in f . strip ( )
] )
for req_file in req_files :
if stop_event . is_set ( ) :
break
call_start = time . monotonic ( )
2026-04-09 13:46:08 +02:00
quoted_req_file = shlex . quote ( req_file )
2026-04-04 12:57:49 -07:00
# Read request
feat(environments): unified spawn-per-call execution layer
Replace dual execution model (PersistentShellMixin + per-backend oneshot)
with spawn-per-call + session snapshot for all backends except ManagedModal.
Core changes:
- Every command spawns a fresh bash process; session snapshot (env vars,
functions, aliases) captured at init and re-sourced before each command
- CWD persists via file-based read (local) or in-band stdout markers (remote)
- ProcessHandle protocol + _ThreadedProcessHandle adapter for SDK backends
- cancel_fn wired for Modal (sandbox.terminate) and Daytona (sandbox.stop)
- Shared utilities extracted: _pipe_stdin, _popen_bash, _load_json_store,
_save_json_store, _file_mtime_key, _SYNC_INTERVAL_SECONDS
- Rate-limited file sync unified in base _before_execute() with _sync_files() hook
- execute_oneshot() removed; all 11 call sites in code_execution_tool.py
migrated to execute()
- Daytona timeout wrapper replaced with SDK-native timeout parameter
- persistent_shell.py deleted (291 lines)
Backend-specific:
- Local: process-group kill via os.killpg, file-based CWD read
- Docker: -e env flags only on init_session, not per-command
- SSH: shlex.quote transport, ControlMaster connection reuse
- Singularity: apptainer exec with instance://, no forced --pwd
- Modal: _AsyncWorker + _ThreadedProcessHandle, cancel_fn -> sandbox.terminate
- Daytona: SDK-level timeout (not shell wrapper), cancel_fn -> sandbox.stop
- ManagedModal: unchanged (gateway owns execution); docstring added explaining why
2026-04-08 13:38:04 -07:00
read_result = env . execute (
2026-04-09 13:46:08 +02:00
f " cat { quoted_req_file } " ,
2026-04-04 12:57:49 -07:00
cwd = " / " ,
timeout = 10 ,
)
try :
request = json . loads ( read_result . get ( " output " , " " ) )
except ( json . JSONDecodeError , ValueError ) :
logger . debug ( " Malformed RPC request in %s " , req_file )
# Remove bad request to avoid infinite retry
2026-04-09 13:46:08 +02:00
env . execute ( f " rm -f { quoted_req_file } " , cwd = " / " , timeout = 5 )
2026-04-04 12:57:49 -07:00
continue
tool_name = request . get ( " tool " , " " )
tool_args = request . get ( " args " , { } )
seq = request . get ( " seq " , 0 )
seq_str = f " { seq : 06d } "
res_file = f " { rpc_dir } /res_ { seq_str } "
2026-04-09 13:46:08 +02:00
quoted_res_file = shlex . quote ( res_file )
2026-04-04 12:57:49 -07:00
# Enforce allow-list
if tool_name not in allowed_tools :
available = " , " . join ( sorted ( allowed_tools ) )
tool_result = json . dumps ( {
" error " : (
f " Tool ' { tool_name } ' is not available in execute_code. "
f " Available: { available } "
)
} )
# Enforce tool call limit
elif tool_call_counter [ 0 ] > = max_tool_calls :
tool_result = json . dumps ( {
" error " : (
f " Tool call limit reached ( { max_tool_calls } ). "
" No more tool calls allowed in this execution. "
)
} )
else :
# Strip forbidden terminal parameters
if tool_name == " terminal " and isinstance ( tool_args , dict ) :
for param in _TERMINAL_BLOCKED_PARAMS :
tool_args . pop ( param , None )
# Dispatch through the standard tool handler
try :
_real_stdout , _real_stderr = sys . stdout , sys . stderr
codebase: add encoding='utf-8' to all bare open() calls (PLW1514)
Closes the last Python-on-Windows UTF-8 exposure by making every
text-mode open() call explicit about its encoding.
Before: on Windows, bare open(path, 'r') defaults to the system
locale encoding (cp1252 on US-locale installs). That means reading
any config/yaml/markdown/json file with non-ASCII content either
crashes with UnicodeDecodeError or silently mis-decodes bytes.
After: all 89 affected call sites in production code now pass
encoding='utf-8' explicitly. Works identically on every platform
and every locale, no surprise behavior.
Mechanical sweep via:
ruff check --preview --extend-select PLW1514 --unsafe-fixes --fix --exclude 'tests,venv,.venv,node_modules,website,optional-skills, skills,tinker-atropos,plugins' .
All 89 fixes have the same shape: open(x) or open(x, mode) became
open(x, encoding='utf-8') or open(x, mode, encoding='utf-8'). Nothing
else changed. Every modified file still parses and the Windows/sandbox
test suite is still green (85 passed, 14 skipped, 0 failed across
tests/tools/test_code_execution_windows_env.py +
tests/tools/test_code_execution_modes.py + tests/tools/test_env_passthrough.py +
tests/test_hermes_bootstrap.py).
Scope notes:
- tests/ excluded: test fixtures can use locale encoding intentionally
(exercising edge cases). If we want to tighten tests later that's
a separate PR.
- plugins/ excluded: plugin-specific conventions may differ; plugin
authors own their code.
- optional-skills/ and skills/ excluded: skill scripts are user-authored
and we don't want to mass-edit them.
- website/ and tinker-atropos/ excluded: vendored / generated content.
46 files touched, 89 +/- lines (symmetric replacement). No behavior
change on POSIX or on Windows when the file is ASCII; bug fix on
Windows when the file contains non-ASCII.
2026-05-07 19:24:45 -07:00
devnull = open ( os . devnull , " w " , encoding = " utf-8 " )
2026-04-04 12:57:49 -07:00
try :
sys . stdout = devnull
sys . stderr = devnull
tool_result = handle_function_call (
tool_name , tool_args , task_id = task_id
)
finally :
sys . stdout , sys . stderr = _real_stdout , _real_stderr
devnull . close ( )
except Exception as exc :
logger . error ( " Tool call failed in remote sandbox: %s " ,
exc , exc_info = True )
refactor: add tool_error/tool_result helpers + read_raw_config, migrate 129 callsites
Add three reusable helpers to eliminate pervasive boilerplate:
tools/registry.py — tool_error() and tool_result():
Every tool handler returns JSON strings. The pattern
json.dumps({"error": msg}, ensure_ascii=False) appeared 106 times,
and json.dumps({"success": False, "error": msg}, ...) another 23.
Now: tool_error(msg) or tool_error(msg, success=False).
tool_result() handles arbitrary result dicts:
tool_result(success=True, data=payload) or tool_result(some_dict).
hermes_cli/config.py — read_raw_config():
Lightweight YAML reader that returns the raw config dict without
load_config()'s deep-merge + migration overhead. Available for
callsites that just need a single config value.
Migration (129 callsites across 32 files):
- tools/: browser_camofox (18), file_tools (10), homeassistant (8),
web_tools (7), skill_manager (7), cronjob (11), code_execution (4),
delegate (5), send_message (4), tts (4), memory (7), session_search (3),
mcp (2), clarify (2), skills_tool (3), todo (1), vision (1),
browser (1), process_registry (2), image_gen (1)
- plugins/memory/: honcho (9), supermemory (9), hindsight (8),
holographic (7), openviking (7), mem0 (7), byterover (6), retaindb (2)
- agent/: memory_manager (2), builtin_memory_provider (1)
2026-04-07 13:36:20 -07:00
tool_result = tool_error ( str ( exc ) )
2026-04-04 12:57:49 -07:00
tool_call_counter [ 0 ] + = 1
call_duration = time . monotonic ( ) - call_start
tool_call_log . append ( {
" tool " : tool_name ,
" args_preview " : str ( tool_args ) [ : 80 ] ,
" duration " : round ( call_duration , 2 ) ,
} )
# Write response atomically (tmp + rename).
# Use echo piping (not stdin_data) because Modal doesn't
# reliably deliver stdin to chained commands.
encoded_result = base64 . b64encode (
tool_result . encode ( " utf-8 " )
) . decode ( " ascii " )
feat(environments): unified spawn-per-call execution layer
Replace dual execution model (PersistentShellMixin + per-backend oneshot)
with spawn-per-call + session snapshot for all backends except ManagedModal.
Core changes:
- Every command spawns a fresh bash process; session snapshot (env vars,
functions, aliases) captured at init and re-sourced before each command
- CWD persists via file-based read (local) or in-band stdout markers (remote)
- ProcessHandle protocol + _ThreadedProcessHandle adapter for SDK backends
- cancel_fn wired for Modal (sandbox.terminate) and Daytona (sandbox.stop)
- Shared utilities extracted: _pipe_stdin, _popen_bash, _load_json_store,
_save_json_store, _file_mtime_key, _SYNC_INTERVAL_SECONDS
- Rate-limited file sync unified in base _before_execute() with _sync_files() hook
- execute_oneshot() removed; all 11 call sites in code_execution_tool.py
migrated to execute()
- Daytona timeout wrapper replaced with SDK-native timeout parameter
- persistent_shell.py deleted (291 lines)
Backend-specific:
- Local: process-group kill via os.killpg, file-based CWD read
- Docker: -e env flags only on init_session, not per-command
- SSH: shlex.quote transport, ControlMaster connection reuse
- Singularity: apptainer exec with instance://, no forced --pwd
- Modal: _AsyncWorker + _ThreadedProcessHandle, cancel_fn -> sandbox.terminate
- Daytona: SDK-level timeout (not shell wrapper), cancel_fn -> sandbox.stop
- ManagedModal: unchanged (gateway owns execution); docstring added explaining why
2026-04-08 13:38:04 -07:00
env . execute (
2026-04-09 13:46:08 +02:00
f " echo ' { encoded_result } ' | base64 -d > { quoted_res_file } .tmp "
f " && mv { quoted_res_file } .tmp { quoted_res_file } " ,
2026-04-04 12:57:49 -07:00
cwd = " / " ,
timeout = 60 ,
)
# Remove the request file
2026-04-09 13:46:08 +02:00
env . execute ( f " rm -f { quoted_req_file } " , cwd = " / " , timeout = 5 )
2026-04-04 12:57:49 -07:00
except Exception as e :
if not stop_event . is_set ( ) :
logger . debug ( " RPC poll error: %s " , e , exc_info = True )
if not stop_event . is_set ( ) :
stop_event . wait ( poll_interval )
def _execute_remote (
code : str ,
task_id : Optional [ str ] ,
enabled_tools : Optional [ List [ str ] ] ,
) - > str :
""" Run a script on the remote terminal backend via file-based RPC.
The script and the generated hermes_tools . py module are shipped to
the remote environment , and tool calls are proxied through a polling
thread that communicates via request / response files .
"""
_cfg = _load_config ( )
timeout = _cfg . get ( " timeout " , DEFAULT_TIMEOUT )
max_tool_calls = _cfg . get ( " max_tool_calls " , DEFAULT_MAX_TOOL_CALLS )
session_tools = set ( enabled_tools ) if enabled_tools else set ( )
sandbox_tools = frozenset ( SANDBOX_ALLOWED_TOOLS & session_tools )
if not sandbox_tools :
sandbox_tools = SANDBOX_ALLOWED_TOOLS
effective_task_id = task_id or " default "
env , env_type = _get_or_create_env ( effective_task_id )
sandbox_id = uuid . uuid4 ( ) . hex [ : 12 ]
2026-04-09 13:46:08 +02:00
temp_dir = _env_temp_dir ( env )
sandbox_dir = f " { temp_dir } /hermes_exec_ { sandbox_id } "
quoted_sandbox_dir = shlex . quote ( sandbox_dir )
quoted_rpc_dir = shlex . quote ( f " { sandbox_dir } /rpc " )
2026-04-04 12:57:49 -07:00
tool_call_log : list = [ ]
tool_call_counter = [ 0 ]
exec_start = time . monotonic ( )
stop_event = threading . Event ( )
rpc_thread = None
try :
# Verify Python is available on the remote
feat(environments): unified spawn-per-call execution layer
Replace dual execution model (PersistentShellMixin + per-backend oneshot)
with spawn-per-call + session snapshot for all backends except ManagedModal.
Core changes:
- Every command spawns a fresh bash process; session snapshot (env vars,
functions, aliases) captured at init and re-sourced before each command
- CWD persists via file-based read (local) or in-band stdout markers (remote)
- ProcessHandle protocol + _ThreadedProcessHandle adapter for SDK backends
- cancel_fn wired for Modal (sandbox.terminate) and Daytona (sandbox.stop)
- Shared utilities extracted: _pipe_stdin, _popen_bash, _load_json_store,
_save_json_store, _file_mtime_key, _SYNC_INTERVAL_SECONDS
- Rate-limited file sync unified in base _before_execute() with _sync_files() hook
- execute_oneshot() removed; all 11 call sites in code_execution_tool.py
migrated to execute()
- Daytona timeout wrapper replaced with SDK-native timeout parameter
- persistent_shell.py deleted (291 lines)
Backend-specific:
- Local: process-group kill via os.killpg, file-based CWD read
- Docker: -e env flags only on init_session, not per-command
- SSH: shlex.quote transport, ControlMaster connection reuse
- Singularity: apptainer exec with instance://, no forced --pwd
- Modal: _AsyncWorker + _ThreadedProcessHandle, cancel_fn -> sandbox.terminate
- Daytona: SDK-level timeout (not shell wrapper), cancel_fn -> sandbox.stop
- ManagedModal: unchanged (gateway owns execution); docstring added explaining why
2026-04-08 13:38:04 -07:00
py_check = env . execute (
2026-04-04 12:57:49 -07:00
" command -v python3 >/dev/null 2>&1 && echo OK " ,
cwd = " / " , timeout = 15 ,
)
if " OK " not in py_check . get ( " output " , " " ) :
return json . dumps ( {
" status " : " error " ,
" error " : (
f " Python 3 is not available in the { env_type } terminal "
" environment. Install Python to use execute_code with "
" remote backends. "
) ,
" tool_calls_made " : 0 ,
" duration_seconds " : 0 ,
} )
# Create sandbox directory on remote
feat(environments): unified spawn-per-call execution layer
Replace dual execution model (PersistentShellMixin + per-backend oneshot)
with spawn-per-call + session snapshot for all backends except ManagedModal.
Core changes:
- Every command spawns a fresh bash process; session snapshot (env vars,
functions, aliases) captured at init and re-sourced before each command
- CWD persists via file-based read (local) or in-band stdout markers (remote)
- ProcessHandle protocol + _ThreadedProcessHandle adapter for SDK backends
- cancel_fn wired for Modal (sandbox.terminate) and Daytona (sandbox.stop)
- Shared utilities extracted: _pipe_stdin, _popen_bash, _load_json_store,
_save_json_store, _file_mtime_key, _SYNC_INTERVAL_SECONDS
- Rate-limited file sync unified in base _before_execute() with _sync_files() hook
- execute_oneshot() removed; all 11 call sites in code_execution_tool.py
migrated to execute()
- Daytona timeout wrapper replaced with SDK-native timeout parameter
- persistent_shell.py deleted (291 lines)
Backend-specific:
- Local: process-group kill via os.killpg, file-based CWD read
- Docker: -e env flags only on init_session, not per-command
- SSH: shlex.quote transport, ControlMaster connection reuse
- Singularity: apptainer exec with instance://, no forced --pwd
- Modal: _AsyncWorker + _ThreadedProcessHandle, cancel_fn -> sandbox.terminate
- Daytona: SDK-level timeout (not shell wrapper), cancel_fn -> sandbox.stop
- ManagedModal: unchanged (gateway owns execution); docstring added explaining why
2026-04-08 13:38:04 -07:00
env . execute (
2026-04-09 13:46:08 +02:00
f " mkdir -p { quoted_rpc_dir } " , cwd = " / " , timeout = 10 ,
2026-04-04 12:57:49 -07:00
)
# Generate and ship files
tools_src = generate_hermes_tools_module (
list ( sandbox_tools ) , transport = " file " ,
)
_ship_file_to_remote ( env , f " { sandbox_dir } /hermes_tools.py " , tools_src )
_ship_file_to_remote ( env , f " { sandbox_dir } /script.py " , code )
2026-05-28 17:47:09 -04:00
# Wrapped so the thread inherits the turn's approval context + callbacks
# (see tools.thread_context) — else sandbox RPC tool calls lose approval
# routing (#33057).
2026-04-04 12:57:49 -07:00
rpc_thread = threading . Thread (
2026-05-28 17:47:09 -04:00
target = propagate_context_to_thread ( _rpc_poll_loop ) ,
2026-04-04 12:57:49 -07:00
args = (
env , f " { sandbox_dir } /rpc " , effective_task_id ,
tool_call_log , tool_call_counter , max_tool_calls ,
sandbox_tools , stop_event ,
) ,
daemon = True ,
)
rpc_thread . start ( )
# Build environment variable prefix for the script
env_prefix = (
2026-04-09 13:46:08 +02:00
f " HERMES_RPC_DIR= { shlex . quote ( f ' { sandbox_dir } /rpc ' ) } "
2026-04-04 12:57:49 -07:00
f " PYTHONDONTWRITEBYTECODE=1 "
)
tz = os . getenv ( " HERMES_TIMEZONE " , " " ) . strip ( )
if tz :
env_prefix + = f " TZ= { tz } "
# Execute the script on the remote backend
logger . info ( " Executing code on %s backend (task %s )... " ,
env_type , effective_task_id [ : 8 ] )
script_result = env . execute (
2026-04-09 13:46:08 +02:00
f " cd { quoted_sandbox_dir } && { env_prefix } python3 script.py " ,
2026-04-04 12:57:49 -07:00
timeout = timeout ,
)
stdout_text = script_result . get ( " output " , " " )
exit_code = script_result . get ( " returncode " , - 1 )
status = " success "
# Check for timeout/interrupt from the backend
if exit_code == 124 :
status = " timeout "
elif exit_code == 130 :
status = " interrupted "
except Exception as exc :
duration = round ( time . monotonic ( ) - exec_start , 2 )
logger . error (
" execute_code remote failed after %s s with %d tool calls: %s : %s " ,
duration , tool_call_counter [ 0 ] , type ( exc ) . __name__ , exc ,
exc_info = True ,
)
return json . dumps ( {
" status " : " error " ,
" error " : str ( exc ) ,
" tool_calls_made " : tool_call_counter [ 0 ] ,
" duration_seconds " : duration ,
} , ensure_ascii = False )
finally :
# Stop the polling thread
stop_event . set ( )
if rpc_thread is not None :
rpc_thread . join ( timeout = 5 )
# Clean up remote sandbox dir
try :
feat(environments): unified spawn-per-call execution layer
Replace dual execution model (PersistentShellMixin + per-backend oneshot)
with spawn-per-call + session snapshot for all backends except ManagedModal.
Core changes:
- Every command spawns a fresh bash process; session snapshot (env vars,
functions, aliases) captured at init and re-sourced before each command
- CWD persists via file-based read (local) or in-band stdout markers (remote)
- ProcessHandle protocol + _ThreadedProcessHandle adapter for SDK backends
- cancel_fn wired for Modal (sandbox.terminate) and Daytona (sandbox.stop)
- Shared utilities extracted: _pipe_stdin, _popen_bash, _load_json_store,
_save_json_store, _file_mtime_key, _SYNC_INTERVAL_SECONDS
- Rate-limited file sync unified in base _before_execute() with _sync_files() hook
- execute_oneshot() removed; all 11 call sites in code_execution_tool.py
migrated to execute()
- Daytona timeout wrapper replaced with SDK-native timeout parameter
- persistent_shell.py deleted (291 lines)
Backend-specific:
- Local: process-group kill via os.killpg, file-based CWD read
- Docker: -e env flags only on init_session, not per-command
- SSH: shlex.quote transport, ControlMaster connection reuse
- Singularity: apptainer exec with instance://, no forced --pwd
- Modal: _AsyncWorker + _ThreadedProcessHandle, cancel_fn -> sandbox.terminate
- Daytona: SDK-level timeout (not shell wrapper), cancel_fn -> sandbox.stop
- ManagedModal: unchanged (gateway owns execution); docstring added explaining why
2026-04-08 13:38:04 -07:00
env . execute (
2026-04-09 13:46:08 +02:00
f " rm -rf { quoted_sandbox_dir } " , cwd = " / " , timeout = 15 ,
2026-04-04 12:57:49 -07:00
)
except Exception :
logger . debug ( " Failed to clean up remote sandbox %s " , sandbox_dir )
duration = round ( time . monotonic ( ) - exec_start , 2 )
# --- Post-process output (same as local path) ---
# Truncate stdout to cap
if len ( stdout_text ) > MAX_STDOUT_BYTES :
head_bytes = int ( MAX_STDOUT_BYTES * 0.4 )
tail_bytes = MAX_STDOUT_BYTES - head_bytes
head = stdout_text [ : head_bytes ]
tail = stdout_text [ - tail_bytes : ]
omitted = len ( stdout_text ) - len ( head ) - len ( tail )
stdout_text = (
head
+ f " \n \n ... [OUTPUT TRUNCATED - { omitted : , } chars omitted "
f " out of { len ( stdout_text ) : , } total] ... \n \n "
+ tail
)
# Strip ANSI escape sequences
from tools . ansi_strip import strip_ansi
stdout_text = strip_ansi ( stdout_text )
# Redact secrets
from agent . redact import redact_sensitive_text
stdout_text = redact_sensitive_text ( stdout_text )
# Build response
result : Dict [ str , Any ] = {
" status " : status ,
" output " : stdout_text ,
" tool_calls_made " : tool_call_counter [ 0 ] ,
" duration_seconds " : duration ,
}
if status == " timeout " :
2026-04-16 09:17:24 +02:00
timeout_msg = f " Script timed out after { timeout } s and was killed. "
result [ " error " ] = timeout_msg
# Include timeout message in output so the LLM always surfaces it
# to the user (see local path comment — same reasoning, #10807).
if stdout_text :
result [ " output " ] = stdout_text + f " \n \n ⏰ { timeout_msg } "
else :
result [ " output " ] = f " ⏰ { timeout_msg } "
logger . warning (
" execute_code (remote) timed out after %s s (limit %s s) with %d tool calls " ,
duration , timeout , tool_call_counter [ 0 ] ,
)
2026-04-04 12:57:49 -07:00
elif status == " interrupted " :
result [ " output " ] = (
stdout_text + " \n [execution interrupted — user sent a new message] "
)
elif exit_code != 0 :
result [ " status " ] = " error "
result [ " error " ] = f " Script exited with code { exit_code } "
return json . dumps ( result , ensure_ascii = False )
2026-02-19 23:23:43 -08:00
# ---------------------------------------------------------------------------
# Main entry point
# ---------------------------------------------------------------------------
def execute_code (
code : str ,
task_id : Optional [ str ] = None ,
enabled_tools : Optional [ List [ str ] ] = None ,
) - > str :
"""
Run a Python script in a sandboxed child process with RPC access
to a subset of Hermes tools .
2026-04-04 12:57:49 -07:00
Dispatches to the local ( UDS ) or remote ( file - based RPC ) path
depending on the configured terminal backend .
2026-02-19 23:23:43 -08:00
Args :
code : Python source code to execute .
task_id : Session task ID for tool isolation ( terminal env , etc . ) .
enabled_tools : Tool names enabled in the current session . The sandbox
gets the intersection with SANDBOX_ALLOWED_TOOLS .
Returns :
JSON string with execution results .
"""
if not SANDBOX_AVAILABLE :
return json . dumps ( {
2026-05-07 18:17:31 -07:00
" error " : " execute_code sandbox is unavailable in this environment. "
" Use normal tool calls (terminal, read_file, write_file, ...) instead. "
2026-02-19 23:23:43 -08:00
} )
if not code or not code . strip ( ) :
refactor: add tool_error/tool_result helpers + read_raw_config, migrate 129 callsites
Add three reusable helpers to eliminate pervasive boilerplate:
tools/registry.py — tool_error() and tool_result():
Every tool handler returns JSON strings. The pattern
json.dumps({"error": msg}, ensure_ascii=False) appeared 106 times,
and json.dumps({"success": False, "error": msg}, ...) another 23.
Now: tool_error(msg) or tool_error(msg, success=False).
tool_result() handles arbitrary result dicts:
tool_result(success=True, data=payload) or tool_result(some_dict).
hermes_cli/config.py — read_raw_config():
Lightweight YAML reader that returns the raw config dict without
load_config()'s deep-merge + migration overhead. Available for
callsites that just need a single config value.
Migration (129 callsites across 32 files):
- tools/: browser_camofox (18), file_tools (10), homeassistant (8),
web_tools (7), skill_manager (7), cronjob (11), code_execution (4),
delegate (5), send_message (4), tts (4), memory (7), session_search (3),
mcp (2), clarify (2), skills_tool (3), todo (1), vision (1),
browser (1), process_registry (2), image_gen (1)
- plugins/memory/: honcho (9), supermemory (9), hindsight (8),
holographic (7), openviking (7), mem0 (7), byterover (6), retaindb (2)
- agent/: memory_manager (2), builtin_memory_provider (1)
2026-04-07 13:36:20 -07:00
return tool_error ( " No code provided. " )
2026-02-19 23:23:43 -08:00
2026-04-04 12:57:49 -07:00
# Dispatch: remote backends use file-based RPC, local uses UDS
from tools . terminal_tool import _get_env_config
env_type = _get_env_config ( ) [ " env_type " ]
2026-05-28 17:47:09 -04:00
# execute_code runs arbitrary Python (subprocess/os.system/...) that never
# passes through terminal()/DANGEROUS_PATTERNS, so guard the whole script
# here before either dispatch path spawns it. Runs synchronously in the
# caller (tool-executor) thread, which holds the session context (#30882).
from tools . approval import check_execute_code_guard
_guard = check_execute_code_guard ( code , env_type )
if not _guard . get ( " approved " , False ) :
return json . dumps ( {
" status " : " error " ,
" error " : _guard . get ( " message " ) or " execute_code blocked by approval guard. " ,
" tool_calls_made " : 0 ,
" duration_seconds " : 0 ,
} , ensure_ascii = False )
2026-04-04 12:57:49 -07:00
if env_type != " local " :
return _execute_remote ( code , task_id , enabled_tools )
# --- Local execution path (UDS) --- below this line is unchanged ---
2026-04-11 14:02:58 -07:00
# Import per-thread interrupt check (cooperative cancellation)
from tools . interrupt import is_interrupted as _is_interrupted
2026-02-19 23:23:43 -08:00
# Resolve config
_cfg = _load_config ( )
timeout = _cfg . get ( " timeout " , DEFAULT_TIMEOUT )
max_tool_calls = _cfg . get ( " max_tool_calls " , DEFAULT_MAX_TOOL_CALLS )
# Determine which tools the sandbox can call
session_tools = set ( enabled_tools ) if enabled_tools else set ( )
sandbox_tools = frozenset ( SANDBOX_ALLOWED_TOOLS & session_tools )
if not sandbox_tools :
sandbox_tools = SANDBOX_ALLOWED_TOOLS
# --- Set up temp directory with hermes_tools.py and script.py ---
tmpdir = tempfile . mkdtemp ( prefix = " hermes_sandbox_ " )
2026-03-08 19:31:23 -07:00
# Use /tmp on macOS to avoid the long /var/folders/... path that pushes
# Unix domain socket paths past the 104-byte macOS AF_UNIX limit.
# On Linux, tempfile.gettempdir() already returns /tmp.
feat(windows): close remaining POSIX-only landmines — TUI crash, kanban waitpid, AF_UNIX sandbox, /bin/bash, npm .cmd shims, cwd tracking, detach flags
Second pass on native Windows support, driven by a systematic audit across
five areas: POSIX-only primitives (signal.SIGKILL/SIGHUP/SIGPIPE, os.WNOHANG,
os.setsid), path translation bugs (/c/Users → C:\Users), subprocess patterns
(npm.cmd batch shims, start_new_session no-op on Windows), subsystem health
(cron, gateway daemon, update flow), and module-level import guards.
Every change is platform-gated — POSIX (Linux/macOS) behaviour is preserved
bit-identical. Explicit "do no harm" test: test_posix_path_preserved_on_linux,
test_posix_noop, test_windows_detach_popen_kwargs_is_posix_equivalent_on_posix.
## New module
- hermes_cli/_subprocess_compat.py — shared helpers (resolve_node_command,
windows_detach_flags, windows_hide_flags, windows_detach_popen_kwargs).
All no-ops on non-Windows.
## CRITICAL fixes (would crash or silently break on Windows)
- tui_gateway/entry.py: SIGPIPE/SIGHUP referenced at module top level would
AttributeError on import on Windows, breaking `hermes --tui` entirely (it
spawns this module as a subprocess). Guard each signal.signal() call with
hasattr() and add SIGBREAK as Windows' SIGHUP equivalent.
- hermes_cli/kanban_db.py: os.waitpid(-1, os.WNOHANG) in dispatcher tick was
unguarded. os.WNOHANG doesn't exist on Windows. Gate the whole reap loop
behind `os.name != "nt"` — Windows has no zombies anyway.
- tools/code_execution_tool.py: AF_UNIX socket for execute_code RPC fails on
most Windows builds. Fall back to loopback TCP (AF_INET on 127.0.0.1:0
ephemeral port) when _IS_WINDOWS. HERMES_RPC_SOCKET env var now accepts
either a filesystem path (POSIX) or `tcp://127.0.0.1:<port>` (Windows).
Generated sandbox client parses both.
- cron/scheduler.py: `argv = ["/bin/bash", str(path)]` hardcoded. Use
shutil.which("bash") so Windows (Git Bash via MinGit) works, with a
readable error when bash is genuinely absent.
- 6 bare npm/npx spawn sites: tools_config.py x2, doctor.py, whatsapp.py
(npm install + node version probe), browser_tool.py x2. On Windows npm
is npm.cmd / npx is npx.cmd (batch shims); subprocess.Popen(["npm", ...])
fails with WinError 193. shutil.which(...) returns the absolute .cmd
path which CreateProcessW accepts because the extension routes through
cmd.exe /c. POSIX behaviour unchanged (shutil.which still returns the
same path subprocess would resolve itself).
## HIGH fixes (silent misbehaviour on Windows)
- tools/environments/local.py get_temp_dir: hardcoded /tmp returned on
Windows meant `_cwd_file = "/tmp/hermes-cwd-*.txt"`, which bash wrote
via MSYS2's virtual /tmp but native Python couldn't open. Result: cwd
tracking silently broken — `cd` in terminal tool did nothing. Windows
branch now returns `%HERMES_HOME%/cache/terminal` with forward slashes
(works in both bash and Python, guaranteed no spaces).
- tools/environments/local.py _make_run_env PATH injection: `/usr/bin not
in split(":")` heuristic mangles Windows PATH (";" separator). Gate
the injection behind `not _IS_WINDOWS`.
- hermes_cli/gateway.py launch_detached_profile_gateway_restart: outer
Popen + watcher-script Popen both used start_new_session=True, which
Windows silently ignores. Watcher stayed attached to CLI's console,
died when user closed terminal after `hermes update`, left gateway
stale. Now branches through windows_detach_popen_kwargs() helper
(CREATE_NEW_PROCESS_GROUP | DETACHED_PROCESS | CREATE_NO_WINDOW on
Windows, start_new_session=True on POSIX — identical to main).
## MEDIUM fixes
- gateway/run.py /restart and /update handlers: hardcoded bash/setsid
chain crashes on Windows when user triggers /update in-gateway. Now
has sys.platform=="win32" branch using sys.executable + a tiny
Python watcher with proper detach flags. POSIX path is unchanged.
- cli.py _git_repo_root: Git on Windows sometimes returns /c/Users/...
style paths that break subprocess.Popen(cwd=...) and Path().resolve().
Added _normalize_git_bash_path() helper that translates /c/Users,
/cygdrive/c, /mnt/c variants to native C:\Users form. POSIX no-op.
_git_repo_root() now routes every result through it.
- cli.py worktree .worktreeinclude: os.symlink on directories failed
hard on Windows (requires admin or Developer Mode). Falls back to
shutil.copytree with a warning log.
## Tests
- 29 new tests in tests/tools/test_windows_native_support.py covering:
subprocess_compat helpers, TUI entry signal guards, kanban waitpid
guard, code_execution TCP fallback source-level invariants, cron bash
resolution, npm/npx bare-spawn lint per-file, local env Windows temp
dir, PATH injection gating, git bash path normalization, symlink
fallback, gateway detached watcher flags.
- One existing test assertion adjusted in test_browser_homebrew_paths:
it compared captured Popen argv to the BARE `"npx"` literal; after the
shutil.which() change argv[0] is the absolute path. New assertion
checks the shape (two items, second is `agent-browser`) rather than
the exact first-item string. Behaviour unchanged; test was too strict.
All 56 tests pass on Linux (30 from previous commits + 26 new).
267 tests from the affected files/dirs (browser, code_exec, local_env,
process_registry, kanban_db, windows_compat) all pass — zero regressions.
tests/hermes_cli/ (3909 pass) and tests/gateway/ (5021 pass) unchanged;
all pre-existing test failures confirmed unrelated via `git stash` re-run.
## What's still deferred (LOW priority)
- Visible cmd-window flashes on short-lived console apps (~14 sites) —
cosmetic, needs a follow-up pass once we have user reports.
- agent/file_safety.py POSIX-only security deny patterns — separate
hardening task.
- tools/process_registry.py returning "/tmp" as fallback — theoretical;
reachable only when all env-var candidates fail.
2026-05-07 17:29:31 -07:00
#
# Windows: Python 3.9+ added partial AF_UNIX support but the file-backed
# variant is flaky across Windows builds (requires Windows 10 1803+,
# still fails under some configurations, and the socket file can't live
# on the same temp drive as the script). Fall back to loopback TCP —
# same ephemeral port, same 1-connection listen queue, same serialized
# request/response framing. The generated client reads the transport
# selector from HERMES_RPC_SOCKET (path vs. ``tcp://host:port``).
2026-03-08 19:31:23 -07:00
_sock_tmpdir = " /tmp " if sys . platform == " darwin " else tempfile . gettempdir ( )
feat(windows): close remaining POSIX-only landmines — TUI crash, kanban waitpid, AF_UNIX sandbox, /bin/bash, npm .cmd shims, cwd tracking, detach flags
Second pass on native Windows support, driven by a systematic audit across
five areas: POSIX-only primitives (signal.SIGKILL/SIGHUP/SIGPIPE, os.WNOHANG,
os.setsid), path translation bugs (/c/Users → C:\Users), subprocess patterns
(npm.cmd batch shims, start_new_session no-op on Windows), subsystem health
(cron, gateway daemon, update flow), and module-level import guards.
Every change is platform-gated — POSIX (Linux/macOS) behaviour is preserved
bit-identical. Explicit "do no harm" test: test_posix_path_preserved_on_linux,
test_posix_noop, test_windows_detach_popen_kwargs_is_posix_equivalent_on_posix.
## New module
- hermes_cli/_subprocess_compat.py — shared helpers (resolve_node_command,
windows_detach_flags, windows_hide_flags, windows_detach_popen_kwargs).
All no-ops on non-Windows.
## CRITICAL fixes (would crash or silently break on Windows)
- tui_gateway/entry.py: SIGPIPE/SIGHUP referenced at module top level would
AttributeError on import on Windows, breaking `hermes --tui` entirely (it
spawns this module as a subprocess). Guard each signal.signal() call with
hasattr() and add SIGBREAK as Windows' SIGHUP equivalent.
- hermes_cli/kanban_db.py: os.waitpid(-1, os.WNOHANG) in dispatcher tick was
unguarded. os.WNOHANG doesn't exist on Windows. Gate the whole reap loop
behind `os.name != "nt"` — Windows has no zombies anyway.
- tools/code_execution_tool.py: AF_UNIX socket for execute_code RPC fails on
most Windows builds. Fall back to loopback TCP (AF_INET on 127.0.0.1:0
ephemeral port) when _IS_WINDOWS. HERMES_RPC_SOCKET env var now accepts
either a filesystem path (POSIX) or `tcp://127.0.0.1:<port>` (Windows).
Generated sandbox client parses both.
- cron/scheduler.py: `argv = ["/bin/bash", str(path)]` hardcoded. Use
shutil.which("bash") so Windows (Git Bash via MinGit) works, with a
readable error when bash is genuinely absent.
- 6 bare npm/npx spawn sites: tools_config.py x2, doctor.py, whatsapp.py
(npm install + node version probe), browser_tool.py x2. On Windows npm
is npm.cmd / npx is npx.cmd (batch shims); subprocess.Popen(["npm", ...])
fails with WinError 193. shutil.which(...) returns the absolute .cmd
path which CreateProcessW accepts because the extension routes through
cmd.exe /c. POSIX behaviour unchanged (shutil.which still returns the
same path subprocess would resolve itself).
## HIGH fixes (silent misbehaviour on Windows)
- tools/environments/local.py get_temp_dir: hardcoded /tmp returned on
Windows meant `_cwd_file = "/tmp/hermes-cwd-*.txt"`, which bash wrote
via MSYS2's virtual /tmp but native Python couldn't open. Result: cwd
tracking silently broken — `cd` in terminal tool did nothing. Windows
branch now returns `%HERMES_HOME%/cache/terminal` with forward slashes
(works in both bash and Python, guaranteed no spaces).
- tools/environments/local.py _make_run_env PATH injection: `/usr/bin not
in split(":")` heuristic mangles Windows PATH (";" separator). Gate
the injection behind `not _IS_WINDOWS`.
- hermes_cli/gateway.py launch_detached_profile_gateway_restart: outer
Popen + watcher-script Popen both used start_new_session=True, which
Windows silently ignores. Watcher stayed attached to CLI's console,
died when user closed terminal after `hermes update`, left gateway
stale. Now branches through windows_detach_popen_kwargs() helper
(CREATE_NEW_PROCESS_GROUP | DETACHED_PROCESS | CREATE_NO_WINDOW on
Windows, start_new_session=True on POSIX — identical to main).
## MEDIUM fixes
- gateway/run.py /restart and /update handlers: hardcoded bash/setsid
chain crashes on Windows when user triggers /update in-gateway. Now
has sys.platform=="win32" branch using sys.executable + a tiny
Python watcher with proper detach flags. POSIX path is unchanged.
- cli.py _git_repo_root: Git on Windows sometimes returns /c/Users/...
style paths that break subprocess.Popen(cwd=...) and Path().resolve().
Added _normalize_git_bash_path() helper that translates /c/Users,
/cygdrive/c, /mnt/c variants to native C:\Users form. POSIX no-op.
_git_repo_root() now routes every result through it.
- cli.py worktree .worktreeinclude: os.symlink on directories failed
hard on Windows (requires admin or Developer Mode). Falls back to
shutil.copytree with a warning log.
## Tests
- 29 new tests in tests/tools/test_windows_native_support.py covering:
subprocess_compat helpers, TUI entry signal guards, kanban waitpid
guard, code_execution TCP fallback source-level invariants, cron bash
resolution, npm/npx bare-spawn lint per-file, local env Windows temp
dir, PATH injection gating, git bash path normalization, symlink
fallback, gateway detached watcher flags.
- One existing test assertion adjusted in test_browser_homebrew_paths:
it compared captured Popen argv to the BARE `"npx"` literal; after the
shutil.which() change argv[0] is the absolute path. New assertion
checks the shape (two items, second is `agent-browser`) rather than
the exact first-item string. Behaviour unchanged; test was too strict.
All 56 tests pass on Linux (30 from previous commits + 26 new).
267 tests from the affected files/dirs (browser, code_exec, local_env,
process_registry, kanban_db, windows_compat) all pass — zero regressions.
tests/hermes_cli/ (3909 pass) and tests/gateway/ (5021 pass) unchanged;
all pre-existing test failures confirmed unrelated via `git stash` re-run.
## What's still deferred (LOW priority)
- Visible cmd-window flashes on short-lived console apps (~14 sites) —
cosmetic, needs a follow-up pass once we have user reports.
- agent/file_safety.py POSIX-only security deny patterns — separate
hardening task.
- tools/process_registry.py returning "/tmp" as fallback — theoretical;
reachable only when all env-var candidates fail.
2026-05-07 17:29:31 -07:00
_use_tcp_rpc = _IS_WINDOWS
if _use_tcp_rpc :
sock_path = None # not used on Windows; TCP endpoint stored below
rpc_endpoint = None # set after bind()
else :
sock_path = os . path . join ( _sock_tmpdir , f " hermes_rpc_ { uuid . uuid4 ( ) . hex } .sock " )
rpc_endpoint = sock_path
2026-02-19 23:23:43 -08:00
tool_call_log : list = [ ]
tool_call_counter = [ 0 ] # mutable so the RPC thread can increment
exec_start = time . monotonic ( )
2026-03-16 23:13:26 -07:00
server_sock = None
2026-02-19 23:23:43 -08:00
try :
2026-05-07 18:52:59 -07:00
# Write the auto-generated hermes_tools module.
# encoding="utf-8" is required on Windows — the stub and user code
# both contain non-ASCII characters (em-dashes in docstrings, plus
# whatever the user script carries). Python's default open() uses
# the system locale on Windows (cp1252 typically), which corrupts
# those bytes; the child then fails to import with a SyntaxError
# ("'utf-8' codec can't decode byte 0x97 in position ...") because
# Python source files are decoded as UTF-8 by default (PEP 3120).
2026-03-10 06:35:28 -07:00
# sandbox_tools is already the correct set (intersection with session
# tools, or SANDBOX_ALLOWED_TOOLS as fallback — see lines above).
tools_src = generate_hermes_tools_module ( list ( sandbox_tools ) )
2026-05-07 18:52:59 -07:00
with open ( os . path . join ( tmpdir , " hermes_tools.py " ) , " w " , encoding = " utf-8 " ) as f :
2026-02-19 23:23:43 -08:00
f . write ( tools_src )
# Write the user's script
2026-05-07 18:52:59 -07:00
with open ( os . path . join ( tmpdir , " script.py " ) , " w " , encoding = " utf-8 " ) as f :
2026-02-19 23:23:43 -08:00
f . write ( code )
feat(windows): close remaining POSIX-only landmines — TUI crash, kanban waitpid, AF_UNIX sandbox, /bin/bash, npm .cmd shims, cwd tracking, detach flags
Second pass on native Windows support, driven by a systematic audit across
five areas: POSIX-only primitives (signal.SIGKILL/SIGHUP/SIGPIPE, os.WNOHANG,
os.setsid), path translation bugs (/c/Users → C:\Users), subprocess patterns
(npm.cmd batch shims, start_new_session no-op on Windows), subsystem health
(cron, gateway daemon, update flow), and module-level import guards.
Every change is platform-gated — POSIX (Linux/macOS) behaviour is preserved
bit-identical. Explicit "do no harm" test: test_posix_path_preserved_on_linux,
test_posix_noop, test_windows_detach_popen_kwargs_is_posix_equivalent_on_posix.
## New module
- hermes_cli/_subprocess_compat.py — shared helpers (resolve_node_command,
windows_detach_flags, windows_hide_flags, windows_detach_popen_kwargs).
All no-ops on non-Windows.
## CRITICAL fixes (would crash or silently break on Windows)
- tui_gateway/entry.py: SIGPIPE/SIGHUP referenced at module top level would
AttributeError on import on Windows, breaking `hermes --tui` entirely (it
spawns this module as a subprocess). Guard each signal.signal() call with
hasattr() and add SIGBREAK as Windows' SIGHUP equivalent.
- hermes_cli/kanban_db.py: os.waitpid(-1, os.WNOHANG) in dispatcher tick was
unguarded. os.WNOHANG doesn't exist on Windows. Gate the whole reap loop
behind `os.name != "nt"` — Windows has no zombies anyway.
- tools/code_execution_tool.py: AF_UNIX socket for execute_code RPC fails on
most Windows builds. Fall back to loopback TCP (AF_INET on 127.0.0.1:0
ephemeral port) when _IS_WINDOWS. HERMES_RPC_SOCKET env var now accepts
either a filesystem path (POSIX) or `tcp://127.0.0.1:<port>` (Windows).
Generated sandbox client parses both.
- cron/scheduler.py: `argv = ["/bin/bash", str(path)]` hardcoded. Use
shutil.which("bash") so Windows (Git Bash via MinGit) works, with a
readable error when bash is genuinely absent.
- 6 bare npm/npx spawn sites: tools_config.py x2, doctor.py, whatsapp.py
(npm install + node version probe), browser_tool.py x2. On Windows npm
is npm.cmd / npx is npx.cmd (batch shims); subprocess.Popen(["npm", ...])
fails with WinError 193. shutil.which(...) returns the absolute .cmd
path which CreateProcessW accepts because the extension routes through
cmd.exe /c. POSIX behaviour unchanged (shutil.which still returns the
same path subprocess would resolve itself).
## HIGH fixes (silent misbehaviour on Windows)
- tools/environments/local.py get_temp_dir: hardcoded /tmp returned on
Windows meant `_cwd_file = "/tmp/hermes-cwd-*.txt"`, which bash wrote
via MSYS2's virtual /tmp but native Python couldn't open. Result: cwd
tracking silently broken — `cd` in terminal tool did nothing. Windows
branch now returns `%HERMES_HOME%/cache/terminal` with forward slashes
(works in both bash and Python, guaranteed no spaces).
- tools/environments/local.py _make_run_env PATH injection: `/usr/bin not
in split(":")` heuristic mangles Windows PATH (";" separator). Gate
the injection behind `not _IS_WINDOWS`.
- hermes_cli/gateway.py launch_detached_profile_gateway_restart: outer
Popen + watcher-script Popen both used start_new_session=True, which
Windows silently ignores. Watcher stayed attached to CLI's console,
died when user closed terminal after `hermes update`, left gateway
stale. Now branches through windows_detach_popen_kwargs() helper
(CREATE_NEW_PROCESS_GROUP | DETACHED_PROCESS | CREATE_NO_WINDOW on
Windows, start_new_session=True on POSIX — identical to main).
## MEDIUM fixes
- gateway/run.py /restart and /update handlers: hardcoded bash/setsid
chain crashes on Windows when user triggers /update in-gateway. Now
has sys.platform=="win32" branch using sys.executable + a tiny
Python watcher with proper detach flags. POSIX path is unchanged.
- cli.py _git_repo_root: Git on Windows sometimes returns /c/Users/...
style paths that break subprocess.Popen(cwd=...) and Path().resolve().
Added _normalize_git_bash_path() helper that translates /c/Users,
/cygdrive/c, /mnt/c variants to native C:\Users form. POSIX no-op.
_git_repo_root() now routes every result through it.
- cli.py worktree .worktreeinclude: os.symlink on directories failed
hard on Windows (requires admin or Developer Mode). Falls back to
shutil.copytree with a warning log.
## Tests
- 29 new tests in tests/tools/test_windows_native_support.py covering:
subprocess_compat helpers, TUI entry signal guards, kanban waitpid
guard, code_execution TCP fallback source-level invariants, cron bash
resolution, npm/npx bare-spawn lint per-file, local env Windows temp
dir, PATH injection gating, git bash path normalization, symlink
fallback, gateway detached watcher flags.
- One existing test assertion adjusted in test_browser_homebrew_paths:
it compared captured Popen argv to the BARE `"npx"` literal; after the
shutil.which() change argv[0] is the absolute path. New assertion
checks the shape (two items, second is `agent-browser`) rather than
the exact first-item string. Behaviour unchanged; test was too strict.
All 56 tests pass on Linux (30 from previous commits + 26 new).
267 tests from the affected files/dirs (browser, code_exec, local_env,
process_registry, kanban_db, windows_compat) all pass — zero regressions.
tests/hermes_cli/ (3909 pass) and tests/gateway/ (5021 pass) unchanged;
all pre-existing test failures confirmed unrelated via `git stash` re-run.
## What's still deferred (LOW priority)
- Visible cmd-window flashes on short-lived console apps (~14 sites) —
cosmetic, needs a follow-up pass once we have user reports.
- agent/file_safety.py POSIX-only security deny patterns — separate
hardening task.
- tools/process_registry.py returning "/tmp" as fallback — theoretical;
reachable only when all env-var candidates fail.
2026-05-07 17:29:31 -07:00
# --- Start RPC server ---
# Two transports:
# POSIX: AF_UNIX stream socket on sock_path, chmod 0600 for
# owner-only access. Filesystem permissions gate the socket.
# Windows: AF_INET stream socket on 127.0.0.1 with an ephemeral
# port. No filesystem permission story, but loopback-only bind
# means only the current user's processes (not remote) can
# connect. HERMES_RPC_SOCKET is set to ``tcp://127.0.0.1:<port>``
# which the generated client parses to pick AF_INET.
if _use_tcp_rpc :
server_sock = socket . socket ( socket . AF_INET , socket . SOCK_STREAM )
server_sock . bind ( ( " 127.0.0.1 " , 0 ) ) # ephemeral port
_host , _port = server_sock . getsockname ( ) [ : 2 ]
rpc_endpoint = f " tcp:// { _host } : { _port } "
else :
server_sock = socket . socket ( socket . AF_UNIX , socket . SOCK_STREAM )
server_sock . bind ( sock_path )
os . chmod ( sock_path , 0o600 )
2026-02-19 23:23:43 -08:00
server_sock . listen ( 1 )
2026-05-28 17:47:09 -04:00
# Wrapped so the thread inherits the turn's approval context + callbacks
# (see tools.thread_context) — else gateway sandbox tool calls silently
# auto-approve dangerous commands (#33057, #30882).
2026-02-19 23:23:43 -08:00
rpc_thread = threading . Thread (
2026-05-28 17:47:09 -04:00
target = propagate_context_to_thread ( _rpc_server_loop ) ,
2026-02-19 23:23:43 -08:00
args = (
server_sock , task_id , tool_call_log ,
tool_call_counter , max_tool_calls , sandbox_tools ,
) ,
daemon = True ,
)
rpc_thread . start ( )
# --- Spawn child process ---
2026-02-25 21:16:15 -08:00
# Build a minimal environment for the child. We intentionally exclude
# API keys and tokens to prevent credential exfiltration from LLM-
# generated scripts. The child accesses tools via RPC, not direct API.
feat: env var passthrough for skills and user config (#2807)
* feat: env var passthrough for skills and user config
Skills that declare required_environment_variables now have those vars
passed through to sandboxed execution environments (execute_code and
terminal). Previously, execute_code stripped all vars containing KEY,
TOKEN, SECRET, etc. and the terminal blocklist removed Hermes
infrastructure vars — both blocked skill-declared env vars.
Two passthrough sources:
1. Skill-scoped (automatic): when a skill is loaded via skill_view and
declares required_environment_variables, vars that are present in
the environment are registered in a session-scoped passthrough set.
2. Config-based (manual): terminal.env_passthrough in config.yaml lets
users explicitly allowlist vars for non-skill use cases.
Changes:
- New module: tools/env_passthrough.py — shared passthrough registry
- hermes_cli/config.py: add terminal.env_passthrough to DEFAULT_CONFIG
- tools/skills_tool.py: register available skill env vars on load
- tools/code_execution_tool.py: check passthrough before filtering
- tools/environments/local.py: check passthrough in _sanitize_subprocess_env
and _make_run_env
- 19 new tests covering all layers
* docs: add environment variable passthrough documentation
Document the env var passthrough feature across four docs pages:
- security.md: new 'Environment Variable Passthrough' section with
full explanation, comparison table, and security considerations
- code-execution.md: update security section, add passthrough subsection,
fix comparison table
- creating-skills.md: add tip about automatic sandbox passthrough
- skills.md: add note about passthrough after secure setup docs
Live-tested: launched interactive CLI, loaded a skill with
required_environment_variables, verified TEST_SKILL_SECRET_KEY was
accessible inside execute_code sandbox (value: passthrough-test-value-42).
2026-03-24 08:19:34 -07:00
# Exception: env vars declared by loaded skills (via env_passthrough
# registry) or explicitly allowed by the user in config.yaml
2026-05-07 18:39:38 -07:00
# (terminal.env_passthrough) are passed through. On Windows, a small
# OS-essential allowlist (SYSTEMROOT, WINDIR, COMSPEC, ...) is also
# passed through — without those, the child can't create a socket
# or spawn a subprocess. See ``_scrub_child_env`` for the rules.
child_env = _scrub_child_env ( os . environ )
feat(windows): close remaining POSIX-only landmines — TUI crash, kanban waitpid, AF_UNIX sandbox, /bin/bash, npm .cmd shims, cwd tracking, detach flags
Second pass on native Windows support, driven by a systematic audit across
five areas: POSIX-only primitives (signal.SIGKILL/SIGHUP/SIGPIPE, os.WNOHANG,
os.setsid), path translation bugs (/c/Users → C:\Users), subprocess patterns
(npm.cmd batch shims, start_new_session no-op on Windows), subsystem health
(cron, gateway daemon, update flow), and module-level import guards.
Every change is platform-gated — POSIX (Linux/macOS) behaviour is preserved
bit-identical. Explicit "do no harm" test: test_posix_path_preserved_on_linux,
test_posix_noop, test_windows_detach_popen_kwargs_is_posix_equivalent_on_posix.
## New module
- hermes_cli/_subprocess_compat.py — shared helpers (resolve_node_command,
windows_detach_flags, windows_hide_flags, windows_detach_popen_kwargs).
All no-ops on non-Windows.
## CRITICAL fixes (would crash or silently break on Windows)
- tui_gateway/entry.py: SIGPIPE/SIGHUP referenced at module top level would
AttributeError on import on Windows, breaking `hermes --tui` entirely (it
spawns this module as a subprocess). Guard each signal.signal() call with
hasattr() and add SIGBREAK as Windows' SIGHUP equivalent.
- hermes_cli/kanban_db.py: os.waitpid(-1, os.WNOHANG) in dispatcher tick was
unguarded. os.WNOHANG doesn't exist on Windows. Gate the whole reap loop
behind `os.name != "nt"` — Windows has no zombies anyway.
- tools/code_execution_tool.py: AF_UNIX socket for execute_code RPC fails on
most Windows builds. Fall back to loopback TCP (AF_INET on 127.0.0.1:0
ephemeral port) when _IS_WINDOWS. HERMES_RPC_SOCKET env var now accepts
either a filesystem path (POSIX) or `tcp://127.0.0.1:<port>` (Windows).
Generated sandbox client parses both.
- cron/scheduler.py: `argv = ["/bin/bash", str(path)]` hardcoded. Use
shutil.which("bash") so Windows (Git Bash via MinGit) works, with a
readable error when bash is genuinely absent.
- 6 bare npm/npx spawn sites: tools_config.py x2, doctor.py, whatsapp.py
(npm install + node version probe), browser_tool.py x2. On Windows npm
is npm.cmd / npx is npx.cmd (batch shims); subprocess.Popen(["npm", ...])
fails with WinError 193. shutil.which(...) returns the absolute .cmd
path which CreateProcessW accepts because the extension routes through
cmd.exe /c. POSIX behaviour unchanged (shutil.which still returns the
same path subprocess would resolve itself).
## HIGH fixes (silent misbehaviour on Windows)
- tools/environments/local.py get_temp_dir: hardcoded /tmp returned on
Windows meant `_cwd_file = "/tmp/hermes-cwd-*.txt"`, which bash wrote
via MSYS2's virtual /tmp but native Python couldn't open. Result: cwd
tracking silently broken — `cd` in terminal tool did nothing. Windows
branch now returns `%HERMES_HOME%/cache/terminal` with forward slashes
(works in both bash and Python, guaranteed no spaces).
- tools/environments/local.py _make_run_env PATH injection: `/usr/bin not
in split(":")` heuristic mangles Windows PATH (";" separator). Gate
the injection behind `not _IS_WINDOWS`.
- hermes_cli/gateway.py launch_detached_profile_gateway_restart: outer
Popen + watcher-script Popen both used start_new_session=True, which
Windows silently ignores. Watcher stayed attached to CLI's console,
died when user closed terminal after `hermes update`, left gateway
stale. Now branches through windows_detach_popen_kwargs() helper
(CREATE_NEW_PROCESS_GROUP | DETACHED_PROCESS | CREATE_NO_WINDOW on
Windows, start_new_session=True on POSIX — identical to main).
## MEDIUM fixes
- gateway/run.py /restart and /update handlers: hardcoded bash/setsid
chain crashes on Windows when user triggers /update in-gateway. Now
has sys.platform=="win32" branch using sys.executable + a tiny
Python watcher with proper detach flags. POSIX path is unchanged.
- cli.py _git_repo_root: Git on Windows sometimes returns /c/Users/...
style paths that break subprocess.Popen(cwd=...) and Path().resolve().
Added _normalize_git_bash_path() helper that translates /c/Users,
/cygdrive/c, /mnt/c variants to native C:\Users form. POSIX no-op.
_git_repo_root() now routes every result through it.
- cli.py worktree .worktreeinclude: os.symlink on directories failed
hard on Windows (requires admin or Developer Mode). Falls back to
shutil.copytree with a warning log.
## Tests
- 29 new tests in tests/tools/test_windows_native_support.py covering:
subprocess_compat helpers, TUI entry signal guards, kanban waitpid
guard, code_execution TCP fallback source-level invariants, cron bash
resolution, npm/npx bare-spawn lint per-file, local env Windows temp
dir, PATH injection gating, git bash path normalization, symlink
fallback, gateway detached watcher flags.
- One existing test assertion adjusted in test_browser_homebrew_paths:
it compared captured Popen argv to the BARE `"npx"` literal; after the
shutil.which() change argv[0] is the absolute path. New assertion
checks the shape (two items, second is `agent-browser`) rather than
the exact first-item string. Behaviour unchanged; test was too strict.
All 56 tests pass on Linux (30 from previous commits + 26 new).
267 tests from the affected files/dirs (browser, code_exec, local_env,
process_registry, kanban_db, windows_compat) all pass — zero regressions.
tests/hermes_cli/ (3909 pass) and tests/gateway/ (5021 pass) unchanged;
all pre-existing test failures confirmed unrelated via `git stash` re-run.
## What's still deferred (LOW priority)
- Visible cmd-window flashes on short-lived console apps (~14 sites) —
cosmetic, needs a follow-up pass once we have user reports.
- agent/file_safety.py POSIX-only security deny patterns — separate
hardening task.
- tools/process_registry.py returning "/tmp" as fallback — theoretical;
reachable only when all env-var candidates fail.
2026-05-07 17:29:31 -07:00
child_env [ " HERMES_RPC_SOCKET " ] = rpc_endpoint
2026-02-19 23:23:43 -08:00
child_env [ " PYTHONDONTWRITEBYTECODE " ] = " 1 "
2026-05-07 18:59:35 -07:00
# Force UTF-8 for the child's stdio and default file encoding.
#
# Without this, on Windows sys.stdout is bound to the console code
# page (cp1252 on US-locale installs), and any script that does
# ``print("café")`` or ``print("→")`` crashes with:
#
# UnicodeEncodeError: 'charmap' codec can't encode character
# '\u2192' in position N: character maps to <undefined>
#
# PYTHONIOENCODING fixes sys.stdin/stdout/stderr.
# PYTHONUTF8=1 enables "UTF-8 mode" (PEP 540) which additionally
# makes ``open()``'s default encoding UTF-8, so user scripts that
# write files without specifying encoding= also work correctly.
#
# On POSIX both values usually match the locale default already,
# so setting them is harmless belt-and-suspenders for environments
# with a C/POSIX locale (containers, minimal base images).
child_env [ " PYTHONIOENCODING " ] = " utf-8 "
child_env [ " PYTHONUTF8 " ] = " 1 "
2026-03-14 15:23:09 +01:00
# Ensure the hermes-agent root is importable in the sandbox so
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
# repo-root modules are available to child scripts. We also prepend
# the staging tmpdir so ``from hermes_tools import ...`` resolves even
# when the subprocess CWD is not tmpdir (project mode).
2026-03-14 15:23:09 +01:00
_hermes_root = os . path . dirname ( os . path . dirname ( os . path . abspath ( __file__ ) ) )
_existing_pp = child_env . get ( " PYTHONPATH " , " " )
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
_pp_parts = [ tmpdir , _hermes_root ]
if _existing_pp :
_pp_parts . append ( _existing_pp )
child_env [ " PYTHONPATH " ] = os . pathsep . join ( _pp_parts )
2026-03-03 11:57:18 +05:30
# Inject user's configured timezone so datetime.now() in sandboxed
2026-04-16 02:26:14 -07:00
# code reflects the correct wall-clock time. Only TZ is set —
# HERMES_TIMEZONE is an internal Hermes setting and must not leak
# into child processes.
2026-03-03 11:57:18 +05:30
_tz_name = os . getenv ( " HERMES_TIMEZONE " , " " ) . strip ( )
if _tz_name :
child_env [ " TZ " ] = _tz_name
2026-04-16 02:26:14 -07:00
child_env . pop ( " HERMES_TIMEZONE " , None )
2026-02-19 23:23:43 -08:00
2026-04-10 13:37:45 -07:00
# Per-profile HOME isolation: redirect system tool configs into
# {HERMES_HOME}/home/ when that directory exists.
from hermes_constants import get_subprocess_home
_profile_home = get_subprocess_home ( )
if _profile_home :
child_env [ " HOME " ] = _profile_home
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
# Resolve interpreter + CWD based on execute_code mode.
# - strict : today's behavior (sys.executable + tmpdir CWD).
# - project: user's venv python + session's working directory, so
# project deps like pandas and user files resolve.
# Env scrubbing and tool whitelist apply identically in both modes.
_mode = _get_execution_mode ( )
_child_python = _resolve_child_python ( _mode )
_child_cwd = _resolve_child_cwd ( _mode , tmpdir )
_script_path = os . path . join ( tmpdir , " script.py " )
2026-02-19 23:23:43 -08:00
proc = subprocess . Popen (
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
[ _child_python , _script_path ] ,
cwd = _child_cwd ,
2026-02-19 23:23:43 -08:00
env = child_env ,
stdout = subprocess . PIPE ,
stderr = subprocess . PIPE ,
stdin = subprocess . DEVNULL ,
2026-03-01 01:54:27 +03:00
preexec_fn = None if _IS_WINDOWS else os . setsid ,
2026-05-16 12:06:09 -04:00
creationflags = subprocess . CREATE_NO_WINDOW if _IS_WINDOWS else 0 ,
2026-02-19 23:23:43 -08:00
)
# --- Poll loop: watch for exit, timeout, and interrupt ---
deadline = time . monotonic ( ) + timeout
stderr_chunks : list = [ ]
2026-03-11 00:26:13 -07:00
# Background readers to avoid pipe buffer deadlocks.
# For stdout we use a head+tail strategy: keep the first HEAD_BYTES
# and a rolling window of the last TAIL_BYTES so the final print()
# output is never lost. Stderr keeps head-only (errors appear early).
_STDOUT_HEAD_BYTES = int ( MAX_STDOUT_BYTES * 0.4 ) # 40% head
_STDOUT_TAIL_BYTES = MAX_STDOUT_BYTES - _STDOUT_HEAD_BYTES # 60% tail
2026-02-19 23:23:43 -08:00
def _drain ( pipe , chunks , max_bytes ) :
2026-03-11 00:26:13 -07:00
""" Simple head-only drain (used for stderr). """
2026-02-19 23:23:43 -08:00
total = 0
try :
while True :
data = pipe . read ( 4096 )
if not data :
break
if total < max_bytes :
keep = max_bytes - total
chunks . append ( data [ : keep ] )
total + = len ( data )
2026-03-08 14:50:23 +03:00
except ( ValueError , OSError ) as e :
logger . debug ( " Error reading process output: %s " , e , exc_info = True )
2026-02-19 23:23:43 -08:00
2026-03-11 00:26:13 -07:00
stdout_total_bytes = [ 0 ] # mutable ref for total bytes seen
def _drain_head_tail ( pipe , head_chunks , tail_chunks , head_bytes , tail_bytes , total_ref ) :
""" Drain stdout keeping both head and tail data. """
head_collected = 0
from collections import deque
tail_buf = deque ( )
tail_collected = 0
try :
while True :
data = pipe . read ( 4096 )
if not data :
break
total_ref [ 0 ] + = len ( data )
# Fill head buffer first
if head_collected < head_bytes :
keep = min ( len ( data ) , head_bytes - head_collected )
head_chunks . append ( data [ : keep ] )
head_collected + = keep
data = data [ keep : ] # remaining goes to tail
if not data :
continue
# Everything past head goes into rolling tail buffer
tail_buf . append ( data )
tail_collected + = len ( data )
# Evict old tail data to stay within tail_bytes budget
while tail_collected > tail_bytes and tail_buf :
oldest = tail_buf . popleft ( )
tail_collected - = len ( oldest )
except ( ValueError , OSError ) :
pass
# Transfer final tail to output list
tail_chunks . extend ( tail_buf )
stdout_head_chunks : list = [ ]
stdout_tail_chunks : list = [ ]
2026-02-19 23:23:43 -08:00
stdout_reader = threading . Thread (
2026-03-11 00:26:13 -07:00
target = _drain_head_tail ,
args = ( proc . stdout , stdout_head_chunks , stdout_tail_chunks ,
_STDOUT_HEAD_BYTES , _STDOUT_TAIL_BYTES , stdout_total_bytes ) ,
daemon = True
2026-02-19 23:23:43 -08:00
)
stderr_reader = threading . Thread (
target = _drain , args = ( proc . stderr , stderr_chunks , MAX_STDERR_BYTES ) , daemon = True
)
stdout_reader . start ( )
stderr_reader . start ( )
status = " success "
2026-04-16 19:01:56 +05:30
_activity_state = {
" last_touch " : time . monotonic ( ) ,
" start " : exec_start ,
}
2026-02-19 23:23:43 -08:00
while proc . poll ( ) is None :
2026-04-11 14:02:58 -07:00
if _is_interrupted ( ) :
2026-02-19 23:23:43 -08:00
_kill_process_group ( proc )
status = " interrupted "
break
if time . monotonic ( ) > deadline :
_kill_process_group ( proc , escalate = True )
status = " timeout "
break
2026-04-16 09:17:24 +02:00
# Periodic activity touch so the gateway's inactivity timeout
# doesn't kill the agent during long code execution (#10807).
2026-04-16 19:01:56 +05:30
try :
from tools . environments . base import touch_activity_if_due
touch_activity_if_due ( _activity_state , " execute_code running " )
except Exception :
pass
2026-02-19 23:23:43 -08:00
time . sleep ( 0.2 )
# Wait for readers to finish draining
stdout_reader . join ( timeout = 3 )
stderr_reader . join ( timeout = 3 )
2026-03-11 00:26:13 -07:00
stdout_head = b " " . join ( stdout_head_chunks ) . decode ( " utf-8 " , errors = " replace " )
stdout_tail = b " " . join ( stdout_tail_chunks ) . decode ( " utf-8 " , errors = " replace " )
2026-02-19 23:23:43 -08:00
stderr_text = b " " . join ( stderr_chunks ) . decode ( " utf-8 " , errors = " replace " )
2026-03-11 00:26:13 -07:00
# Assemble stdout with head+tail truncation
total_stdout = stdout_total_bytes [ 0 ]
if total_stdout > MAX_STDOUT_BYTES and stdout_tail :
omitted = total_stdout - len ( stdout_head ) - len ( stdout_tail )
truncated_notice = (
f " \n \n ... [OUTPUT TRUNCATED - { omitted : , } chars omitted "
f " out of { total_stdout : , } total] ... \n \n "
)
stdout_text = stdout_head + truncated_notice + stdout_tail
else :
stdout_text = stdout_head + stdout_tail
2026-02-19 23:23:43 -08:00
exit_code = proc . returncode if proc . returncode is not None else - 1
duration = round ( time . monotonic ( ) - exec_start , 2 )
# Wait for RPC thread to finish
2026-03-09 23:40:20 -07:00
server_sock . close ( ) # break accept() so thread exits promptly
2026-03-21 15:55:25 -07:00
server_sock = None # prevent double close in finally
2026-02-19 23:23:43 -08:00
rpc_thread . join ( timeout = 3 )
fix: strip ANSI at the source — clean terminal output before it reaches the model
Root cause: terminal_tool, execute_code, and process_registry returned raw
subprocess output with ANSI escape sequences intact. The model saw these
in tool results and copied them into file writes.
Previous fix (PR #2532) stripped ANSI at the write point in file_tools.py,
but this was a band-aid — regex on file content risks corrupting legitimate
content, and doesn't prevent ANSI from wasting tokens in the model context.
Source-level fix:
- New tools/ansi_strip.py with comprehensive ECMA-48 regex covering CSI
(incl. private-mode, colon-separated, intermediate bytes), OSC (both
terminators), DCS/SOS/PM/APC strings, Fp/Fe/Fs/nF escapes, 8-bit C1
- terminal_tool.py: strip output before returning to model
- code_execution_tool.py: strip stdout/stderr before returning
- process_registry.py: strip output in poll/read_log/wait
- file_tools.py: remove _strip_ansi band-aid (no longer needed)
Verified: `ls --color=always` output returned as clean text to model,
file written from that output contains zero ESC bytes.
2026-03-23 06:50:39 -07:00
# Strip ANSI escape sequences so the model never sees terminal
# formatting — prevents it from copying escapes into file writes.
from tools . ansi_strip import strip_ansi
stdout_text = strip_ansi ( stdout_text )
stderr_text = strip_ansi ( stderr_text )
2026-03-31 18:52:11 -07:00
# Redact secrets (API keys, tokens, etc.) from sandbox output.
# The sandbox env-var filter (lines 434-454) blocks os.environ access,
# but scripts can still read secrets from disk (e.g. open('~/.hermes/.env')).
# This ensures leaked secrets never enter the model context.
from agent . redact import redact_sensitive_text
stdout_text = redact_sensitive_text ( stdout_text )
stderr_text = redact_sensitive_text ( stderr_text )
2026-02-19 23:23:43 -08:00
# Build response
result : Dict [ str , Any ] = {
" status " : status ,
" output " : stdout_text ,
" tool_calls_made " : tool_call_counter [ 0 ] ,
" duration_seconds " : duration ,
}
if status == " timeout " :
2026-04-16 09:17:24 +02:00
timeout_msg = f " Script timed out after { timeout } s and was killed. "
result [ " error " ] = timeout_msg
# Include timeout message in output so the LLM always surfaces it
# to the user. When output is empty, models often treat the result
# as "nothing happened" and produce an empty response, which the
# gateway stream consumer silently drops (#10807).
if stdout_text :
result [ " output " ] = stdout_text + f " \n \n ⏰ { timeout_msg } "
else :
result [ " output " ] = f " ⏰ { timeout_msg } "
logger . warning (
" execute_code timed out after %s s (limit %s s) with %d tool calls " ,
duration , timeout , tool_call_counter [ 0 ] ,
)
2026-02-19 23:23:43 -08:00
elif status == " interrupted " :
result [ " output " ] = stdout_text + " \n [execution interrupted — user sent a new message] "
elif exit_code != 0 :
result [ " status " ] = " error "
result [ " error " ] = stderr_text or f " Script exited with code { exit_code } "
# Include stderr in output so the LLM sees the traceback
if stderr_text :
result [ " output " ] = stdout_text + " \n --- stderr --- \n " + stderr_text
return json . dumps ( result , ensure_ascii = False )
except Exception as exc :
duration = round ( time . monotonic ( ) - exec_start , 2 )
2026-03-16 23:13:26 -07:00
logger . error (
" execute_code failed after %s s with %d tool calls: %s : %s " ,
duration ,
tool_call_counter [ 0 ] ,
type ( exc ) . __name__ ,
exc ,
exc_info = True ,
)
2026-02-19 23:23:43 -08:00
return json . dumps ( {
" status " : " error " ,
" error " : str ( exc ) ,
" tool_calls_made " : tool_call_counter [ 0 ] ,
" duration_seconds " : duration ,
} , ensure_ascii = False )
finally :
# Cleanup temp dir and socket
2026-03-16 23:13:26 -07:00
if server_sock is not None :
try :
server_sock . close ( )
except OSError as e :
logger . debug ( " Server socket close error: %s " , e )
import shutil
shutil . rmtree ( tmpdir , ignore_errors = True )
2026-02-19 23:23:43 -08:00
try :
feat(windows): close remaining POSIX-only landmines — TUI crash, kanban waitpid, AF_UNIX sandbox, /bin/bash, npm .cmd shims, cwd tracking, detach flags
Second pass on native Windows support, driven by a systematic audit across
five areas: POSIX-only primitives (signal.SIGKILL/SIGHUP/SIGPIPE, os.WNOHANG,
os.setsid), path translation bugs (/c/Users → C:\Users), subprocess patterns
(npm.cmd batch shims, start_new_session no-op on Windows), subsystem health
(cron, gateway daemon, update flow), and module-level import guards.
Every change is platform-gated — POSIX (Linux/macOS) behaviour is preserved
bit-identical. Explicit "do no harm" test: test_posix_path_preserved_on_linux,
test_posix_noop, test_windows_detach_popen_kwargs_is_posix_equivalent_on_posix.
## New module
- hermes_cli/_subprocess_compat.py — shared helpers (resolve_node_command,
windows_detach_flags, windows_hide_flags, windows_detach_popen_kwargs).
All no-ops on non-Windows.
## CRITICAL fixes (would crash or silently break on Windows)
- tui_gateway/entry.py: SIGPIPE/SIGHUP referenced at module top level would
AttributeError on import on Windows, breaking `hermes --tui` entirely (it
spawns this module as a subprocess). Guard each signal.signal() call with
hasattr() and add SIGBREAK as Windows' SIGHUP equivalent.
- hermes_cli/kanban_db.py: os.waitpid(-1, os.WNOHANG) in dispatcher tick was
unguarded. os.WNOHANG doesn't exist on Windows. Gate the whole reap loop
behind `os.name != "nt"` — Windows has no zombies anyway.
- tools/code_execution_tool.py: AF_UNIX socket for execute_code RPC fails on
most Windows builds. Fall back to loopback TCP (AF_INET on 127.0.0.1:0
ephemeral port) when _IS_WINDOWS. HERMES_RPC_SOCKET env var now accepts
either a filesystem path (POSIX) or `tcp://127.0.0.1:<port>` (Windows).
Generated sandbox client parses both.
- cron/scheduler.py: `argv = ["/bin/bash", str(path)]` hardcoded. Use
shutil.which("bash") so Windows (Git Bash via MinGit) works, with a
readable error when bash is genuinely absent.
- 6 bare npm/npx spawn sites: tools_config.py x2, doctor.py, whatsapp.py
(npm install + node version probe), browser_tool.py x2. On Windows npm
is npm.cmd / npx is npx.cmd (batch shims); subprocess.Popen(["npm", ...])
fails with WinError 193. shutil.which(...) returns the absolute .cmd
path which CreateProcessW accepts because the extension routes through
cmd.exe /c. POSIX behaviour unchanged (shutil.which still returns the
same path subprocess would resolve itself).
## HIGH fixes (silent misbehaviour on Windows)
- tools/environments/local.py get_temp_dir: hardcoded /tmp returned on
Windows meant `_cwd_file = "/tmp/hermes-cwd-*.txt"`, which bash wrote
via MSYS2's virtual /tmp but native Python couldn't open. Result: cwd
tracking silently broken — `cd` in terminal tool did nothing. Windows
branch now returns `%HERMES_HOME%/cache/terminal` with forward slashes
(works in both bash and Python, guaranteed no spaces).
- tools/environments/local.py _make_run_env PATH injection: `/usr/bin not
in split(":")` heuristic mangles Windows PATH (";" separator). Gate
the injection behind `not _IS_WINDOWS`.
- hermes_cli/gateway.py launch_detached_profile_gateway_restart: outer
Popen + watcher-script Popen both used start_new_session=True, which
Windows silently ignores. Watcher stayed attached to CLI's console,
died when user closed terminal after `hermes update`, left gateway
stale. Now branches through windows_detach_popen_kwargs() helper
(CREATE_NEW_PROCESS_GROUP | DETACHED_PROCESS | CREATE_NO_WINDOW on
Windows, start_new_session=True on POSIX — identical to main).
## MEDIUM fixes
- gateway/run.py /restart and /update handlers: hardcoded bash/setsid
chain crashes on Windows when user triggers /update in-gateway. Now
has sys.platform=="win32" branch using sys.executable + a tiny
Python watcher with proper detach flags. POSIX path is unchanged.
- cli.py _git_repo_root: Git on Windows sometimes returns /c/Users/...
style paths that break subprocess.Popen(cwd=...) and Path().resolve().
Added _normalize_git_bash_path() helper that translates /c/Users,
/cygdrive/c, /mnt/c variants to native C:\Users form. POSIX no-op.
_git_repo_root() now routes every result through it.
- cli.py worktree .worktreeinclude: os.symlink on directories failed
hard on Windows (requires admin or Developer Mode). Falls back to
shutil.copytree with a warning log.
## Tests
- 29 new tests in tests/tools/test_windows_native_support.py covering:
subprocess_compat helpers, TUI entry signal guards, kanban waitpid
guard, code_execution TCP fallback source-level invariants, cron bash
resolution, npm/npx bare-spawn lint per-file, local env Windows temp
dir, PATH injection gating, git bash path normalization, symlink
fallback, gateway detached watcher flags.
- One existing test assertion adjusted in test_browser_homebrew_paths:
it compared captured Popen argv to the BARE `"npx"` literal; after the
shutil.which() change argv[0] is the absolute path. New assertion
checks the shape (two items, second is `agent-browser`) rather than
the exact first-item string. Behaviour unchanged; test was too strict.
All 56 tests pass on Linux (30 from previous commits + 26 new).
267 tests from the affected files/dirs (browser, code_exec, local_env,
process_registry, kanban_db, windows_compat) all pass — zero regressions.
tests/hermes_cli/ (3909 pass) and tests/gateway/ (5021 pass) unchanged;
all pre-existing test failures confirmed unrelated via `git stash` re-run.
## What's still deferred (LOW priority)
- Visible cmd-window flashes on short-lived console apps (~14 sites) —
cosmetic, needs a follow-up pass once we have user reports.
- agent/file_safety.py POSIX-only security deny patterns — separate
hardening task.
- tools/process_registry.py returning "/tmp" as fallback — theoretical;
reachable only when all env-var candidates fail.
2026-05-07 17:29:31 -07:00
# Only UDS has a filesystem socket to unlink; TCP sockets are
# freed by server_sock.close() above.
if sock_path :
os . unlink ( sock_path )
2026-03-16 23:13:26 -07:00
except OSError :
pass # already cleaned up or never created
2026-02-19 23:23:43 -08:00
def _kill_process_group ( proc , escalate : bool = False ) :
feat(cross-platform): psutil for PID/process management + Windows footgun checker
## Why
Hermes supports Linux, macOS, and native Windows, but the codebase grew up
POSIX-first and has accumulated patterns that silently break (or worse,
silently kill!) on Windows:
- `os.kill(pid, 0)` as a liveness probe — on Windows this maps to
CTRL_C_EVENT and broadcasts Ctrl+C to the target's entire console
process group (bpo-14484, open since 2012).
- `os.killpg` — doesn't exist on Windows at all (AttributeError).
- `os.setsid` / `os.getuid` / `os.geteuid` — same.
- `signal.SIGKILL` / `signal.SIGHUP` / `signal.SIGUSR1` — module-attr
errors at runtime on Windows.
- `open(path)` / `open(path, "r")` without explicit encoding= — inherits
the platform default, which is cp1252/mbcs on Windows (UTF-8 on POSIX),
causing mojibake round-tripping between hosts.
- `wmic` — removed from Windows 10 21H1+.
This commit does three things:
1. Makes `psutil` a core dependency and migrates critical callsites to it.
2. Adds a grep-based CI gate (`scripts/check-windows-footguns.py`) that
blocks new instances of any of the above patterns.
3. Fixes every existing instance in the codebase so the baseline is clean.
## What changed
### 1. psutil as a core dependency (pyproject.toml)
Added `psutil>=5.9.0,<8` to core deps. psutil is the canonical
cross-platform answer for "is this PID alive" and "kill this process
tree" — its `pid_exists()` uses `OpenProcess + GetExitCodeProcess` on
Windows (NOT a signal call), and its `Process.children(recursive=True)`
+ `.kill()` combo replaces `os.killpg()` portably.
### 2. `gateway/status.py::_pid_exists`
Rewrote to call `psutil.pid_exists()` first, falling back to the
hand-rolled ctypes `OpenProcess + WaitForSingleObject` dance on Windows
(and `os.kill(pid, 0)` on POSIX) only if psutil is somehow missing —
e.g. during the scaffold phase of a fresh install before pip finishes.
### 3. `os.killpg` migration to psutil (7 callsites, 5 files)
- `tools/code_execution_tool.py`
- `tools/process_registry.py`
- `tools/tts_tool.py`
- `tools/environments/local.py` (3 sites kept as-is, suppressed with
`# windows-footgun: ok` — the pgid semantics psutil can't replicate,
and the calls are already Windows-guarded at the outer branch)
- `gateway/platforms/whatsapp.py`
### 4. `scripts/check-windows-footguns.py` (NEW, 500 lines)
Grep-based checker with 11 rules covering every Windows cross-platform
footgun we've hit so far:
1. `os.kill(pid, 0)` — the silent killer
2. `os.setsid` without guard
3. `os.killpg` (recommends psutil)
4. `os.getuid` / `os.geteuid` / `os.getgid`
5. `os.fork`
6. `signal.SIGKILL`
7. `signal.SIGHUP/SIGUSR1/SIGUSR2/SIGALRM/SIGCHLD/SIGPIPE/SIGQUIT`
8. `subprocess` shebang script invocation
9. `wmic` without `shutil.which` guard
10. Hardcoded `~/Desktop` (OneDrive trap)
11. `asyncio.add_signal_handler` without try/except
12. `open()` without `encoding=` on text mode
Features:
- Triple-quoted-docstring aware (won't flag prose inside docstrings)
- Trailing-comment aware (won't flag mentions in `# os.kill(pid, 0)` comments)
- Guard-hint aware (skips lines with `hasattr(os, ...)`,
`shutil.which(...)`, `if platform.system() != 'Windows'`, etc.)
- Inline suppression with `# windows-footgun: ok — <reason>`
- `--list` to print all rules with fixes
- `--all` / `--diff <ref>` / staged-files (default) modes
- Scans 380 files in under 2 seconds
### 5. CI integration
A GitHub Actions workflow that runs the checker on every PR and push is
staged at `/tmp/hermes-stash/windows-footguns.yml` — not included in this
commit because the GH token on the push machine lacks `workflow` scope.
A maintainer with `workflow` permissions should add it as
`.github/workflows/windows-footguns.yml` in a follow-up. Content:
```yaml
name: Windows footgun check
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with: {python-version: "3.11"}
- run: python scripts/check-windows-footguns.py --all
```
### 6. CONTRIBUTING.md — "Cross-Platform Compatibility" expansion
Expanded from 5 to 16 rules, each with message, example, and fix.
Recommends psutil as the preferred API for PID / process-tree operations.
### 7. Baseline cleanup (91 → 0 findings)
- 14 `open()` sites → added `encoding='utf-8'` (internal logs/caches) or
`encoding='utf-8-sig'` (user-editable files that Notepad may BOM)
- 23 POSIX-only callsites in systemd helpers, pty_bridge, and plugin
tool subprocess management → annotated with
`# windows-footgun: ok — <reason>`
- 7 `os.killpg` sites → migrated to psutil (see §3 above)
## Verification
```
$ python scripts/check-windows-footguns.py --all
✓ No Windows footguns found (380 file(s) scanned).
$ python -c "from gateway.status import _pid_exists; import os
> print('self:', _pid_exists(os.getpid())); print('bogus:', _pid_exists(999999))"
self: True
bogus: False
```
Proof-of-repro that `os.kill(pid, 0)` was actually killing processes
before this fix — see commit `1cbe39914` and bpo-14484. This commit
removes the last hand-rolled ctypes path from the hot liveness-check
path and defers to the best-maintained cross-platform answer.
2026-05-08 12:57:33 -07:00
""" Kill the child and its entire process tree (cross-platform via psutil). """
import psutil
2026-02-19 23:23:43 -08:00
try :
feat(cross-platform): psutil for PID/process management + Windows footgun checker
## Why
Hermes supports Linux, macOS, and native Windows, but the codebase grew up
POSIX-first and has accumulated patterns that silently break (or worse,
silently kill!) on Windows:
- `os.kill(pid, 0)` as a liveness probe — on Windows this maps to
CTRL_C_EVENT and broadcasts Ctrl+C to the target's entire console
process group (bpo-14484, open since 2012).
- `os.killpg` — doesn't exist on Windows at all (AttributeError).
- `os.setsid` / `os.getuid` / `os.geteuid` — same.
- `signal.SIGKILL` / `signal.SIGHUP` / `signal.SIGUSR1` — module-attr
errors at runtime on Windows.
- `open(path)` / `open(path, "r")` without explicit encoding= — inherits
the platform default, which is cp1252/mbcs on Windows (UTF-8 on POSIX),
causing mojibake round-tripping between hosts.
- `wmic` — removed from Windows 10 21H1+.
This commit does three things:
1. Makes `psutil` a core dependency and migrates critical callsites to it.
2. Adds a grep-based CI gate (`scripts/check-windows-footguns.py`) that
blocks new instances of any of the above patterns.
3. Fixes every existing instance in the codebase so the baseline is clean.
## What changed
### 1. psutil as a core dependency (pyproject.toml)
Added `psutil>=5.9.0,<8` to core deps. psutil is the canonical
cross-platform answer for "is this PID alive" and "kill this process
tree" — its `pid_exists()` uses `OpenProcess + GetExitCodeProcess` on
Windows (NOT a signal call), and its `Process.children(recursive=True)`
+ `.kill()` combo replaces `os.killpg()` portably.
### 2. `gateway/status.py::_pid_exists`
Rewrote to call `psutil.pid_exists()` first, falling back to the
hand-rolled ctypes `OpenProcess + WaitForSingleObject` dance on Windows
(and `os.kill(pid, 0)` on POSIX) only if psutil is somehow missing —
e.g. during the scaffold phase of a fresh install before pip finishes.
### 3. `os.killpg` migration to psutil (7 callsites, 5 files)
- `tools/code_execution_tool.py`
- `tools/process_registry.py`
- `tools/tts_tool.py`
- `tools/environments/local.py` (3 sites kept as-is, suppressed with
`# windows-footgun: ok` — the pgid semantics psutil can't replicate,
and the calls are already Windows-guarded at the outer branch)
- `gateway/platforms/whatsapp.py`
### 4. `scripts/check-windows-footguns.py` (NEW, 500 lines)
Grep-based checker with 11 rules covering every Windows cross-platform
footgun we've hit so far:
1. `os.kill(pid, 0)` — the silent killer
2. `os.setsid` without guard
3. `os.killpg` (recommends psutil)
4. `os.getuid` / `os.geteuid` / `os.getgid`
5. `os.fork`
6. `signal.SIGKILL`
7. `signal.SIGHUP/SIGUSR1/SIGUSR2/SIGALRM/SIGCHLD/SIGPIPE/SIGQUIT`
8. `subprocess` shebang script invocation
9. `wmic` without `shutil.which` guard
10. Hardcoded `~/Desktop` (OneDrive trap)
11. `asyncio.add_signal_handler` without try/except
12. `open()` without `encoding=` on text mode
Features:
- Triple-quoted-docstring aware (won't flag prose inside docstrings)
- Trailing-comment aware (won't flag mentions in `# os.kill(pid, 0)` comments)
- Guard-hint aware (skips lines with `hasattr(os, ...)`,
`shutil.which(...)`, `if platform.system() != 'Windows'`, etc.)
- Inline suppression with `# windows-footgun: ok — <reason>`
- `--list` to print all rules with fixes
- `--all` / `--diff <ref>` / staged-files (default) modes
- Scans 380 files in under 2 seconds
### 5. CI integration
A GitHub Actions workflow that runs the checker on every PR and push is
staged at `/tmp/hermes-stash/windows-footguns.yml` — not included in this
commit because the GH token on the push machine lacks `workflow` scope.
A maintainer with `workflow` permissions should add it as
`.github/workflows/windows-footguns.yml` in a follow-up. Content:
```yaml
name: Windows footgun check
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with: {python-version: "3.11"}
- run: python scripts/check-windows-footguns.py --all
```
### 6. CONTRIBUTING.md — "Cross-Platform Compatibility" expansion
Expanded from 5 to 16 rules, each with message, example, and fix.
Recommends psutil as the preferred API for PID / process-tree operations.
### 7. Baseline cleanup (91 → 0 findings)
- 14 `open()` sites → added `encoding='utf-8'` (internal logs/caches) or
`encoding='utf-8-sig'` (user-editable files that Notepad may BOM)
- 23 POSIX-only callsites in systemd helpers, pty_bridge, and plugin
tool subprocess management → annotated with
`# windows-footgun: ok — <reason>`
- 7 `os.killpg` sites → migrated to psutil (see §3 above)
## Verification
```
$ python scripts/check-windows-footguns.py --all
✓ No Windows footguns found (380 file(s) scanned).
$ python -c "from gateway.status import _pid_exists; import os
> print('self:', _pid_exists(os.getpid())); print('bogus:', _pid_exists(999999))"
self: True
bogus: False
```
Proof-of-repro that `os.kill(pid, 0)` was actually killing processes
before this fix — see commit `1cbe39914` and bpo-14484. This commit
removes the last hand-rolled ctypes path from the hot liveness-check
path and defers to the best-maintained cross-platform answer.
2026-05-08 12:57:33 -07:00
parent = psutil . Process ( proc . pid )
children = parent . children ( recursive = True )
for child in children :
try :
child . terminate ( )
except psutil . NoSuchProcess :
pass
try :
parent . terminate ( )
except psutil . NoSuchProcess :
pass
except psutil . NoSuchProcess :
pass
except ( PermissionError , OSError ) as e :
logger . debug ( " Could not terminate process tree: %s " , e , exc_info = True )
2026-02-19 23:23:43 -08:00
try :
proc . kill ( )
2026-03-08 14:50:23 +03:00
except Exception as e2 :
logger . debug ( " Could not kill process: %s " , e2 , exc_info = True )
2026-02-19 23:23:43 -08:00
if escalate :
# Give the process 5s to exit after SIGTERM, then SIGKILL
try :
proc . wait ( timeout = 5 )
except subprocess . TimeoutExpired :
try :
feat(cross-platform): psutil for PID/process management + Windows footgun checker
## Why
Hermes supports Linux, macOS, and native Windows, but the codebase grew up
POSIX-first and has accumulated patterns that silently break (or worse,
silently kill!) on Windows:
- `os.kill(pid, 0)` as a liveness probe — on Windows this maps to
CTRL_C_EVENT and broadcasts Ctrl+C to the target's entire console
process group (bpo-14484, open since 2012).
- `os.killpg` — doesn't exist on Windows at all (AttributeError).
- `os.setsid` / `os.getuid` / `os.geteuid` — same.
- `signal.SIGKILL` / `signal.SIGHUP` / `signal.SIGUSR1` — module-attr
errors at runtime on Windows.
- `open(path)` / `open(path, "r")` without explicit encoding= — inherits
the platform default, which is cp1252/mbcs on Windows (UTF-8 on POSIX),
causing mojibake round-tripping between hosts.
- `wmic` — removed from Windows 10 21H1+.
This commit does three things:
1. Makes `psutil` a core dependency and migrates critical callsites to it.
2. Adds a grep-based CI gate (`scripts/check-windows-footguns.py`) that
blocks new instances of any of the above patterns.
3. Fixes every existing instance in the codebase so the baseline is clean.
## What changed
### 1. psutil as a core dependency (pyproject.toml)
Added `psutil>=5.9.0,<8` to core deps. psutil is the canonical
cross-platform answer for "is this PID alive" and "kill this process
tree" — its `pid_exists()` uses `OpenProcess + GetExitCodeProcess` on
Windows (NOT a signal call), and its `Process.children(recursive=True)`
+ `.kill()` combo replaces `os.killpg()` portably.
### 2. `gateway/status.py::_pid_exists`
Rewrote to call `psutil.pid_exists()` first, falling back to the
hand-rolled ctypes `OpenProcess + WaitForSingleObject` dance on Windows
(and `os.kill(pid, 0)` on POSIX) only if psutil is somehow missing —
e.g. during the scaffold phase of a fresh install before pip finishes.
### 3. `os.killpg` migration to psutil (7 callsites, 5 files)
- `tools/code_execution_tool.py`
- `tools/process_registry.py`
- `tools/tts_tool.py`
- `tools/environments/local.py` (3 sites kept as-is, suppressed with
`# windows-footgun: ok` — the pgid semantics psutil can't replicate,
and the calls are already Windows-guarded at the outer branch)
- `gateway/platforms/whatsapp.py`
### 4. `scripts/check-windows-footguns.py` (NEW, 500 lines)
Grep-based checker with 11 rules covering every Windows cross-platform
footgun we've hit so far:
1. `os.kill(pid, 0)` — the silent killer
2. `os.setsid` without guard
3. `os.killpg` (recommends psutil)
4. `os.getuid` / `os.geteuid` / `os.getgid`
5. `os.fork`
6. `signal.SIGKILL`
7. `signal.SIGHUP/SIGUSR1/SIGUSR2/SIGALRM/SIGCHLD/SIGPIPE/SIGQUIT`
8. `subprocess` shebang script invocation
9. `wmic` without `shutil.which` guard
10. Hardcoded `~/Desktop` (OneDrive trap)
11. `asyncio.add_signal_handler` without try/except
12. `open()` without `encoding=` on text mode
Features:
- Triple-quoted-docstring aware (won't flag prose inside docstrings)
- Trailing-comment aware (won't flag mentions in `# os.kill(pid, 0)` comments)
- Guard-hint aware (skips lines with `hasattr(os, ...)`,
`shutil.which(...)`, `if platform.system() != 'Windows'`, etc.)
- Inline suppression with `# windows-footgun: ok — <reason>`
- `--list` to print all rules with fixes
- `--all` / `--diff <ref>` / staged-files (default) modes
- Scans 380 files in under 2 seconds
### 5. CI integration
A GitHub Actions workflow that runs the checker on every PR and push is
staged at `/tmp/hermes-stash/windows-footguns.yml` — not included in this
commit because the GH token on the push machine lacks `workflow` scope.
A maintainer with `workflow` permissions should add it as
`.github/workflows/windows-footguns.yml` in a follow-up. Content:
```yaml
name: Windows footgun check
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with: {python-version: "3.11"}
- run: python scripts/check-windows-footguns.py --all
```
### 6. CONTRIBUTING.md — "Cross-Platform Compatibility" expansion
Expanded from 5 to 16 rules, each with message, example, and fix.
Recommends psutil as the preferred API for PID / process-tree operations.
### 7. Baseline cleanup (91 → 0 findings)
- 14 `open()` sites → added `encoding='utf-8'` (internal logs/caches) or
`encoding='utf-8-sig'` (user-editable files that Notepad may BOM)
- 23 POSIX-only callsites in systemd helpers, pty_bridge, and plugin
tool subprocess management → annotated with
`# windows-footgun: ok — <reason>`
- 7 `os.killpg` sites → migrated to psutil (see §3 above)
## Verification
```
$ python scripts/check-windows-footguns.py --all
✓ No Windows footguns found (380 file(s) scanned).
$ python -c "from gateway.status import _pid_exists; import os
> print('self:', _pid_exists(os.getpid())); print('bogus:', _pid_exists(999999))"
self: True
bogus: False
```
Proof-of-repro that `os.kill(pid, 0)` was actually killing processes
before this fix — see commit `1cbe39914` and bpo-14484. This commit
removes the last hand-rolled ctypes path from the hot liveness-check
path and defers to the best-maintained cross-platform answer.
2026-05-08 12:57:33 -07:00
parent = psutil . Process ( proc . pid )
for child in parent . children ( recursive = True ) :
try :
child . kill ( )
except psutil . NoSuchProcess :
pass
try :
parent . kill ( )
except psutil . NoSuchProcess :
pass
except psutil . NoSuchProcess :
pass
except ( PermissionError , OSError ) as e :
logger . debug ( " Could not kill process tree: %s " , e , exc_info = True )
2026-02-19 23:23:43 -08:00
try :
proc . kill ( )
2026-03-08 14:50:23 +03:00
except Exception as e2 :
logger . debug ( " Could not kill process: %s " , e2 , exc_info = True )
2026-02-19 23:23:43 -08:00
def _load_config ( ) - > dict :
2026-04-28 22:42:17 -05:00
""" Load code_execution config without importing the interactive CLI.
This helper is called while building the module - level execute_code schema
during tool discovery . Importing ` ` cli ` ` here pulls prompt_toolkit / Rich and
a large chunk of the classic REPL onto every agent startup path , including
` ` hermes - - tui ` ` where it is never used . Read the lightweight raw config
instead ; the config layer already caches by ( mtime , size ) , and an absent
key cleanly falls back to DEFAULT_EXECUTION_MODE .
"""
2026-02-19 23:23:43 -08:00
try :
2026-04-28 22:42:17 -05:00
from hermes_cli . config import read_raw_config
cfg = read_raw_config ( ) . get ( " code_execution " , { } )
return cfg if isinstance ( cfg , dict ) else { }
2026-02-19 23:23:43 -08:00
except Exception :
return { }
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
# ---------------------------------------------------------------------------
# Execution mode resolution (strict vs project)
# ---------------------------------------------------------------------------
# Valid values for code_execution.mode. Kept as a module constant so tests
# and the config layer can reference the canonical set.
EXECUTION_MODES = ( " project " , " strict " )
DEFAULT_EXECUTION_MODE = " project "
def _get_execution_mode ( ) - > str :
""" Return the active execute_code mode — ' project ' or ' strict ' .
Reads ` ` code_execution . mode ` ` from config . yaml ; invalid values fall back
to ` ` DEFAULT_EXECUTION_MODE ` ` ( ' project ' ) with a log warning .
Mode semantics :
- ` ` project ` ` ( default ) : scripts run in the session ' s working directory
with the active virtual environment ' s python, so project dependencies
( pandas , torch , project packages ) and files resolve naturally .
- ` ` strict ` ` : scripts run in an isolated temp directory with
` ` sys . executable ` ` ( hermes - agent ' s python). Reproducible and the
interpreter is guaranteed to work , but project deps and relative paths
won ' t resolve.
Env scrubbing and tool whitelist apply identically in both modes .
"""
cfg_value = str ( _load_config ( ) . get ( " mode " , DEFAULT_EXECUTION_MODE ) ) . strip ( ) . lower ( )
if cfg_value in EXECUTION_MODES :
return cfg_value
logger . warning (
" Ignoring code_execution.mode= %r (expected one of %s ), falling back to %r " ,
cfg_value , EXECUTION_MODES , DEFAULT_EXECUTION_MODE ,
)
return DEFAULT_EXECUTION_MODE
@functools.lru_cache ( maxsize = 32 )
def _is_usable_python ( python_path : str ) - > bool :
""" Check whether a candidate Python interpreter is usable for execute_code.
Requires Python 3.8 + ( f - strings and stdlib modules the RPC stubs need ) .
Cached so we don ' t fork a subprocess on every execute_code call.
"""
try :
result = subprocess . run (
[ python_path , " -c " ,
" import sys; sys.exit(0 if sys.version_info >= (3, 8) else 1) " ] ,
timeout = 5 ,
capture_output = True ,
2026-05-16 12:06:09 -04:00
creationflags = subprocess . CREATE_NO_WINDOW if _IS_WINDOWS else 0 ,
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
)
return result . returncode == 0
except ( OSError , subprocess . TimeoutExpired , subprocess . SubprocessError ) :
return False
def _resolve_child_python ( mode : str ) - > str :
""" Pick the Python interpreter for the execute_code subprocess.
In ` ` strict ` ` mode , always ` ` sys . executable ` ` — guaranteed to work and
keeps behavior fully reproducible across sessions .
In ` ` project ` ` mode , prefer the user ' s active virtualenv/conda env ' s
python so ` ` import pandas ` ` etc . work . Falls back to ` ` sys . executable ` `
if no venv is detected , the candidate binary is missing / not executable ,
or it fails a Python 3.8 + version check .
"""
if mode != " project " :
return sys . executable
if _IS_WINDOWS :
exe_names = ( " python.exe " , " python3.exe " )
subdirs = ( " Scripts " , )
else :
exe_names = ( " python " , " python3 " )
subdirs = ( " bin " , )
for var in ( " VIRTUAL_ENV " , " CONDA_PREFIX " ) :
root = os . environ . get ( var , " " ) . strip ( )
if not root :
continue
for subdir in subdirs :
for exe in exe_names :
candidate = os . path . join ( root , subdir , exe )
if not ( os . path . isfile ( candidate ) and os . access ( candidate , os . X_OK ) ) :
continue
if _is_usable_python ( candidate ) :
return candidate
# Found the interpreter but it failed the version check —
# log once and fall through to sys.executable.
logger . info (
" execute_code: skipping %s = %s (Python version < 3.8 or broken). "
" Using sys.executable instead. " , var , candidate ,
)
return sys . executable
return sys . executable
def _resolve_child_cwd ( mode : str , staging_dir : str ) - > str :
""" Resolve the working directory for the execute_code subprocess.
- ` ` strict ` ` : the staging tmpdir ( today ' s behavior).
- ` ` project ` ` : the session ' s TERMINAL_CWD (same as the terminal tool), or
` ` os . getcwd ( ) ` ` if TERMINAL_CWD is unset or doesn ' t point at a real dir.
Falls back to the staging tmpdir as a last resort so we never invoke
Popen with a nonexistent cwd .
"""
if mode != " project " :
return staging_dir
raw = os . environ . get ( " TERMINAL_CWD " , " " ) . strip ( )
if raw :
expanded = os . path . expanduser ( raw )
if os . path . isdir ( expanded ) :
return expanded
here = os . getcwd ( )
if os . path . isdir ( here ) :
return here
return staging_dir
2026-02-19 23:23:43 -08:00
# ---------------------------------------------------------------------------
# OpenAI Function-Calling Schema
# ---------------------------------------------------------------------------
2026-03-06 17:36:06 -08:00
# Per-tool documentation lines for the execute_code description.
# Ordered to match the canonical display order.
_TOOL_DOC_LINES = [
( " web_search " ,
" web_search(query: str, limit: int = 5) -> dict \n "
" Returns { \" data \" : { \" web \" : [ { \" url \" , \" title \" , \" description \" }, ...]}} " ) ,
( " web_extract " ,
" web_extract(urls: list[str]) -> dict \n "
fix: improve read-loop detection — consecutive-only, correct thresholds, fix bugs
Follow-up to PR #705 (merged from 0xbyt4). Addresses several issues:
1. CONSECUTIVE-ONLY TRACKING: Redesigned the read/search tracker to only
warn/block on truly consecutive identical calls. Any other tool call
in between (write, patch, terminal, etc.) resets the counter via
notify_other_tool_call(), called from handle_function_call() in
model_tools.py. This prevents false blocks in read→edit→verify flows.
2. THRESHOLD ADJUSTMENT: Warn on 3rd consecutive (was 2nd), block on
4th+ consecutive (was 3rd+). Gives the model more room before
intervening.
3. TUPLE UNPACKING BUG: Fixed get_read_files_summary() which crashed on
search keys (5-tuple) when trying to unpack as 3-tuple. Now uses a
separate read_history set that only tracks file reads.
4. WEB_EXTRACT DOCSTRING: Reverted incorrect removal of 'title' from
web_extract return docs in code_execution_tool.py — the field IS
returned by web_tools.py.
5. TESTS: Rewrote test_read_loop_detection.py (35 tests) to cover
consecutive-only behavior, notify_other_tool_call, interleaved
read/search, and summary-unaffected-by-searches.
2026-03-10 16:25:41 -07:00
" Returns { \" results \" : [ { \" url \" , \" title \" , \" content \" , \" error \" }, ...]} where content is markdown " ) ,
2026-03-06 17:36:06 -08:00
( " read_file " ,
" read_file(path: str, offset: int = 1, limit: int = 500) -> dict \n "
" Lines are 1-indexed. Returns { \" content \" : \" ... \" , \" total_lines \" : N} " ) ,
( " write_file " ,
" write_file(path: str, content: str) -> dict \n "
" Always overwrites the entire file. " ) ,
( " search_files " ,
" search_files(pattern: str, target= \" content \" , path= \" . \" , file_glob=None, limit=50) -> dict \n "
" target: \" content \" (search inside files) or \" files \" (find files by name). Returns { \" matches \" : [...]} " ) ,
( " patch " ,
" patch(path: str, old_string: str, new_string: str, replace_all: bool = False) -> dict \n "
" Replaces old_string with new_string in the file. " ) ,
( " terminal " ,
" terminal(command: str, timeout=None, workdir=None) -> dict \n "
" Foreground only (no background/pty). Returns { \" output \" : \" ... \" , \" exit_code \" : N} " ) ,
]
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
def build_execute_code_schema ( enabled_sandbox_tools : set = None ,
mode : str = None ) - > dict :
2026-03-06 17:36:06 -08:00
""" Build the execute_code schema with description listing only enabled tools.
When tools are disabled via ` ` hermes tools ` ` ( e . g . web is turned off ) ,
the schema description should NOT mention web_search / web_extract —
otherwise the model thinks they are available and keeps trying to use them .
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
` ` mode ` ` controls the working - directory sentence in the description :
- ` ` ' strict ' ` ` : scripts run in a temp dir ( not the session ' s CWD)
- ` ` ' project ' ` ` ( default ) : scripts run in the session ' s CWD with the
active venv ' s python
If ` ` mode ` ` is None , the current ` ` code_execution . mode ` ` config is read .
2026-03-06 17:36:06 -08:00
"""
if enabled_sandbox_tools is None :
enabled_sandbox_tools = SANDBOX_ALLOWED_TOOLS
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
if mode is None :
mode = _get_execution_mode ( )
2026-03-06 17:36:06 -08:00
# Build tool documentation lines for only the enabled tools
tool_lines = " \n " . join (
doc for name , doc in _TOOL_DOC_LINES if name in enabled_sandbox_tools
)
# Build example import list from enabled tools
import_examples = [ n for n in ( " web_search " , " terminal " ) if n in enabled_sandbox_tools ]
if not import_examples :
import_examples = sorted ( enabled_sandbox_tools ) [ : 2 ]
2026-03-08 13:15:17 +03:00
if import_examples :
import_str = " , " . join ( import_examples ) + " , ... "
else :
import_str = " ... "
2026-03-06 17:36:06 -08:00
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
# Mode-specific CWD guidance. Project mode is the default and matches
# terminal()'s filesystem/interpreter; strict mode retains the isolated
# temp-dir staging and hermes-agent's own python.
if mode == " strict " :
cwd_note = (
" Scripts run in their own temp dir, not the session ' s CWD — use absolute paths "
" (os.path.expanduser( ' ~/.hermes/.env ' )) or terminal()/read_file() for user files. "
)
else :
cwd_note = (
" Scripts run in the session ' s working directory with the active venv ' s python, "
" so project deps (pandas, etc.) and relative paths work like in terminal(). "
)
2026-03-06 17:36:06 -08:00
description = (
2026-02-19 23:23:43 -08:00
" Run a Python script that can call Hermes tools programmatically. "
" Use this when you need 3+ tool calls with processing logic between them, "
" need to filter/reduce large tool outputs before they enter your context, "
" need conditional branching (if X then Y else Z), or need to loop "
" (fetch N pages, process N files, retry on failure). \n \n "
" Use normal tool calls instead when: single tool call with no processing, "
" you need to see the full result and apply complex reasoning, "
" or the task requires interactive user input. \n \n "
2026-03-06 17:36:06 -08:00
f " Available via `from hermes_tools import ...`: \n \n "
f " { tool_lines } \n \n "
2026-02-21 02:41:30 -08:00
" Limits: 5-minute timeout, 50KB stdout cap, max 50 tool calls per script. "
2026-04-13 04:23:18 -07:00
" terminal() is foreground-only (no background or pty). \n \n "
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
f " { cwd_note } \n \n "
2026-02-19 23:23:43 -08:00
" Print your final result to stdout. Use Python stdlib (json, re, math, csv, "
2026-03-06 01:52:46 -08:00
" datetime, collections, etc.) for processing between tool calls. \n \n "
" Also available (no import needed — built into hermes_tools): \n "
" json_parse(text: str) — json.loads with strict=False; use for terminal() output with control chars \n "
" shell_quote(s: str) — shlex.quote(); use when interpolating dynamic strings into shell commands \n "
" retry(fn, max_attempts=3, delay=2) — retry with exponential backoff for transient failures "
2026-03-06 17:36:06 -08:00
)
return {
" name " : " execute_code " ,
" description " : description ,
" parameters " : {
" type " : " object " ,
" properties " : {
" code " : {
" type " : " string " ,
" description " : (
" Python code to execute. Import tools with "
f " `from hermes_tools import { import_str } ` "
" and print your final result to stdout. "
) ,
} ,
2026-02-19 23:23:43 -08:00
} ,
2026-03-06 17:36:06 -08:00
" required " : [ " code " ] ,
2026-02-19 23:23:43 -08:00
} ,
2026-03-06 17:36:06 -08:00
}
feat(execute_code): add project/strict execution modes, default to project (#11971)
Weaker models (Gemma-class) repeatedly rediscover and forget that
execute_code uses a different CWD and Python interpreter than terminal(),
causing them to flip-flop on whether user files exist and to hit import
errors on project dependencies like pandas.
Adds a new 'code_execution.mode' config key (default 'project') that
brings execute_code into line with terminal()'s filesystem/interpreter:
project (new default):
- cwd = session's TERMINAL_CWD (falls back to os.getcwd())
- python = active VIRTUAL_ENV/bin/python or CONDA_PREFIX/bin/python
with a Python 3.8+ version check; falls back cleanly to
sys.executable if no venv or the candidate fails
- result : 'import pandas' works, '.env' resolves, matches terminal()
strict (opt-in):
- cwd = staging tmpdir (today's behavior)
- python = sys.executable (today's behavior)
- result : maximum reproducibility and isolation; project deps
won't resolve
Security-critical invariants are identical across both modes and covered by
explicit regression tests:
- env scrubbing (strips *_API_KEY, *_TOKEN, *_SECRET, *_PASSWORD,
*_CREDENTIAL, *_PASSWD, *_AUTH substrings)
- SANDBOX_ALLOWED_TOOLS whitelist (no execute_code recursion, no
delegate_task, no MCP from inside scripts)
- resource caps (5-min timeout, 50KB stdout, 50 tool calls)
Deliberately avoids 'sandbox'/'isolated'/'cloud' language in tool
descriptions (regression from commit 39b83f34 where agents on local
backends falsely believed they were sandboxed and refused networking).
Override via env var: HERMES_EXECUTE_CODE_MODE=strict|project
2026-04-18 01:46:25 -07:00
# Default schema used at registration time (all sandbox tools listed,
# current configured mode). model_tools.py rebuilds per-session anyway.
2026-03-06 17:36:06 -08:00
EXECUTE_CODE_SCHEMA = build_execute_code_schema ( )
2026-02-21 20:22:33 -08:00
# --- Registry ---
refactor: add tool_error/tool_result helpers + read_raw_config, migrate 129 callsites
Add three reusable helpers to eliminate pervasive boilerplate:
tools/registry.py — tool_error() and tool_result():
Every tool handler returns JSON strings. The pattern
json.dumps({"error": msg}, ensure_ascii=False) appeared 106 times,
and json.dumps({"success": False, "error": msg}, ...) another 23.
Now: tool_error(msg) or tool_error(msg, success=False).
tool_result() handles arbitrary result dicts:
tool_result(success=True, data=payload) or tool_result(some_dict).
hermes_cli/config.py — read_raw_config():
Lightweight YAML reader that returns the raw config dict without
load_config()'s deep-merge + migration overhead. Available for
callsites that just need a single config value.
Migration (129 callsites across 32 files):
- tools/: browser_camofox (18), file_tools (10), homeassistant (8),
web_tools (7), skill_manager (7), cronjob (11), code_execution (4),
delegate (5), send_message (4), tts (4), memory (7), session_search (3),
mcp (2), clarify (2), skills_tool (3), todo (1), vision (1),
browser (1), process_registry (2), image_gen (1)
- plugins/memory/: honcho (9), supermemory (9), hindsight (8),
holographic (7), openviking (7), mem0 (7), byterover (6), retaindb (2)
- agent/: memory_manager (2), builtin_memory_provider (1)
2026-04-07 13:36:20 -07:00
from tools . registry import registry , tool_error
2026-02-21 20:22:33 -08:00
registry . register (
name = " execute_code " ,
toolset = " code_execution " ,
schema = EXECUTE_CODE_SCHEMA ,
handler = lambda args , * * kw : execute_code (
code = args . get ( " code " , " " ) ,
task_id = kw . get ( " task_id " ) ,
enabled_tools = kw . get ( " enabled_tools " ) ) ,
check_fn = check_sandbox_requirements ,
2026-03-15 20:21:21 -07:00
emoji = " 🐍 " ,
2026-04-08 01:45:51 -07:00
max_result_size_chars = 100_000 ,
2026-02-21 20:22:33 -08:00
)
