2026-04-02 13:34:57 +05:30
|
|
|
"""Local execution environment — spawn-per-call with snapshot."""
|
2026-02-21 22:31:43 -08:00
|
|
|
|
2026-04-02 13:34:57 +05:30
|
|
|
import logging
|
2026-02-21 22:31:43 -08:00
|
|
|
import os
|
2026-03-01 01:54:27 +03:00
|
|
|
import platform
|
2026-02-27 15:10:27 -08:00
|
|
|
import shutil
|
2026-02-21 22:31:43 -08:00
|
|
|
import signal
|
|
|
|
|
import subprocess
|
|
|
|
|
import threading
|
|
|
|
|
|
2026-03-01 01:54:27 +03:00
|
|
|
_IS_WINDOWS = platform.system() == "Windows"
|
|
|
|
|
|
2026-02-21 22:31:43 -08:00
|
|
|
from tools.environments.base import BaseEnvironment
|
|
|
|
|
|
2026-04-02 13:34:57 +05:30
|
|
|
logger = logging.getLogger(__name__)
|
2026-03-02 22:53:21 +03:00
|
|
|
|
2026-03-13 17:52:03 +03:00
|
|
|
# Hermes-internal env vars that should NOT leak into terminal subprocesses.
|
|
|
|
|
# These are loaded from ~/.hermes/.env for Hermes' own LLM/provider calls
|
|
|
|
|
# but can break external CLIs (e.g. codex) that also honor them.
|
|
|
|
|
# See: https://github.com/NousResearch/hermes-agent/issues/1002
|
|
|
|
|
#
|
|
|
|
|
# Built dynamically from the provider registry so new providers are
|
|
|
|
|
# automatically covered without manual blocklist maintenance.
|
|
|
|
|
_HERMES_PROVIDER_ENV_FORCE_PREFIX = "_HERMES_FORCE_"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def _build_provider_env_blocklist() -> frozenset:
|
2026-03-15 02:51:04 -07:00
|
|
|
"""Derive the blocklist from provider, tool, and gateway config.
|
2026-03-13 17:52:03 +03:00
|
|
|
|
|
|
|
|
Automatically picks up api_key_env_vars and base_url_env_var from
|
2026-03-15 02:51:04 -07:00
|
|
|
every registered provider, plus tool/messaging env vars from the
|
|
|
|
|
optional config registry, so new Hermes-managed secrets are blocked
|
|
|
|
|
in subprocesses without having to maintain multiple static lists.
|
2026-03-13 17:52:03 +03:00
|
|
|
"""
|
|
|
|
|
blocked: set[str] = set()
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
from hermes_cli.auth import PROVIDER_REGISTRY
|
|
|
|
|
for pconfig in PROVIDER_REGISTRY.values():
|
|
|
|
|
blocked.update(pconfig.api_key_env_vars)
|
|
|
|
|
if pconfig.base_url_env_var:
|
|
|
|
|
blocked.add(pconfig.base_url_env_var)
|
|
|
|
|
except ImportError:
|
|
|
|
|
pass
|
|
|
|
|
|
2026-03-15 02:51:04 -07:00
|
|
|
try:
|
|
|
|
|
from hermes_cli.config import OPTIONAL_ENV_VARS
|
|
|
|
|
for name, metadata in OPTIONAL_ENV_VARS.items():
|
|
|
|
|
category = metadata.get("category")
|
|
|
|
|
if category in {"tool", "messaging"}:
|
|
|
|
|
blocked.add(name)
|
|
|
|
|
elif category == "setting" and metadata.get("password"):
|
|
|
|
|
blocked.add(name)
|
|
|
|
|
except ImportError:
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
# Vars not covered above but still Hermes-internal / conflict-prone.
|
2026-03-13 17:52:03 +03:00
|
|
|
blocked.update({
|
|
|
|
|
"OPENAI_BASE_URL",
|
|
|
|
|
"OPENAI_API_KEY",
|
|
|
|
|
"OPENAI_API_BASE", # legacy alias
|
|
|
|
|
"OPENAI_ORG_ID",
|
|
|
|
|
"OPENAI_ORGANIZATION",
|
|
|
|
|
"OPENROUTER_API_KEY",
|
|
|
|
|
"ANTHROPIC_BASE_URL",
|
|
|
|
|
"ANTHROPIC_TOKEN", # OAuth token (not in registry as env var)
|
|
|
|
|
"CLAUDE_CODE_OAUTH_TOKEN",
|
|
|
|
|
"LLM_MODEL",
|
2026-03-15 05:42:06 +01:00
|
|
|
# Expanded isolation for other major providers (Issue #1002)
|
|
|
|
|
"GOOGLE_API_KEY", # Gemini / Google AI Studio
|
|
|
|
|
"DEEPSEEK_API_KEY", # DeepSeek
|
|
|
|
|
"MISTRAL_API_KEY", # Mistral AI
|
|
|
|
|
"GROQ_API_KEY", # Groq
|
|
|
|
|
"TOGETHER_API_KEY", # Together AI
|
|
|
|
|
"PERPLEXITY_API_KEY", # Perplexity
|
|
|
|
|
"COHERE_API_KEY", # Cohere
|
|
|
|
|
"FIREWORKS_API_KEY", # Fireworks AI
|
|
|
|
|
"XAI_API_KEY", # xAI (Grok)
|
|
|
|
|
"HELICONE_API_KEY", # LLM Observability proxy
|
feat(web): add Parallel as alternative web search/extract backend (#1696)
* feat(web): add Parallel as alternative web search/extract backend
Adds Parallel (parallel.ai) as a drop-in alternative to Firecrawl for
web_search and web_extract tools using the official parallel-web SDK.
- Backend selection via WEB_SEARCH_BACKEND env var (auto/parallel/firecrawl)
- Auto mode prefers Firecrawl when both keys present; Parallel when sole backend
- web_crawl remains Firecrawl-only with clear error when unavailable
- Lazy SDK imports, interrupt support, singleton clients
- 16 new unit tests for backend selection and client config
Co-authored-by: s-jag <s-jag@users.noreply.github.com>
* fix: add PARALLEL_API_KEY to config registry and fix web_crawl policy tests
Follow-up for Parallel backend integration:
- Add PARALLEL_API_KEY to OPTIONAL_ENV_VARS (hermes doctor, env blocklist)
- Add to set_config_value api_keys list (hermes config set)
- Add to doctor keys display
- Fix 2 web_crawl policy tests that didn't set FIRECRAWL_API_KEY
(needed now that web_crawl has a Firecrawl availability guard)
* refactor: explicit backend selection via hermes tools, not auto-detect
Replace the auto-detect backend selection with explicit user choice:
- hermes tools saves WEB_SEARCH_BACKEND to .env when user picks a provider
- _get_backend() reads the explicit choice first
- Fallback only for manual/legacy config (uses whichever key is present)
- _is_provider_active() shows [active] for the selected web backend
- Updated tests, docs, and .env.example to remove 'auto' mode language
* refactor: use config.yaml for web backend, not env var
Match the TTS/browser pattern — web.backend is stored in config.yaml
(set by hermes tools), not as a WEB_SEARCH_BACKEND env var.
- _load_web_config() reads web: section from config.yaml
- _get_backend() reads web.backend from config, falls back to key detection
- _configure_provider() saves to config dict (saved to config.yaml)
- _is_provider_active() reads from config dict
- Removed WEB_SEARCH_BACKEND from .env.example, set_config_value, docs
- Updated all tests to mock _load_web_config instead of env vars
---------
Co-authored-by: s-jag <s-jag@users.noreply.github.com>
2026-03-17 04:02:02 -07:00
|
|
|
"PARALLEL_API_KEY",
|
|
|
|
|
"FIRECRAWL_API_KEY",
|
|
|
|
|
"FIRECRAWL_API_URL",
|
2026-03-15 02:51:04 -07:00
|
|
|
# Gateway/runtime config not represented in OPTIONAL_ENV_VARS.
|
|
|
|
|
"TELEGRAM_HOME_CHANNEL",
|
|
|
|
|
"TELEGRAM_HOME_CHANNEL_NAME",
|
|
|
|
|
"DISCORD_HOME_CHANNEL",
|
|
|
|
|
"DISCORD_HOME_CHANNEL_NAME",
|
|
|
|
|
"DISCORD_REQUIRE_MENTION",
|
|
|
|
|
"DISCORD_FREE_RESPONSE_CHANNELS",
|
|
|
|
|
"DISCORD_AUTO_THREAD",
|
|
|
|
|
"SLACK_HOME_CHANNEL",
|
|
|
|
|
"SLACK_HOME_CHANNEL_NAME",
|
|
|
|
|
"SLACK_ALLOWED_USERS",
|
|
|
|
|
"WHATSAPP_ENABLED",
|
|
|
|
|
"WHATSAPP_MODE",
|
|
|
|
|
"WHATSAPP_ALLOWED_USERS",
|
|
|
|
|
"SIGNAL_HTTP_URL",
|
|
|
|
|
"SIGNAL_ACCOUNT",
|
|
|
|
|
"SIGNAL_ALLOWED_USERS",
|
|
|
|
|
"SIGNAL_GROUP_ALLOWED_USERS",
|
|
|
|
|
"SIGNAL_HOME_CHANNEL",
|
|
|
|
|
"SIGNAL_HOME_CHANNEL_NAME",
|
|
|
|
|
"SIGNAL_IGNORE_STORIES",
|
|
|
|
|
"HASS_TOKEN",
|
|
|
|
|
"HASS_URL",
|
|
|
|
|
"EMAIL_ADDRESS",
|
|
|
|
|
"EMAIL_PASSWORD",
|
|
|
|
|
"EMAIL_IMAP_HOST",
|
|
|
|
|
"EMAIL_SMTP_HOST",
|
|
|
|
|
"EMAIL_HOME_ADDRESS",
|
|
|
|
|
"EMAIL_HOME_ADDRESS_NAME",
|
|
|
|
|
"GATEWAY_ALLOWED_USERS",
|
|
|
|
|
# Skills Hub / GitHub app auth paths and aliases.
|
|
|
|
|
"GH_TOKEN",
|
|
|
|
|
"GITHUB_APP_ID",
|
|
|
|
|
"GITHUB_APP_PRIVATE_KEY_PATH",
|
|
|
|
|
"GITHUB_APP_INSTALLATION_ID",
|
fix(security): block sandbox backend creds from subprocess env (#1264)
* fix: prevent infinite 400 failure loop on context overflow (#1630)
When a gateway session exceeds the model's context window, Anthropic may
return a generic 400 invalid_request_error with just 'Error' as the
message. This bypassed the phrase-based context-length detection,
causing the agent to treat it as a non-retryable client error. Worse,
the failed user message was still persisted to the transcript, making
the session even larger on each attempt — creating an infinite loop.
Three-layer fix:
1. run_agent.py — Fallback heuristic: when a 400 error has a very short
generic message AND the session is large (>40% of context or >80
messages), treat it as a probable context overflow and trigger
compression instead of aborting.
2. run_agent.py + gateway/run.py — Don't persist failed messages:
when the agent returns failed=True before generating any response,
skip writing the user's message to the transcript/DB. This prevents
the session from growing on each failure.
3. gateway/run.py — Smarter error messages: detect context-overflow
failures and suggest /compact or /reset specifically, instead of a
generic 'try again' that will fail identically.
* fix(skills): detect prompt injection patterns and block cache file reads
Adds two security layers to prevent prompt injection via skills hub
cache files (#1558):
1. read_file: blocks direct reads of ~/.hermes/skills/.hub/ directory
(index-cache, catalog files). The 3.5MB clawhub_catalog_v1.json
was the original injection vector — untrusted skill descriptions
in the catalog contained adversarial text that the model executed.
2. skill_view: warns when skills are loaded from outside the trusted
~/.hermes/skills/ directory, and detects common injection patterns
in skill content ("ignore previous instructions", "<system>", etc.).
Cherry-picked from PR #1562 by ygd58.
* fix(tools): chunk long messages in send_message_tool before dispatch (#1552)
Long messages sent via send_message tool or cron delivery silently
failed when exceeding platform limits. Gateway adapters handle this
via truncate_message(), but the standalone senders in send_message_tool
bypassed that entirely.
- Apply truncate_message() chunking in _send_to_platform() before
dispatching to individual platform senders
- Remove naive message[i:i+2000] character split in _send_discord()
in favor of centralized smart splitting
- Attach media files to last chunk only for Telegram
- Add regression tests for chunking and media placement
Cherry-picked from PR #1557 by llbn.
* fix(approval): show full command in dangerous command approval (#1553)
Previously the command was truncated to 80 chars in CLI (with a
[v]iew full option), 500 chars in Discord embeds, and missing entirely
in Telegram/Slack approval messages. Now the full command is always
displayed everywhere:
- CLI: removed 80-char truncation and [v]iew full menu option
- Gateway (TG/Slack): approval_required message includes full command
in a code block
- Discord: embed shows full command up to 4096-char limit
- Windows: skip SIGALRM-based test timeout (Unix-only)
- Updated tests: replaced view-flow tests with direct approval tests
Cherry-picked from PR #1566 by crazywriter1.
* fix(cli): flush stdout during agent loop to prevent macOS display freeze (#1624)
The interrupt polling loop in chat() waited on the queue without
invalidating the prompt_toolkit renderer. On macOS, the StdoutProxy
buffer only flushed on input events, causing the CLI to appear frozen
during tool execution until the user typed a key.
Fix: call _invalidate() on each queue timeout (every ~100ms, throttled
to 150ms) to force the renderer to flush buffered agent output.
* fix(claw): warn when API keys are skipped during OpenClaw migration (#1580)
When --migrate-secrets is not passed (the default), API keys like
OPENROUTER_API_KEY are silently skipped with no warning. Users don't
realize their keys weren't migrated until the agent fails to connect.
Add a post-migration warning with actionable instructions: either
re-run with --migrate-secrets or add the key manually via
hermes config set.
Cherry-picked from PR #1593 by ygd58.
* fix(security): block sandbox backend creds from subprocess env (#1264)
Add Modal and Daytona sandbox credentials to the subprocess env
blocklist so they're not leaked to agent terminal sessions via
printenv/env.
Cherry-picked from PR #1571 by ygd58.
---------
Co-authored-by: buray <ygd58@users.noreply.github.com>
Co-authored-by: lbn <llbn@users.noreply.github.com>
Co-authored-by: crazywriter1 <53251494+crazywriter1@users.noreply.github.com>
2026-03-17 02:20:42 -07:00
|
|
|
# Remote sandbox backend credentials.
|
|
|
|
|
"MODAL_TOKEN_ID",
|
|
|
|
|
"MODAL_TOKEN_SECRET",
|
|
|
|
|
"DAYTONA_API_KEY",
|
2026-03-13 17:52:03 +03:00
|
|
|
})
|
|
|
|
|
return frozenset(blocked)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
_HERMES_PROVIDER_ENV_BLOCKLIST = _build_provider_env_blocklist()
|
|
|
|
|
|
2026-03-02 22:03:29 -08:00
|
|
|
|
2026-03-15 02:51:04 -07:00
|
|
|
def _sanitize_subprocess_env(base_env: dict | None, extra_env: dict | None = None) -> dict:
|
|
|
|
|
"""Filter Hermes-managed secrets from a subprocess environment.
|
|
|
|
|
|
|
|
|
|
`_HERMES_FORCE_<VAR>` entries in ``extra_env`` opt a blocked variable back in
|
feat: env var passthrough for skills and user config (#2807)
* feat: env var passthrough for skills and user config
Skills that declare required_environment_variables now have those vars
passed through to sandboxed execution environments (execute_code and
terminal). Previously, execute_code stripped all vars containing KEY,
TOKEN, SECRET, etc. and the terminal blocklist removed Hermes
infrastructure vars — both blocked skill-declared env vars.
Two passthrough sources:
1. Skill-scoped (automatic): when a skill is loaded via skill_view and
declares required_environment_variables, vars that are present in
the environment are registered in a session-scoped passthrough set.
2. Config-based (manual): terminal.env_passthrough in config.yaml lets
users explicitly allowlist vars for non-skill use cases.
Changes:
- New module: tools/env_passthrough.py — shared passthrough registry
- hermes_cli/config.py: add terminal.env_passthrough to DEFAULT_CONFIG
- tools/skills_tool.py: register available skill env vars on load
- tools/code_execution_tool.py: check passthrough before filtering
- tools/environments/local.py: check passthrough in _sanitize_subprocess_env
and _make_run_env
- 19 new tests covering all layers
* docs: add environment variable passthrough documentation
Document the env var passthrough feature across four docs pages:
- security.md: new 'Environment Variable Passthrough' section with
full explanation, comparison table, and security considerations
- code-execution.md: update security section, add passthrough subsection,
fix comparison table
- creating-skills.md: add tip about automatic sandbox passthrough
- skills.md: add note about passthrough after secure setup docs
Live-tested: launched interactive CLI, loaded a skill with
required_environment_variables, verified TEST_SKILL_SECRET_KEY was
accessible inside execute_code sandbox (value: passthrough-test-value-42).
2026-03-24 08:19:34 -07:00
|
|
|
intentionally for callers that truly need it. Vars registered via
|
|
|
|
|
:mod:`tools.env_passthrough` (skill-declared or user-configured) also
|
|
|
|
|
bypass the blocklist.
|
2026-03-15 02:51:04 -07:00
|
|
|
"""
|
feat: env var passthrough for skills and user config (#2807)
* feat: env var passthrough for skills and user config
Skills that declare required_environment_variables now have those vars
passed through to sandboxed execution environments (execute_code and
terminal). Previously, execute_code stripped all vars containing KEY,
TOKEN, SECRET, etc. and the terminal blocklist removed Hermes
infrastructure vars — both blocked skill-declared env vars.
Two passthrough sources:
1. Skill-scoped (automatic): when a skill is loaded via skill_view and
declares required_environment_variables, vars that are present in
the environment are registered in a session-scoped passthrough set.
2. Config-based (manual): terminal.env_passthrough in config.yaml lets
users explicitly allowlist vars for non-skill use cases.
Changes:
- New module: tools/env_passthrough.py — shared passthrough registry
- hermes_cli/config.py: add terminal.env_passthrough to DEFAULT_CONFIG
- tools/skills_tool.py: register available skill env vars on load
- tools/code_execution_tool.py: check passthrough before filtering
- tools/environments/local.py: check passthrough in _sanitize_subprocess_env
and _make_run_env
- 19 new tests covering all layers
* docs: add environment variable passthrough documentation
Document the env var passthrough feature across four docs pages:
- security.md: new 'Environment Variable Passthrough' section with
full explanation, comparison table, and security considerations
- code-execution.md: update security section, add passthrough subsection,
fix comparison table
- creating-skills.md: add tip about automatic sandbox passthrough
- skills.md: add note about passthrough after secure setup docs
Live-tested: launched interactive CLI, loaded a skill with
required_environment_variables, verified TEST_SKILL_SECRET_KEY was
accessible inside execute_code sandbox (value: passthrough-test-value-42).
2026-03-24 08:19:34 -07:00
|
|
|
try:
|
|
|
|
|
from tools.env_passthrough import is_env_passthrough as _is_passthrough
|
|
|
|
|
except Exception:
|
|
|
|
|
_is_passthrough = lambda _: False # noqa: E731
|
|
|
|
|
|
2026-03-15 02:51:04 -07:00
|
|
|
sanitized: dict[str, str] = {}
|
|
|
|
|
|
|
|
|
|
for key, value in (base_env or {}).items():
|
|
|
|
|
if key.startswith(_HERMES_PROVIDER_ENV_FORCE_PREFIX):
|
|
|
|
|
continue
|
feat: env var passthrough for skills and user config (#2807)
* feat: env var passthrough for skills and user config
Skills that declare required_environment_variables now have those vars
passed through to sandboxed execution environments (execute_code and
terminal). Previously, execute_code stripped all vars containing KEY,
TOKEN, SECRET, etc. and the terminal blocklist removed Hermes
infrastructure vars — both blocked skill-declared env vars.
Two passthrough sources:
1. Skill-scoped (automatic): when a skill is loaded via skill_view and
declares required_environment_variables, vars that are present in
the environment are registered in a session-scoped passthrough set.
2. Config-based (manual): terminal.env_passthrough in config.yaml lets
users explicitly allowlist vars for non-skill use cases.
Changes:
- New module: tools/env_passthrough.py — shared passthrough registry
- hermes_cli/config.py: add terminal.env_passthrough to DEFAULT_CONFIG
- tools/skills_tool.py: register available skill env vars on load
- tools/code_execution_tool.py: check passthrough before filtering
- tools/environments/local.py: check passthrough in _sanitize_subprocess_env
and _make_run_env
- 19 new tests covering all layers
* docs: add environment variable passthrough documentation
Document the env var passthrough feature across four docs pages:
- security.md: new 'Environment Variable Passthrough' section with
full explanation, comparison table, and security considerations
- code-execution.md: update security section, add passthrough subsection,
fix comparison table
- creating-skills.md: add tip about automatic sandbox passthrough
- skills.md: add note about passthrough after secure setup docs
Live-tested: launched interactive CLI, loaded a skill with
required_environment_variables, verified TEST_SKILL_SECRET_KEY was
accessible inside execute_code sandbox (value: passthrough-test-value-42).
2026-03-24 08:19:34 -07:00
|
|
|
if key not in _HERMES_PROVIDER_ENV_BLOCKLIST or _is_passthrough(key):
|
2026-03-15 02:51:04 -07:00
|
|
|
sanitized[key] = value
|
|
|
|
|
|
|
|
|
|
for key, value in (extra_env or {}).items():
|
|
|
|
|
if key.startswith(_HERMES_PROVIDER_ENV_FORCE_PREFIX):
|
|
|
|
|
real_key = key[len(_HERMES_PROVIDER_ENV_FORCE_PREFIX):]
|
|
|
|
|
sanitized[real_key] = value
|
feat: env var passthrough for skills and user config (#2807)
* feat: env var passthrough for skills and user config
Skills that declare required_environment_variables now have those vars
passed through to sandboxed execution environments (execute_code and
terminal). Previously, execute_code stripped all vars containing KEY,
TOKEN, SECRET, etc. and the terminal blocklist removed Hermes
infrastructure vars — both blocked skill-declared env vars.
Two passthrough sources:
1. Skill-scoped (automatic): when a skill is loaded via skill_view and
declares required_environment_variables, vars that are present in
the environment are registered in a session-scoped passthrough set.
2. Config-based (manual): terminal.env_passthrough in config.yaml lets
users explicitly allowlist vars for non-skill use cases.
Changes:
- New module: tools/env_passthrough.py — shared passthrough registry
- hermes_cli/config.py: add terminal.env_passthrough to DEFAULT_CONFIG
- tools/skills_tool.py: register available skill env vars on load
- tools/code_execution_tool.py: check passthrough before filtering
- tools/environments/local.py: check passthrough in _sanitize_subprocess_env
and _make_run_env
- 19 new tests covering all layers
* docs: add environment variable passthrough documentation
Document the env var passthrough feature across four docs pages:
- security.md: new 'Environment Variable Passthrough' section with
full explanation, comparison table, and security considerations
- code-execution.md: update security section, add passthrough subsection,
fix comparison table
- creating-skills.md: add tip about automatic sandbox passthrough
- skills.md: add note about passthrough after secure setup docs
Live-tested: launched interactive CLI, loaded a skill with
required_environment_variables, verified TEST_SKILL_SECRET_KEY was
accessible inside execute_code sandbox (value: passthrough-test-value-42).
2026-03-24 08:19:34 -07:00
|
|
|
elif key not in _HERMES_PROVIDER_ENV_BLOCKLIST or _is_passthrough(key):
|
2026-03-15 02:51:04 -07:00
|
|
|
sanitized[key] = value
|
|
|
|
|
|
|
|
|
|
return sanitized
|
|
|
|
|
|
|
|
|
|
|
2026-03-08 03:00:05 -07:00
|
|
|
def _find_bash() -> str:
|
|
|
|
|
"""Find bash for command execution.
|
2026-03-02 22:03:29 -08:00
|
|
|
|
2026-03-08 03:00:05 -07:00
|
|
|
The fence wrapper uses bash syntax (semicolons, $?, printf), so we
|
|
|
|
|
must use bash — not the user's $SHELL which could be fish/zsh/etc.
|
2026-03-02 22:03:29 -08:00
|
|
|
On Windows: uses Git Bash (bundled with Git for Windows).
|
|
|
|
|
"""
|
|
|
|
|
if not _IS_WINDOWS:
|
2026-03-08 01:43:00 -08:00
|
|
|
return (
|
2026-03-08 03:00:05 -07:00
|
|
|
shutil.which("bash")
|
2026-03-08 01:43:00 -08:00
|
|
|
or ("/usr/bin/bash" if os.path.isfile("/usr/bin/bash") else None)
|
|
|
|
|
or ("/bin/bash" if os.path.isfile("/bin/bash") else None)
|
2026-03-08 03:00:05 -07:00
|
|
|
or os.environ.get("SHELL") # last resort: whatever they have
|
2026-03-08 01:43:00 -08:00
|
|
|
or "/bin/sh"
|
|
|
|
|
)
|
2026-03-02 22:03:29 -08:00
|
|
|
|
|
|
|
|
# Windows: look for Git Bash (installed with Git for Windows).
|
|
|
|
|
# Allow override via env var (same pattern as Claude Code).
|
|
|
|
|
custom = os.environ.get("HERMES_GIT_BASH_PATH")
|
|
|
|
|
if custom and os.path.isfile(custom):
|
|
|
|
|
return custom
|
|
|
|
|
|
|
|
|
|
# shutil.which finds bash.exe if Git\bin is on PATH
|
|
|
|
|
found = shutil.which("bash")
|
|
|
|
|
if found:
|
|
|
|
|
return found
|
|
|
|
|
|
|
|
|
|
# Check common Git for Windows install locations
|
|
|
|
|
for candidate in (
|
|
|
|
|
os.path.join(os.environ.get("ProgramFiles", r"C:\Program Files"), "Git", "bin", "bash.exe"),
|
|
|
|
|
os.path.join(os.environ.get("ProgramFiles(x86)", r"C:\Program Files (x86)"), "Git", "bin", "bash.exe"),
|
|
|
|
|
os.path.join(os.environ.get("LOCALAPPDATA", ""), "Programs", "Git", "bin", "bash.exe"),
|
|
|
|
|
):
|
|
|
|
|
if candidate and os.path.isfile(candidate):
|
|
|
|
|
return candidate
|
|
|
|
|
|
|
|
|
|
raise RuntimeError(
|
|
|
|
|
"Git Bash not found. Hermes Agent requires Git for Windows on Windows.\n"
|
|
|
|
|
"Install it from: https://git-scm.com/download/win\n"
|
|
|
|
|
"Or set HERMES_GIT_BASH_PATH to your bash.exe location."
|
|
|
|
|
)
|
|
|
|
|
|
2026-03-08 03:00:05 -07:00
|
|
|
|
|
|
|
|
# Backward compat — process_registry.py imports this name
|
|
|
|
|
_find_shell = _find_bash
|
|
|
|
|
|
|
|
|
|
|
2026-03-23 22:45:55 -07:00
|
|
|
# Standard PATH entries for environments with minimal PATH (e.g. systemd services).
|
|
|
|
|
# Includes macOS Homebrew paths (/opt/homebrew/* for Apple Silicon).
|
|
|
|
|
_SANE_PATH = (
|
|
|
|
|
"/opt/homebrew/bin:/opt/homebrew/sbin:"
|
|
|
|
|
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
|
|
|
)
|
2026-03-13 16:54:11 +05:30
|
|
|
|
|
|
|
|
|
|
|
|
|
def _make_run_env(env: dict) -> dict:
|
|
|
|
|
"""Build a run environment with a sane PATH and provider-var stripping."""
|
feat: env var passthrough for skills and user config (#2807)
* feat: env var passthrough for skills and user config
Skills that declare required_environment_variables now have those vars
passed through to sandboxed execution environments (execute_code and
terminal). Previously, execute_code stripped all vars containing KEY,
TOKEN, SECRET, etc. and the terminal blocklist removed Hermes
infrastructure vars — both blocked skill-declared env vars.
Two passthrough sources:
1. Skill-scoped (automatic): when a skill is loaded via skill_view and
declares required_environment_variables, vars that are present in
the environment are registered in a session-scoped passthrough set.
2. Config-based (manual): terminal.env_passthrough in config.yaml lets
users explicitly allowlist vars for non-skill use cases.
Changes:
- New module: tools/env_passthrough.py — shared passthrough registry
- hermes_cli/config.py: add terminal.env_passthrough to DEFAULT_CONFIG
- tools/skills_tool.py: register available skill env vars on load
- tools/code_execution_tool.py: check passthrough before filtering
- tools/environments/local.py: check passthrough in _sanitize_subprocess_env
and _make_run_env
- 19 new tests covering all layers
* docs: add environment variable passthrough documentation
Document the env var passthrough feature across four docs pages:
- security.md: new 'Environment Variable Passthrough' section with
full explanation, comparison table, and security considerations
- code-execution.md: update security section, add passthrough subsection,
fix comparison table
- creating-skills.md: add tip about automatic sandbox passthrough
- skills.md: add note about passthrough after secure setup docs
Live-tested: launched interactive CLI, loaded a skill with
required_environment_variables, verified TEST_SKILL_SECRET_KEY was
accessible inside execute_code sandbox (value: passthrough-test-value-42).
2026-03-24 08:19:34 -07:00
|
|
|
try:
|
|
|
|
|
from tools.env_passthrough import is_env_passthrough as _is_passthrough
|
|
|
|
|
except Exception:
|
|
|
|
|
_is_passthrough = lambda _: False # noqa: E731
|
|
|
|
|
|
2026-03-13 16:54:11 +05:30
|
|
|
merged = dict(os.environ | env)
|
|
|
|
|
run_env = {}
|
|
|
|
|
for k, v in merged.items():
|
|
|
|
|
if k.startswith(_HERMES_PROVIDER_ENV_FORCE_PREFIX):
|
|
|
|
|
real_key = k[len(_HERMES_PROVIDER_ENV_FORCE_PREFIX):]
|
|
|
|
|
run_env[real_key] = v
|
feat: env var passthrough for skills and user config (#2807)
* feat: env var passthrough for skills and user config
Skills that declare required_environment_variables now have those vars
passed through to sandboxed execution environments (execute_code and
terminal). Previously, execute_code stripped all vars containing KEY,
TOKEN, SECRET, etc. and the terminal blocklist removed Hermes
infrastructure vars — both blocked skill-declared env vars.
Two passthrough sources:
1. Skill-scoped (automatic): when a skill is loaded via skill_view and
declares required_environment_variables, vars that are present in
the environment are registered in a session-scoped passthrough set.
2. Config-based (manual): terminal.env_passthrough in config.yaml lets
users explicitly allowlist vars for non-skill use cases.
Changes:
- New module: tools/env_passthrough.py — shared passthrough registry
- hermes_cli/config.py: add terminal.env_passthrough to DEFAULT_CONFIG
- tools/skills_tool.py: register available skill env vars on load
- tools/code_execution_tool.py: check passthrough before filtering
- tools/environments/local.py: check passthrough in _sanitize_subprocess_env
and _make_run_env
- 19 new tests covering all layers
* docs: add environment variable passthrough documentation
Document the env var passthrough feature across four docs pages:
- security.md: new 'Environment Variable Passthrough' section with
full explanation, comparison table, and security considerations
- code-execution.md: update security section, add passthrough subsection,
fix comparison table
- creating-skills.md: add tip about automatic sandbox passthrough
- skills.md: add note about passthrough after secure setup docs
Live-tested: launched interactive CLI, loaded a skill with
required_environment_variables, verified TEST_SKILL_SECRET_KEY was
accessible inside execute_code sandbox (value: passthrough-test-value-42).
2026-03-24 08:19:34 -07:00
|
|
|
elif k not in _HERMES_PROVIDER_ENV_BLOCKLIST or _is_passthrough(k):
|
2026-03-13 16:54:11 +05:30
|
|
|
run_env[k] = v
|
|
|
|
|
existing_path = run_env.get("PATH", "")
|
|
|
|
|
if "/usr/bin" not in existing_path.split(":"):
|
|
|
|
|
run_env["PATH"] = f"{existing_path}:{_SANE_PATH}" if existing_path else _SANE_PATH
|
|
|
|
|
return run_env
|
|
|
|
|
|
|
|
|
|
|
2026-04-02 13:34:57 +05:30
|
|
|
class LocalEnvironment(BaseEnvironment):
|
2026-02-21 22:31:43 -08:00
|
|
|
"""Run commands directly on the host machine.
|
|
|
|
|
|
2026-04-02 13:34:57 +05:30
|
|
|
Uses the unified spawn-per-call model:
|
|
|
|
|
- bash -l once at session start to capture env snapshot
|
|
|
|
|
- bash -c for every subsequent command (fast, no shell init overhead)
|
|
|
|
|
- CWD tracked via cwdfile written after each command
|
|
|
|
|
- Process group kill (os.setsid) for clean child cleanup
|
2026-02-21 22:31:43 -08:00
|
|
|
- stdin_data support for piping content (bypasses ARG_MAX limits)
|
|
|
|
|
"""
|
|
|
|
|
|
2026-03-13 16:54:11 +05:30
|
|
|
def __init__(self, cwd: str = "", timeout: int = 60, env: dict = None,
|
2026-04-02 13:34:57 +05:30
|
|
|
**kwargs):
|
2026-02-21 22:31:43 -08:00
|
|
|
super().__init__(cwd=cwd or os.getcwd(), timeout=timeout, env=env)
|
2026-04-02 13:34:57 +05:30
|
|
|
self.init_session()
|
2026-03-13 16:54:11 +05:30
|
|
|
|
2026-04-02 13:34:57 +05:30
|
|
|
def _run_bash(self, cmd_string: str, *,
|
|
|
|
|
stdin_data: str | None = None) -> subprocess.Popen:
|
2026-03-13 16:54:11 +05:30
|
|
|
run_env = _make_run_env(self.env)
|
2026-04-02 13:34:57 +05:30
|
|
|
proc = subprocess.Popen(
|
|
|
|
|
[_find_bash(), "-c", cmd_string],
|
2026-03-13 16:54:11 +05:30
|
|
|
text=True,
|
2026-04-02 13:34:57 +05:30
|
|
|
cwd="/", # CWD set inside the script via cd
|
2026-03-13 16:54:11 +05:30
|
|
|
env=run_env,
|
2026-04-02 13:34:57 +05:30
|
|
|
encoding="utf-8",
|
|
|
|
|
errors="replace",
|
|
|
|
|
stdout=subprocess.PIPE,
|
|
|
|
|
stderr=subprocess.STDOUT,
|
|
|
|
|
stdin=subprocess.PIPE if stdin_data is not None else subprocess.DEVNULL,
|
2026-03-13 16:54:11 +05:30
|
|
|
preexec_fn=None if _IS_WINDOWS else os.setsid,
|
|
|
|
|
)
|
2026-04-02 13:34:57 +05:30
|
|
|
if stdin_data is not None:
|
|
|
|
|
def _write():
|
|
|
|
|
try:
|
|
|
|
|
proc.stdin.write(stdin_data)
|
|
|
|
|
proc.stdin.close()
|
|
|
|
|
except (BrokenPipeError, OSError):
|
|
|
|
|
pass
|
|
|
|
|
threading.Thread(target=_write, daemon=True).start()
|
|
|
|
|
return proc
|
2026-02-21 22:31:43 -08:00
|
|
|
|
2026-04-02 13:34:57 +05:30
|
|
|
def _run_bash_login(self, cmd_string: str) -> subprocess.Popen:
|
|
|
|
|
"""For snapshot creation: uses bash -l -c."""
|
2026-03-15 02:39:56 +05:30
|
|
|
run_env = _make_run_env(self.env)
|
2026-04-02 13:34:57 +05:30
|
|
|
return subprocess.Popen(
|
|
|
|
|
[_find_bash(), "-l", "-c", cmd_string],
|
2026-03-15 02:39:56 +05:30
|
|
|
text=True,
|
2026-04-02 13:34:57 +05:30
|
|
|
cwd="/",
|
2026-03-15 02:39:56 +05:30
|
|
|
env=run_env,
|
|
|
|
|
encoding="utf-8",
|
|
|
|
|
errors="replace",
|
|
|
|
|
stdout=subprocess.PIPE,
|
|
|
|
|
stderr=subprocess.STDOUT,
|
2026-04-02 13:34:57 +05:30
|
|
|
stdin=subprocess.DEVNULL,
|
2026-03-15 02:39:56 +05:30
|
|
|
preexec_fn=None if _IS_WINDOWS else os.setsid,
|
|
|
|
|
)
|
2026-02-21 22:31:43 -08:00
|
|
|
|
2026-04-02 13:34:57 +05:30
|
|
|
def _kill_process(self, proc):
|
|
|
|
|
"""Local override: kill process group for child cleanup."""
|
|
|
|
|
try:
|
|
|
|
|
if _IS_WINDOWS:
|
|
|
|
|
proc.terminate()
|
|
|
|
|
else:
|
|
|
|
|
pgid = os.getpgid(proc.pid)
|
|
|
|
|
os.killpg(pgid, signal.SIGTERM)
|
|
|
|
|
try:
|
|
|
|
|
proc.wait(timeout=1.0)
|
|
|
|
|
return
|
|
|
|
|
except subprocess.TimeoutExpired:
|
|
|
|
|
os.killpg(pgid, signal.SIGKILL)
|
|
|
|
|
except (ProcessLookupError, PermissionError, OSError):
|
2026-03-15 02:39:56 +05:30
|
|
|
try:
|
2026-04-02 13:34:57 +05:30
|
|
|
proc.kill()
|
|
|
|
|
except Exception:
|
2026-03-15 02:39:56 +05:30
|
|
|
pass
|
|
|
|
|
|
2026-04-02 13:34:57 +05:30
|
|
|
def cleanup(self):
|
2026-04-02 15:56:59 +05:30
|
|
|
for p in (self._snapshot_path,):
|
2026-04-02 13:34:57 +05:30
|
|
|
if p:
|
2026-03-15 02:39:56 +05:30
|
|
|
try:
|
2026-04-02 13:34:57 +05:30
|
|
|
os.remove(p)
|
|
|
|
|
except OSError:
|
|
|
|
|
pass
|