fix: remove stale test (missing pop_pending), add headers to FakeResponse

Follow-up fixes for cherry-pick conflicts: - Removed test_context_keeps_pending_approval test that referenced pop_pending() which doesn't exist on current main - Added headers attribute to FakeResponse in vision test (needed after #6949 added Content-Length check)
test(approval): clear leaked bypass state
2026-05-04 09:47:54 +08:00 · 2026-04-11 01:51:11 -07:00 · 2026-04-11 01:49:29 -07:00 · 2026-04-11 01:49:12 -07:00 · 2026-04-11 01:49:12 -07:00 · 2026-04-11 01:48:19 -07:00
12 changed files with 247 additions and 24 deletions
--- a/agent/skill_commands.py
+++ b/agent/skill_commands.py
@@ -168,7 +168,7 @@ def _build_skill_message(
            subdir_path = skill_dir / subdir
            if subdir_path.exists():
                for f in sorted(subdir_path.rglob("*")):
-                    if f.is_file():
+                    if f.is_file() and not f.is_symlink():
                        rel = str(f.relative_to(skill_dir))
                        supporting.append(rel)
--- a/cron/scheduler.py
+++ b/cron/scheduler.py
@@ -442,6 +442,14 @@ def _run_job_script(script_path: str) -> tuple[bool, str]:
        stdout = (result.stdout or "").strip()
        stderr = (result.stderr or "").strip()
        # Redact secrets from both stdout and stderr before any return path.
        try:
            from agent.redact import redact_sensitive_text
            stdout = redact_sensitive_text(stdout)
            stderr = redact_sensitive_text(stderr)
        except Exception:
            pass
        if result.returncode != 0:
            parts = [f"Script exited with code {result.returncode}"]
            if stderr:
@@ -450,13 +458,6 @@ def _run_job_script(script_path: str) -> tuple[bool, str]:
                parts.append(f"stdout:\n{stdout}")
            return False, "\n".join(parts)
        # Redact any secrets that may appear in script output before
        # they are injected into the LLM prompt context.
        try:
            from agent.redact import redact_sensitive_text
            stdout = redact_sensitive_text(stdout)
        except Exception:
            pass
        return True, stdout
    except subprocess.TimeoutExpired:
--- a/environments/tool_call_parsers/hermes_parser.py
+++ b/environments/tool_call_parsers/hermes_parser.py
@@ -49,6 +49,8 @@ class HermesToolCallParser(ToolCallParser):
                    continue
                tc_data = json.loads(raw_json)
                if "name" not in tc_data:
                    continue
                tool_calls.append(
                    ChatCompletionMessageToolCall(
                        id=f"call_{uuid.uuid4().hex[:8]}",
--- a/environments/tool_call_parsers/mistral_parser.py
+++ b/environments/tool_call_parsers/mistral_parser.py
@@ -89,6 +89,8 @@ class MistralToolCallParser(ToolCallParser):
                        parsed = [parsed]
                    for tc in parsed:
                        if "name" not in tc:
                            continue
                        args = tc.get("arguments", {})
                        if isinstance(args, dict):
                            args = json.dumps(args, ensure_ascii=False)
--- a/hermes_cli/tools_config.py
+++ b/hermes_cli/tools_config.py
@@ -501,6 +501,10 @@ def _get_platform_tools(
        default_ts = PLATFORMS[platform]["default_toolset"]
        toolset_names = [default_ts]
    # YAML may parse bare numeric names (e.g. ``12306:``) as int.
    # Normalise to str so downstream sorted() never mixes types.
    toolset_names = [str(ts) for ts in toolset_names]
    configurable_keys = {ts_key for ts_key, _, _ in CONFIGURABLE_TOOLSETS}
    # If the saved list contains any configurable keys directly, the user
@@ -559,7 +563,7 @@ def _get_platform_tools(
    # Special sentinel: "no_mcp" in the toolset list disables all MCP servers.
    mcp_servers = config.get("mcp_servers") or {}
    enabled_mcp_servers = {
-        name
+        str(name)
        for name, server_cfg in mcp_servers.items()
        if isinstance(server_cfg, dict)
        and _parse_enabled_flag(server_cfg.get("enabled", True), default=True)
--- a/tests/gateway/test_approve_deny_commands.py
+++ b/tests/gateway/test_approve_deny_commands.py
@@ -345,6 +345,11 @@ class TestBlockingApprovalE2E:
    def setup_method(self):
        _clear_approval_state()
        os.environ.pop("HERMES_YOLO_MODE", None)
        os.environ.pop("HERMES_INTERACTIVE", None)
        os.environ.pop("HERMES_GATEWAY_SESSION", None)
        os.environ.pop("HERMES_EXEC_ASK", None)
        os.environ.pop("HERMES_SESSION_KEY", None)
    def test_blocking_approval_approve_once(self):
        """check_all_command_guards blocks until resolve_gateway_approval is called."""
@@ -364,6 +369,7 @@ class TestBlockingApprovalE2E:
            from tools.approval import reset_current_session_key, set_current_session_key
            token = set_current_session_key(session_key)
            os.environ["HERMES_GATEWAY_SESSION"] = "1"
            os.environ["HERMES_EXEC_ASK"] = "1"
            os.environ["HERMES_SESSION_KEY"] = session_key
            try:
@@ -371,6 +377,7 @@ class TestBlockingApprovalE2E:
                    "rm -rf /important", "local"
                )
            finally:
                os.environ.pop("HERMES_GATEWAY_SESSION", None)
                os.environ.pop("HERMES_EXEC_ASK", None)
                os.environ.pop("HERMES_SESSION_KEY", None)
                reset_current_session_key(token)
@@ -410,6 +417,7 @@ class TestBlockingApprovalE2E:
            from tools.approval import reset_current_session_key, set_current_session_key
            token = set_current_session_key(session_key)
            os.environ["HERMES_GATEWAY_SESSION"] = "1"
            os.environ["HERMES_EXEC_ASK"] = "1"
            os.environ["HERMES_SESSION_KEY"] = session_key
            try:
@@ -417,6 +425,7 @@ class TestBlockingApprovalE2E:
                    "rm -rf /important", "local"
                )
            finally:
                os.environ.pop("HERMES_GATEWAY_SESSION", None)
                os.environ.pop("HERMES_EXEC_ASK", None)
                os.environ.pop("HERMES_SESSION_KEY", None)
                reset_current_session_key(token)
@@ -451,6 +460,7 @@ class TestBlockingApprovalE2E:
            from tools.approval import reset_current_session_key, set_current_session_key
            token = set_current_session_key(session_key)
            os.environ["HERMES_GATEWAY_SESSION"] = "1"
            os.environ["HERMES_EXEC_ASK"] = "1"
            os.environ["HERMES_SESSION_KEY"] = session_key
            try:
@@ -460,6 +470,7 @@ class TestBlockingApprovalE2E:
                        "rm -rf /important", "local"
                    )
            finally:
                os.environ.pop("HERMES_GATEWAY_SESSION", None)
                os.environ.pop("HERMES_EXEC_ASK", None)
                os.environ.pop("HERMES_SESSION_KEY", None)
                reset_current_session_key(token)
@@ -491,11 +502,13 @@ class TestBlockingApprovalE2E:
                from tools.approval import reset_current_session_key, set_current_session_key
                token = set_current_session_key(session_key)
                os.environ["HERMES_GATEWAY_SESSION"] = "1"
                os.environ["HERMES_EXEC_ASK"] = "1"
                os.environ["HERMES_SESSION_KEY"] = session_key
                try:
                    results[idx] = check_all_command_guards(cmd, "local")
                finally:
                    os.environ.pop("HERMES_GATEWAY_SESSION", None)
                    os.environ.pop("HERMES_EXEC_ASK", None)
                    os.environ.pop("HERMES_SESSION_KEY", None)
                    reset_current_session_key(token)
@@ -546,11 +559,13 @@ class TestBlockingApprovalE2E:
                from tools.approval import reset_current_session_key, set_current_session_key
                token = set_current_session_key(session_key)
                os.environ["HERMES_GATEWAY_SESSION"] = "1"
                os.environ["HERMES_EXEC_ASK"] = "1"
                os.environ["HERMES_SESSION_KEY"] = session_key
                try:
                    results[idx] = check_all_command_guards(cmd, "local")
                finally:
                    os.environ.pop("HERMES_GATEWAY_SESSION", None)
                    os.environ.pop("HERMES_EXEC_ASK", None)
                    os.environ.pop("HERMES_SESSION_KEY", None)
                    reset_current_session_key(token)
--- a/tests/hermes_cli/test_tools_config.py
+++ b/tests/hermes_cli/test_tools_config.py
@@ -428,3 +428,31 @@ class TestPlatformToolsetConsistency:
                f"Platform {platform!r} in tools_config but missing from "
                f"skills_config PLATFORMS"
            )
 def test_numeric_mcp_server_name_does_not_crash_sorted():
    """YAML parses bare numeric keys (e.g. ``12306:``) as int.
    _get_platform_tools must normalise them to str so that sorted()
    on the returned set never raises TypeError on mixed int/str.
    Regression test for https://github.com/NousResearch/hermes-agent/issues/6901
    """
    config = {
        "platform_toolsets": {"cli": ["web", 12306]},
        "mcp_servers": {
            12306: {"url": "https://example.com/mcp"},
            "normal-server": {"url": "https://example.com/mcp2"},
        },
    }
    enabled = _get_platform_tools(config, "cli")
    # All names must be str — no int leaking through
    assert all(isinstance(name, str) for name in enabled), (
        f"Non-string toolset names found: {enabled}"
    )
    assert "12306" in enabled
    # sorted() must not raise TypeError
    sorted(enabled)
--- a/tests/tools/test_approval.py
+++ b/tests/tools/test_approval.py
@@ -156,6 +156,8 @@ class TestSessionKeyContext:
        assert "reset_current_session_key" in called_names
 class TestRmFalsePositiveFix:
    """Regression tests: filenames starting with 'r' must NOT trigger recursive delete."""
--- a/tests/tools/test_managed_media_gateways.py
+++ b/tests/tools/test_managed_media_gateways.py
@@ -215,6 +215,7 @@ def test_openai_tts_uses_managed_audio_gateway_when_direct_key_absent(monkeypatc
    _install_fake_tools_package()
    _install_fake_openai_module(captured)
    monkeypatch.delenv("VOICE_TOOLS_OPENAI_KEY", raising=False)
    monkeypatch.delenv("OPENAI_API_KEY", raising=False)
    monkeypatch.setenv("TOOL_GATEWAY_DOMAIN", "nousresearch.com")
    monkeypatch.setenv("TOOL_GATEWAY_USER_TOKEN", "nous-token")
@@ -256,6 +257,7 @@ def test_transcription_uses_model_specific_response_formats(monkeypatch, tmp_pat
    monkeypatch.setenv("HERMES_HOME", str(tmp_path))
    (tmp_path / "config.yaml").write_text("stt:\n  provider: openai\n")
    monkeypatch.delenv("VOICE_TOOLS_OPENAI_KEY", raising=False)
    monkeypatch.delenv("OPENAI_API_KEY", raising=False)
    monkeypatch.setenv("TOOL_GATEWAY_DOMAIN", "nousresearch.com")
    monkeypatch.setenv("TOOL_GATEWAY_USER_TOKEN", "nous-token")
--- a/tests/tools/test_vision_tools.py
+++ b/tests/tools/test_vision_tools.py
@@ -414,6 +414,7 @@ class TestVisionSafetyGuards:
        class FakeResponse:
            url = "https://blocked.test/final.png"
            headers = {"content-length": "24"}
            content = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
            def raise_for_status(self):
@@ -533,6 +534,133 @@ class TestTildeExpansion:
        assert data["success"] is False
 # ---------------------------------------------------------------------------
 # file:// URI support
 # ---------------------------------------------------------------------------
 class TestFileUriSupport:
    """Verify that file:// URIs resolve as local file paths."""
    @pytest.mark.asyncio
    async def test_file_uri_resolved_as_local_path(self, tmp_path):
        """file:///absolute/path should be treated as a local file."""
        img = tmp_path / "photo.png"
        img.write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        mock_response = MagicMock()
        mock_choice = MagicMock()
        mock_choice.message.content = "A test image"
        mock_response.choices = [mock_choice]
        with (
            patch(
                "tools.vision_tools._image_to_base64_data_url",
                return_value="data:image/png;base64,abc",
            ),
            patch(
                "tools.vision_tools.async_call_llm",
                new_callable=AsyncMock,
                return_value=mock_response,
            ),
        ):
            result = await vision_analyze_tool(
                f"file://{img}", "describe this", "test/model"
            )
            data = json.loads(result)
            assert data["success"] is True
    @pytest.mark.asyncio
    async def test_file_uri_nonexistent_gives_error(self, tmp_path):
        """file:// pointing to a missing file should fail gracefully."""
        result = await vision_analyze_tool(
            f"file://{tmp_path}/nonexistent.png", "describe this", "test/model"
        )
        data = json.loads(result)
        assert data["success"] is False
 # ---------------------------------------------------------------------------
 # Base64 size pre-flight check
 # ---------------------------------------------------------------------------
 class TestBase64SizeLimit:
    """Verify that oversized images are rejected before hitting the API."""
    @pytest.mark.asyncio
    async def test_oversized_image_rejected_before_api_call(self, tmp_path):
        """Images exceeding 5 MB base64 should fail with a clear size error."""
        img = tmp_path / "huge.png"
        img.write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * (4 * 1024 * 1024))
        with patch("tools.vision_tools.async_call_llm", new_callable=AsyncMock) as mock_llm:
            result = json.loads(await vision_analyze_tool(str(img), "describe this"))
        assert result["success"] is False
        assert "too large" in result["error"].lower()
        mock_llm.assert_not_awaited()
    @pytest.mark.asyncio
    async def test_small_image_not_rejected(self, tmp_path):
        """Images well under the limit should pass the size check."""
        img = tmp_path / "small.png"
        img.write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        mock_response = MagicMock()
        mock_choice = MagicMock()
        mock_choice.message.content = "Small image"
        mock_response.choices = [mock_choice]
        with (
            patch(
                "tools.vision_tools.async_call_llm",
                new_callable=AsyncMock,
                return_value=mock_response,
            ),
        ):
            result = json.loads(await vision_analyze_tool(str(img), "describe this", "test/model"))
        assert result["success"] is True
 # ---------------------------------------------------------------------------
 # Error classification for 400 responses
 # ---------------------------------------------------------------------------
 class TestErrorClassification:
    """Verify that API 400 errors produce actionable guidance."""
    @pytest.mark.asyncio
    async def test_invalid_request_error_gives_image_guidance(self, tmp_path):
        """An invalid_request_error from the API should mention image size/format."""
        img = tmp_path / "test.png"
        img.write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        api_error = Exception(
            "Error code: 400 - {'type': 'error', 'error': "
            "{'type': 'invalid_request_error', 'message': 'Invalid request data'}}"
        )
        with (
            patch(
                "tools.vision_tools._image_to_base64_data_url",
                return_value="data:image/png;base64,abc",
            ),
            patch(
                "tools.vision_tools.async_call_llm",
                new_callable=AsyncMock,
                side_effect=api_error,
            ),
        ):
            result = json.loads(await vision_analyze_tool(str(img), "describe", "test/model"))
        assert result["success"] is False
        assert "rejected the image" in result["analysis"].lower()
        assert "smaller" in result["analysis"].lower()
 class TestVisionRegistration:
    def test_vision_analyze_registered(self):
        from tools.registry import registry
--- a/tools/process_registry.py
+++ b/tools/process_registry.py
@@ -396,8 +396,8 @@ class ProcessRegistry:
                        session.output_buffer = session.output_buffer[-session.max_output_chars:]
        except Exception as e:
            logger.debug("Process stdout reader ended: %s", e)
-
+        finally:
-        # Process exited
+            # Always reap the child to prevent zombie processes.
            try:
                session.process.wait(timeout=5)
            except Exception as e:
--- a/tools/vision_tools.py
+++ b/tools/vision_tools.py
@@ -67,6 +67,10 @@ def _resolve_download_timeout() -> float:
 _VISION_DOWNLOAD_TIMEOUT = _resolve_download_timeout()
 # Hard cap on downloaded image file size (50 MB). Prevents OOM from
 # attacker-hosted multi-gigabyte files or decompression bombs.
 _VISION_MAX_DOWNLOAD_BYTES = 50 * 1024 * 1024
 def _validate_image_url(url: str) -> bool:
    """
@@ -181,13 +185,25 @@ async def _download_image(image_url: str, destination: Path, max_retries: int =
                )
                response.raise_for_status()
                # Reject overly large images early via Content-Length header.
                cl = response.headers.get("content-length")
                if cl and int(cl) > _VISION_MAX_DOWNLOAD_BYTES:
                    raise ValueError(
                        f"Image too large ({int(cl)} bytes, max {_VISION_MAX_DOWNLOAD_BYTES})"
                    )
                final_url = str(response.url)
                blocked = check_website_access(final_url)
                if blocked:
                    raise PermissionError(blocked["message"])
-                # Save the image content
+                # Save the image content (double-check actual size)
-                destination.write_bytes(response.content)
+                body = response.content
                if len(body) > _VISION_MAX_DOWNLOAD_BYTES:
                    raise ValueError(
                        f"Image too large ({len(body)} bytes, max {_VISION_MAX_DOWNLOAD_BYTES})"
                    )
                destination.write_bytes(body)
            return destination
        except Exception as e:
@@ -326,7 +342,11 @@ async def vision_analyze_tool(
        logger.info("User prompt: %s", user_prompt[:100])
        # Determine if this is a local file path or a remote URL
-        local_path = Path(os.path.expanduser(image_url))
+        # Strip file:// scheme so file URIs resolve as local paths.
        resolved_url = image_url
        if resolved_url.startswith("file://"):
            resolved_url = resolved_url[len("file://"):]
        local_path = Path(os.path.expanduser(resolved_url))
        if local_path.is_file():
            # Local file path (e.g. from platform image cache) -- skip download
            logger.info("Using local image file: %s", image_url)
@@ -363,6 +383,18 @@ async def vision_analyze_tool(
        data_size_kb = len(image_data_url) / 1024
        logger.info("Image converted to base64 (%.1f KB)", data_size_kb)
        # Pre-flight size check: most vision APIs cap base64 payloads at 5 MB.
        # Reject early with a clear message instead of a cryptic provider 400.
        _MAX_BASE64_BYTES = 5 * 1024 * 1024  # 5 MB
        # The data URL includes the header (e.g. "data:image/jpeg;base64,") which
        # is negligible, but measure the full string to be safe.
        if len(image_data_url) > _MAX_BASE64_BYTES:
            raise ValueError(
                f"Image too large for vision API: base64 payload is "
                f"{len(image_data_url) / (1024 * 1024):.1f} MB (limit 5 MB). "
                f"Resize or compress the image and try again."
            )
        debug_call_data["image_size_bytes"] = image_size_bytes
        # Use the prompt as provided (model_tools.py now handles full description formatting)
@@ -455,14 +487,21 @@ async def vision_analyze_tool(
                f"API provider account and try again. Error: {e}"
            )
        elif any(hint in err_str for hint in (
-            "does not support", "not support image", "invalid_request",
+            "does not support", "not support image",
-            "content_policy", "image_url", "multimodal",
+            "content_policy", "multimodal",
            "unrecognized request argument", "image input",
        )):
            analysis = (
                f"{model} does not support vision or our request was not "
                f"accepted by the server. Error: {e}"
            )
        elif "invalid_request" in err_str or "image_url" in err_str:
            analysis = (
                "The vision API rejected the image. This can happen when the "
                "image is too large, in an unsupported format, or corrupted. "
                "Try a smaller JPEG/PNG (under 3.5 MB) and retry. "
                f"Error: {e}"
            )
        else:
            analysis = (
                "There was a problem with the request and the image could not "
Author	SHA1	Message	Date
Teknium	e1fc0ad536	fix: remove stale test (missing pop_pending), add headers to FakeResponse Follow-up fixes for cherry-pick conflicts: - Removed test_context_keeps_pending_approval test that referenced pop_pending() which doesn't exist on current main - Added headers attribute to FakeResponse in vision test (needed after #6949 added Content-Length check)	2026-04-11 01:51:11 -07:00
Kenny Xie	177e42e90a	test(approval): clear leaked bypass state	2026-04-11 01:49:29 -07:00
Kenny Xie	224fc4c29f	test(gateway): isolate blocking approval env	2026-04-11 01:49:12 -07:00
Kenny Xie	f9a94c65e6	test(tools): isolate approval and audio gateway env	2026-04-11 01:49:12 -07:00
Tranquil-Flow	e36917867a	fix(vision): reject oversized images before API call, handle file:// URIs, improve 400 errors Three fixes for vision_analyze returning cryptic 400 "Invalid request data": 1. Pre-flight base64 size check — base64 inflates data ~33%, so a 3.8 MB file exceeds the 5 MB API limit. Reject early with a clear message instead of letting the provider return a generic 400. 2. Handle file:// URIs — strip the scheme and resolve as a local path. Previously file:///path/to/image.png fell through to the "invalid image source" error since it matched neither is_file() nor http(s). 3. Separate invalid_request errors from "does not support vision" errors so the user gets actionable guidance (resize/compress/retry) instead of a misleading "model does not support vision" message. Closes #6677	2026-04-11 01:48:19 -07:00
aaronagent	4aa97af895	fix: cap image download size at 50 MB, validate tool call parser fields vision_tools.py: _download_image() loads the full HTTP response body into memory via response.content (line 190) with no Content-Length check and no max file size limit. An attacker-hosted multi-gigabyte file causes OOM. Add a 50 MB hard cap: check Content-Length header before download, and verify actual body size before writing to disk. hermes_parser.py: tc_data["name"] at line 57 raises KeyError when the LLM outputs a tool call JSON without a "name" field. The outer except catches it silently, causing the entire tool call to be lost with zero diagnostics. Add "name" field validation before constructing the ChatCompletionMessage. mistral_parser.py: tc["name"] at line 101 has the same KeyError issue in the pre-v11 format path. The fallback decoder (line 112) already checks "name" correctly, but the primary path does not. Add validation to match. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>	2026-04-11 01:48:13 -07:00
aaronagent	ae9c1f22c1	fix: prevent zombie processes, redact cron stderr, skip symlinks in skill enumeration process_registry.py: _reader_loop() has process.wait() after the try-except block (line 380). If the reader thread crashes with an unexpected exception (e.g. MemoryError, KeyboardInterrupt), control exits the except handler but skips wait() — leaving the child as a zombie process. Move wait() and the cleanup into a finally block so the child is always reaped. cron/scheduler.py: _run_job_script() only redacts secrets in stdout on the SUCCESS path (line 417-421). When a cron script fails (non-zero exit), both stdout and stderr are returned WITHOUT redaction (lines 407-413). A script that accidentally prints an API key to stderr during a failure would leak it into the LLM context. Move redaction before the success/failure branch so both paths benefit. skill_commands.py: _build_skill_message() enumerates supporting files using rglob("*") but only checks is_file() (line 171) without filtering symlinks. PR #6693 added symlink protection to scan_skill_commands() but missed this function. A malicious skill can create symlinks in references/ pointing to arbitrary files, exposing their paths (and potentially content via skill_view) to the LLM. Add is_symlink() check to match the guard in scan_skill_commands. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>	2026-04-11 01:48:13 -07:00
kagura-agent	2a9e115210	fix: normalize numeric MCP server names to str (fixes #6901 ) YAML parses bare numeric keys (e.g. `12306:`) as int, causing TypeError when sorted() is called on mixed int/str collections. Changes: - Normalize toolset_names entries to str in _get_platform_tools() - Cast MCP server name to str(name) when building enabled_mcp_servers - Add regression test	2026-04-11 01:48:13 -07:00