
fix(security): harden terminal safety and sandbox file writes #1653

Merged
teknium1 merged 2 commits into main from hermes/hermes-3218df83 on Mar 17, 2026


@teknium1
Contributor

Summary

Salvage of PR #1085 by @ismoilh onto current main.

1. Expanded dangerous command detection

The shell -c flag pattern in tools/approval.py only caught bash -c, sh -c, zsh -c. Common variants like bash -lc (login shell + inline command) and ksh -c bypassed detection entirely.

Before: r'\b(bash|sh|zsh)\s+-c\s+'
After: r'\b(bash|sh|zsh|ksh)\s+-[^\s]*c(\s+|$)'

Now catches any combined flags containing -c (-lc, -ic, -xc, etc.) for all four shells.

2. HERMES_WRITE_SAFE_ROOT sandboxing

New opt-in env var that constrains all write_file/patch operations to a configured directory tree. Writes outside the safe root are denied even if they're not on the static deny list.

  • Unset (default): no behavior change
  • Set to a path: only writes within that subtree are allowed
  • Empty string: treated as unset (feature disabled)
  • Static deny list still applies even inside the safe root

Useful for gateway/messaging deployments where the agent should only touch a workspace checkout.

Tests

  • 3 new approval tests: bash -lc, multiline bash -lc, ksh -c
  • 1 new yolo mode entry: bash -lc in dangerous commands list
  • 10 new write safety tests: static deny list, safe root allow/deny/empty/unset/tilde/static-override

Full suite: 4867 passed, 8 pre-existing failures (unrelated), 200 skipped.

Credit

Original implementation by @ismoilh (PR #1085).
Closes #1085
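
A sketch of the safe-root semantics listed in the description above, added here as an illustration; it is not the project's code. The function names, the `deny` parameter and the deny-list entries are assumptions; only the `HERMES_WRITE_SAFE_ROOT` variable and its unset/empty/set behaviour come from the PR text.

```python
import os

# Constructed stand-in for the static deny list; the project's real entries
# are not shown on the page.
STATIC_DENY = ("~/.ssh", "/etc")


def _resolve(path):
    """Expand ~ and resolve symlinks and '..' so checks see the real target."""
    return os.path.realpath(os.path.expanduser(path))


def _is_within(path, root):
    """True if path is root or beneath it, compared per component, not by prefix."""
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # e.g. different drives on Windows
        return False


def is_write_allowed(path, env=None, deny=STATIC_DENY):
    """Hypothetical write gate following the four bullets in the PR description."""
    env = os.environ if env is None else env
    target = _resolve(path)
    # The deny list is checked first, so it still applies inside the safe root.
    if any(_is_within(target, _resolve(d)) for d in deny):
        return False
    safe_root = env.get("HERMES_WRITE_SAFE_ROOT", "")
    if not safe_root:  # unset or empty string: feature disabled
        return True
    return _is_within(target, _resolve(safe_root))


if __name__ == "__main__":
    env = {"HERMES_WRITE_SAFE_ROOT": "/srv/workspace"}  # constructed sample root
    for p in ("/srv/workspace/notes.md",        # inside the root
              "/srv/workspace/../other/x",      # '..' escapes the root
              "/srv/workspace-old/notes.md",    # shares a string prefix only
              "/etc/cron.d/job"):               # on the deny list
        print(p, "->", "allow" if is_write_allowed(p, env) else "deny")
```

Resolving both the target and the root before comparing is what keeps `..` segments, symlinks and sibling directories that merely share a name prefix from passing the check.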

ismoilh and others added 2 commits March 17, 2026 02:21
Two security improvements:

1. Dangerous command detection: expand shell -c pattern to catch
   combined flags (bash -lc, bash -ic, ksh -c) that were previously
   undetected. Pattern changed from matching only 'bash -c' to
   matching any shell invocation with -c anywhere in the flags.

2. File write sandboxing: add HERMES_WRITE_SAFE_ROOT env var that
   constrains all write_file/patch operations to a configured directory
   tree. Opt-in — when unset, behavior is unchanged. Useful for
   gateway/messaging deployments that should only touch a workspace.

Based on PR #1085 by ismoilh.

The poseidon skin's banner_logo had the E and I letters swapped,
spelling "POSIDEON-AGENT" instead of "POSEIDON-AGENT".
teknium1 force-pushed the hermes/hermes-3218df83 branch from 52acdee to fe4b804 on March 17, 2026 09:21
teknium1 merged commit 2c7c30b into main on Mar 17, 2026
1 check failed