fix: make tirith block verdicts approvable instead of hard-blocking #3428

Merged
teknium1 merged 1 commit into main from hermes/hermes-4f6a1f8e
Mar 27, 2026
@teknium1
Contributor

Summary

Fixes the Discord-reported issue where curl -fsSL https://mandex.dev/install.sh | sh was hard-blocked with no way to approve. Reported by pistrie.

Before: Tirith exit code 1 (block) → immediate rejection, no prompt, agent tries another approach.
After: Tirith block/warn → approval prompt with full findings, user can approve or deny.

What changed

  • tools/approval.py: Removed the hard block path for tirith. Both block and warn verdicts now go through the approval flow. New _format_tirith_description() builds rich descriptions from tirith's JSON findings (severity, title, description, safer alternatives).

  • cli.py: Startup now warns when tirith is enabled but not available (⚠ tirith security scanner enabled but not available).

  • Tests: Updated test_command_guards.py — old hard-block tests replaced with approval-flow tests, plus new gateway approval_required test for the exact scenario reported.

Live test

The approval prompt now shows:

⚠️  Dangerous Command

Security scan — [MEDIUM] Lookalike TLD detected: Domain uses '.dev' TLD...;
[HIGH] Pipe to interpreter: curl | sh: Command pipes output from 'curl' directly
to interpreter 'sh'. Downloaded content will be executed without inspection.
  Safer: tirith run https://mandex.dev/install.sh;
pipe remote content to shell

❯ Allow once
  Allow for this session
  Deny

Test plan

  • 92/92 approval+tirith+yolo tests pass
  • Full suite: 6503 passed (29 pre-existing failures from missing optional deps)

Previously, tirith exit code 1 (block) immediately rejected the command
with no approval prompt — users saw 'BLOCKED: Command blocked by
security scan' and the agent moved on.  This prevented gateway/CLI users
from approving pipe-to-shell installs like 'curl ... | sh' even when
they understood the risk.

Changes:
- Tirith 'block' and 'warn' now both go through the approval flow.
  Users see the full tirith findings (severity, title, description,
  safer alternatives) and can choose to approve or deny.
- New _format_tirith_description() builds rich descriptions from tirith
  findings JSON so the approval prompt is informative.
- CLI startup now warns when tirith is enabled but not available, so
  users know command scanning is degraded to pattern matching only.

The default approval choice is still deny, so the security posture is
unchanged for unattended/timeout scenarios.

Reported via Discord by pistrie — 'curl -fsSL https://mandex.dev/install.sh | sh'
was hard-blocked with no way to approve.
teknium1 merged commit e4e04c2 into main on Mar 27, 2026
2 checks passed
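
The flow described in this PR, as an added example that is not the project's code: any scan result other than a clean one goes to an approval prompt, and a timeout or unrecognised answer is treated as deny. The JSON field names, the `allow` action and all function names are assumptions; the sample scan output is constructed from the prompt text shown above.

```python
import json

# Constructed sample; field names and the "allow" action are assumptions,
# not tirith's real output schema.
SAMPLE_SCAN = json.dumps({"action": "block", "findings": [
    {"severity": "MEDIUM", "title": "Lookalike TLD detected",
     "description": "Domain uses '.dev' TLD"},
    {"severity": "HIGH", "title": "Pipe to interpreter: curl | sh",
     "description": "Downloaded content will be executed without inspection.",
     "safer": "tirith run https://mandex.dev/install.sh"},
]})
CLEAN_SCAN = json.dumps({"action": "allow", "findings": []})


def parse_scan(raw):
    """Parse scanner output; unparseable output becomes {} so it still prompts."""
    try:
        scan = json.loads(raw)
    except ValueError:
        return {}
    return scan if isinstance(scan, dict) else {}


def format_findings(scan):
    """Build the prompt description from severity, title, description, safer."""
    parts = []
    for f in scan.get("findings", []):
        text = f"[{f.get('severity', 'UNKNOWN')}] {f.get('title', 'finding')}"
        if f.get("description"):
            text += f": {f['description']}"
        if f.get("safer"):
            text += f" Safer: {f['safer']}"
        parts.append(text)
    return "Security scan: " + "; ".join(parts) if parts else "Security scan flagged this command"


def decide(command, raw_scan, ask, session_allowed):
    """Return (run, reason). `ask` returns 'once', 'session', 'deny', or None on timeout."""
    scan = parse_scan(raw_scan)
    if scan.get("action") == "allow":
        return True, "clean"
    if command in session_allowed:
        return True, "approved earlier this session"
    choice = ask(command, format_findings(scan))  # block and warn both prompt
    if choice == "session":
        session_allowed.add(command)
    if choice in ("once", "session"):
        return True, f"approved ({choice})"
    return False, "denied"  # explicit deny, timeout, or unknown answer
```
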
teknium1 added a commit that referenced this pull request Mar 28, 2026
… pages

Fixes found by auditing docs against recent PRs/commits:

Critical (misleading):
- hooks.md: Remove stale 'planned — not yet wired' markers for 4 hooks
  that are now active (#3542). Add correct callback signatures.
- security.md: Update tirith verdict behavior — block verdicts now go
  through approval flow instead of hard-blocking (#3428). Add pkill/killall
  self-termination guard and gateway-run backgrounding patterns (#3593).

New feature docs:
- configuration.md: Add tool_use_enforcement section with value table
  (auto/true/false/list) from #3551/#3528.
- configuration.md: Expand auxiliary config with per-task timeouts
  (compression 120s, web_extract 30s, approval 30s) from #3597.
- api-server.md: Add /v1/health alias, Security Headers section,
  CORS details (Max-Age, SSE headers, Idempotency-Key) from
  #3572/#3573/#3576/#3580/#3530.

Stale/incomplete:
- configuration.md: Fix Alibaba model name qwen-plus -> qwen3.5-plus (#3484).
- environment-variables.md: Specify actual DashScope default URL.
- cli-commands.md: Add alibaba to --provider list.
- fallback-providers.md: Add Alibaba/DashScope to provider table.
- email.md: Document noreply/automated sender filtering (#3606).
- toolsets-reference.md: Add 4 missing platform toolsets — matrix,
  mattermost, dingtalk, api-server (#3583).
- skills.md: List default GitHub taps including garrytan/gstack (#3605).
teknium1 added a commit that referenced this pull request Mar 28, 2026
… pages (#3618)